Diffstat (limited to 'modules')
-rw-r--r--modules/.cvsignore3
-rw-r--r--modules/Makefile.am16
-rw-r--r--modules/modules.map11
-rw-r--r--modules/pam_access/.cvsignore9
-rw-r--r--modules/pam_access/Makefile.am37
-rw-r--r--modules/pam_access/README.xml39
-rw-r--r--modules/pam_access/access.conf122
-rw-r--r--modules/pam_access/access.conf.5.xml203
-rw-r--r--modules/pam_access/pam_access.8.xml253
-rw-r--r--modules/pam_access/pam_access.c922
-rwxr-xr-xmodules/pam_access/tst-pam_access2
-rw-r--r--modules/pam_cracklib/.cvsignore8
-rw-r--r--modules/pam_cracklib/Makefile.am38
-rw-r--r--modules/pam_cracklib/README.xml41
-rw-r--r--modules/pam_cracklib/pam_cracklib.8.xml513
-rw-r--r--modules/pam_cracklib/pam_cracklib.c850
-rwxr-xr-xmodules/pam_cracklib/tst-pam_cracklib2
-rw-r--r--modules/pam_debug/.cvsignore8
-rw-r--r--modules/pam_debug/Makefile.am31
-rw-r--r--modules/pam_debug/README.xml41
-rw-r--r--modules/pam_debug/pam_debug.8.xml231
-rw-r--r--modules/pam_debug/pam_debug.c167
-rwxr-xr-xmodules/pam_debug/tst-pam_debug2
-rw-r--r--modules/pam_deny/.cvsignore8
-rw-r--r--modules/pam_deny/Makefile.am34
-rw-r--r--modules/pam_deny/README.xml36
-rw-r--r--modules/pam_deny/pam_deny.8.xml135
-rw-r--r--modules/pam_deny/pam_deny.c89
-rwxr-xr-xmodules/pam_deny/tst-pam_deny2
-rw-r--r--modules/pam_echo/.cvsignore8
-rw-r--r--modules/pam_echo/Makefile.am31
-rw-r--r--modules/pam_echo/README.xml36
-rw-r--r--modules/pam_echo/pam_echo.8.xml168
-rw-r--r--modules/pam_echo/pam_echo.c269
-rwxr-xr-xmodules/pam_echo/tst-pam_echo2
-rw-r--r--modules/pam_env/.cvsignore9
-rw-r--r--modules/pam_env/Makefile.am35
-rw-r--r--modules/pam_env/README.xml39
-rw-r--r--modules/pam_env/environment5
-rw-r--r--modules/pam_env/pam_env.8.xml206
-rw-r--r--modules/pam_env/pam_env.c832
-rw-r--r--modules/pam_env/pam_env.conf73
-rw-r--r--modules/pam_env/pam_env.conf.5.xml123
-rwxr-xr-xmodules/pam_env/tst-pam_env2
-rw-r--r--modules/pam_exec/.cvsignore8
-rw-r--r--modules/pam_exec/Makefile.am34
-rw-r--r--modules/pam_exec/README.xml41
-rw-r--r--modules/pam_exec/pam_exec.8.xml217
-rw-r--r--modules/pam_exec/pam_exec.c342
-rwxr-xr-xmodules/pam_exec/tst-pam_exec2
-rw-r--r--modules/pam_faildelay/.cvsignore8
-rw-r--r--modules/pam_faildelay/Makefile.am31
-rw-r--r--modules/pam_faildelay/README.xml41
-rw-r--r--modules/pam_faildelay/pam_faildelay.8.xml136
-rw-r--r--modules/pam_faildelay/pam_faildelay.c231
-rwxr-xr-xmodules/pam_faildelay/tst-pam_faildelay2
-rw-r--r--modules/pam_filter/.cvsignore9
-rw-r--r--modules/pam_filter/Makefile.am34
-rw-r--r--modules/pam_filter/README.xml41
-rw-r--r--modules/pam_filter/pam_filter.8.xml261
-rw-r--r--modules/pam_filter/pam_filter.c744
-rw-r--r--modules/pam_filter/pam_filter.h32
-rwxr-xr-xmodules/pam_filter/tst-pam_filter2
-rw-r--r--modules/pam_filter/upperLOWER/.cvsignore5
-rw-r--r--modules/pam_filter/upperLOWER/Makefile.am15
-rw-r--r--modules/pam_filter/upperLOWER/upperLOWER.c141
-rw-r--r--modules/pam_ftp/.cvsignore8
-rw-r--r--modules/pam_ftp/Makefile.am31
-rw-r--r--modules/pam_ftp/README.xml41
-rw-r--r--modules/pam_ftp/pam_ftp.8.xml183
-rw-r--r--modules/pam_ftp/pam_ftp.c235
-rwxr-xr-xmodules/pam_ftp/tst-pam_ftp2
-rw-r--r--modules/pam_group/.cvsignore9
-rw-r--r--modules/pam_group/Makefile.am34
-rw-r--r--modules/pam_group/README.xml34
-rw-r--r--modules/pam_group/group.conf99
-rw-r--r--modules/pam_group/group.conf.5.xml131
-rw-r--r--modules/pam_group/pam_group.8.xml162
-rw-r--r--modules/pam_group/pam_group.c842
-rwxr-xr-xmodules/pam_group/tst-pam_group2
-rw-r--r--modules/pam_issue/.cvsignore8
-rw-r--r--modules/pam_issue/Makefile.am31
-rw-r--r--modules/pam_issue/README.xml41
-rw-r--r--modules/pam_issue/pam_issue.8.xml234
-rw-r--r--modules/pam_issue/pam_issue.c310
-rwxr-xr-xmodules/pam_issue/tst-pam_issue2
-rw-r--r--modules/pam_keyinit/.cvsignore8
-rw-r--r--modules/pam_keyinit/Makefile.am33
-rw-r--r--modules/pam_keyinit/README.xml41
-rw-r--r--modules/pam_keyinit/pam_keyinit.8.xml241
-rw-r--r--modules/pam_keyinit/pam_keyinit.c269
-rwxr-xr-xmodules/pam_keyinit/tst-pam_keyinit2
-rw-r--r--modules/pam_lastlog/.cvsignore8
-rw-r--r--modules/pam_lastlog/Makefile.am31
-rw-r--r--modules/pam_lastlog/README.xml41
-rw-r--r--modules/pam_lastlog/pam_lastlog.8.xml231
-rw-r--r--modules/pam_lastlog/pam_lastlog.c452
-rwxr-xr-xmodules/pam_lastlog/tst-pam_lastlog2
-rw-r--r--modules/pam_limits/.cvsignore9
-rw-r--r--modules/pam_limits/Makefile.am38
-rw-r--r--modules/pam_limits/README.xml39
-rw-r--r--modules/pam_limits/limits.conf50
-rw-r--r--modules/pam_limits/limits.conf.5.xml287
-rw-r--r--modules/pam_limits/pam_limits.8.xml256
-rw-r--r--modules/pam_limits/pam_limits.c777
-rwxr-xr-xmodules/pam_limits/tst-pam_limits2
-rw-r--r--modules/pam_listfile/.cvsignore8
-rw-r--r--modules/pam_listfile/Makefile.am31
-rw-r--r--modules/pam_listfile/README.xml41
-rw-r--r--modules/pam_listfile/pam_listfile.8.xml297
-rw-r--r--modules/pam_listfile/pam_listfile.c462
-rwxr-xr-xmodules/pam_listfile/tst-pam_listfile2
-rw-r--r--modules/pam_localuser/.cvsignore10
-rw-r--r--modules/pam_localuser/Makefile.am31
-rw-r--r--modules/pam_localuser/README.xml41
-rw-r--r--modules/pam_localuser/pam_localuser.8.xml173
-rw-r--r--modules/pam_localuser/pam_localuser.c174
-rwxr-xr-xmodules/pam_localuser/tst-pam_localuser2
-rw-r--r--modules/pam_loginuid/.cvsignore9
-rw-r--r--modules/pam_loginuid/Makefile.am34
-rw-r--r--modules/pam_loginuid/README.xml36
-rw-r--r--modules/pam_loginuid/pam_loginuid.8.xml125
-rw-r--r--modules/pam_loginuid/pam_loginuid.c239
-rwxr-xr-xmodules/pam_loginuid/tst-pam_loginuid2
-rw-r--r--modules/pam_mail/.cvsignore8
-rw-r--r--modules/pam_mail/Makefile.am31
-rw-r--r--modules/pam_mail/README.xml41
-rw-r--r--modules/pam_mail/pam_mail.8.xml279
-rw-r--r--modules/pam_mail/pam_mail.c489
-rwxr-xr-xmodules/pam_mail/tst-pam_mail2
-rw-r--r--modules/pam_mkhomedir/.cvsignore8
-rw-r--r--modules/pam_mkhomedir/Makefile.am33
-rw-r--r--modules/pam_mkhomedir/README.xml36
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.8.xml203
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.c511
-rwxr-xr-xmodules/pam_mkhomedir/tst-pam_mkhomedir2
-rw-r--r--modules/pam_motd/.cvsignore8
-rw-r--r--modules/pam_motd/Makefile.am31
-rw-r--r--modules/pam_motd/README.xml41
-rw-r--r--modules/pam_motd/pam_motd.8.xml114
-rw-r--r--modules/pam_motd/pam_motd.c130
-rwxr-xr-xmodules/pam_motd/tst-pam_motd2
-rw-r--r--modules/pam_namespace/.cvsignore9
-rw-r--r--modules/pam_namespace/Makefile.am42
-rw-r--r--modules/pam_namespace/README.xml44
-rw-r--r--modules/pam_namespace/argv_parse.c165
-rw-r--r--modules/pam_namespace/argv_parse.h43
-rw-r--r--modules/pam_namespace/md5.c260
-rw-r--r--modules/pam_namespace/md5.h28
-rw-r--r--modules/pam_namespace/namespace.conf28
-rw-r--r--modules/pam_namespace/namespace.conf.5.xml210
-rwxr-xr-xmodules/pam_namespace/namespace.init24
-rw-r--r--modules/pam_namespace/pam_namespace.8.xml390
-rw-r--r--modules/pam_namespace/pam_namespace.c1907
-rw-r--r--modules/pam_namespace/pam_namespace.h168
-rwxr-xr-xmodules/pam_namespace/tst-pam_namespace2
-rw-r--r--modules/pam_nologin/.cvsignore8
-rw-r--r--modules/pam_nologin/Makefile.am31
-rw-r--r--modules/pam_nologin/README.xml46
-rw-r--r--modules/pam_nologin/pam_nologin.8.xml174
-rw-r--r--modules/pam_nologin/pam_nologin.c180
-rwxr-xr-xmodules/pam_nologin/tst-pam_nologin2
-rw-r--r--modules/pam_permit/.cvsignore8
-rw-r--r--modules/pam_permit/Makefile.am31
-rw-r--r--modules/pam_permit/README.xml41
-rw-r--r--modules/pam_permit/pam_permit.8.xml105
-rw-r--r--modules/pam_permit/pam_permit.c116
-rwxr-xr-xmodules/pam_permit/tst-pam_permit2
-rw-r--r--modules/pam_rhosts/.cvsignore8
-rw-r--r--modules/pam_rhosts/Makefile.am32
-rw-r--r--modules/pam_rhosts/README.xml41
-rw-r--r--modules/pam_rhosts/pam_rhosts.8.xml171
-rw-r--r--modules/pam_rhosts/pam_rhosts.c155
-rwxr-xr-xmodules/pam_rhosts/tst-pam_rhosts2
-rw-r--r--modules/pam_rootok/.cvsignore8
-rw-r--r--modules/pam_rootok/Makefile.am33
-rw-r--r--modules/pam_rootok/README.xml41
-rw-r--r--modules/pam_rootok/pam_rootok.8.xml130
-rw-r--r--modules/pam_rootok/pam_rootok.c106
-rwxr-xr-xmodules/pam_rootok/tst-pam_rootok2
