Diffstat (limited to 'modules/pam_time')
-rw-r--r-- | modules/pam_time/Makefile.am | 11 | ||||
-rw-r--r-- | modules/pam_time/Makefile.in | 67 | ||||
-rw-r--r-- | modules/pam_time/README | 3 | ||||
-rw-r--r-- | modules/pam_time/README.xml | 29 | ||||
-rw-r--r-- | modules/pam_time/pam_time.8 | 14 | ||||
-rw-r--r-- | modules/pam_time/pam_time.8.xml | 50 | ||||
-rw-r--r-- | modules/pam_time/pam_time.c | 27 | ||||
-rw-r--r-- | modules/pam_time/time.conf.5 | 8 | ||||
-rw-r--r-- | modules/pam_time/time.conf.5.xml | 23 | ||||
-rw-r--r-- | modules/pam_time/tst-pam_time-retval.c | 107 |
10 files changed, 250 insertions, 89 deletions
diff --git a/modules/pam_time/Makefile.am b/modules/pam_time/Makefile.am index 833d51a6..a71e6781 100644 --- a/modules/pam_time/Makefile.am +++ b/modules/pam_time/Makefile.am @@ -12,13 +12,17 @@ dist_man_MANS = time.conf.5 pam_time.8 endif XMLS = README.xml time.conf.5.xml pam_time.8.xml dist_check_SCRIPTS = tst-pam_time -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -28,6 +32,9 @@ pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la dist_secureconf_DATA = time.conf +check_PROGRAMS = tst-pam_time-retval +tst_pam_time_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_time/Makefile.in b/modules/pam_time/Makefile.in index 08d02d62..a1f0467c 100644 --- a/modules/pam_time/Makefile.in +++ b/modules/pam_time/Makefile.in @@ -94,6 +94,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_time-retval$(EXEEXT) subdir = modules/pam_time ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ 
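Review bot: In the first Makefile.am hunk (`@@ -12,13 +12,17 @@`), the `if HAVE_VENDORDIR` switch of `secureconfdir` has no comment explaining that the shipped time.conf now installs into the vendor directory while the module still prefers a copy under `$(SCONFIGDIR)`. On an upgraded host an older /etc/security/time.conf will therefore keep precedence, and later vendor changes to the time rules will not take effect until that file is removed or merged. I would add `# Default rules ship in the vendor directory; a time.conf in $(SCONFIGDIR) overrides them at run time.` above the conditional. Dropping `-DPAM_TIME_CONF=...` from `AM_CFLAGS` also makes pam_time.c depend on `SCONFIGDIR` and `VENDOR_SCONFIGDIR` being defined as string literals by a header that is not part of this diff, presumably config.h; that is worth confirming for both configurations.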
@@ -157,6 +158,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_time_retval_SOURCES = tst-pam_time-retval.c +tst_pam_time_retval_OBJECTS = tst-pam_time-retval.$(OBJEXT) +tst_pam_time_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -172,7 +176,8 @@ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/pam_time.Plo +am__depfiles_remade = ./$(DEPDIR)/pam_time.Plo \ + ./$(DEPDIR)/tst-pam_time-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -192,8 +197,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_time.c -DIST_SOURCES = pam_time.c +SOURCES = pam_time.c tst-pam_time-retval.c +DIST_SOURCES = pam_time.c tst-pam_time-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -431,6 +436,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +449,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ 
@@ -479,12 +487,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +517,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -517,12 +528,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ 
@@ -594,16 +609,18 @@ EXTRA_DIST = $(XMLS) @HAVE_DOC_TRUE@dist_man_MANS = time.conf.5 pam_time.8 XMLS = README.xml time.conf.5.xml pam_time.8.xml dist_check_SCRIPTS = tst-pam_time -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la dist_secureconf_DATA = time.conf +tst_pam_time_retval_LDADD = $(top_builddir)/libpam/libpam.la @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am @@ -639,6 +656,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ 
@@ -677,6 +703,10 @@ clean-securelibLTLIBRARIES: pam_time.la: $(pam_time_la_OBJECTS) $(pam_time_la_DEPENDENCIES) $(EXTRA_pam_time_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_time_la_OBJECTS) $(pam_time_la_LIBADD) $(LIBS) +tst-pam_time-retval$(EXEEXT): $(tst_pam_time_retval_OBJECTS) $(tst_pam_time_retval_DEPENDENCIES) $(EXTRA_tst_pam_time_retval_DEPENDENCIES) + @rm -f tst-pam_time-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_time_retval_OBJECTS) $(tst_pam_time_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -684,6 +714,7 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_time.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_time-retval.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -997,7 +1028,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: $(dist_check_SCRIPTS) +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1007,7 +1038,7 @@ check-TESTS: $(dist_check_SCRIPTS) log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all $(dist_check_SCRIPTS) +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ 
@@ -1025,6 +1056,13 @@ tst-pam_time.log: tst-pam_time --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_time-retval.log: tst-pam_time-retval$(EXEEXT) + @p='tst-pam_time-retval$(EXEEXT)'; \ + b='tst-pam_time-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1074,7 +1112,8 @@ distdir-am: $(DISTFILES) fi; \ done check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1119,11 +1158,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/pam_time.Plo + -rm -f ./$(DEPDIR)/tst-pam_time-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1171,6 +1211,7 @@ installcheck-am: maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/pam_time.Plo + -rm -f ./$(DEPDIR)/tst-pam_time-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic 
@@ -1195,7 +1236,7 @@ uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ - check-am clean clean-generic clean-libtool \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ diff --git a/modules/pam_time/README b/modules/pam_time/README index 9b20847c..2fa4c164 100644 --- a/modules/pam_time/README +++ b/modules/pam_time/README @@ -14,6 +14,9 @@ from which they are making their request. By default rules for time/port access are taken from config file /etc/security/ time.conf. An alternative file can be specified with the conffile option. +If there is no explicitly specified configuration file and /etc/security/ +time.conf does not exist, %vendordir%/security/time.conf is used. + If Linux PAM is compiled with audit support the module will report when it denies access. diff --git a/modules/pam_time/README.xml b/modules/pam_time/README.xml index 6c11eec1..8a2faa0b 100644 --- a/modules/pam_time/README.xml +++ b/modules/pam_time/README.xml 
@@ -1,34 +1,19 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamtime SYSTEM "pam_time.8.xml"> ---> -<!-- -<!ENTITY timeconf SYSTEM "time.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_time-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_time.8.xml" xpointer='xpointer(id("pam_time-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_time.8.xml" xpointer='xpointer(id("pam_time-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="time.conf.5.xml" xpointer='xpointer(id("time.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 index 28d84d75..48c7ffce 100644 --- a/modules/pam_time/pam_time.8 +++ b/modules/pam_time/pam_time.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_time .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIME" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_TIME" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -44,18 +44,18 @@ option\&. If Linux PAM is compiled with audit support the module will report when it denies access\&. .SH "OPTIONS" .PP -\fBconffile=/path/to/time\&.conf\fR +conffile=/path/to/time\&.conf .RS 4 Indicate an alternative time\&.conf style configuration file to override the default\&. .RE .PP -\fBdebug\fR +debug .RS 4 Some debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report logins at disallowed time to the audit subsystem\&. .RE diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml index 4708220c..1fa60a10 100644 --- a/modules/pam_time/pam_time.8.xml +++ b/modules/pam_time/pam_time.8.xml 
@@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_time'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_time"> <refmeta> <refentrytitle>pam_time</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_time-name'> + <refnamediv xml:id="pam_time-name"> <refname>pam_time</refname> <refpurpose> PAM module for time control access @@ -20,22 +17,22 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_time-cmdsynopsis"> + <cmdsynopsis xml:id="pam_time-cmdsynopsis" sepchar=" "> <command>pam_time.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conffile=conf-file </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_time-description"> + <refsect1 xml:id="pam_time-description"> <title>DESCRIPTION</title> <para> The pam_time PAM module does not authenticate the user, but instead 
@@ -51,19 +48,24 @@ <filename>/etc/security/time.conf</filename>. An alternative file can be specified with the <emphasis>conffile</emphasis> option. </para> + <para condition="with_vendordir"> + If there is no explicitly specified configuration file and + <filename>/etc/security/time.conf</filename> does not exist, + <filename>%vendordir%/security/time.conf</filename> is used. + </para> <para> If Linux PAM is compiled with audit support the module will report when it denies access. </para> </refsect1> - <refsect1 id="pam_time-options"> + <refsect1 xml:id="pam_time-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>conffile=/path/to/time.conf</option> + conffile=/path/to/time.conf </term> <listitem> <para> @@ -74,7 +76,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -86,7 +88,7 @@ <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -98,14 +100,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_time-types"> + <refsect1 xml:id="pam_time-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>account</option> type is provided. </para> </refsect1> - <refsect1 id="pam_time-return_values"> + <refsect1 xml:id="pam_time-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -151,11 +153,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_time-files"> + <refsect1 xml:id="pam_time-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/time.conf</filename></term> + <term>/etc/security/time.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -163,7 +165,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_time-examples'> + <refsect1 xml:id="pam_time-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 
@@ -174,7 +176,7 @@ login account required pam_time.so </programlisting> </refsect1> - <refsect1 id="pam_time-see_also"> + <refsect1 xml:id="pam_time-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -189,10 +191,10 @@ login account required pam_time.so </para> </refsect1> - <refsect1 id="pam_time-authors"> + <refsect1 xml:id="pam_time-authors"> <title>AUTHOR</title> <para> pam_time was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index 089ae22d..6b7adefc 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -33,6 +33,11 @@ #include <libaudit.h> #endif +#define PAM_TIME_CONF (SCONFIGDIR "/time.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PAM_TIME_CONF (VENDOR_SCONFIGDIR "/time.conf") +#endif + #define PAM_TIME_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ @@ -53,7 +58,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char ** { int ctrl = 0; - *conffile = PAM_TIME_CONF; + *conffile = NULL; /* step through arguments */ for (; argc-- > 0; ++argv) { const char *str; @@ -77,6 +82,20 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char ** } } + if (*conffile == NULL) { + *conffile = PAM_TIME_CONF; +#ifdef VENDOR_PAM_TIME_CONF + /* + * Check whether PAM_TIME_CONF file is available. + * If it does not exist, fall back to VENDOR_PAM_TIME_CONF file. + */ + struct stat buffer; + if (stat(*conffile, &buffer) != 0 && errno == ENOENT) { + *conffile = VENDOR_PAM_TIME_CONF; + } +#endif + } + return ctrl; } @@ -88,7 +107,7 @@ shift_buf(char *mem, int from) char *start = mem; while ((*mem = mem[from]) != '\0') ++mem; - memset(mem, '\0', PAM_TIME_BUFLEN - (mem - start)); + pam_overwrite_n(mem, PAM_TIME_BUFLEN - (mem - start)); return mem; } @@ -149,7 +168,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, if (i < 0) { pam_syslog(pamh, LOG_ERR, "error reading %s: %m", file); close(fd); - memset(*buf, 0, PAM_TIME_BUFLEN); + pam_overwrite_n(*buf, PAM_TIME_BUFLEN); _pam_drop(*buf); *state = STATE_EOF; return -1; 
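Review bot: In the `_pam_parse` hunk at `@@ -77,6 +82,20 @@`, the choice between PAM_TIME_CONF and VENDOR_PAM_TIME_CONF is made with `stat()` on the path, while the file itself is opened later by name outside this hunk, so the file that was checked and the file that is read are not guaranteed to be the same. Both directories are normally writable only by root, which makes this mainly a robustness concern, but trying to open PAM_TIME_CONF and falling back on ENOENT at that point would remove the window. Any other `stat()` failure keeps the /etc path, which looks intentional and deserves a comment such as `/* Only ENOENT selects the vendor file; any other error leaves the /etc path in place. */`. For an access-control module it would also help to record which rules file was chosen when the debug option is set, e.g. `pam_syslog(pamh, LOG_DEBUG, "using %s", *conffile);`. The function starts outside the hunk, and no `#include` is added for `struct stat` or `errno` in this diff, so presumably `<sys/stat.h>` and `<errno.h>` are already included.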
@@ -168,7 +187,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, return -1; } - memset(to, '\0', PAM_TIME_BUFLEN - (to - *buf)); + pam_overwrite_n(to, PAM_TIME_BUFLEN - (to - *buf)); to = *buf; onspace = 1; /* delete any leading spaces */ diff --git a/modules/pam_time/time.conf.5 b/modules/pam_time/time.conf.5 index 2dda8bee..c68dfa74 100644 --- a/modules/pam_time/time.conf.5 +++ b/modules/pam_time/time.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: time.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "TIME\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "TIME\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_time/time.conf.5.xml b/modules/pam_time/time.conf.5.xml index acbe2329..3fe263d5 100644 --- a/modules/pam_time/time.conf.5.xml +++ b/modules/pam_time/time.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="time.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="time.conf"> <refmeta> <refentrytitle>time.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> 
@@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_time module</refpurpose> </refnamediv> - <refsect1 id='time.conf-description'> + <refsect1 xml:id="time.conf-description"> <title>DESCRIPTION</title> <para> @@ -43,9 +40,9 @@ </para> <para> In words, each rule occupies a line, terminated with a newline - or the beginning of a comment; a '<emphasis remap='B'>#</emphasis>'. + or the beginning of a comment; a '<emphasis remap="B">#</emphasis>'. It contains four fields separated with semicolons, - '<emphasis remap='B'>;</emphasis>'. + '<emphasis remap="B">;</emphasis>'. </para> <para> @@ -107,7 +104,7 @@ </para> </refsect1> - <refsect1 id="time.conf-examples"> + <refsect1 xml:id="time.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -131,7 +128,7 @@ games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 </para> </refsect1> - <refsect1 id="time.conf-see_also"> + <refsect1 xml:id="time.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>, @@ -140,10 +137,10 @@ games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 </para> </refsect1> - <refsect1 id="time.conf-author"> + <refsect1 xml:id="time.conf-author"> <title>AUTHOR</title> <para> pam_time was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file
diff --git a/modules/pam_time/tst-pam_time-retval.c b/modules/pam_time/tst-pam_time-retval.c
new file mode 100644
index 00000000..281ac80d
--- /dev/null
+++ b/modules/pam_time/tst-pam_time-retval.c
@@ -0,0 +1,107 @@
+/*
+ * Check pam_time return values.
+ *
+ * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org>
+ * Copyright (c) 2022 Stefan Schubert <schubi@suse.de>
+ */
+
+#include "test_assert.h"
+
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <security/pam_appl.h>
+
+#define MODULE_NAME "pam_time"
+#define TEST_NAME "tst-" MODULE_NAME "-retval"
+
+static const char service_file[] = TEST_NAME ".service";
+static const char config_file[] = TEST_NAME ".conf";
+static struct pam_conv conv;
+
+int
+main(void)
+{
+ pam_handle_t *pamh = NULL;
+ FILE *fp;
+ char cwd[PATH_MAX];
+
+ ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd)));
+
+ /* PAM_USER_UNKNOWN */
+ ASSERT_NE(NULL, fp = fopen(service_file, "w"));
+ ASSERT_LT(0,
+ fprintf(fp, "#%%PAM-1.0\n"
+ "auth required %s/.libs/%s.so\n"
+ "account required %s/.libs/%s.so\n"
+ "password required %s/.libs/%s.so\n"
+ "session required %s/.libs/%s.so\n",
+ cwd, MODULE_NAME,
+ cwd, MODULE_NAME,
+ cwd, MODULE_NAME,
+ cwd, MODULE_NAME));
+ ASSERT_EQ(0, fclose(fp));
+
+ ASSERT_EQ(PAM_SUCCESS,
+ pam_start_confdir(service_file, "", &conv, ".", &pamh));
+ ASSERT_NE(NULL, pamh);
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0));
+ ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0));
+ ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
+ pamh = NULL;
+
+ ASSERT_NE(NULL, fp = fopen(config_file, "w"));
+ ASSERT_LT(0, fprintf(fp, "# only root can access %s\n"
+ "%s ; * ; !root ; !Al0000-2400\n",
+ service_file, service_file));
+ ASSERT_EQ(0, fclose(fp));
+
+ /* conffile= specifies an existing file */
+ ASSERT_NE(NULL, fp = fopen(service_file, "w"));
+ ASSERT_LT(0,
+ fprintf(fp, "#%%PAM-1.0\n"
+ "auth required %s/.libs/%s.so conffile=%s\n"
+ "account required 
%s/.libs/%s.so conffile=%s\n"
+ "password required %s/.libs/%s.so conffile=%s\n"
+ "session required %s/.libs/%s.so conffile=%s\n",
+ cwd, MODULE_NAME, config_file,
+ cwd, MODULE_NAME, config_file,
+ cwd, MODULE_NAME, config_file,
+ cwd, MODULE_NAME, config_file));
+ ASSERT_EQ(0, fclose(fp));
+
+ ASSERT_EQ(PAM_SUCCESS,
+ pam_start_confdir(service_file, "root", &conv, ".", &pamh));
+ ASSERT_NE(NULL, pamh);
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0));
+ ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0));
+ ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
+ pamh = NULL;
+
+ ASSERT_EQ(PAM_SUCCESS,
+ pam_start_confdir(service_file, "noone", &conv, ".", &pamh));
+ ASSERT_NE(NULL, pamh);
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0));
+ ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0));
+ ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0));
+ ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
+ pamh = NULL;
+
+ /* cleanup */
+ ASSERT_EQ(0, unlink(config_file));
+ ASSERT_EQ(0, unlink(service_file));
+
+ return 0;
+}
|
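Review bot: The new test never pins the config-file selection this commit adds. The only case without `conffile=` uses an empty user name and asserts PAM_USER_UNKNOWN, and both rule-evaluating cases pass `conffile=`, so neither the fallback from SCONFIGDIR to VENDOR_SCONFIGDIR in `_pam_parse` nor a `conffile=` that names a missing file has an assertion. A third case that points `conffile=` at a nonexistent path and asserts the `pam_acct_mgmt()` result would pin whether the module fails closed when its rules cannot be read. The `/* PAM_USER_UNKNOWN */` marker would read better as `/* no conffile=, empty user name: the account check must return PAM_USER_UNKNOWN */`. The service and config files use fixed names in the working directory and are unlinked only on the success path, so a failed ASSERT presumably leaves them behind, depending on how test_assert.h aborts.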