Diffstat (limited to 'modules/pam_pwhistory')
-rw-r--r--modules/pam_pwhistory/Makefile.am21
-rw-r--r--modules/pam_pwhistory/Makefile.in218
-rw-r--r--modules/pam_pwhistory/README6
-rw-r--r--modules/pam_pwhistory/opasswd.c72
-rw-r--r--modules/pam_pwhistory/opasswd.h31
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.810
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.8.xml6
-rw-r--r--modules/pam_pwhistory/pam_pwhistory.c220
-rw-r--r--modules/pam_pwhistory/pwhistory_helper.854
-rw-r--r--modules/pam_pwhistory/pwhistory_helper.8.xml68
-rw-r--r--modules/pam_pwhistory/pwhistory_helper.c119
11 files changed, 721 insertions, 104 deletions
diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am
index bd9f1ea9..8a4dbcb2 100644
--- a/modules/pam_pwhistory/Makefile.am
+++ b/modules/pam_pwhistory/Makefile.am
@@ -1,5 +1,6 @@
#
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2013 Red Hat, Inc.
#
CLEANFILES = *~
@@ -8,9 +9,9 @@ MAINTAINERCLEANFILES = $(MANS) README
EXTRA_DIST = $(XMLS)
if HAVE_DOC
-dist_man_MANS = pam_pwhistory.8
+dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
endif
-XMLS = README.xml pam_pwhistory.8.xml
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
dist_check_SCRIPTS = tst-pam_pwhistory
TESTS = $(dist_check_SCRIPTS)
@@ -18,18 +19,26 @@ securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- $(WARN_CFLAGS)
-AM_LDFLAGS = -no-undefined -avoid-version -module
+ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
+
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
noinst_HEADERS = opasswd.h
securelib_LTLIBRARIES = pam_pwhistory.la
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
+sbin_PROGRAMS = pwhistory_helper
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
+pwhistory_helper_LDFLAGS = @EXE_LDFLAGS@
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
+
if ENABLE_REGENERATE_MAN
dist_noinst_DATA = README
-include $(top_srcdir)/Make.xml.rules
diff --git a/modules/pam_pwhistory/Makefile.in b/modules/pam_pwhistory/Makefile.in
index 42a6907d..cf1082b0 100644
--- a/modules/pam_pwhistory/Makefile.in
+++ b/modules/pam_pwhistory/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -16,10 +16,12 @@
#
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2013 Red Hat, Inc.
#
+
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
@@ -95,20 +97,24 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
+sbin_PROGRAMS = pwhistory_helper$(EXEEXT)
subdir = modules/pam_pwhistory
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
- $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
- $(top_srcdir)/m4/japhar_grep_cflags.m4 \
+am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
+ $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \
+ $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
- $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \
+ $(top_srcdir)/m4/ld-no-undefined.m4 \
+ $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \
$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
$(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
- $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac
+ $(top_srcdir)/m4/progtest.m4 \
+ $(top_srcdir)/m4/warn_lang_flags.m4 \
+ $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \
@@ -118,6 +124,9 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \
+ "$(DESTDIR)$(man8dir)"
+PROGRAMS = $(sbin_PROGRAMS)
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -145,15 +154,28 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
-am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"
LTLIBRARIES = $(securelib_LTLIBRARIES)
pam_pwhistory_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la
-am_pam_pwhistory_la_OBJECTS = pam_pwhistory.lo opasswd.lo
+am_pam_pwhistory_la_OBJECTS = pam_pwhistory_la-pam_pwhistory.lo \
+ pam_pwhistory_la-opasswd.lo
pam_pwhistory_la_OBJECTS = $(am_pam_pwhistory_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
+pam_pwhistory_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(pam_pwhistory_la_CFLAGS) $(CFLAGS) \
+ $(pam_pwhistory_la_LDFLAGS) $(LDFLAGS) -o $@
+am_pwhistory_helper_OBJECTS = \
+ pwhistory_helper-pwhistory_helper.$(OBJEXT) \
+ pwhistory_helper-opasswd.$(OBJEXT)
+pwhistory_helper_OBJECTS = $(am_pwhistory_helper_OBJECTS)
+pwhistory_helper_DEPENDENCIES = $(top_builddir)/libpam/libpam.la
+pwhistory_helper_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(pwhistory_helper_CFLAGS) $(CFLAGS) \
+ $(pwhistory_helper_LDFLAGS) $(LDFLAGS) -o $@
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -169,8 +191,10 @@ am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/opasswd.Plo \
- ./$(DEPDIR)/pam_pwhistory.Plo
+am__depfiles_remade = ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo \
+ ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo \
+ ./$(DEPDIR)/pwhistory_helper-opasswd.Po \
+ ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -190,8 +214,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = $(pam_pwhistory_la_SOURCES)
-DIST_SOURCES = $(pam_pwhistory_la_SOURCES)
+SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES)
+DIST_SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -377,6 +401,7 @@ am__set_TESTS_bases = \
bases='$(TEST_LOGS)'; \
bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
RECHECK_LOGS = $(TEST_LOGS)
AM_RECURSIVE_TARGETS = check recheck
TEST_SUITE_LOG = test-suite.log
@@ -421,6 +446,9 @@ CC_FOR_BUILD = @CC_FOR_BUILD@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
+CRYPTO_LIBS = @CRYPTO_LIBS@
+CRYPT_CFLAGS = @CRYPT_CFLAGS@
+CRYPT_LIBS = @CRYPT_LIBS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
@@ -434,6 +462,8 @@ ECONF_CFLAGS = @ECONF_CFLAGS@
ECONF_LIBS = @ECONF_LIBS@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
+EXE_CFLAGS = @EXE_CFLAGS@
+EXE_LDFLAGS = @EXE_LDFLAGS@
FGREP = @FGREP@
FO2PDF = @FO2PDF@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
@@ -453,7 +483,6 @@ LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBAUDIT = @LIBAUDIT@
-LIBCRACK = @LIBCRACK@
LIBCRYPT = @LIBCRYPT@
LIBDB = @LIBDB@
LIBDL = @LIBDL@
@@ -500,8 +529,6 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
-PIE_CFLAGS = @PIE_CFLAGS@
-PIE_LDFLAGS = @PIE_LDFLAGS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
@@ -512,6 +539,7 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+STRINGPARAM_HMAC = @STRINGPARAM_HMAC@
STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
@@ -561,7 +589,6 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
-libc_cv_fpie = @libc_cv_fpie@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
@@ -569,9 +596,6 @@ localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
-pam_cv_ld_O1 = @pam_cv_ld_O1@
-pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
-pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@
pam_xauth_path = @pam_xauth_path@
pdfdir = @pdfdir@
prefix = @prefix@
@@ -581,6 +605,7 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -588,20 +613,26 @@ top_srcdir = @top_srcdir@
CLEANFILES = *~
MAINTAINERCLEANFILES = $(MANS) README
EXTRA_DIST = $(XMLS)
-@HAVE_DOC_TRUE@dist_man_MANS = pam_pwhistory.8
-XMLS = README.xml pam_pwhistory.8.xml
+@HAVE_DOC_TRUE@dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
dist_check_SCRIPTS = tst-pam_pwhistory
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- $(WARN_CFLAGS)
+ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
-AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module \
+ $(am__append_1)
noinst_HEADERS = opasswd.h
securelib_LTLIBRARIES = pam_pwhistory.la
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
+pwhistory_helper_LDFLAGS = @EXE_LDFLAGS@
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README
all: all-am
@@ -636,6 +667,55 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
+ fi; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p \
+ || test -f $$p1 \
+ ; then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' \
+ -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
+ } \
+ ; done
+
+uninstall-sbinPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' \
+ `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+
+clean-sbinPROGRAMS:
+ @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES)
@$(NORMAL_INSTALL)
@@ -673,7 +753,11 @@ clean-securelibLTLIBRARIES:
}
pam_pwhistory.la: $(pam_pwhistory_la_OBJECTS) $(pam_pwhistory_la_DEPENDENCIES) $(EXTRA_pam_pwhistory_la_DEPENDENCIES)
- $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_pwhistory_la_OBJECTS) $(pam_pwhistory_la_LIBADD) $(LIBS)
+ $(AM_V_CCLD)$(pam_pwhistory_la_LINK) -rpath $(securelibdir) $(pam_pwhistory_la_OBJECTS) $(pam_pwhistory_la_LIBADD) $(LIBS)
+
+pwhistory_helper$(EXEEXT): $(pwhistory_helper_OBJECTS) $(pwhistory_helper_DEPENDENCIES) $(EXTRA_pwhistory_helper_DEPENDENCIES)
+ @rm -f pwhistory_helper$(EXEEXT)
+ $(AM_V_CCLD)$(pwhistory_helper_LINK) $(pwhistory_helper_OBJECTS) $(pwhistory_helper_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -681,8 +765,10 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/opasswd.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhistory_helper-opasswd.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@@ -711,6 +797,48 @@ am--depfiles: $(am__depfiles_remade)
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+pam_pwhistory_la-pam_pwhistory.lo: pam_pwhistory.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -MT pam_pwhistory_la-pam_pwhistory.lo -MD -MP -MF $(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Tpo -c -o pam_pwhistory_la-pam_pwhistory.lo `test -f 'pam_pwhistory.c' || echo '$(srcdir)/'`pam_pwhistory.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Tpo $(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pam_pwhistory.c' object='pam_pwhistory_la-pam_pwhistory.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-pam_pwhistory.lo `test -f 'pam_pwhistory.c' || echo '$(srcdir)/'`pam_pwhistory.c
+
+pam_pwhistory_la-opasswd.lo: opasswd.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -MT pam_pwhistory_la-opasswd.lo -MD -MP -MF $(DEPDIR)/pam_pwhistory_la-opasswd.Tpo -c -o pam_pwhistory_la-opasswd.lo `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_pwhistory_la-opasswd.Tpo $(DEPDIR)/pam_pwhistory_la-opasswd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='opasswd.c' object='pam_pwhistory_la-opasswd.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-opasswd.lo `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c
+
+pwhistory_helper-pwhistory_helper.o: pwhistory_helper.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-pwhistory_helper.o -MD -MP -MF $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo -c -o pwhistory_helper-pwhistory_helper.o `test -f 'pwhistory_helper.c' || echo '$(srcdir)/'`pwhistory_helper.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo $(DEPDIR)/pwhistory_helper-pwhistory_helper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pwhistory_helper.c' object='pwhistory_helper-pwhistory_helper.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-pwhistory_helper.o `test -f 'pwhistory_helper.c' || echo '$(srcdir)/'`pwhistory_helper.c
+
+pwhistory_helper-pwhistory_helper.obj: pwhistory_helper.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-pwhistory_helper.obj -MD -MP -MF $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo -c -o pwhistory_helper-pwhistory_helper.obj `if test -f 'pwhistory_helper.c'; then $(CYGPATH_W) 'pwhistory_helper.c'; else $(CYGPATH_W) '$(srcdir)/pwhistory_helper.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo $(DEPDIR)/pwhistory_helper-pwhistory_helper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pwhistory_helper.c' object='pwhistory_helper-pwhistory_helper.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-pwhistory_helper.obj `if test -f 'pwhistory_helper.c'; then $(CYGPATH_W) 'pwhistory_helper.c'; else $(CYGPATH_W) '$(srcdir)/pwhistory_helper.c'; fi`
+
+pwhistory_helper-opasswd.o: opasswd.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-opasswd.o -MD -MP -MF $(DEPDIR)/pwhistory_helper-opasswd.Tpo -c -o pwhistory_helper-opasswd.o `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-opasswd.Tpo $(DEPDIR)/pwhistory_helper-opasswd.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='opasswd.c' object='pwhistory_helper-opasswd.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-opasswd.o `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c
+
+pwhistory_helper-opasswd.obj: opasswd.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-opasswd.obj -MD -MP -MF $(DEPDIR)/pwhistory_helper-opasswd.Tpo -c -o pwhistory_helper-opasswd.obj `if test -f 'opasswd.c'; then $(CYGPATH_W) 'opasswd.c'; else $(CYGPATH_W) '$(srcdir)/opasswd.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-opasswd.Tpo $(DEPDIR)/pwhistory_helper-opasswd.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='opasswd.c' object='pwhistory_helper-opasswd.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-opasswd.obj `if test -f 'opasswd.c'; then $(CYGPATH_W) 'opasswd.c'; else $(CYGPATH_W) '$(srcdir)/opasswd.c'; fi`
+
mostlyclean-libtool:
-rm -f *.lo
@@ -919,7 +1047,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
fi; \
echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \
+ echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
echo "$${col}$$br$${std}"; \
create_testsuite_report --maybe-color; \
echo "$$col$$br$$std"; \
@@ -1012,9 +1140,9 @@ check-am: all-am
$(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
-all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS)
+all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS)
installdirs:
- for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \
+ for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -1054,12 +1182,14 @@ maintainer-clean-generic:
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
clean: clean-am
-clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \
- mostlyclean-am
+clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
+ clean-securelibLTLIBRARIES mostlyclean-am
distclean: distclean-am
- -rm -f ./$(DEPDIR)/opasswd.Plo
- -rm -f ./$(DEPDIR)/pam_pwhistory.Plo
+ -rm -f ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo
+ -rm -f ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo
+ -rm -f ./$(DEPDIR)/pwhistory_helper-opasswd.Po
+ -rm -f ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -1082,7 +1212,7 @@ install-dvi: install-dvi-am
install-dvi-am:
-install-exec-am:
+install-exec-am: install-sbinPROGRAMS
install-html: install-html-am
@@ -1105,8 +1235,10 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -f ./$(DEPDIR)/opasswd.Plo
- -rm -f ./$(DEPDIR)/pam_pwhistory.Plo
+ -rm -f ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo
+ -rm -f ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo
+ -rm -f ./$(DEPDIR)/pwhistory_helper-opasswd.Po
+ -rm -f ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -1123,14 +1255,15 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES
+uninstall-am: uninstall-man uninstall-sbinPROGRAMS \
+ uninstall-securelibLTLIBRARIES
uninstall-man: uninstall-man8
.MAKE: check-am install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
- check-am clean clean-generic clean-libtool \
+ check-am clean clean-generic clean-libtool clean-sbinPROGRAMS \
clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \
distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
@@ -1138,13 +1271,14 @@ uninstall-man: uninstall-man8
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-man8 install-pdf \
- install-pdf-am install-ps install-ps-am \
+ install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \
install-securelibLTLIBRARIES install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
recheck tags tags-am uninstall uninstall-am uninstall-man \
- uninstall-man8 uninstall-securelibLTLIBRARIES
+ uninstall-man8 uninstall-sbinPROGRAMS \
+ uninstall-securelibLTLIBRARIES
.PRECIOUS: Makefile
diff --git a/modules/pam_pwhistory/README b/modules/pam_pwhistory/README
index 1634249b..161bebc7 100644
--- a/modules/pam_pwhistory/README
+++ b/modules/pam_pwhistory/README
@@ -23,7 +23,7 @@ use_authtok
When password changing enforce the module to use the new password provided
by a previously stacked password module (this is used in the example of the
- stacking of the pam_cracklib module documented below).
+ stacking of the pam_passwdqc module documented below).
enforce_for_root
@@ -52,10 +52,10 @@ password required pam_pwhistory.so
password required pam_unix.so use_authtok
-In combination with pam_cracklib:
+In combination with pam_passwdqc:
#%PAM-1.0
-password required pam_cracklib.so retry=3
+password required pam_passwdqc.so config=/etc/passwdqc.conf
password required pam_pwhistory.so use_authtok
password required pam_unix.so use_authtok
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
index 77142f2c..a6cd3d2a 100644
--- a/modules/pam_pwhistory/opasswd.c
+++ b/modules/pam_pwhistory/opasswd.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
+ * Copyright (c) 2013 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -38,6 +39,7 @@
#endif
#include <pwd.h>
+#include <shadow.h>
#include <time.h>
#include <ctype.h>
#include <errno.h>
@@ -47,15 +49,23 @@
#include <string.h>
#include <stdlib.h>
#include <syslog.h>
+#ifdef HELPER_COMPILE
+#include <stdarg.h>
+#endif
#include <sys/stat.h>
-#if defined HAVE_LIBXCRYPT
-#include <xcrypt.h>
-#elif defined (HAVE_CRYPT_H)
+#ifdef HAVE_CRYPT_H
#include <crypt.h>
#endif
+#ifdef HELPER_COMPILE
+#define pam_modutil_getpwnam(h,n) getpwnam(n)
+#define pam_modutil_getspnam(h,n) getspnam(n)
+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
+#else
+#include <security/pam_modutil.h>
#include <security/pam_ext.h>
+#endif
#include <security/pam_modules.h>
#include "opasswd.h"
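Review bot: The `pam_syslog(h,a,...)` redirect in the new `#ifdef HELPER_COMPILE` block only compiles when every call site passes at least one argument after the format string; a call of the form `pam_syslog (pamh, LOG_ERR, "literal message")` expands to `helper_log_err(LOG_ERR,)`, which is a syntax error in standard C99 (only the GNU `, ##__VA_ARGS__` extension tolerates it). Forwarding the whole tail sidesteps the trap: `#define pam_syslog(h,...) helper_log_err(__VA_ARGS__)`. Whether opasswd.c currently contains such a no-argument call is not visible in this hunk, so this may be latent rather than a present build break.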
@@ -76,6 +86,20 @@ typedef struct {
char *old_passwords;
} opwd;
+#ifdef HELPER_COMPILE
+PAM_FORMAT((printf, 2, 3))
+void
+helper_log_err(int err, const char *format, ...)
+{
+ va_list args;
+
+ va_start(args, format);
+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+ vsyslog(err, format, args);
+ va_end(args);
+ closelog();
+}
+#endif
static int
parse_entry (char *line, opwd *data)
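Review bot: `helper_log_err` is added without a comment saying what it is for, even though its whole purpose is to be the target of the `pam_syslog` macro a few lines above. A header such as `/* Helper-build stand-in for pam_syslog(): the helper has no PAM handle, so messages go straight to syslog under the helper's own identity. */` would let a reader understand the pairing without scanning the include block. Opening and closing the log on every call is acceptable for a short-lived helper, but it is the kind of choice that deserves one sentence saying it is intentional.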
@@ -117,9 +141,8 @@ compare_password(const char *newpass, const char *oldpass)
}
/* Check, if the new password is already in the opasswd file. */
-int
-check_old_pass (pam_handle_t *pamh, const char *user,
- const char *newpass, int debug)
+PAMH_ARG_DECL(int
+check_old_pass, const char *user, const char *newpass, int debug)
{
int retval = PAM_SUCCESS;
FILE *oldpf;
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, const char *user,
opwd entry;
int found = 0;
+#ifndef HELPER_COMPILE
+ if (SELINUX_ENABLED)
+ return PAM_PWHISTORY_RUN_HELPER;
+#endif
+
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
{
if (errno != ENOENT)
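Review bot: The new `return PAM_PWHISTORY_RUN_HELPER;` in check_old_pass has no comment, and the value is (per opasswd.h in this same commit) an alias of `PAM_CRED_INSUFFICIENT`, so a reader of this function alone sees a credential error being returned for an SELinux condition. A comment at the return such as `/* Not an error: under SELinux the caller must redo this check via pwhistory_helper; see PAM_PWHISTORY_RUN_HELPER. */` would prevent the alias from being "fixed" later. Note that the check is placed before the fopen, so on SELinux systems the file is never touched here; that is presumably the intent. The body of check_old_pass continues outside this hunk.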
@@ -213,9 +241,8 @@ check_old_pass (pam_handle_t *pamh, const char *user,
return retval;
}
-int
-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
- const char *oldpass, int howmany, int debug UNUSED)
+PAMH_ARG_DECL(int
+save_old_pass, const char *user, int howmany, int debug UNUSED)
{
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
struct stat opasswd_stat;
@@ -226,10 +253,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
char *buf = NULL;
size_t buflen = 0;
int found = 0;
+ struct passwd *pwd;
+ const char *oldpass;
+
+ pwd = pam_modutil_getpwnam (pamh, user);
+ if (pwd == NULL)
+ return PAM_USER_UNKNOWN;
if (howmany <= 0)
return PAM_SUCCESS;
+#ifndef HELPER_COMPILE
+ if (SELINUX_ENABLED)
+ return PAM_PWHISTORY_RUN_HELPER;
+#endif
+
+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
+ ((pwd->pw_passwd[0] == '#') &&
+ (pwd->pw_passwd[1] == '#') &&
+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
+ {
+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
+
+ if (spw == NULL)
+ return PAM_USER_UNKNOWN;
+ oldpass = spw->sp_pwdp;
+ }
+ else
+ oldpass = pwd->pw_passwd;
+
if (oldpass == NULL || *oldpass == '\0')
return PAM_SUCCESS;
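Review bot: In the new shadow lookup, `if (spw == NULL) return PAM_USER_UNKNOWN;` reports every getspnam()/pam_modutil_getspnam() failure as "user unknown", but the user was just found in passwd two branches earlier, so a NULL here is more likely an inability to read the shadow entry (e.g. insufficient privilege in the non-helper build) than a missing account; that misleads whoever reads the PAM result. Logging the real cause and returning a distinct status, e.g. `pam_syslog (pamh, LOG_ERR, "Cannot read shadow entry for user %s", user);` before returning something other than PAM_USER_UNKNOWN, would keep the two cases apart. A smaller point: the getpwnam lookup now runs before the `howmany <= 0` early return, so the cheap no-op case does a passwd lookup it does not need; moving the lookup below that check avoids it. save_old_pass starts in the previous hunk and its body continues past this one.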
@@ -452,7 +504,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
{
char *out;
- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
{
retval = PAM_AUTHTOK_ERR;
if (oldpf)
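Review bot: The rewritten asprintf still formats `pwd->pw_uid` with `%d`, but `uid_t` is not an `int` (it is unsigned on common Linux libcs), so the format specifier and argument type do not match; the previous `uid` parameter had the same mismatch, and the commit carried it over rather than fixing it. A portable form is `if (asprintf (&out, "%s:%lu:1:%s\n", user, (unsigned long) pwd->pw_uid, oldpass) < 0)`. This is in the body of save_old_pass, which begins and ends outside the hunk.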
diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h
index db3e6568..3f257288 100644
--- a/modules/pam_pwhistory/opasswd.h
+++ b/modules/pam_pwhistory/opasswd.h
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
+ * Copyright (c) 2013 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -36,10 +37,30 @@
#ifndef __OPASSWD_H__
#define __OPASSWD_H__
-extern int check_old_pass (pam_handle_t *pamh, const char *user,
- const char *newpass, int debug);
-extern int save_old_pass (pam_handle_t *pamh, const char *user,
- uid_t uid, const char *oldpass,
- int howmany, int debug);
+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#define SELINUX_ENABLED (is_selinux_enabled()>0)
+#else
+#define SELINUX_ENABLED 0
+#endif
+
+#ifdef HELPER_COMPILE
+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
+#else
+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
+#endif
+
+#ifdef HELPER_COMPILE
+void
+helper_log_err(int err, const char *format, ...);
+#endif
+
+PAMH_ARG_DECL(int
+check_old_pass, const char *user, const char *newpass, int debug);
+
+PAMH_ARG_DECL(int
+save_old_pass, const char *user, int howmany, int debug);
#endif /* __OPASSWD_H__ */
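Review bot: `#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT` reuses a real libpam return code as an internal "delegate to the helper" sentinel without saying so; a comment such as `/* Internal sentinel: the module must re-run the operation via pwhistory_helper. Never return this value to libpam. */` is needed so callers do not let it escape as a genuine credential error. Separately, `#include <selinux/selinux.h>` is pulled in whenever WITH_SELINUX is set, including in the HELPER_COMPILE build, while the `SELINUX_ENABLED` uses shown in opasswd.c sit under `#ifndef HELPER_COMPILE` and the helper's LDADD in Makefile.am does not add @LIBSELINUX@; guarding the include with `#if defined WITH_SELINUX && !defined HELPER_COMPILE` would keep the helper free of a header it does not use, as far as these hunks show. `__OPASSWD_H__` is a reserved identifier but predates this commit.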
diff --git a/modules/pam_pwhistory/pam_pwhistory.8 b/modules/pam_pwhistory/pam_pwhistory.8
index ba5c3235..bdbd6c8d 100644
--- a/modules/pam_pwhistory/pam_pwhistory.8
+++ b/modules/pam_pwhistory/pam_pwhistory.8
@@ -2,12 +2,12 @@
.\" Title: pam_pwhistory
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 06/08/2020
+.\" Date: 09/03/2021
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_PWHISTORY" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_PWHISTORY" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -50,7 +50,7 @@ Turns on debugging via
When password changing enforce the module to use the new password provided by a previously stacked
\fBpassword\fR
module (this is used in the example of the stacking of the
-\fBpam_cracklib\fR
+\fBpam_passwdqc\fR
module documented below)\&.
.RE
.PP
@@ -130,14 +130,14 @@ password required pam_unix\&.so use_authtok
.\}
.PP
In combination with
-\fBpam_cracklib\fR:
+\fBpam_passwdqc\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
#%PAM\-1\&.0
-password required pam_cracklib\&.so retry=3
+password required pam_passwdqc\&.so config=/etc/passwdqc\&.conf
password required pam_pwhistory\&.so use_authtok
password required pam_unix\&.so use_authtok
diff --git a/modules/pam_pwhistory/pam_pwhistory.8.xml b/modules/pam_pwhistory/pam_pwhistory.8.xml
index 9e1056b2..d88115c2 100644
--- a/modules/pam_pwhistory/pam_pwhistory.8.xml
+++ b/modules/pam_pwhistory/pam_pwhistory.8.xml
@@ -83,7 +83,7 @@
When password changing enforce the module to use the new password
provided by a previously stacked <option>password</option>
module (this is used in the example of the stacking of the
- <command>pam_cracklib</command> module documented below).
+ <command>pam_passwdqc</command> module documented below).
</para>
</listitem>
</varlistentry>
@@ -197,10 +197,10 @@ password required pam_unix.so use_authtok
</programlisting>
</para>
<para>
- In combination with <command>pam_cracklib</command>:
+ In combination with <command>pam_passwdqc</command>:
<programlisting>
#%PAM-1.0
-password required pam_cracklib.so retry=3
+password required pam_passwdqc.so config=/etc/passwdqc.conf
password required pam_pwhistory.so use_authtok
password required pam_unix.so use_authtok
</programlisting>
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index cf4fc078..ce2c21f5 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -3,6 +3,7 @@
*
* Copyright (c) 2008, 2012 Thorsten Kukuk
* Author: Thorsten Kukuk <kukuk@thkukuk.de>
+ * Copyright (c) 2013 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -46,10 +47,14 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
-#include <shadow.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <signal.h>
+#include <fcntl.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
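Review bot: The newly added `<sys/time.h>` and `<sys/resource.h>` includes have no visible use in the helper-spawning code this commit adds (no `setrlimit`/`gettimeofday` calls), so unless something outside the hunks needs them they appear to have been carried over from pam_unix and can be dropped. Conversely, the new `waitpid` loops test `errno`, so `<errno.h>` should be included explicitly if it is not already pulled in above this hunk.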
@@ -59,8 +64,6 @@
#include "opasswd.h"
#include "pam_inline.h"
-#define DEFAULT_BUFLEN 2048
-
struct options_t {
int debug;
int enforce_for_root;
@@ -105,14 +108,186 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
}
+static int
+run_save_helper(pam_handle_t *pamh, const char *user,
+ int howmany, int debug)
+{
+ int retval, child;
+ struct sigaction newsa, oldsa;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
+
+ child = fork();
+ if (child == 0)
+ {
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
+
+ if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD,
+ PAM_MODUTIL_PIPE_FD,
+ PAM_MODUTIL_PIPE_FD) < 0)
+ {
+ _exit(PAM_SYSTEM_ERR);
+ }
+
+ /* exec binary helper */
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+ args[0] = (char *)PWHISTORY_HELPER;
+ args[1] = (char *)"save";
+ args[2] = (char *)user;
+ DIAG_POP_IGNORE_CAST_QUAL;
+ if (asprintf(&args[3], "%d", howmany) < 0 ||
+ asprintf(&args[4], "%d", debug) < 0)
+ {
+ pam_syslog(pamh, LOG_ERR, "asprintf: %m");
+ _exit(PAM_SYSTEM_ERR);
+ }
+
+ execve(args[0], args, envp);
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %s: %m", args[0]);
+
+ _exit(PAM_SYSTEM_ERR);
+ }
+ else if (child > 0)
+ {
+ /* wait for child */
+ int rc = 0;
+ while ((rc = waitpid (child, &retval, 0)) == -1 &&
+ errno == EINTR);
+ if (rc < 0)
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save: waitpid: %m");
+ retval = PAM_SYSTEM_ERR;
+ }
+ else if (!WIFEXITED(retval))
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
+ retval = PAM_SYSTEM_ERR;
+ }
+ else
+ {
+ retval = WEXITSTATUS(retval);
+ }
+ }
+ else
+ {
+ pam_syslog(pamh, LOG_ERR, "fork failed: %m");
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
+
+ return retval;
+}
+
+static int
+run_check_helper(pam_handle_t *pamh, const char *user,
+ const char *newpass, int debug)
+{
+ int retval, child, fds[2];
+ struct sigaction newsa, oldsa;
+
+ /* create a pipe for the password */
+ if (pipe(fds) != 0)
+ return PAM_SYSTEM_ERR;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
+
+ child = fork();
+ if (child == 0)
+ {
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
+
+ /* reopen stdin as pipe */
+ if (dup2(fds[0], STDIN_FILENO) != STDIN_FILENO)
+ {
+ pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", "stdin");
+ _exit(PAM_SYSTEM_ERR);
+ }
-/* This module saves the current crypted password in /etc/security/opasswd
+ if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_IGNORE_FD,
+ PAM_MODUTIL_PIPE_FD,
+ PAM_MODUTIL_PIPE_FD) < 0)
+ {
+ _exit(PAM_SYSTEM_ERR);
+ }
+
+ /* exec binary helper */
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+ args[0] = (char *)PWHISTORY_HELPER;
+ args[1] = (char *)"check";
+ args[2] = (char *)user;
+ DIAG_POP_IGNORE_CAST_QUAL;
+ if (asprintf(&args[3], "%d", debug) < 0)
+ {
+ pam_syslog(pamh, LOG_ERR, "asprintf: %m");
+ _exit(PAM_SYSTEM_ERR);
+ }
+
+ execve(args[0], args, envp);
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %s: %m", args[0]);
+
+ _exit(PAM_SYSTEM_ERR);
+ }
+ else if (child > 0)
+ {
+ /* wait for child */
+ int rc = 0;
+ if (newpass == NULL)
+ newpass = "";
+
+ /* send the password to the child */
+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
+ {
+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
+ retval = PAM_SYSTEM_ERR;
+ }
+ newpass = NULL;
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
+ while ((rc = waitpid (child, &retval, 0)) == -1 &&
+ errno == EINTR);
+ if (rc < 0)
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check: waitpid: %m");
+ retval = PAM_SYSTEM_ERR;
+ }
+ else if (!WIFEXITED(retval))
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
+ retval = PAM_SYSTEM_ERR;
+ }
+ else
+ {
+ retval = WEXITSTATUS(retval);
+ }
+ }
+ else
+ {
+ pam_syslog(pamh, LOG_ERR, "fork failed: %m");
+ close(fds[0]);
+ close(fds[1]);
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
+
+ return retval;
+}
+
+/* This module saves the current hashed password in /etc/security/opasswd
and then compares the new password with all entries in this file. */
int
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- struct passwd *pwd;
const char *newpass;
const char *user;
int retval, tries;
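Review bot: In `run_check_helper` the failure of `write(fds[1], newpass, strlen(newpass)+1)` is lost: `retval` is set to `PAM_SYSTEM_ERR` but immediately overwritten by `waitpid(child, &retval, 0)`, so a failed or short write leaves only a syslog line and the module returns whatever exit status the helper produced after reading an empty or truncated password. Check the full length and carry the failure past the wait, e.g. `ssize_t len = (ssize_t)(strlen(newpass) + 1);`, `int write_failed = write(fds[1], newpass, len) != len;` and, after the exit-status handling, `if (write_failed) retval = PAM_SYSTEM_ERR;`. The child relies on `pam_modutil_sanitize_helper_fds` to close the pipe descriptors it does not need; if that function does not close descriptors above 2 in this tree, `fds[1]` should be closed explicitly before `execve`. `run_save_helper` has no write and is not affected; `pam_sm_chauthtok` continues beyond this hunk.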
@@ -148,31 +323,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
return PAM_SUCCESS;
}
- pwd = pam_modutil_getpwnam (pamh, user);
- if (pwd == NULL)
- return PAM_USER_UNKNOWN;
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
- ((pwd->pw_passwd[0] == '#') &&
- (pwd->pw_passwd[1] == '#') &&
- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
- {
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
- if (spw == NULL)
- return PAM_USER_UNKNOWN;
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
- options.remember, options.debug);
- if (retval != PAM_SUCCESS)
- return retval;
- }
- else
- {
- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
- options.remember, options.debug);
- if (retval != PAM_SUCCESS)
- return retval;
- }
+ if (retval != PAM_SUCCESS)
+ return retval;
newpass = NULL;
tries = 0;
@@ -201,8 +358,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
if (options.debug)
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
- if (check_old_pass (pamh, user, newpass,
- options.debug) != PAM_SUCCESS)
+ retval = check_old_pass (pamh, user, newpass, options.debug);
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
+ retval = run_check_helper(pamh, user, newpass, options.debug);
+
+ if (retval != PAM_SUCCESS)
{
if (getuid() || options.enforce_for_root ||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
diff --git a/modules/pam_pwhistory/pwhistory_helper.8 b/modules/pam_pwhistory/pwhistory_helper.8
new file mode 100644
index 00000000..684b5b02
--- /dev/null
+++ b/modules/pam_pwhistory/pwhistory_helper.8
@@ -0,0 +1,54 @@
+'\" t
+.\" Title: pwhistory_helper
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PWHISTORY_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pwhistory_helper \- Helper binary that transfers password hashes from passwd or shadow to opasswd
+.SH "SYNOPSIS"
+.HP \w'\fBpwhistory_helper\fR\ 'u
+\fBpwhistory_helper\fR [\&.\&.\&.]
+.SH "DESCRIPTION"
+.PP
+\fIpwhistory_helper\fR
+is a helper program for the
+\fIpam_pwhistory\fR
+module that transfers password hashes from passwd or shadow file to the opasswd file and checks a password supplied by user against the existing hashes in the opasswd file\&.
+.PP
+The purpose of the helper is to enable tighter confinement of login and password changing services\&. The helper is thus called only when SELinux is enabled on the system\&.
+.PP
+The interface of the helper \- command line options, and input/output data format are internal to the
+\fIpam_pwhistory\fR
+module and it should not be called directly from applications\&.
+.SH "SEE ALSO"
+.PP
+\fBpam_pwhistory\fR(8)
+.SH "AUTHOR"
+.PP
+Written by Tomas Mraz based on the code originally in
+\fIpam_pwhistory and pam_unix\fR
+modules\&.
diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml
new file mode 100644
index 00000000..a0301764
--- /dev/null
+++ b/modules/pam_pwhistory/pwhistory_helper.8.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pwhistory_helper">
+
+ <refmeta>
+ <refentrytitle>pwhistory_helper</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pwhistory_helper-name">
+ <refname>pwhistory_helper</refname>
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
+ <command>pwhistory_helper</command>
+ <arg choice="opt">
+ ...
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pwhistory_helper-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
+ from passwd or shadow file to the opasswd file and checks a password
+ supplied by user against the existing hashes in the opasswd file.
+ </para>
+
+ <para>
+ The purpose of the helper is to enable tighter confinement of
+ login and password changing services. The helper is thus called only
+ when SELinux is enabled on the system.
+ </para>
+
+ <para>
+ The interface of the helper - command line options, and input/output
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
+ module and it should not be called directly from applications.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-author'>
+ <title>AUTHOR</title>
+ <para>
+ Written by Tomas Mraz based on the code originally in
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
new file mode 100644
index 00000000..b08a14a7
--- /dev/null
+++ b/modules/pam_pwhistory/pwhistory_helper.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2013 Red Hat, Inc.
+ * Author: Tomas Mraz <tmraz@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+#include <security/_pam_types.h>
+#include <security/_pam_macros.h>
+#include <security/pam_modutil.h>
+#include "opasswd.h"
+#include "pam_inline.h"
+
+
+static int
+check_history(const char *user, const char *debug)
+{
+ char pass[PAM_MAX_RESP_SIZE + 1];
+ char *passwords[] = { pass };
+ int npass;
+ int dbg = atoi(debug); /* no need to be too fancy here */
+ int retval;
+
+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
+ npass = pam_read_passwords(STDIN_FILENO, 1, passwords);
+
+ if (npass != 1)
+ { /* is it a valid password? */
+ helper_log_err(LOG_DEBUG, "no password supplied");
+ return PAM_AUTHTOK_ERR;
+ }
+
+ retval = check_old_pass(user, pass, dbg);
+
+ memset(pass, '\0', PAM_MAX_RESP_SIZE); /* clear memory of the password */
+
+ return retval;
+}
+
+static int
+save_history(const char *user, const char *howmany, const char *debug)
+{
+ int num = atoi(howmany);
+ int dbg = atoi(debug); /* no need to be too fancy here */
+ int retval;
+
+ retval = save_old_pass(user, num, dbg);
+
+ return retval;
+}
+
+int
+main(int argc, char *argv[])
+{
+ const char *option;
+ const char *user;
+
+ /*
+ * we establish that this program is running with non-tty stdin.
+ * this is to discourage casual use.
+ */
+
+ if (isatty(STDIN_FILENO) || argc < 4)
+ {
+ fprintf(stderr,
+ "This binary is not designed for running in this way.\n");
+ return PAM_SYSTEM_ERR;
+ }
+
+ option = argv[1];
+ user = argv[2];
+
+ if (strcmp(option, "check") == 0 && argc == 4)
+ return check_history(user, argv[3]);
+ else if (strcmp(option, "save") == 0 && argc == 5)
+ return save_history(user, argv[3], argv[4]);
+
+ fprintf(stderr, "This binary is not designed for running in this way.\n");
+
+ return PAM_SYSTEM_ERR;
+}
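Review bot: The `memset(pass, '\0', PAM_MAX_RESP_SIZE)` at the end of `check_history` is a dead store on a local about to go out of scope, so the compiler may remove it, and it also skips the last byte of the `PAM_MAX_RESP_SIZE + 1` buffer. Use the overwrite helper from pam_inline.h, which is already included, `pam_overwrite_array(pass);`, or an equivalent that the optimizer cannot elide, if this tree predates that helper. `atoi` on `argv[3]`/`argv[4]` turns any malformed argument into 0 silently; since the only intended caller is the module itself this is tolerable, but a comment such as `/* arguments are generated by pam_pwhistory, never typed by a user */` should say so. Since it is not visible in this file, it is worth confirming that `check_old_pass`/`save_old_pass` in helper mode limit a non-root caller to its own account if the helper is installed set-uid.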