-rw-r--r--modules/pam_securetty/.cvsignore8
-rw-r--r--modules/pam_securetty/Makefile.am30
-rw-r--r--modules/pam_securetty/README.xml41
-rw-r--r--modules/pam_securetty/pam_securetty.8.xml167
-rw-r--r--modules/pam_securetty/pam_securetty.c219
-rwxr-xr-xmodules/pam_securetty/tst-pam_securetty2
-rw-r--r--modules/pam_selinux/.cvsignore11
-rw-r--r--modules/pam_selinux/Makefile.am43
-rw-r--r--modules/pam_selinux/README.xml41
-rw-r--r--modules/pam_selinux/pam_selinux.8.xml220
-rw-r--r--modules/pam_selinux/pam_selinux.c720
-rw-r--r--modules/pam_selinux/pam_selinux_check.835
-rw-r--r--modules/pam_selinux/pam_selinux_check.c161
-rwxr-xr-xmodules/pam_selinux/tst-pam_selinux2
-rw-r--r--modules/pam_sepermit/.cvsignore10
-rw-r--r--modules/pam_sepermit/Makefile.am43
-rw-r--r--modules/pam_sepermit/README.xml41
-rw-r--r--modules/pam_sepermit/pam_sepermit.8.xml189
-rw-r--r--modules/pam_sepermit/pam_sepermit.c405
-rw-r--r--modules/pam_sepermit/sepermit.conf11
-rwxr-xr-xmodules/pam_sepermit/tst-pam_sepermit2
-rw-r--r--modules/pam_shells/.cvsignore8
-rw-r--r--modules/pam_shells/Makefile.am31
-rw-r--r--modules/pam_shells/README.xml41
-rw-r--r--modules/pam_shells/pam_shells.8.xml117
-rw-r--r--modules/pam_shells/pam_shells.c146
-rwxr-xr-xmodules/pam_shells/tst-pam_shells2
-rw-r--r--modules/pam_stress/.cvsignore6
-rw-r--r--modules/pam_stress/Makefile.am20
-rw-r--r--modules/pam_stress/README64
-rw-r--r--modules/pam_stress/pam_stress.c570
-rwxr-xr-xmodules/pam_stress/tst-pam_stress2
-rw-r--r--modules/pam_succeed_if/.cvsignore10
-rw-r--r--modules/pam_succeed_if/Makefile.am31
-rw-r--r--modules/pam_succeed_if/README.xml41
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.8.xml297
-rw-r--r--modules/pam_succeed_if/pam_succeed_if.c552
-rwxr-xr-xmodules/pam_succeed_if/tst-pam_succeed_if2
-rw-r--r--modules/pam_tally/.cvsignore9
-rw-r--r--modules/pam_tally/Makefile.am36
-rw-r--r--modules/pam_tally/README.xml41
-rw-r--r--modules/pam_tally/faillog.h55
-rw-r--r--modules/pam_tally/pam_tally.8.xml427
-rw-r--r--modules/pam_tally/pam_tally.c867
-rw-r--r--modules/pam_tally/pam_tally_app.c7
-rwxr-xr-xmodules/pam_tally/tst-pam_tally2
-rw-r--r--modules/pam_time/.cvsignore9
-rw-r--r--modules/pam_time/Makefile.am32
-rw-r--r--modules/pam_time/README.xml34
-rw-r--r--modules/pam_time/pam_time.8.xml183
-rw-r--r--modules/pam_time/pam_time.c687
-rw-r--r--modules/pam_time/time.conf65
-rw-r--r--modules/pam_time/time.conf.5.xml143
-rwxr-xr-xmodules/pam_time/tst-pam_time2
-rw-r--r--modules/pam_tty_audit/.cvsignore8
-rw-r--r--modules/pam_tty_audit/Makefile.am30
-rw-r--r--modules/pam_tty_audit/README.xml41
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8.xml145
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.c346
-rw-r--r--modules/pam_umask/.cvsignore10
-rw-r--r--modules/pam_umask/Makefile.am32
-rw-r--r--modules/pam_umask/README.xml41
-rw-r--r--modules/pam_umask/pam_umask.8.xml220
-rw-r--r--modules/pam_umask/pam_umask.c319
-rwxr-xr-xmodules/pam_umask/tst-pam_umask2
-rw-r--r--modules/pam_unix/.cvsignore14
-rw-r--r--modules/pam_unix/CHANGELOG55
-rw-r--r--modules/pam_unix/Makefile.am69
-rw-r--r--modules/pam_unix/README.xml41
-rw-r--r--modules/pam_unix/bigcrypt.c148
-rw-r--r--modules/pam_unix/bigcrypt.h1
-rw-r--r--modules/pam_unix/bigcrypt_main.c18
-rw-r--r--modules/pam_unix/lckpwdf.-c142
-rw-r--r--modules/pam_unix/md5.c256
-rw-r--r--modules/pam_unix/md5.h31
-rw-r--r--modules/pam_unix/md5_broken.c4
-rw-r--r--modules/pam_unix/md5_crypt.c154
-rw-r--r--modules/pam_unix/md5_good.c5
-rw-r--r--modules/pam_unix/pam_unix.8.xml379
-rw-r--r--modules/pam_unix/pam_unix_acct.c297
-rw-r--r--modules/pam_unix/pam_unix_auth.c229
-rw-r--r--modules/pam_unix/pam_unix_passwd.c802
-rw-r--r--modules/pam_unix/pam_unix_sess.c143
-rw-r--r--modules/pam_unix/passverify.c1129
-rw-r--r--modules/pam_unix/passverify.h124
-rw-r--r--modules/pam_unix/support.c893
-rw-r--r--modules/pam_unix/support.h162
-rwxr-xr-xmodules/pam_unix/tst-pam_unix2
-rw-r--r--modules/pam_unix/unix_chkpwd.8.xml67
-rw-r--r--modules/pam_unix/unix_chkpwd.c184
-rw-r--r--modules/pam_unix/unix_update.8.xml67
-rw-r--r--modules/pam_unix/unix_update.c187
-rw-r--r--modules/pam_unix/yppasswd.h51
-rw-r--r--modules/pam_unix/yppasswd_xdr.c38
-rw-r--r--modules/pam_userdb/.cvsignore8
-rw-r--r--modules/pam_userdb/Makefile.am34
-rw-r--r--modules/pam_userdb/README.xml41
-rw-r--r--modules/pam_userdb/create.pl23
-rw-r--r--modules/pam_userdb/pam_userdb.8.xml292
-rw-r--r--modules/pam_userdb/pam_userdb.c517
-rw-r--r--modules/pam_userdb/pam_userdb.h62
-rwxr-xr-xmodules/pam_userdb/tst-pam_userdb2
-rw-r--r--modules/pam_warn/.cvsignore8
-rw-r--r--modules/pam_warn/Makefile.am31
-rw-r--r--modules/pam_warn/README.xml41
-rw-r--r--modules/pam_warn/pam_warn.8.xml104
-rw-r--r--modules/pam_warn/pam_warn.c123
-rwxr-xr-xmodules/pam_warn/tst-pam_warn2
-rw-r--r--modules/pam_wheel/.cvsignore8
-rw-r--r--modules/pam_wheel/Makefile.am31
-rw-r--r--modules/pam_wheel/README.xml41
-rw-r--r--modules/pam_wheel/pam_wheel.8.xml242
-rw-r--r--modules/pam_wheel/pam_wheel.c316
-rwxr-xr-xmodules/pam_wheel/tst-pam_wheel2
-rw-r--r--modules/pam_xauth/.cvsignore10
-rw-r--r--modules/pam_xauth/Makefile.am31
-rw-r--r--modules/pam_xauth/README.xml46
-rw-r--r--modules/pam_xauth/pam_xauth.8.xml293
-rw-r--r--modules/pam_xauth/pam_xauth.c686
-rwxr-xr-xmodules/pam_xauth/tst-pam_xauth2
300 files changed, 0 insertions, 38625 deletions
diff --git a/modules/.cvsignore b/modules/.cvsignore
deleted file mode 100644
index 0615b487..00000000
--- a/modules/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*~
-Makefile
-Makefile.in
diff --git a/modules/Makefile.am b/modules/Makefile.am
deleted file mode 100644
index c79f5957..00000000
--- a/modules/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
-#
-
-SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
- pam_env pam_filter pam_ftp pam_group pam_issue pam_keyinit \
- pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \
- pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \
- pam_securetty pam_selinux pam_sepermit pam_shells pam_stress \
- pam_succeed_if pam_tally pam_time pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth pam_exec \
- pam_namespace pam_loginuid pam_faildelay
-
-CLEANFILES = *~
-
-EXTRA_DIST = modules.map
diff --git a/modules/modules.map b/modules/modules.map
deleted file mode 100644
index 2234aa40..00000000
--- a/modules/modules.map
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- global:
- pam_sm_acct_mgmt;
- pam_sm_authenticate;
- pam_sm_chauthtok;
- pam_sm_close_session;
- pam_sm_open_session;
- pam_sm_setcred;
- local: *;
-};
-
diff --git a/modules/pam_access/.cvsignore b/modules/pam_access/.cvsignore
deleted file mode 100644
index 6e648372..00000000
--- a/modules/pam_access/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-access.conf.5
-pam_access.8
diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am
deleted file mode 100644
index 9b58e81e..00000000
--- a/modules/pam_access/Makefile.am
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access
-
-man_MANS = access.conf.5 pam_access.8
-
-XMLS = README.xml access.conf.5.xml pam_access.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_access.la
-pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBNSL@
-
-secureconf_DATA = access.conf
-
-if ENABLE_REGENERATE_MAN
-
-noinst_DATA = README
-
-README: pam_access.8.xml access.conf.5.xml
-
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_access
diff --git a/modules/pam_access/README.xml b/modules/pam_access/README.xml
deleted file mode 100644
index 8c7d078b..00000000
--- a/modules/pam_access/README.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_access.8.xml">
--->
-<!--
-<!ENTITY accessconf SYSTEM "access.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_access.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_access-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
deleted file mode 100644
index 74c5fbe8..00000000
--- a/modules/pam_access/access.conf
+++ /dev/null
@@ -1,122 +0,0 @@
-# Login access control table.
