Diffstat (limited to 'modules/pam_keyinit')
-rw-r--r--modules/pam_keyinit/Makefile.am29
-rw-r--r--modules/pam_keyinit/Makefile.in118
-rw-r--r--modules/pam_keyinit/README25
-rw-r--r--modules/pam_keyinit/pam_keyinit.830
-rw-r--r--modules/pam_keyinit/pam_keyinit.8.xml41
-rw-r--r--modules/pam_keyinit/pam_keyinit.c146
6 files changed, 240 insertions, 149 deletions
diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am
index 5e8657c6..e1953312 100644
--- a/modules/pam_keyinit/Makefile.am
+++ b/modules/pam_keyinit/Makefile.am
@@ -5,30 +5,29 @@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit
-XMLS = README.xml pam_keyinit.8.xml
-
-if HAVE_KEY_MANAGEMENT
- man_MANS = pam_keyinit.8
- TESTS = tst-pam_keyinit
-endif
+EXTRA_DIST = $(XMLS)
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_keyinit.8.xml
--include $(top_srcdir)/Make.xml.rules
+if HAVE_DOC
+dist_man_MANS = pam_keyinit.8
endif
+XMLS = README.xml pam_keyinit.8.xml
+dist_check_SCRIPTS = tst-pam_keyinit
+TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ $(WARN_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
-if HAVE_KEY_MANAGEMENT
- securelib_LTLIBRARIES = pam_keyinit.la
-endif
+securelib_LTLIBRARIES = pam_keyinit.la
pam_keyinit_la_LIBADD = $(top_builddir)/libpam/libpam.la
+
+if ENABLE_REGENERATE_MAN
+dist_noinst_DATA = README
+-include $(top_srcdir)/Make.xml.rules
+endif
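Review bot: The `if HAVE_KEY_MANAGEMENT` guards around `securelib_LTLIBRARIES` and the test are removed, so pam_keyinit.la and tst-pam_keyinit are now built and run unconditionally, and nothing in the hunk records why that is safe. The C side still reaches the kernel through `syscall(__NR_keyctl, …)`, so on a target whose headers lack that number the build would presumably now fail at compile time instead of skipping the module; if configure.ac dropped the check in the same commit (not visible here), a one-line comment such as `# built unconditionally: the module copes with a kernel without key management by treating ENOSYS as success` above `securelib_LTLIBRARIES` would spare the next reader the archaeology.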
diff --git a/modules/pam_keyinit/Makefile.in b/modules/pam_keyinit/Makefile.in
index 194ed241..a1a11625 100644
--- a/modules/pam_keyinit/Makefile.in
+++ b/modules/pam_keyinit/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -20,7 +20,17 @@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -85,9 +95,6 @@ build_triplet = @build@
host_triplet = @host@
@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
subdir = modules/pam_keyinit
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/build-aux/depcomp \
- $(top_srcdir)/build-aux/test-driver README
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
@@ -103,6 +110,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \
+ $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -143,8 +152,6 @@ AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
-@HAVE_KEY_MANAGEMENT_TRUE@am_pam_keyinit_la_rpath = -rpath \
-@HAVE_KEY_MANAGEMENT_TRUE@ $(securelibdir)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -159,7 +166,8 @@ am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
-am__depfiles_maybe = depfiles
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/pam_keyinit.Plo
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -188,8 +196,9 @@ am__can_run_installinfo = \
esac
man8dir = $(mandir)/man8
NROFF = nroff
-MANS = $(man_MANS)
-DATA = $(noinst_DATA)
+MANS = $(dist_man_MANS)
+am__dist_noinst_DATA_DIST = README
+DATA = $(dist_noinst_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
@@ -386,6 +395,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log)
TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver
TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
$(TEST_LOG_FLAGS)
+am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \
+ $(top_srcdir)/build-aux/depcomp \
+ $(top_srcdir)/build-aux/test-driver
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -414,6 +426,8 @@ DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
+ECONF_CFLAGS = @ECONF_CFLAGS@
+ECONF_LIBS = @ECONF_LIBS@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
@@ -422,7 +436,6 @@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
-HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -458,6 +471,7 @@ LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
@@ -494,11 +508,13 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
TIRPC_LIBS = @TIRPC_LIBS@
USE_NLS = @USE_NLS@
VERSION = @VERSION@
+WARN_CFLAGS = @WARN_CFLAGS@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
@@ -567,17 +583,20 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit
+EXTRA_DIST = $(XMLS)
+@HAVE_DOC_TRUE@dist_man_MANS = pam_keyinit.8
XMLS = README.xml pam_keyinit.8.xml
-@HAVE_KEY_MANAGEMENT_TRUE@man_MANS = pam_keyinit.8
-@HAVE_KEY_MANAGEMENT_TRUE@TESTS = tst-pam_keyinit
-@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README
+dist_check_SCRIPTS = tst-pam_keyinit
+TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ $(WARN_CFLAGS)
+
AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
-@HAVE_KEY_MANAGEMENT_TRUE@securelib_LTLIBRARIES = pam_keyinit.la
+securelib_LTLIBRARIES = pam_keyinit.la
pam_keyinit_la_LIBADD = $(top_builddir)/libpam/libpam.la
+@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README
all: all-am
.SUFFIXES:
@@ -594,14 +613,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_keyinit/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu modules/pam_keyinit/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -649,7 +667,7 @@ clean-securelibLTLIBRARIES:
}
pam_keyinit.la: $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_DEPENDENCIES) $(EXTRA_pam_keyinit_la_DEPENDENCIES)
- $(AM_V_CCLD)$(LINK) $(am_pam_keyinit_la_rpath) $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_LIBADD) $(LIBS)
+ $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_LIBADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -657,21 +675,27 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_keyinit.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_keyinit.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+ @$(MKDIR_P) $(@D)
+ @echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -685,10 +709,10 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man8: $(man_MANS)
+install-man8: $(dist_man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
- list2='$(man_MANS)'; \
+ list2='$(dist_man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
@@ -723,7 +747,7 @@ uninstall-man8:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
@@ -811,7 +835,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
if test -n "$$am__remaking_logs"; then \
echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
"recursion detected" >&2; \
- else \
+ elif test -n "$$redo_logs"; then \
am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
fi; \
if $(am__make_dryrun); then :; else \
@@ -901,7 +925,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
fi; \
$$success || exit 1
-check-TESTS:
+check-TESTS: $(dist_check_SCRIPTS)
@list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@@ -911,7 +935,7 @@ check-TESTS:
log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
exit $$?;
-recheck: all
+recheck: all $(dist_check_SCRIPTS)
@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@set +e; $(am__set_TESTS_bases); \
bases=`for i in $$bases; do echo $$i; done \
@@ -944,7 +968,10 @@ tst-pam_keyinit.log: tst-pam_keyinit
@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -975,6 +1002,7 @@ distdir: $(DISTFILES)
fi; \
done
check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA)
@@ -1023,7 +1051,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \
mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR)
+ -rm -f ./$(DEPDIR)/pam_keyinit.Plo
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1069,7 +1097,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
+ -rm -f ./$(DEPDIR)/pam_keyinit.Plo
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1092,15 +1120,16 @@ uninstall-man: uninstall-man8
.MAKE: check-am install-am install-strip
-.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
- clean-generic clean-libtool clean-securelibLTLIBRARIES \
- cscopelist-am ctags ctags-am distclean distclean-compile \
- distclean-generic distclean-libtool distclean-tags distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-man8 \
- install-pdf install-pdf-am install-ps install-ps-am \
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
+ check-am clean clean-generic clean-libtool \
+ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \
+ distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-man8 install-pdf \
+ install-pdf-am install-ps install-ps-am \
install-securelibLTLIBRARIES install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
@@ -1108,7 +1137,8 @@ uninstall-man: uninstall-man8
recheck tags tags-am uninstall uninstall-am uninstall-man \
uninstall-man8 uninstall-securelibLTLIBRARIES
-@ENABLE_REGENERATE_MAN_TRUE@README: pam_keyinit.8.xml
+.PRECIOUS: Makefile
+
@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README
index 38344d9a..fa503700 100644
--- a/modules/pam_keyinit/README
+++ b/modules/pam_keyinit/README
@@ -7,16 +7,18 @@ DESCRIPTION
The pam_keyinit PAM module ensures that the invoking process has a session
keyring other than the user default session keyring.
-The session component of the module checks to see if the process's session
-keyring is the user default, and, if it is, creates a new anonymous session
-keyring with which to replace it.
-
-If a new session keyring is created, it will install a link to the user common
-keyring in the session keyring so that keys common to the user will be
-automatically accessible through it.
-
-The session keyring of the invoking process will thenceforth be inherited by
-all its children unless they override it.
+The module checks to see if the process's session keyring is the
+user-session-keyring(7), and, if it is, creates a new session-keyring(7) with
+which to replace it. If a new session keyring is created, it will install a
+link to the user-keyring(7) in the session keyring so that keys common to the
+user will be automatically accessible through it. The session keyring of the
+invoking process will thenceforth be inherited by all its children unless they
+override it.
+
+In order to allow other PAM modules to attach tokens to the keyring, this
+module provides both an auth (limited to pam_setcred(3) and a session
+component. The session keyring is created in the module called. Moreover this
+module should be included as early as possible in a PAM configuration.
This module is intended primarily for use by login processes. Be aware that
after the session keyring has been replaced, the old session keyring and the
@@ -26,9 +28,6 @@ This module should not, generally, be invoked by programs like su, since it is
usually desirable for the key set to percolate through to the alternate
context. The keys have their own permissions system to manage this.
-This module should be included as early as possible in a PAM configuration, so
-that other PAM modules can attach tokens to the keyring.
-
The keyutils package is used to manipulate keys more directly. This can be
obtained from:
diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8
index 4dfbffbc..814008c3 100644
--- a/modules/pam_keyinit/pam_keyinit.8
+++ b/modules/pam_keyinit/pam_keyinit.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_keyinit
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 05/18/2017
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 06/08/2020
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_KEYINIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_KEYINIT" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -36,19 +36,26 @@ pam_keyinit \- Kernel session keyring initialiser module
.PP
The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&.
.PP
-The session component of the module checks to see if the process\*(Aqs session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&.
-.PP
-If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&.
-.PP
-The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&.
+The module checks to see if the process\*(Aqs session keyring is the
+\fBuser-session-keyring\fR(7), and, if it is, creates a new
+\fBsession-keyring\fR(7)
+with which to replace it\&. If a new session keyring is created, it will install a link to the
+\fBuser-keyring\fR(7)
+in the session keyring so that keys common to the user will be automatically accessible through it\&. The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&.
+.PP
+In order to allow other PAM modules to attach tokens to the keyring, this module provides both an
+\fIauth\fR
+(limited to
+\fBpam_setcred\fR(3)
+and a
+\fIsession\fR
+component\&. The session keyring is created in the module called\&. Moreover this module should be included as early as possible in a PAM configuration\&.
.PP
This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&.
.PP
This module should not, generally, be invoked by programs like
\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&.
.PP
-This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&.
-.PP
The keyutils package is used to manipulate keys more directly\&. This can be obtained from:
.PP
\m[blue]\fBKeyutils\fR\m[]\&\s-2\u[1]\d\s+2
@@ -130,7 +137,8 @@ This will prevent keys from one session leaking into another session for the sam
.PP
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
-\fBpam\fR(8)\fBkeyctl\fR(1)
+\fBpam\fR(8),
+\fBkeyctl\fR(1)
.SH "AUTHOR"
.PP
pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
index bcc50964..ff1e7d00 100644
--- a/modules/pam_keyinit/pam_keyinit.8.xml
+++ b/modules/pam_keyinit/pam_keyinit.8.xml
@@ -37,18 +37,32 @@
session keyring other than the user default session keyring.
</para>
<para>
- The session component of the module checks to see if the process's
- session keyring is the user default, and, if it is, creates a new
- anonymous session keyring with which to replace it.
- </para>
- <para>
- If a new session keyring is created, it will install a link to the user
- common keyring in the session keyring so that keys common to the user
- will be automatically accessible through it.
+ The module checks to see if the process's session keyring is the
+ <citerefentry>
+ <refentrytitle>user-session-keyring</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>,
+ and, if it is, creates a new
+ <citerefentry>
+ <refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ with which to replace it. If a new session keyring is created, it will
+ install a link to the
+ <citerefentry>
+ <refentrytitle>user-keyring</refentrytitle><manvolnum>7</manvolnum>
+ </citerefentry>
+ in the session keyring so that keys common to the user will be
+ automatically accessible through it. The session keyring of the invoking
+ process will thenceforth be inherited by all its children unless they override it.
</para>
<para>
- The session keyring of the invoking process will thenceforth be inherited
- by all its children unless they override it.
+ In order to allow other PAM modules to attach tokens to the keyring, this module
+ provides both an <emphasis>auth</emphasis> (limited to
+ <citerefentry>
+ <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ and a <emphasis>session</emphasis> component. The session keyring is created
+ in the module called. Moreover this module should be included as early as
+ possible in a PAM configuration.
</para>
<para>
This module is intended primarily for use by login processes. Be aware
@@ -62,11 +76,6 @@
their own permissions system to manage this.
</para>
<para>
- This module should be included as early as possible in a PAM
- configuration, so that other PAM modules can attach tokens to the
- keyring.
- </para>
- <para>
The keyutils package is used to manipulate keys more directly. This
can be obtained from:
</para>
@@ -224,7 +233,7 @@ session required pam_keyinit.so
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
+ </citerefentry>,
<citerefentry>
<refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
index b2fa5d95..92e4953b 100644
--- a/modules/pam_keyinit/pam_keyinit.c
+++ b/modules/pam_keyinit/pam_keyinit.c
@@ -1,4 +1,5 @@
-/* pam_keyinit.c: Initialise the session keyring on login through a PAM module
+/*
+ * pam_keyinit: Initialise the session keyring on login through a PAM module
*
* Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
@@ -30,11 +31,11 @@
#define KEYCTL_REVOKE 3 /* revoke a key */
#define KEYCTL_LINK 8 /* link a key into a keyring */
-static int my_session_keyring;
-static int session_counter;
-static int do_revoke;
-static int revoke_as_uid;
-static int revoke_as_gid;
+static int my_session_keyring = 0;
+static int session_counter = 0;
+static int do_revoke = 0;
+static uid_t revoke_as_uid;
+static gid_t revoke_as_gid;
static int xdebug = 0;
static void debug(pam_handle_t *pamh, const char *fmt, ...)
@@ -51,24 +52,22 @@ static void debug(pam_handle_t *pamh, const char *fmt, ...)
}
}
-static int error(pam_handle_t *pamh, const char *fmt, ...)
+static void error(pam_handle_t *pamh, const char *fmt, ...)
__attribute__((format(printf, 2, 3)));
-static int error(pam_handle_t *pamh, const char *fmt, ...)
+static void error(pam_handle_t *pamh, const char *fmt, ...)
{
va_list va;
va_start(va, fmt);
pam_vsyslog(pamh, LOG_ERR, fmt, va);
va_end(va);
-
- return PAM_SESSION_ERR;
}
/*
* initialise the session keyring for this process
*/
-static int init_keyrings(pam_handle_t *pamh, int force)
+static int init_keyrings(pam_handle_t *pamh, int force, int error_ret)
{
int session, usession, ret;
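Review bot: `init_keyrings` gains an `error_ret` parameter but the comment above it, `initialise the session keyring for this process`, still says nothing about what it is or who chooses it. Suggest extending that comment with `error_ret is the PAM status returned on failure; callers pass PAM_SESSION_ERR or PAM_CRED_ERR depending on the entry point` so the repeated `return error_ret;` sites read without chasing callers. The body of init_keyrings continues outside the hunk.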
@@ -85,7 +84,7 @@ static int init_keyrings(pam_handle_t *pamh, int force)
* installed */
if (errno == ENOSYS)
return PAM_SUCCESS;
- return PAM_SESSION_ERR;
+ return error_ret;
}
usession = syscall(__NR_keyctl,
@@ -94,7 +93,7 @@ static int init_keyrings(pam_handle_t *pamh, int force)
0);
debug(pamh, "GET SESSION = %d", usession);
if (usession < 0)
- return PAM_SESSION_ERR;
+ return error_ret;
/* if the user session keyring is our keyring, then we don't
* need to do anything if we're not forcing */
@@ -108,7 +107,7 @@ static int init_keyrings(pam_handle_t *pamh, int force)
NULL);
debug(pamh, "JOIN = %d", ret);
if (ret < 0)
- return PAM_SESSION_ERR;
+ return error_ret;
my_session_keyring = ret;
@@ -118,15 +117,17 @@ static int init_keyrings(pam_handle_t *pamh, int force)
KEY_SPEC_USER_KEYRING,
KEY_SPEC_SESSION_KEYRING);
- return ret < 0 ? PAM_SESSION_ERR : PAM_SUCCESS;
+ return ret < 0 ? error_ret : PAM_SUCCESS;
}
/*
* revoke the session keyring for this process
*/
-static void kill_keyrings(pam_handle_t *pamh)
+static int kill_keyrings(pam_handle_t *pamh, int error_ret)
{
- int old_uid, old_gid;
+ uid_t old_uid;
+ gid_t old_gid;
+ int ret = PAM_SUCCESS;
/* revoke the session keyring we created earlier */
if (my_session_keyring > 0) {
@@ -139,38 +140,45 @@ static void kill_keyrings(pam_handle_t *pamh)
/* switch to the real UID and GID so that we have permission to
* revoke the key */
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
- error(pamh, "Unable to change GID to %d temporarily\n",
- revoke_as_gid);
+ if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) {
+ error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid);
+ return error_ret;
+ }
- if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0)
- error(pamh, "Unable to change UID to %d temporarily\n",
- revoke_as_uid);
+ if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0) {
+ error(pamh, "Unable to change UID to %d temporarily\n", revoke_as_uid);
+ if (getegid() != old_gid && setregid(-1, old_gid) < 0)
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
+ return error_ret;
+ }
- syscall(__NR_keyctl,
- KEYCTL_REVOKE,
- my_session_keyring);
+ if (syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring) < 0) {
+ ret = error_ret;
+ }
- /* return to the orignal UID and GID (probably root) */
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
+ /* return to the original UID and GID (probably root) */
+ if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) {
error(pamh, "Unable to change UID back to %d\n", old_uid);
+ ret = error_ret;
+ }
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
+ if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) {
error(pamh, "Unable to change GID back to %d\n", old_gid);
+ ret = error_ret;
+ }
my_session_keyring = 0;
}
+ return ret;
}
-/*
- * open a PAM session by making sure there's a session keyring
- */
-int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
+static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error_ret)
{
struct passwd *pw;
const char *username;
- int ret, old_uid, uid, old_gid, gid, loop, force = 0;
+ int ret, loop, force = 0;
+ uid_t old_uid, uid;
+ gid_t old_gid, gid;
for (loop = 0; loop < argc; loop++) {
if (strcmp(argv[loop], "force") == 0)
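Review bot: A failed revoke on the `if (syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring) < 0)` line only sets `ret = error_ret` and, unlike every other failure in kill_keyrings, logs nothing, while `my_session_keyring = 0` still runs afterwards so the revocation is never retried; an `error(pamh, "Unable to revoke session keyring: %s\n", strerror(errno));` inside that branch would at least make the condition visible in syslog (assuming `<string.h>` is already included for the `strcmp` call below). Separately, `revoke_as_uid`/`revoke_as_gid` are now uid_t/gid_t but are still printed with `%d` in this hunk's error() calls (the same holds for `old_uid`/`old_gid` here and for `uid`/`gid` in the following do_keyinit hunk, `@@ -212,29 +217,70 @@`); `%u` — uid_t and gid_t are unsigned on glibc — or an explicit cast would match the new types. The comment that used to describe pam_sm_open_session is dropped and `do_keyinit` gets none; a line such as `/* make sure this process has its own session keyring; shared by setcred and open_session, returns error_ret on failure */` above its definition would restore it. Both kill_keyrings and do_keyinit extend beyond this hunk.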
@@ -184,10 +192,6 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
/* don't do anything if already created a keyring (will be called
* multiple times if mentioned more than once in a pam script)
*/
- session_counter++;
-
- debug(pamh, "OPEN %d", session_counter);
-
if (my_session_keyring > 0)
return PAM_SUCCESS;
@@ -198,7 +202,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
pw = pam_modutil_getpwnam(pamh, username);
if (!pw) {
- error(pamh, "Unable to look up user \"%s\"\n", username);
+ pam_syslog(pamh, LOG_NOTICE, "Unable to look up user \"%s\"\n",
+ username);
return PAM_USER_UNKNOWN;
}
@@ -212,29 +217,70 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
* the right user */
if (gid != old_gid && setregid(gid, -1) < 0) {
error(pamh, "Unable to change GID to %d temporarily\n", gid);
- return PAM_SESSION_ERR;
+ return error_ret;
}
if (uid != old_uid && setreuid(uid, -1) < 0) {
error(pamh, "Unable to change UID to %d temporarily\n", uid);
if (setregid(old_gid, -1) < 0)
error(pamh, "Unable to change GID back to %d\n", old_gid);
- return PAM_SESSION_ERR;
+ return error_ret;
}
- ret = init_keyrings(pamh, force);
+ ret = init_keyrings(pamh, force, error_ret);
- /* return to the orignal UID and GID (probably root) */
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
- ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
+ /* return to the original UID and GID (probably root) */
+ if (uid != old_uid && setreuid(old_uid, -1) < 0) {
+ error(pamh, "Unable to change UID back to %d\n", old_uid);
+ ret = error_ret;
+ }
- if (gid != old_gid && setregid(old_gid, -1) < 0)
- ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
+ if (gid != old_gid && setregid(old_gid, -1) < 0) {
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
+ ret = error_ret;
+ }
return ret;
}
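Review bot: In `pam_sm_setcred`, PAM_DELETE_CRED revokes the keyring whenever `my_session_keyring > 0 && do_revoke` without consulting `session_counter`, so an application that calls pam_setcred(PAM_DELETE_CRED) before pam_close_session on a keyring that open_session created would presumably lose it while the session is still open; if that is intended for applications that only use the auth stack, a comment on that branch saying so would help. While there, `if ((flags & PAM_DELETE_CRED) && my_session_keyring > 0 && do_revoke)` reads more safely than the unparenthesised mix of `&` and `&&`. The `Dummy` comment above pam_sm_authenticate could say why the stub exists, e.g. `no-op: an auth module must export pam_sm_authenticate to be loadable; the real work happens in pam_sm_setcred` (hedged — that loader requirement is not visible here).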
/*
+ * Dummy
+ */
+int pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_IGNORE;
+}
+
+/*
+ * since setcred and open_session are called in different orders, a
+ * session ring is invoked by the first of these functions called.
+ */
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ if (flags & PAM_ESTABLISH_CRED) {
+ debug(pamh, "ESTABLISH_CRED");
+ return do_keyinit(pamh, argc, argv, PAM_CRED_ERR);
+ }
+ if (flags & PAM_DELETE_CRED && my_session_keyring > 0 && do_revoke) {
+ debug(pamh, "DELETE_CRED");
+ return kill_keyrings(pamh, PAM_CRED_ERR);
+ }
+ return PAM_IGNORE;
+}
+
+int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ session_counter++;
+
+ debug(pamh, "OPEN %d", session_counter);
+
+ return do_keyinit(pamh, argc, argv, PAM_SESSION_ERR);
+}
+
+/*
* close a PAM session by revoking the session keyring if requested
*/
int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
@@ -245,8 +291,8 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
session_counter--;
- if (session_counter == 0 && my_session_keyring > 0 && do_revoke)
- kill_keyrings(pamh);
+ if (session_counter <= 0 && my_session_keyring > 0 && do_revoke)
+ kill_keyrings(pamh, PAM_SESSION_ERR);
return PAM_SUCCESS;
}
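Review bot: `kill_keyrings(pamh, PAM_SESSION_ERR)` now returns a status, but pam_sm_close_session discards it and unconditionally returns PAM_SUCCESS two lines later, so the PAM_SESSION_ERR argument never reaches the application and a failed revoke at logout goes unnoticed by it. Either propagate it with `return kill_keyrings(pamh, PAM_SESSION_ERR);` or, if failing session close is deliberately avoided, say so in a comment such as `/* revocation failure is logged but never fails session close */`. The `<= 0` compare tolerates `session_counter` going negative on repeated close calls (it is never reset after the revoke); a short comment would make clear that this is intentional rather than a leftover.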