Diffstat (limited to 'modules/pam_xauth')
-rw-r--r--modules/pam_xauth/Makefile.am4
-rw-r--r--modules/pam_xauth/Makefile.in15
-rw-r--r--modules/pam_xauth/README.xml35
-rw-r--r--modules/pam_xauth/pam_xauth.818
-rw-r--r--modules/pam_xauth/pam_xauth.8.xml67
-rw-r--r--modules/pam_xauth/pam_xauth.c22
6 files changed, 85 insertions, 76 deletions
diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am
index 7c557706..bf736abe 100644
--- a/modules/pam_xauth/Makefile.am
+++ b/modules/pam_xauth/Makefile.am
@@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_xauth
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
+if HAVE_VENDORDIR
+secureconfdir = $(VENDOR_SCONFIGDIR)
+else
secureconfdir = $(SCONFIGDIR)
+endif
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
$(WARN_CFLAGS)
diff --git a/modules/pam_xauth/Makefile.in b/modules/pam_xauth/Makefile.in
index 4838634b..4d3a6b79 100644
--- a/modules/pam_xauth/Makefile.in
+++ b/modules/pam_xauth/Makefile.in
@@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
+DOCBOOK_RNG = @DOCBOOK_RNG@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@
EXE_CFLAGS = @EXE_CFLAGS@
EXE_LDFLAGS = @EXE_LDFLAGS@
FGREP = @FGREP@
+FILECMD = @FILECMD@
FO2PDF = @FO2PDF@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
+HTML_STYLESHEET = @HTML_STYLESHEET@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@
LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
+LOGIND_CFLAGS = @LOGIND_CFLAGS@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
+MAN_STYLESHEET = @MAN_STYLESHEET@
MKDIR_P = @MKDIR_P@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
@@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
+PDF_STYLESHEET = @PDF_STYLESHEET@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
@@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
-STRINGPARAM_HMAC = @STRINGPARAM_HMAC@
+STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@
STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@
STRIP = @STRIP@
+SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
+SYSTEMD_LIBS = @SYSTEMD_LIBS@
TIRPC_CFLAGS = @TIRPC_CFLAGS@
TIRPC_LIBS = @TIRPC_LIBS@
+TXT_STYLESHEET = @TXT_STYLESHEET@
USE_NLS = @USE_NLS@
+VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@
VERSION = @VERSION@
WARN_CFLAGS = @WARN_CFLAGS@
XGETTEXT = @XGETTEXT@
@@ -593,7 +603,8 @@ XMLS = README.xml pam_xauth.8.xml
dist_check_SCRIPTS = tst-pam_xauth
TESTS = $(dist_check_SCRIPTS)
securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR)
+@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
$(WARN_CFLAGS)
diff --git a/modules/pam_xauth/README.xml b/modules/pam_xauth/README.xml
index adefbd98..04fc2468 100644
--- a/modules/pam_xauth/README.xml
+++ b/modules/pam_xauth/README.xml
@@ -1,46 +1,31 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_xauth.8.xml">
--->
-]>
+<article xmlns="http://docbook.org/ns/docbook" version="5.0">
-<article>
-
- <articleinfo>
+ <info>
<title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_xauth.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_xauth-name"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-name")/*)'/>
</title>
- </articleinfo>
+ </info>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-description")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-options")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-examples")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-implementation"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-implementation")/*)'/>
</section>
<section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-author")/*)'/>
</section>
-</article>
+</article> \ No newline at end of file
diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8
index 90177fbc..e6f23c10 100644
--- a/modules/pam_xauth/pam_xauth.8
+++ b/modules/pam_xauth/pam_xauth.8
@@ -1,13 +1,13 @@
'\" t
.\" Title: pam_xauth
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/03/2021
+.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
+.\" Date: 05/07/2023
.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
+.\" Source: Linux-PAM
.\" Language: English
.\"
-.TH "PAM_XAUTH" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_XAUTH" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -76,12 +76,12 @@ Both the import and export files support wildcards (such as
\fI*\fR)\&. Both the import and export files can be empty, signifying that no users are allowed\&.
.SH "OPTIONS"
.PP
-\fBdebug\fR
+debug
.RS 4
Print debug information\&.
.RE
.PP
-\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR
+xauthpath=/path/to/xauth
.RS 4
Specify the path the xauth program (it is expected in
/usr/X11R6/bin/xauth,
@@ -90,12 +90,12 @@ Specify the path the xauth program (it is expected in
by default)\&.
.RE
.PP
-\fBsystemuser=\fR\fB\fIUID\fR\fR
+systemuser=UID
.RS 4
Specify the highest UID which will be assumed to belong to a "system" user\&. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\&.
.RE
.PP
-\fBtargetuser=\fR\fB\fIUID\fR\fR
+targetuser=UID
.RS 4
Specify a single target UID which is exempt from the systemuser check\&.
.RE
@@ -177,7 +177,7 @@ XXX
.PP
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
-\fBpam\fR(8)
+\fBpam\fR(7)
.SH "AUTHOR"
.PP
pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&.
diff --git a/modules/pam_xauth/pam_xauth.8.xml b/modules/pam_xauth/pam_xauth.8.xml
index 08c06cf8..214226ba 100644
--- a/modules/pam_xauth/pam_xauth.8.xml
+++ b/modules/pam_xauth/pam_xauth.8.xml
@@ -1,39 +1,36 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_xauth">
+<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_xauth">
<refmeta>
<refentrytitle>pam_xauth</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ <refmiscinfo class="source">Linux-PAM</refmiscinfo>
+ <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
</refmeta>
- <refnamediv id="pam_xauth-name">
+ <refnamediv xml:id="pam_xauth-name">
<refname>pam_xauth</refname>
<refpurpose>PAM module to forward xauth keys between users</refpurpose>
</refnamediv>
<refsynopsisdiv>
- <cmdsynopsis id="pam_xauth-cmdsynopsis">
+ <cmdsynopsis xml:id="pam_xauth-cmdsynopsis" sepchar=" ">
<command>pam_xauth.so</command>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
debug
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
xauthpath=<replaceable>/path/to/xauth</replaceable>
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
systemuser=<replaceable>UID</replaceable>
</arg>
- <arg choice="opt">
+ <arg choice="opt" rep="norepeat">
targetuser=<replaceable>UID</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
- <refsect1 id="pam_xauth-description">
+ <refsect1 xml:id="pam_xauth-description">
<title>DESCRIPTION</title>
<para>
The pam_xauth PAM module is designed to forward xauth keys
@@ -81,25 +78,25 @@
If a user has a <filename>.xauth/export</filename> file, the user will
only forward cookies to users listed in the file. If there is no
<filename>~/.xauth/export</filename> file, and the invoking user is
- not <emphasis remap='B'>root</emphasis>, the user will forward cookies
+ not <emphasis remap="B">root</emphasis>, the user will forward cookies
to any other user. If there is no <filename>~/.xauth/export</filename>
- file, and the invoking user is <emphasis remap='B'>root</emphasis>,
- the user will <emphasis remap='I'>not</emphasis> forward cookies to
+ file, and the invoking user is <emphasis remap="B">root</emphasis>,
+ the user will <emphasis remap="I">not</emphasis> forward cookies to
other users.
</para>
<para>
Both the import and export files support wildcards (such as
- <emphasis remap='I'>*</emphasis>). Both the import and export files
+ <emphasis remap="I">*</emphasis>). Both the import and export files
can be empty, signifying that no users are allowed.
</para>
</refsect1>
- <refsect1 id="pam_xauth-options">
+ <refsect1 xml:id="pam_xauth-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
- <option>debug</option>
+ debug
</term>
<listitem>
<para>
@@ -109,7 +106,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>xauthpath=<replaceable>/path/to/xauth</replaceable></option>
+ xauthpath=/path/to/xauth
</term>
<listitem>
<para>
@@ -122,7 +119,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>systemuser=<replaceable>UID</replaceable></option>
+ systemuser=UID
</term>
<listitem>
<para>
@@ -135,7 +132,7 @@
</varlistentry>
<varlistentry>
<term>
- <option>targetuser=<replaceable>UID</replaceable></option>
+ targetuser=UID
</term>
<listitem>
<para>
@@ -147,14 +144,14 @@
</variablelist>
</refsect1>
- <refsect1 id="pam_xauth-types">
+ <refsect1 xml:id="pam_xauth-types">
<title>MODULE TYPES PROVIDED</title>
<para>
- Only the <emphasis remap='B'>session</emphasis> type is provided.
+ Only the <emphasis remap="B">session</emphasis> type is provided.
</para>
</refsect1>
- <refsect1 id='pam_xauth-return_values'>
+ <refsect1 xml:id="pam_xauth-return_values">
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
@@ -205,7 +202,7 @@
</variablelist>
</refsect1>
- <refsect1 id='pam_xauth-examples'>
+ <refsect1 xml:id="pam_xauth-examples">
<title>EXAMPLES</title>
<para>
Add the following line to <filename>/etc/pam.d/su</filename> to
@@ -216,10 +213,10 @@ session optional pam_xauth.so
</para>
</refsect1>
- <refsect1 id="pam_xauth-implementation">
+ <refsect1 xml:id="pam_xauth-implementation">
<title>IMPLEMENTATION DETAILS</title>
<para>
- pam_xauth will work <emphasis remap='I'>only</emphasis> if it is
+ pam_xauth will work <emphasis remap="I">only</emphasis> if it is
used from a setuid application in which the
<function>getuid</function>() call returns the id of the user
running the application, and for which PAM can supply the name
@@ -247,17 +244,17 @@ session optional pam_xauth.so
</para>
</refsect1>
- <refsect1 id="pam_lastlog-files">
+ <refsect1 xml:id="pam_lastlog-files">
<title>FILES</title>
<variablelist>
<varlistentry>
- <term><filename>~/.xauth/import</filename></term>
+ <term>~/.xauth/import</term>
<listitem>
<para>XXX</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><filename>~/.xauth/export</filename></term>
+ <term>~/.xauth/export</term>
<listitem>
<para>XXX</para>
</listitem>
@@ -266,7 +263,7 @@ session optional pam_xauth.so
</refsect1>
- <refsect1 id='pam_xauth-see_also'>
+ <refsect1 xml:id="pam_xauth-see_also">
<title>SEE ALSO</title>
<para>
<citerefentry>
@@ -276,12 +273,12 @@ session optional pam_xauth.so
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
</citerefentry>
</para>
</refsect1>
- <refsect1 id='pam_xauth-author'>
+ <refsect1 xml:id="pam_xauth-author">
<title>AUTHOR</title>
<para>
pam_xauth was written by Nalin Dahyabhai &lt;nalin@redhat.com&gt;,
@@ -290,4 +287,4 @@ session optional pam_xauth.so
</para>
</refsect1>
-</refentry>
+</refentry> \ No newline at end of file
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index 03f8dc78..f3e2a40d 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -52,6 +52,7 @@
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
+#include <signal.h>
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
@@ -99,6 +100,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
char *buffer = NULL;
size_t buffer_size = 0;
va_list ap;
+ struct sigaction newsa, oldsa;
*output = NULL;
@@ -114,6 +116,17 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
return -1;
}
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) {
+ pam_syslog(pamh, LOG_ERR, "failed to reset SIGCHLD handler: %m");
+ close(ipipe[0]);
+ close(ipipe[1]);
+ close(opipe[0]);
+ close(opipe[1]);
+ return -1;
+ }
+
/* Fork off a child. */
child = fork();
if (child == -1) {
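Review bot: SIGCHLD is switched to SIG_DFL just before `fork()`, but the body of the `if (child == -1)` branch that follows lies outside this hunk, and the later hunks add `sigaction(SIGCHLD, &oldsa, NULL);` only on the two returns after `waitpid`. If the fork-failure branch returns without that call, the calling application is left with its SIGCHLD handler reset; the same restore line belongs there before its `return -1;`. Separately, the `memset` is relied on to clear `newsa.sa_mask`, and `sigemptyset(&newsa.sa_mask);` is the portable way to initialise it. Because signal dispositions are process-wide, a comment such as `/* SIGCHLD is SIG_DFL for the whole process until restored below */` would tell a later auditor that other threads of the host application are affected during this window.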
@@ -128,7 +141,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
if (child == 0) {
/* We're the child. */
size_t j;
- const char *args[10];
+ const char *args[10] = {};
/* Drop privileges. */
if (setgid(gid) == -1)
{
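Review bot: `const char *args[10] = {};` uses an empty initializer, which is a GNU extension before C23 and is diagnosed by ISO C99/C11 compilers in pedantic mode; `const char *args[10] = { NULL };` yields the same all-NULL array portably. The zeroing matters because the array is filled from the varargs list later in the child branch (outside this hunk) and presumably relies on a trailing NULL slot. It is worth confirming that the loop bound there still leaves the last element untouched.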
@@ -168,8 +181,6 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
PAM_MODUTIL_NULL_FD) < 0) {
_exit(1);
}
- /* Initialize the argument list. */
- memset(args, 0, sizeof(args));
/* Convert the varargs list into a regular array of strings. */
va_start(ap, command);
args[0] = command;
@@ -209,6 +220,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
}
close(opipe[0]);
waitpid(child, NULL, 0);
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
return -1;
}
/* Save the new buffer location, copy the newly-read data into
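Review bot: The result of `sigaction(SIGCHLD, &oldsa, NULL)` is discarded here and at the success return in the next hunk, so a failed restore would silently leave the application on SIG_DFL. It should be logged the way the setup path does, e.g. `if (sigaction(SIGCHLD, &oldsa, NULL) == -1) pam_syslog(pamh, LOG_ERR, "failed to restore SIGCHLD handler: %m");`. The `waitpid(child, NULL, 0)` on the preceding line also ignores its return value, so an interrupted wait would restore the handler with the child still unreaped. The read loop these lines belong to starts and ends outside the hunk.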
@@ -225,6 +237,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
close(opipe[0]);
*output = buffer;
waitpid(child, NULL, 0);
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
return 0;
}
@@ -549,9 +562,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
}
/* Allocate enough space to hold an adjusted name. */
tlen = strlen(display) + LINE_MAX + 1;
- t = malloc(tlen);
+ t = calloc(1, tlen);
if (t != NULL) {
- memset(t, 0, tlen);
if (gethostname(t, tlen - 1) != -1) {
/* Append the protocol and then the
* screen number. */