-#
-# Comment line must start with "#", no space at front.
-# Order of lines is important.
-#
-# When someone logs in, the table is scanned for the first entry that
-# matches the (user, host) combination, or, in case of non-networked
-# logins, the first entry that matches the (user, tty) combination. The
-# permissions field of that table entry determines whether the login will
-# be accepted or refused.
-#
-# Format of the login access control table is three fields separated by a
-# ":" character:
-#
-# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
-# module, you can change the field separation character to be
-# '|'. This is useful for configurations where you are trying to use
-# pam_access with X applications that provide PAM_TTY values that are
-# the display variable like "host:0".]
-#
-# permission : users : origins
-#
-# The first field should be a "+" (access granted) or "-" (access denied)
-# character.
-#
-# The second field should be a list of one or more login names, group
-# names, or ALL (always matches). A pattern of the form user@host is
-# matched when the login name matches the "user" part, and when the
-# "host" part matches the local machine name.
-#
-# The third field should be a list of one or more tty names (for
-# non-networked logins), host names, domain names (begin with "."), host
-# addresses, internet network numbers (end with "."), ALL (always
-# matches), NONE (matches no tty on non-networked logins) or
-# LOCAL (matches any string that does not contain a "." character).
-#
-# You can use @netgroupname in host or user patterns; this even works
-# for @usergroup@@hostgroup patterns.
-#
-# The EXCEPT operator makes it possible to write very compact rules.
-#
-# The group file is searched only when a name does not match that of the
-# logged-in user. Both the user's primary group is matched, as well as
-# groups in which users are explicitly listed.
-# To avoid problems with accounts, which have the same name as a group,
-# you can use brackets around group names '(group)' to differentiate.
-# In this case, you should also set the "nodefgroup" option.
-#
-# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
-# "/dev" (e.g. tty1 or vc/1)
-#
-##############################################################################
-#
-# Disallow non-root logins on tty1
-#
-#-:ALL EXCEPT root:tty1
-#
-# Disallow console logins to all but a few accounts.
-#
-#-:ALL EXCEPT wheel shutdown sync:LOCAL
-#
-# Same, but make sure that really the group wheel and not the user
-# wheel is used (use nodefgroup argument, too):
-#
-#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
-#
-# Disallow non-local logins to privileged accounts (group wheel).
-#
-#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
-#
-# Some accounts are not allowed to login from anywhere:
-#
-#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
-#
-# All other accounts are allowed to login from anywhere.
-#
-##############################################################################
-# All lines from here up to the end are building a more complex example.
-##############################################################################
-#
-# User "root" should be allowed to get access via cron .. tty5 tty6.
-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
-#
-# User "root" should be allowed to get access from hosts with ip addresses.
-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
-#+ : root : 127.0.0.1
-#
-# User "root" should get access from network 192.168.201.
-# This term will be evaluated by string matching.
-# comment: It might be better to use network/netmask instead.
-# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
-#+ : root : 192.168.201.
-#
-# User "root" should be able to have access from domain.
-# Uses string matching also.
-#+ : root : .foo.bar.org
-#
-# User "root" should be denied to get access from all other sources.
-#- : root : ALL
-#
-# User "foo" and members of netgroup "nis_group" should be
-# allowed to get access from all sources.
-# This will only work if netgroup service is available.
-#+ : @nis_group foo : ALL
-#
-# User "john" should get access from ipv4 net/mask
-#+ : john : 127.0.0.0/24
-#
-# User "john" should get access from ipv4 as ipv6 net/mask
-#+ : john : ::ffff:127.0.0.0/127
-#
-# User "john" should get access from ipv6 host address
-#+ : john : 2001:4ca0:0:101::1
-#
-# User "john" should get access from ipv6 host address (same as above)
-#+ : john : 2001:4ca0:0:101:0:0:0:1
-#
-# User "john" should get access from ipv6 net/mask
-#+ : john : 2001:4ca0:0:101::/64
-#
-# All other users should be denied to get access from all sources.
-#- : ALL : ALL
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
deleted file mode 100644
index f8eb7a4e..00000000
--- a/modules/pam_access/access.conf.5.xml
+++ /dev/null
@@ -1,203 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
- "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-
-<refentry id="access.conf">
-
- <refmeta>
- <refentrytitle>access.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname>access.conf</refname>
- <refpurpose>the login access control table file</refpurpose>
- </refnamediv>
-
-
- <refsect1 id='access.conf-description'>
- <title>DESCRIPTION</title>
- <para>
- The <filename>/etc/security/access.conf</filename> file specifies
- (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
- (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
- (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
- combinations for which a login will be either accepted or refused.
- </para>
- <para>
- When someone logs in, the file <filename>access.conf</filename> is
- scanned for the first entry that matches the
- (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or
- (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>)
- combination, or, in case of non-networked logins, the first entry
- that matches the
- (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
- combination. The permissions field of that table entry determines
- whether the login will be accepted or refused.
- </para>
-
- <para>
- Each line of the login access control table has three fields separated
- by a ":" character (colon):
- </para>
-
- <para>
- <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable>
- </para>
-
-
- <para>
- The first field, the <replaceable>permission</replaceable> field, can be either a
- "<emphasis>+</emphasis>" character (plus) for access granted or a
- "<emphasis>-</emphasis>" character (minus) for access denied.
- </para>
-
- <para>
- The second field, the
- <replaceable>users</replaceable>/<replaceable>group</replaceable>
- field, should be a list of one or more login names, group names, or
- <emphasis>ALL</emphasis> (which always matches). To differentiate
- user entries from group entries, group entries should be written
- with brackets, e.g. <emphasis>(group)</emphasis>.
- </para>
-
- <para>
- The third field, the <replaceable>origins</replaceable>
- field, should be a list of one or more tty names (for non-networked
- logins), host names, domain names (begin with "."), host addresses,
- internet network numbers (end with "."), internet network addresses
- with network mask (where network mask can be a decimal number or an
- internet address also), <emphasis>ALL</emphasis> (which always matches)
- or <emphasis>LOCAL</emphasis> (which matches any string that does not
- contain a "." character). If supported by the system you can use
- <emphasis>@netgroupname</emphasis> in host or user patterns.
- </para>
-
- <para>
- The <replaceable>EXCEPT</replaceable> operator makes it possible to
- write very compact rules.
- </para>
-
- <para>
- If the <option>nodefgroup</option> is not set, the group file
- is searched when a name does not match that of the logged-in
- user. Only groups are matched in which users are explicitly listed.
- However the PAM module does not look at the primary group id of a user.
- </para>
-
-
- <para>
- The "<emphasis>#</emphasis>" character at start of line (no space
- at front) can be used to mark this line as a comment line.
- </para>
-
- </refsect1>
-
- <refsect1 id="access.conf-examples">
- <title>EXAMPLES</title>
- <para>
- These are some example lines which might be specified in
- <filename>/etc/security/access.conf</filename>.
- </para>
-
- <para>
- User <emphasis>root</emphasis> should be allowed to get access via
- <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>,
- <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
- <emphasis>tty6</emphasis>.
- </para>
- <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
-
- <para>
- User <emphasis>root</emphasis> should be allowed to get access from
- hosts which own the IPv4 addresses. This does not mean that the
- connection have to be a IPv4 one, a IPv6 connection from a host with
- one of this IPv4 addresses does work, too.
- </para>
- <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para>
- <para>+ : root : 127.0.0.1</para>
-
- <para>
- User <emphasis>root</emphasis> should get access from network
- <literal>192.168.201.</literal> where the term will be evaluated by
- string matching. But it might be better to use network/netmask instead.
- The same meaning of <literal>192.168.201.</literal> is
- <emphasis>192.168.201.0/24</emphasis> or
- <emphasis>192.168.201.0/255.255.255.0</emphasis>.
- </para>
- <para>+ : root : 192.168.201.</para>
-
- <para>
- User <emphasis>root</emphasis> should be able to have access from hosts
- <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
- (uses string matching also).
- </para>
- <para>+ : root : foo1.bar.org foo2.bar.org</para>
-
- <para>
- User <emphasis>root</emphasis> should be able to have access from
- domain <emphasis>foo.bar.org</emphasis> (uses string matching also).
- </para>
- <para>+ : root : .foo.bar.org</para>
-
- <para>
- User <emphasis>root</emphasis> should be denied to get access
- from all other sources.
- </para>
- <para>- : root : ALL</para>
-
- <para>
- User <emphasis>foo</emphasis> and members of netgroup
- <emphasis>admins</emphasis> should be allowed to get access
- from all sources. This will only work if netgroup service is available.
- </para>
- <para>+ : @admins foo : ALL</para>
-
- <para>
- User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
- should get access from IPv6 host address.
- </para>
- <para>+ : john foo : 2001:4ca0:0:101::1</para>
-
- <para>
- User <emphasis>john</emphasis> should get access from IPv6 net/mask.
- </para>
- <para>+ : john : 2001:4ca0:0:101::/64</para>
-
- <para>
- Disallow console logins to all but the shutdown, sync and all
- other accounts, which are a member of the wheel group.
- </para>
- <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para>
-
- <para>
- All other users should be denied to get access from all sources.
- </para>
- <para>- : ALL : ALL</para>
-
- </refsect1>
-
- <refsect1 id="access.conf-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id="access.conf-author">
- <title>AUTHORS</title>
- <para>
- Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- manual was provided by Guido van Rooij which was renamed to
- <citerefentry><refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- to reflect relation to default config file.
- </para>
- <para>
- Network address / netmask description and example text was
- introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
deleted file mode 100644
index 21970d49..00000000
--- a/modules/pam_access/pam_access.8.xml
+++ /dev/null
@@ -1,253 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_access'>
-
- <refmeta>
- <refentrytitle>pam_access</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_access-name'>
- <refname>pam_access</refname>
- <refpurpose>
- PAM module for logdaemon style login access control
- </refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_access-cmdsynopsis">
- <command>pam_access.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- nodefgroup
- </arg>
- <arg choice="opt">
- noaudit
- </arg>
- <arg choice="opt">
- accessfile=<replaceable>file</replaceable>
- </arg>
- <arg choice="opt">
- fieldsep=<replaceable>sep</replaceable>
- </arg>
- <arg choice="opt">
- listsep=<replaceable>sep</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-
- <refsect1 id="pam_access-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_access PAM module is mainly for access management.
- It provides logdaemon style login access control based on login
- names, host or domain names, internet addresses or network numbers,
- or on terminal line names in case of non-networked logins.
- </para>
- <para>
- By default rules for access management are taken from config file
- <filename>/etc/security/access.conf</filename> if you don't specify
- another file.
- </para>
- <para>
- If Linux PAM is compiled with audit support the module will report
- when it denies access based on origin (host or tty).
- </para>
- </refsect1>
-
- <refsect1 id="pam_access-options">
- <title>OPTIONS</title>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>accessfile=<replaceable>/path/to/access.conf</replaceable></option>
- </term>
- <listitem>
- <para>
- Indicate an alternative <filename>access.conf</filename>
- style configuration file to override the default. This can
- be useful when different services need different access lists.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- A lot of debug informations are printed with
- <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>noaudit</option>
- </term>
- <listitem>
- <para>
- Do not report logins from disallowed hosts and ttys to the audit subsystem.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>fieldsep=<replaceable>separators</replaceable></option>
- </term>
- <listitem>
- <para>
- This option modifies the field separator character that
- pam_access will recognize when parsing the access
- configuration file. For example:
- <emphasis remap='B'>fieldsep=|</emphasis> will cause the
- default `:' character to be treated as part of a field value
- and `|' becomes the field separator. Doing this may be
- useful in conjuction with a system that wants to use
- pam_access with X based applications, since the
- <emphasis remap='B'>PAM_TTY</emphasis> item is likely to be
- of the form "hostname:0" which includes a `:' character in
- its value. But you should not need this.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>listsep=<replaceable>separators</replaceable></option>
- </term>
- <listitem>
- <para>
- This option modifies the list separator character that
- pam_access will recognize when parsing the access
- configuration file. For example:
- <emphasis remap='B'>listsep=,</emphasis> will cause the
- default ` ' (space) and `\t' (tab) characters to be treated
- as part of a list element value and `,' becomes the only
- list element separator. Doing this may be useful on a system
- with group information obtained from a Windows domain,
- where the default built-in groups "Domain Users",
- "Domain Admins" contain a space.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>nodefgroup</option>
- </term>
- <listitem>
- <para>
- The group database will not be used for tokens not
- identified as account name.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_access-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- All services are supported.
- </para>
- </refsect1>
-
- <refsect1 id="pam_access-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Access was granted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_PERM_DENIED</term>
- <listitem>
- <para>
- Access was not granted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- <function>pam_setcred</function> was called which does nothing.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Not all relevant data or options could be gotten.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- The user is not known to the system.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_access-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/security/access.conf</filename></term>
- <listitem>
- <para>Default configuration file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_access-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_access-authors">
- <title>AUTHORS</title>
- <para>
- The logdaemon style login access control scheme was designed and implemented by
- Wietse Venema.
- The pam_access PAM module was developed by
- Alexei Nogin &lt;alexei@nogin.dnttm.ru&gt;.
- The IPv6 support and the network(address) / netmask feature
- was developed and provided by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
deleted file mode 100644
index edb8fb0a..00000000
--- a/modules/pam_access/pam_access.c
+++ /dev/null
@@ -1,922 +0,0 @@
-/* pam_access module */
-
-/*
- * Written by Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15
- * (I took login_access from logdaemon-5.6 and converted it to PAM
- * using parts of pam_time code.)
- *
- ************************************************************************
- * Copyright message from logdaemon-5.6 (original file name DISCLAIMER)
- ************************************************************************
- * Copyright 1995 by Wietse Venema. All rights reserved. Individual files
- * may be covered by other copyrights (as noted in the file itself.)
- *
- * This material was originally written and compiled by Wietse Venema at
- * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
- * 1992, 1993, 1994 and 1995.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this entire copyright notice is duplicated in all such
- * copies.
- *
- * This software is provided "as is" and without any expressed or implied
- * warranties, including, without limitation, the implied warranties of
- * merchantibility and fitness for any particular purpose.
- *************************************************************************
- */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <stdarg.h>
-#include <syslog.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <pwd.h>
-#include <grp.h>
-#include <errno.h>
-#include <ctype.h>
-#include <sys/utsname.h>
-#include <rpcsvc/ypclnt.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <sys/socket.h>
-
-#ifdef HAVE_LIBAUDIT
-#include <libaudit.h>
-#endif
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */
-
- /*
- * This module implements a simple but effective form of login access
- * control based on login names and on host (or domain) names, internet
- * addresses (or network numbers), or on terminal line names in case of
- * non-networked logins. Diagnostics are reported through syslog(3).
- *
- * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
- */
-
-#if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
-#undef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 256
-#endif
-
- /* Delimiters for fields and for lists of users, ttys or hosts. */
-
-
-#define ALL 2
-#define YES 1
-#define NO 0
-
- /*
- * A structure to bundle up all login-related information to keep the
- * functional interfaces as generic as possible.
- */
-struct login_info {
- const struct passwd *user;
- const char *from;
- const char *config_file;
- int debug; /* Print debugging messages. */
- int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
- int noaudit; /* Do not audit denials */
- const char *fs; /* field separator */
- const char *sep; /* list-element separator */
-};
-
-/* Parse module config arguments */
-
-static int
-parse_args(pam_handle_t *pamh, struct login_info *loginfo,
- int argc, const char **argv)
-{
- int i;
-
- loginfo->noaudit = NO;
- loginfo->debug = NO;
- loginfo->only_new_group_syntax = NO;
- loginfo->fs = ":";
- loginfo->sep = ", \t";
- for (i=0; i<argc; ++i) {
- if (!strncmp("fieldsep=", argv[i], 9)) {
-
- /* the admin wants to override the default field separators */
- loginfo->fs = argv[i]+9;
-
- } else if (!strncmp("listsep=", argv[i], 8)) {
-
- /* the admin wants to override the default list separators */
- loginfo->sep = argv[i]+8;
-
- } else if (!strncmp("accessfile=", argv[i], 11)) {
- FILE *fp = fopen(11 + argv[i], "r");
-
- if (fp) {
- loginfo->config_file = 11 + argv[i];
- fclose(fp);
- } else {
- pam_syslog(pamh, LOG_ERR,
- "failed to open accessfile=[%s]: %m", 11 + argv[i]);
- return 0;
- }
-
- } else if (strcmp (argv[i], "debug") == 0) {
- loginfo->debug = YES;
- } else if (strcmp (argv[i], "nodefgroup") == 0) {
- loginfo->only_new_group_syntax = YES;
- } else if (strcmp (argv[i], "noaudit") == 0) {
- loginfo->noaudit = YES;
- } else {
- pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
- }
- }
-
- return 1; /* OK */
-}
-
-/* --- static functions for checking whether the user should be let in --- */
-
-typedef int match_func (pam_handle_t *, char *, struct login_info *);
-
-static int list_match (pam_handle_t *, char *, char *, struct login_info *,
- match_func *);
-static int user_match (pam_handle_t *, char *, struct login_info *);
-static int group_match (pam_handle_t *, const char *, const char *, int);
-static int from_match (pam_handle_t *, char *, struct login_info *);
-static int string_match (pam_handle_t *, const char *, const char *, int);
-static int network_netmask_match (pam_handle_t *, const char *, const char *, int);
-
-
-/* isipaddr - find out if string provided is an IP address or not */
-
-static int
-isipaddr (const char *string, int *addr_type,
- struct sockaddr_storage *addr)
-{
- struct sockaddr_storage local_addr;
- int is_ip;
-
- /* We use struct sockaddr_storage addr because
- * struct in_addr/in6_addr is an integral part
- * of struct sockaddr and we doesn't want to
- * use its value.
- */
-
- if (addr == NULL)
- addr = &local_addr;
-
- memset(addr, 0, sizeof(struct sockaddr_storage));
-
- /* first ipv4 */
- if (inet_pton(AF_INET, string, addr) > 0)
- {
- if (addr_type != NULL)
- *addr_type = AF_INET;
-
- is_ip = YES;
- }
- else if (inet_pton(AF_INET6, string, addr) > 0)
- { /* then ipv6 */
- if (addr_type != NULL) {
- *addr_type = AF_INET6;
- }
- is_ip = YES;
- }
- else
- is_ip = NO;
-
- return is_ip;
-}
-
-
-/* are_addresses_equal - translate IP address strings to real IP
- * addresses and compare them to find out if they are equal.
- * If netmask was provided it will be used to focus comparation to
- * relevant bits.
- */
-static int
-are_addresses_equal (const char *ipaddr0, const char *ipaddr1,
- const char *netmask)
-{
- struct sockaddr_storage addr0;
- struct sockaddr_storage addr1;
- int addr_type0 = 0;
- int addr_type1 = 0;
-
- if (isipaddr (ipaddr0, &addr_type0, &addr0) == NO)
- return NO;
-
- if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO)
- return NO;
-
- if (addr_type0 != addr_type1)
- /* different address types */
- return NO;
-
- if (netmask != NULL) {
- /* Got a netmask, so normalize addresses? */
- struct sockaddr_storage nmask;
- unsigned char *byte_a, *byte_nm;
-
- memset(&nmask, 0, sizeof(struct sockaddr_storage));
- if (inet_pton(addr_type0, netmask, (void *)&nmask) > 0) {
- unsigned int i;
- byte_a = (unsigned char *)(&addr0);
- byte_nm = (unsigned char *)(&nmask);
- for (i=0; i<sizeof(struct sockaddr_storage); i++) {
- byte_a[i] = byte_a[i] & byte_nm[i];
- }
-
- byte_a = (unsigned char *)(&addr1);
- byte_nm = (unsigned char *)(&nmask);
- for (i=0; i<sizeof(struct sockaddr_storage); i++) {
- byte_a[i] = byte_a[i] & byte_nm[i];
- }
- }
- }
-
-
- /* Are the two addresses equal? */
- if (memcmp((void *)&addr0, (void *)&addr1,
- sizeof(struct sockaddr_storage)) == 0) {
- return(YES);
- }
-
- return(NO);
-}
-
-static char *
-number_to_netmask (long netmask, int addr_type,
- char *ipaddr_buf, size_t ipaddr_buf_len)
-{
- /* We use struct sockaddr_storage addr because
- * struct in_addr/in6_addr is an integral part
- * of struct sockaddr and we doesn't want to
- * use its value.
- */
- struct sockaddr_storage nmask;
- unsigned char *byte_nm;
- const char *ipaddr_dst = NULL;
- int i, ip_bytes;
-
- if (netmask == 0) {
- /* mask 0 is the same like no mask */
- return(NULL);
- }
-
- memset(&nmask, 0, sizeof(struct sockaddr_storage));
- if (addr_type == AF_INET6) {
- /* ipv6 address mask */
- ip_bytes = 16;
- } else {
- /* default might be an ipv4 address mask */
- addr_type = AF_INET;
- ip_bytes = 4;
- }
-
- byte_nm = (unsigned char *)(&nmask);
- /* translate number to mask */
- for (i=0; i<ip_bytes; i++) {
- if (netmask >= 8) {
- byte_nm[i] = 0xff;
- netmask -= 8;
- } else
- if (netmask > 0) {
- byte_nm[i] = 0xff << (8 - netmask);
- break;
- } else
- if (netmask <= 0) {
- break;
- }
- }
-
- /* now generate netmask address string */
- ipaddr_dst = inet_ntop(addr_type, &nmask, ipaddr_buf, ipaddr_buf_len);
- if (ipaddr_dst == ipaddr_buf) {
- return (ipaddr_buf);
- }
-
- return (NULL);
-}
-
-/* login_access - match username/group and host/tty with access control file */
-
-static int
-login_access (pam_handle_t *pamh, struct login_info *item)
-{
- FILE *fp;
- char line[BUFSIZ];
- char *perm; /* becomes permission field */
- char *users; /* becomes list of login names */
- char *froms; /* becomes list of terminals or hosts */
- int match = NO;
- int nonall_match = NO;
- int end;
- int lineno = 0; /* for diagnostics */
- char *sptr;
-
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
- "login_access: user=%s, from=%s, file=%s",
- item->user->pw_name,
- item->from, item->config_file);
-
- /*
- * Process the table one line at a time and stop at the first match.
- * Blank lines and lines that begin with a '#' character are ignored.
- * Non-comment lines are broken at the ':' character. All fields are
- * mandatory. The first field should be a "+" or "-" character. A
- * non-existing table means no access control.
- */
-
- if ((fp = fopen(item->config_file, "r"))!=NULL) {
- while (!match && fgets(line, sizeof(line), fp)) {
- lineno++;
- if (line[end = strlen(line) - 1] != '\n') {
- pam_syslog(pamh, LOG_ERR,
- "%s: line %d: missing newline or line too long",
- item->config_file, lineno);
- continue;
- }
- if (line[0] == '#')
- continue; /* comment line */
- while (end > 0 && isspace(line[end - 1]))
- end--;
- line[end] = 0; /* strip trailing whitespace */
- if (line[0] == 0) /* skip blank lines */
- continue;
-
- /* Allow field seperator in last field of froms */
- if (!(perm = strtok_r(line, item->fs, &sptr))
- || !(users = strtok_r(NULL, item->fs, &sptr))
- || !(froms = strtok_r(NULL, "\n", &sptr))) {
- pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count",
- item->config_file, lineno);
- continue;
- }
- if (perm[0] != '+' && perm[0] != '-') {
- pam_syslog(pamh, LOG_ERR, "%s: line %d: bad first field",
- item->config_file, lineno);
- continue;
- }
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
- "line %d: %s : %s : %s", lineno, perm, users, froms);
- match = list_match(pamh, users, NULL, item, user_match);
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG, "user_match=%d, \"%s\"",
- match, item->user->pw_name);
- if (match) {
- match = list_match(pamh, froms, NULL, item, from_match);
- if (!match && perm[0] == '+') {
- nonall_match = YES;
- }
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
- "from_match=%d, \"%s\"", match, item->from);
- }
- }
- (void) fclose(fp);
- } else if (errno == ENOENT) {
- /* This is no error. */
- pam_syslog(pamh, LOG_WARNING, "warning: cannot open %s: %m",
- item->config_file);
- } else {
- pam_syslog(pamh, LOG_ERR, "cannot open %s: %m", item->config_file);
- return NO;
- }
-#ifdef HAVE_LIBAUDIT
- if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL &&
- nonall_match == YES))) {
- pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION,
- "pam_access", 0);
- }
-#endif
- return (match == NO || (line[0] == '+'));
-}
-
-
-/* list_match - match an item against a list of tokens with exceptions */
-
-static int
-list_match(pam_handle_t *pamh, char *list, char *sptr,
- struct login_info *item, match_func *match_fn)
-{
- char *tok;
- int match = NO;
-
- if (item->debug && list != NULL)
- pam_syslog (pamh, LOG_DEBUG,
- "list_match: list=%s, item=%s", list, item->user->pw_name);
-
- /*
- * Process tokens one at a time. We have exhausted all possible matches
- * when we reach an "EXCEPT" token or the end of the list. If we do find
- * a match, look for an "EXCEPT" list and recurse to determine whether
- * the match is affected by any exceptions.
- */
-
- for (tok = strtok_r(list, item->sep, &sptr); tok != 0;
- tok = strtok_r(NULL, item->sep, &sptr)) {
- if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
- break;
- if ((match = (*match_fn) (pamh, tok, item))) /* YES */
- break;
- }
- /* Process exceptions to matches. */
-
- if (match != NO) {
- while ((tok = strtok_r(NULL, item->sep, &sptr)) && strcasecmp(tok, "EXCEPT"))
- /* VOID */ ;
- if (tok == 0)
- return match;
- if (list_match(pamh, NULL, sptr, item, match_fn) == NO)
- return YES; /* drop special meaning of ALL */
- }
- return (NO);
-}
-
-/* myhostname - figure out local machine name */
-
-static char *myhostname(void)
-{
- static char name[MAXHOSTNAMELEN + 1];
-
- if (gethostname(name, MAXHOSTNAMELEN) == 0) {
- name[MAXHOSTNAMELEN] = 0;
- return (name);
- }
- return NULL;
-}
-
-/* netgroup_match - match group against machine or user */
-
-static int
-netgroup_match (pam_handle_t *pamh, const char *netgroup,
- const char *machine, const char *user, int debug)
-{
- char *mydomain = NULL;
- int retval;
-
- yp_get_default_domain(&mydomain);
-
-
- retval = innetgr (netgroup, machine, user, mydomain);
- if (debug == YES)
- pam_syslog (pamh, LOG_DEBUG,
- "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)",
- retval, netgroup ? netgroup : "NULL",
- machine ? machine : "NULL",
- user ? user : "NULL", mydomain ? mydomain : "NULL");
- return retval;
-
-}
-
-/* user_match - match a username against one token */
-
-static int
-user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
-{
- char *string = item->user->pw_name;
- struct login_info fake_item;
- char *at;
- int rv;
-
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
- "user_match: tok=%s, item=%s", tok, string);
-
- /*
- * If a token has the magic value "ALL" the match always succeeds.
- * Otherwise, return YES if the token fully matches the username, if the
- * token is a group that contains the username, or if the token is the
- * name of the user's primary group.
- */
-
- if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
- *at = 0;
- fake_item.from = myhostname();
- if (fake_item.from == NULL)
- return NO;
- return (user_match (pamh, tok, item) &&
- from_match (pamh, at + 1, &fake_item));
- } else if (tok[0] == '@') /* netgroup */
- return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug));
- else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
- return (group_match (pamh, tok, string, item->debug));
- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
- return rv;
- else if (item->only_new_group_syntax == NO &&
- pam_modutil_user_in_group_nam_nam (pamh,
- item->user->pw_name, tok))
- /* try group membership */
- return YES;
-
- return NO;
-}
-
-
-/* group_match - match a username against token named group */
-
-static int
-group_match (pam_handle_t *pamh, const char *tok, const char* usr,
- int debug)
-{
- char grptok[BUFSIZ];
-
- if (debug)
- pam_syslog (pamh, LOG_DEBUG,
- "group_match: grp=%s, user=%s", grptok, usr);
-
- if (strlen(tok) < 3)
- return NO;
-
- /* token is recieved under the format '(...)' */
- memset(grptok, 0, BUFSIZ);
- strncpy(grptok, tok + 1, strlen(tok) - 2);
-
- if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok))
- return YES;
-
- return NO;
-}
-
-
-/* from_match - match a host or tty against a list of tokens */
-
-static int
-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
-{
- const char *string = item->from;
- int tok_len;
- int str_len;
- int rv;
-
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
- "from_match: tok=%s, item=%s", tok, string);
-
- /*
- * If a token has the magic value "ALL" the match always succeeds. Return
- * YES if the token fully matches the string. If the token is a domain
- * name, return YES if it matches the last fields of the string. If the
- * token has the magic value "LOCAL", return YES if the string does not
- * contain a "." character. If the token is a network number, return YES
- * if it matches the head of the string.
- */
-
- if (string == NULL) {
- return NO;
- } else if (tok[0] == '@') { /* netgroup */
- return (netgroup_match (pamh, tok + 1, string, (char *) 0, item->debug));
- } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
- /* ALL or exact match */
- return rv;
- } else if (tok[0] == '.') { /* domain: match last fields */
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
- && strcasecmp(tok, string + str_len - tok_len) == 0)
- return (YES);
- } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
- if (strchr(string, '.') == 0)
- return (YES);
- } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
- struct addrinfo *res;
- struct addrinfo hint;
-
- memset (&hint, '\0', sizeof (hint));
- hint.ai_flags = AI_CANONNAME;
- hint.ai_family = AF_INET;
-
- if (getaddrinfo (string, NULL, &hint, &res) != 0)
- return NO;
- else
- {
- struct addrinfo *runp = res;
-
- while (runp != NULL)
- {
- char buf[INET_ADDRSTRLEN+2];
-
- if (runp->ai_family == AF_INET)
- {
- inet_ntop (runp->ai_family,
- &((struct sockaddr_in *) runp->ai_addr)->sin_addr,
- buf, sizeof (buf));
-
- strcat (buf, ".");
-
- if (strncmp(tok, buf, tok_len) == 0)
- {
- freeaddrinfo (res);
- return YES;
- }
- }
- runp = runp->ai_next;
- }
- freeaddrinfo (res);
- }
- } else if (isipaddr(string, NULL, NULL) == YES) {
- /* Assume network/netmask with a IP of a host. */
- if (network_netmask_match(pamh, tok, string, item->debug))
- return YES;
- } else {
- /* Assume network/netmask with a name of a host. */
- struct addrinfo *res;
- struct addrinfo hint;
-
- memset (&hint, '\0', sizeof (hint));
- hint.ai_flags = AI_CANONNAME;
- hint.ai_family = AF_UNSPEC;
-
- if (getaddrinfo (string, NULL, &hint, &res) != 0)
- return NO;
- else
- {
- struct addrinfo *runp = res;
-
- while (runp != NULL)
- {
- char buf[INET6_ADDRSTRLEN];
-
- inet_ntop (runp->ai_family,
- runp->ai_family == AF_INET
- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
- buf, sizeof (buf));
-
- if (network_netmask_match(pamh, tok, buf, item->debug))
- {
- freeaddrinfo (res);
- return YES;
- }
- runp = runp->ai_next;
- }
- freeaddrinfo (res);
- }
- }
-
- return NO;
-}
-
-/* string_match - match a string against one token */
-
-static int
-string_match (pam_handle_t *pamh, const char *tok, const char *string,
- int debug)
-{
-
- if (debug)
- pam_syslog (pamh, LOG_DEBUG,
- "string_match: tok=%s, item=%s", tok, string);
-
- /*
- * If the token has the magic value "ALL" the match always succeeds.
- * Otherwise, return YES if the token fully matches the string.
- * "NONE" token matches NULL string.
- */
-
- if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
- return (ALL);
- } else if (string != NULL) {
- if (strcasecmp(tok, string) == 0) { /* try exact match */
- return (YES);
- }
- } else if (strcasecmp(tok, "NONE") == 0) {
- return (YES);
- }
- return (NO);
-}
-
-
-/* network_netmask_match - match a string against one token
- * where string is an ip (v4,v6) address and tok represents
- * whether a single ip (v4,v6) address or a network/netmask
- */
-static int
-network_netmask_match (pam_handle_t *pamh,
- const char *tok, const char *string, int debug)
-{
- if (debug)
- pam_syslog (pamh, LOG_DEBUG,
- "network_netmask_match: tok=%s, item=%s", tok, string);
-
- if (isipaddr(string, NULL, NULL) == YES)
- {
- char *netmask_ptr = NULL;
- static char netmask_string[MAXHOSTNAMELEN + 1] = "";
- int addr_type;
-
- /* OK, check if tok is of type addr/mask */
- if ((netmask_ptr = strchr(tok, '/')) != NULL)
- {
- long netmask = 0;
-
- /* YES */
- *netmask_ptr = 0;
- netmask_ptr++;
-
- if (isipaddr(tok, &addr_type, NULL) == NO)
- { /* no netaddr */
- return(NO);
- }
-
- /* check netmask */
- if (isipaddr(netmask_ptr, NULL, NULL) == NO)
- { /* netmask as integre value */
- char *endptr = NULL;
- netmask = strtol(netmask_ptr, &endptr, 0);
- if ((endptr == NULL) || (*endptr != '\0'))
- { /* invalid netmask value */
- return(NO);
- }
- if ((netmask < 0) || (netmask >= 128))
- { /* netmask value out of range */
- return(NO);
- }
-
- netmask_ptr = number_to_netmask(netmask, addr_type,
- netmask_string, MAXHOSTNAMELEN);
- }
-
- /* Netmask is now an ipv4/ipv6 address.
- * This works also if netmask_ptr is NULL.
- */
- return (are_addresses_equal(string, tok, netmask_ptr));
- }
- else
- /* NO, then check if it is only an addr */
- if (isipaddr(tok, NULL, NULL) == YES)
- { /* check if they are the same, no netmask */
- return(are_addresses_equal(string, tok, NULL));
- }
- }
-
- return (NO);
-}
-
-
-/* --- public PAM management functions --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- struct login_info loginfo;
- const char *user=NULL;
- const void *void_from=NULL;
- const char *from;
- struct passwd *user_pw;
-
- /* set username */
-
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
- return PAM_USER_UNKNOWN;
- }
-
- if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL)
- return (PAM_USER_UNKNOWN);
-
- /*
- * Bundle up the arguments to avoid unnecessary clumsiness later on.
- */
- loginfo.user = user_pw;
- loginfo.config_file = PAM_ACCESS_CONFIG;
-
- /* parse the argument list */
-
- if (!parse_args(pamh, &loginfo, argc, argv)) {
- pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments");
- return PAM_ABORT;
- }
-
- /* remote host name */
-
- if (pam_get_item(pamh, PAM_RHOST, &void_from)
- != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "cannot find the remote host name");
- return PAM_ABORT;
- }
- from = void_from;
-
- if ((from==NULL) || (*from=='\0')) {
-
- /* local login, set tty name */
-
- if (pam_get_item(pamh, PAM_TTY, &void_from) != PAM_SUCCESS
- || void_from == NULL) {
- D(("PAM_TTY not set, probing stdin"));
- from = ttyname(STDIN_FILENO);
- if (from != NULL) {
- if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS)
- pam_syslog(pamh, LOG_WARNING, "couldn't set tty name");
- } else {
- if (pam_get_item(pamh, PAM_SERVICE, &void_from) != PAM_SUCCESS
- || void_from == NULL) {
- pam_syslog (pamh, LOG_ERR,
- "cannot determine remote host, tty or service name");
- return PAM_ABORT;
- }
- from = void_from;
- if (loginfo.debug)
- pam_syslog (pamh, LOG_DEBUG,
- "cannot determine tty or remote hostname, using service %s",
- from);
- }
- }
- else
- from = void_from;
-
- if (from[0] == '/') { /* full path, remove device path. */
- const char *f;
- from++;
- if ((f = strchr(from, '/')) != NULL) {
- from = f + 1;
- }
- }
- }
-
- loginfo.from = from;
-
- if (login_access(pamh, &loginfo)) {
- return (PAM_SUCCESS);
- } else {
- pam_syslog(pamh, LOG_ERR,
- "access denied for user `%s' from `%s'",user,from);
- return (PAM_PERM_DENIED);
- }
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate (pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_access_modstruct = {
- "pam_access",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-#endif
diff --git a/modules/pam_access/tst-pam_access b/modules/pam_access/tst-pam_access
deleted file mode 100755
index 271e69fe..00000000
--- a/modules/pam_access/tst-pam_access
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_access.so
diff --git a/modules/pam_cracklib/.cvsignore b/modules/pam_cracklib/.cvsignore
deleted file mode 100644
index db3b3295..00000000
--- a/modules/pam_cracklib/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_cracklib.8
diff --git a/modules/pam_cracklib/Makefile.am b/modules/pam_cracklib/Makefile.am
deleted file mode 100644
index 619ffc93..00000000
--- a/modules/pam_cracklib/Makefile.am
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_cracklib
-
-man_MANS = pam_cracklib.8
-
-XMLS = README.xml pam_cracklib.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-if HAVE_LIBCRACK
-securelib_LTLIBRARIES = pam_cracklib.la
-
-TESTS = tst-pam_cracklib
-endif
-
-pam_cracklib_la_LIBADD = -L$(top_builddir)/libpam -lpam \
- @LIBCRACK@ @LIBCRYPT@
-
-if ENABLE_REGENERATE_MAN
-
-noinst_DATA = README
-
-README: pam_cracklib.8.xml
-
--include $(top_srcdir)/Make.xml.rules
-endif
diff --git a/modules/pam_cracklib/README.xml b/modules/pam_cracklib/README.xml
deleted file mode 100644
index c4a7b54c..00000000
--- a/modules/pam_cracklib/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_cracklib.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_cracklib.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_cracklib-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
deleted file mode 100644
index 589e7b44..00000000
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ /dev/null
@@ -1,513 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_cracklib">
-
- <refmeta>
- <refentrytitle>pam_cracklib</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_cracklib-name">
- <refname>pam_cracklib</refname>
- <refpurpose>PAM module to check the password against dictionary words</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_cracklib-cmdsynopsis">
- <command>pam_cracklib.so</command>
- <arg choice="opt">
- <replaceable>...</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_cracklib-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- This module can be plugged into the <emphasis>password</emphasis> stack of
- a given application to provide some plug-in strength-checking for passwords.
- </para>
-
- <para>
- The action of this module is to prompt the user for a password and
- check its strength against a system dictionary and a set of rules for
- identifying poor choices.
- </para>
-
- <para>
- The first action is to prompt for a single password, check its
- strength and then, if it is considered strong, prompt for the password
- a second time (to verify that it was typed correctly on the first
- occasion). All being well, the password is passed on to subsequent
- modules to be installed as the new authentication token.
- </para>
-
- <para>
- The strength checks works in the following manner: at first the
- <function>Cracklib</function> routine is called to check if the password
- is part of a dictionary; if this is not the case an additional set of
- strength checks is done. These checks are:
- </para>
-
- <variablelist>
- <varlistentry>
- <term>Palindrome</term>
- <listitem>
- <para>
- Is the new password a palindrome of the old one?
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Case Change Only</term>
- <listitem>
- <para>
- Is the new password the the old one with only a change of case?
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Similar</term>
- <listitem>
- <para>
- Is the new password too much like the old one?
- This is primarily controlled by one argument,
- <option>difok</option> which is a number of characters
- that if different between the old and new are enough to accept
- the new password, this defaults to 10 or 1/2 the size of the
- new password whichever is smaller.
- </para>
- <para>
- To avoid the lockup associated with trying to change a long and
- complicated password, <option>difignore</option> is available.
- This argument can be used to specify the minimum length a new
- password needs to be before the <option>difok</option> value is
- ignored. The default value for <option>difignore</option> is 23.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Simple</term>
- <listitem>
- <para>
- Is the new password too small?
- This is controlled by 5 arguments <option>minlen</option>,
- <option>dcredit</option>, <option>ucredit</option>,
- <option>lcredit</option>, and <option>ocredit</option>. See the section
- on the arguments for the details of how these work and there defaults.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Rotated</term>
- <listitem>
- <para>
- Is the new password a rotated version of the old password?
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Already used</term>
- <listitem>
- <para>
- Was the password used in the past? Previously used passwords
- are to be found in <filename>/etc/security/opasswd</filename>.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>
- This module with no arguments will work well for standard unix
- password encryption. With md5 encryption, passwords can be longer
- than 8 characters and the default settings for this module can make it
- hard for the user to choose a satisfactory new password. Notably, the
- requirement that the new password contain no more than 1/2 of the
- characters in the old password becomes a non-trivial constraint. For
- example, an old password of the form "the quick brown fox jumped over
- the lazy dogs" would be difficult to change... In addition, the
- default action is to allow passwords as small as 5 characters in
- length. For a md5 systems it can be a good idea to increase the
- required minimum size of a password. One can then allow more credit
- for different kinds of characters but accept that the new password may
- share most of these characters with the old password.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_cracklib-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- This option makes the module write information to
- <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>
- indicating the behavior of the module (this option does
- not write password information to the log file).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>type=<replaceable>XXX</replaceable></option>
- </term>
- <listitem>
- <para>
- The default action is for the module to use the
- following prompts when requesting passwords:
- "New UNIX password: " and "Retype UNIX password: ".
- The default word <emphasis>UNIX</emphasis> can
- be replaced with this option.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>retry=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- Prompt user at most <replaceable>N</replaceable> times
- before returning with error. The default is
- <emphasis>1</emphasis>
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>difok=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- This argument will change the default of
- <emphasis>5</emphasis> for the number of characters in
- the new password that must not be present in the old
- password. In addition, if 1/2 of the characters in the
- new password are different then the new password will
- be accepted anyway.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>difignore=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- How many characters should the password have before
- difok will be ignored. The default is
- <emphasis>23</emphasis>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>minlen=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- The minimum acceptable size for the new password (plus
- one if credits are not disabled which is the default).
- In addition to the number of characters in the new password,
- credit (of +1 in length) is given for each different kind
- of character (<emphasis>other</emphasis>,
- <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and
- <emphasis>digit</emphasis>). The default for this parameter
- is <emphasis>9</emphasis> which is good for a old style UNIX
- password all of the same type of character but may be too low
- to exploit the added security of a md5 system. Note that
- there is a pair of length limits in
- <emphasis>Cracklib</emphasis> itself, a "way too short" limit
- of 4 which is hard coded in and a defined limit (6) that will
- be checked without reference to <option>minlen</option>.
- If you want to allow passwords as short as 5 characters you
- should not use this module.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>dcredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having digits in
- the new password. If you have less than or
- <replaceable>N</replaceable>
- digits, each digit will count +1 towards meeting the current
- <option>minlen</option> value. The default for
- <option>dcredit</option> is 1 which is the recommended
- value for <option>minlen</option> less than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of digits that must
- be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>ucredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having upper
- case letters in the new password. If you have less than
- or <replaceable>N</replaceable> upper case letters each
- letter will count +1 towards meeting the current
- <option>minlen</option> value. The default for
- <option>ucredit</option> is <emphasis>1</emphasis> which
- is the recommended value for <option>minlen</option> less
- than 10.
- </para>
- <para>
- (N &gt; 0) This is the minimum number of upper
- case letters that must be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>lcredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having
- lower case letters in the new password. If you have
- less than or <replaceable>N</replaceable> lower case
- letters, each letter will count +1 towards meeting the
- current <option>minlen</option> value. The default for
- <option>lcredit</option> is 1 which is the recommended
- value for <option>minlen</option> less than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of lower
- case letters that must be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>ocredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having other
- characters in the new password. If you have less than or
- <replaceable>N</replaceable> other characters, each
- character will count +1 towards meeting the current
- <option>minlen</option> value. The default for
- <option>ocredit</option> is 1 which is the recommended
- value for <option>minlen</option> less than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of other
- characters that must be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>minclass=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- The minimum number of required classes of characters for
- the new password. The default number is zero. The four
- classes are digits, upper and lower letters and other
- characters.
- The difference to the <option>credit</option> check is
- that a specific class if of characters is not required.
- Instead <replaceable>N</replaceable> out of four of the
- classes are required.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>use_authtok</option>
- </term>
- <listitem>
- <para>
- This argument is used to <emphasis>force</emphasis> the
- module to not prompt the user for a new password but use
- the one provided by the previously stacked
- <emphasis>password</emphasis> module.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>dictpath=<replaceable>/path/to/dict</replaceable></option>
- </term>
- <listitem>
- <para>
- Path to the cracklib dictionaries.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id="pam_cracklib-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only he <option>password</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_cracklib-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The new password passes all checks.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTHTOK_ERR</term>
- <listitem>
- <para>
- No new password was entered,
- the username could not be determined or the new
- password fails the strength checks.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTHTOK_RECOVERY_ERR</term>
- <listitem>
- <para>
- The old password was not supplied by a previous stacked
- module or got not requested from the user.
- The first error can happen if <option>use_authtok</option>
- is specified.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- A internal error occured.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_cracklib-examples'>
- <title>EXAMPLES</title>
- <para>
- For an example of the use of this module, we show how it may be
- stacked with the password component of
- <citerefentry>
- <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- <programlisting>
-#
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
-# "use_authtok" argument ensures that the pam_unix module does not
-# prompt for a password, but instead uses the one provided by
-# pam_cracklib.
-#
-passwd password required pam_cracklib.so retry=3
-passwd password required pam_unix.so use_authtok
- </programlisting>
- </para>
-
- <para>
- Another example (in the <filename>/etc/pam.d/passwd</filename> format)
- is for the case that you want to use md5 password encryption:
- <programlisting>
-#%PAM-1.0
-#
-# These lines allow a md5 systems to support passwords of at least 14
-# bytes with extra credit of 2 for digits and 2 for others the new
-# password must have at least three bytes that are not present in the
-# old password
-#
-password required pam_cracklib.so \
- difok=3 minlen=15 dcredit= 2 ocredit=2
-password required pam_unix.so use_authtok nullok md5
- </programlisting>
- </para>
-
- <para>
- And here is another example in case you don't want to use credits:
- <programlisting>
-#%PAM-1.0
-#
-# These lines require the user to select a password with a minimum
-# length of 8 and with at least 1 digit number, 1 upper case letter,
-# and 1 other character
-#
-password required pam_cracklib.so \
- dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
-password required pam_unix.so use_authtok nullok md5
- </programlisting>
- </para>
-
- </refsect1>
-
- <refsect1 id='pam_cracklib-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_cracklib-author'>
- <title>AUTHOR</title>
- <para>
- pam_cracklib was written by Cristian Gafton &lt;gafton@redhat.com&gt;
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
deleted file mode 100644
index 532a72b2..00000000
--- a/modules/pam_cracklib/pam_cracklib.c
+++ /dev/null
@@ -1,850 +0,0 @@
-/*
- * pam_cracklib module
- */
-
-/*
- * 0.9. switch to using a distance algorithm in similar()
- * 0.86. added support for setting minimum numbers of digits, uppers,
- * lowers, and others
- * 0.85. added six new options to use this with long passwords.
- * 0.8. tidied output and improved D(()) usage for debugging.
- * 0.7. added support for more obscure checks for new passwd.
- * 0.6. root can reset user passwd to any values (it's only warned)
- * 0.5. supports retries - 'retry=N' argument
- * 0.4. added argument 'type=XXX' for 'New XXX password' prompt
- * 0.3. Added argument 'debug'
- * 0.2. new password is feeded to cracklib for verify after typed once
- * 0.1. First release
- */
-
-/*
- * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10
- * Long password support by Philip W. Dalrymple <pwd@mdtsoft.com> 1997/07/18
- * See the end of the file for Copyright Information
- *
- * Modification for long password systems (>8 chars). The original
- * module had problems when used in a md5 password system in that it
- * allowed too short passwords but required that at least half of the
- * bytes in the new password did not appear in the old one. this
- * action is still the default and the changes should not break any
- * current user. This modification adds 6 new options, one to set the
- * number of bytes in the new password that are not in the old one,
- * the other five to control the length checking, these are all
- * documented (or will be before anyone else sees this code) in the PAM
- * S.A.G. in the section on the cracklib module.
- */
-
-#include "config.h"
-
-#include <stdio.h>
-#ifdef HAVE_CRYPT_H
-# include <crypt.h>
-#endif
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <ctype.h>
-#include <limits.h>
-
-#ifdef HAVE_CRACK_H
-#include <crack.h>
-#else
-extern char *FascistCheck(char *pw, const char *dictpath);
-#endif
-
-#ifndef CRACKLIB_DICTS
-#define CRACKLIB_DICTS NULL
-#endif
-
-/* For Translators: "%s%s" could be replaced with "<service> " or "". */
-#define PROMPT1 _("New %s%spassword: ")
-/* For Translators: "%s%s" could be replaced with "<service> " or "". */
-#define PROMPT2 _("Retype new %s%spassword: ")
-#define MISTYPED_PASS _("Sorry, passwords do not match.")
-
-#ifdef MIN
-#undef MIN
-#endif
-#define MIN(_a, _b) (((_a) < (_b)) ? (_a) : (_b))
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_ext.h>
-
-/* argument parsing */
-#define PAM_DEBUG_ARG 0x0001
-
-struct cracklib_options {
- int retry_times;
- int diff_ok;
- int diff_ignore;
- int min_length;
- int dig_credit;
- int up_credit;
- int low_credit;
- int oth_credit;
- int min_class;
- int use_authtok;
- char prompt_type[BUFSIZ];
- const char *cracklib_dictpath;
-};
-
-#define CO_RETRY_TIMES 1
-#define CO_DIFF_OK 5
-#define CO_DIFF_IGNORE 23
-#define CO_MIN_LENGTH 9
-# define CO_MIN_LENGTH_BASE 5
-#define CO_DIG_CREDIT 1
-#define CO_UP_CREDIT 1
-#define CO_LOW_CREDIT 1
-#define CO_OTH_CREDIT 1
-#define CO_USE_AUTHTOK 0
-
-static int
-_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
- int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
- char *ep = NULL;
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"type=",5))
- strncpy(opt->prompt_type, *argv+5, sizeof(opt->prompt_type) - 1);
- else if (!strncmp(*argv,"retry=",6)) {
- opt->retry_times = strtol(*argv+6,&ep,10);
- if (!ep || (opt->retry_times < 1))
- opt->retry_times = CO_RETRY_TIMES;
- } else if (!strncmp(*argv,"difok=",6)) {
- opt->diff_ok = strtol(*argv+6,&ep,10);
- if (!ep || (opt->diff_ok < 0))
- opt->diff_ok = CO_DIFF_OK;
- } else if (!strncmp(*argv,"difignore=",10)) {
- opt->diff_ignore = strtol(*argv+10,&ep,10);
- if (!ep || (opt->diff_ignore < 0))
- opt->diff_ignore = CO_DIFF_IGNORE;
- } else if (!strncmp(*argv,"minlen=",7)) {
- opt->min_length = strtol(*argv+7,&ep,10);
- if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
- opt->min_length = CO_MIN_LENGTH_BASE;
- } else if (!strncmp(*argv,"dcredit=",8)) {
- opt->dig_credit = strtol(*argv+8,&ep,10);
- if (!ep)
- opt->dig_credit = 0;
- } else if (!strncmp(*argv,"ucredit=",8)) {
- opt->up_credit = strtol(*argv+8,&ep,10);
- if (!ep)
- opt->up_credit = 0;
- } else if (!strncmp(*argv,"lcredit=",8)) {
- opt->low_credit = strtol(*argv+8,&ep,10);
- if (!ep)
- opt->low_credit = 0;
- } else if (!strncmp(*argv,"ocredit=",8)) {
- opt->oth_credit = strtol(*argv+8,&ep,10);
- if (!ep)
- opt->oth_credit = 0;
- } else if (!strncmp(*argv,"minclass=",9)) {
- opt->min_class = strtol(*argv+9,&ep,10);
- if (!ep)
- opt->min_class = 0;
- if (opt->min_class > 4)
- opt->min_class = 4 ;
- } else if (!strncmp(*argv,"use_authtok",11)) {
- opt->use_authtok = 1;
- } else if (!strncmp(*argv,"dictpath=",9)) {
- opt->cracklib_dictpath = *argv+9;
- if (!*(opt->cracklib_dictpath)) {
- opt->cracklib_dictpath = CRACKLIB_DICTS;
- }
- } else {
- pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
- opt->prompt_type[sizeof(opt->prompt_type) - 1] = '\0';
-
- return ctrl;
-}
-
-/* Helper functions */
-
-/* use this to free strings. ESPECIALLY password strings */
-static char *_pam_delete(register char *xx)
-{
- _pam_overwrite(xx);
- free(xx);
- return NULL;
-}
-
-/*
- * can't be a palindrome - like `R A D A R' or `M A D A M'
- */
-static int palindrome(const char *new)
-{
- int i, j;
-
- i = strlen (new);
-
- for (j = 0;j < i;j++)
- if (new[i - j - 1] != new[j])
- return 0;
-
- return 1;
-}
-
-/*
- * Calculate how different two strings are in terms of the number of
- * character removals, additions, and changes needed to go from one to
- * the other
- */
-
-static int distdifferent(const char *old, const char *new,
- size_t i, size_t j)
-{
- char c, d;
-
- if ((i == 0) || (strlen(old) < i)) {
- c = 0;
- } else {
- c = old[i - 1];
- }
- if ((j == 0) || (strlen(new) < j)) {
- d = 0;
- } else {
- d = new[j - 1];
- }
- return (c != d);
-}
-
-static int distcalculate(int **distances, const char *old, const char *new,
- size_t i, size_t j)
-{
- int tmp = 0;
-
- if (distances[i][j] != -1) {
- return distances[i][j];
- }
-
- tmp = distcalculate(distances, old, new, i - 1, j - 1);
- tmp = MIN(tmp, distcalculate(distances, old, new, i, j - 1));
- tmp = MIN(tmp, distcalculate(distances, old, new, i - 1, j));
- tmp += distdifferent(old, new, i, j);
-
- distances[i][j] = tmp;
-
- return tmp;
-}
-
-static int distance(const char *old, const char *new)
-{
- int **distances = NULL;
- size_t m, n, i, j, r;
-
- m = strlen(old);
- n = strlen(new);
- distances = malloc(sizeof(int*) * (m + 1));
-
- for (i = 0; i <= m; i++) {
- distances[i] = malloc(sizeof(int) * (n + 1));
- for(j = 0; j <= n; j++) {
- distances[i][j] = -1;
- }
- }
- for (i = 0; i <= m; i++) {
- distances[i][0] = i;
- }
- for (j = 0; j <= n; j++) {
- distances[0][j] = j;
- }
- distances[0][0] = 0;
-
- r = distcalculate(distances, old, new, m, n);
-
- for (i = 0; i <= m; i++) {
- memset(distances[i], 0, sizeof(int) * (n + 1));
- free(distances[i]);
- }
- free(distances);
-
- return r;
-}
-
-static int similar(struct cracklib_options *opt,
- const char *old, const char *new)
-{
- if (distance(old, new) >= opt->diff_ok) {
- return 0;
- }
-
- if (strlen(new) >= (strlen(old) * 2)) {
- return 0;
- }
-
- /* passwords are too similar */
- return 1;
-}
-
-/*
- * enough classes of charecters
- */
-
-static int minclass (struct cracklib_options *opt,
- const char *new)
-{
- int digits = 0;
- int uppers = 0;
- int lowers = 0;
- int others = 0;
- int total_class;
- int i;
- int retval;
-
- D(( "called" ));
- for (i = 0; new[i]; i++)
- {
- if (isdigit (new[i]))
- digits = 1;
- else if (isupper (new[i]))
- uppers = 1;
- else if (islower (new[i]))
- lowers = 1;
- else
- others = 1;
- }
-
- total_class = digits + uppers + lowers + others;
-
- D (("total class: %d\tmin_class: %d", total_class, opt->min_class));
-
- if (total_class >= opt->min_class)
- retval = 0;
- else
- retval = 1;
-
- return retval;
-}
-
-
-/*
- * a nice mix of characters.
- */
-static int simple(struct cracklib_options *opt, const char *new)
-{
- int digits = 0;
- int uppers = 0;
- int lowers = 0;
- int others = 0;
- int size;
- int i;
-
- for (i = 0;new[i];i++) {
- if (isdigit (new[i]))
- digits++;
- else if (isupper (new[i]))
- uppers++;
- else if (islower (new[i]))
- lowers++;
- else
- others++;
- }
-
- /*
- * The scam was this - a password of only one character type
- * must be 8 letters long. Two types, 7, and so on.
- * This is now changed, the base size and the credits or defaults
- * see the docs on the module for info on these parameters, the
- * defaults cause the effect to be the same as before the change
- */
-
- if ((opt->dig_credit >= 0) && (digits > opt->dig_credit))
- digits = opt->dig_credit;
-
- if ((opt->up_credit >= 0) && (uppers > opt->up_credit))
- uppers = opt->up_credit;
-
- if ((opt->low_credit >= 0) && (lowers > opt->low_credit))
- lowers = opt->low_credit;
-
- if ((opt->oth_credit >= 0) && (others > opt->oth_credit))
- others = opt->oth_credit;
-
- size = opt->min_length;
-
- if (opt->dig_credit >= 0)
- size -= digits;
- else if (digits < opt->dig_credit * -1)
- return 1;
-
- if (opt->up_credit >= 0)
- size -= uppers;
- else if (uppers < opt->up_credit * -1)
- return 1;
-
- if (opt->low_credit >= 0)
- size -= lowers;
- else if (lowers < opt->low_credit * -1)
- return 1;
-
- if (opt->oth_credit >= 0)
- size -= others;
- else if (others < opt->oth_credit * -1)
- return 1;
-
- if (size <= i)
- return 0;
-
- return 1;
-}
-
-static char * str_lower(char *string)
-{
- char *cp;
-
- for (cp = string; *cp; cp++)
- *cp = tolower(*cp);
- return string;
-}
-
-static const char *password_check(struct cracklib_options *opt,
- const char *old, const char *new)
-{
- const char *msg = NULL;
- char *oldmono = NULL, *newmono, *wrapped = NULL;
-
- if (old && strcmp(new, old) == 0) {
- msg = _("is the same as the old one");
- return msg;
- }
-
- newmono = str_lower(x_strdup(new));
- if (old) {
- oldmono = str_lower(x_strdup(old));
- wrapped = malloc(strlen(oldmono) * 2 + 1);
- strcpy (wrapped, oldmono);
- strcat (wrapped, oldmono);
- }
-
- if (palindrome(newmono))
- msg = _("is a palindrome");
-
- if (!msg && oldmono && strcmp(oldmono, newmono) == 0)
- msg = _("case changes only");
-
- if (!msg && oldmono && similar(opt, oldmono, newmono))
- msg = _("is too similar to the old one");
-
- if (!msg && simple(opt, new))
- msg = _("is too simple");
-
- if (!msg && wrapped && strstr(wrapped, newmono))
- msg = _("is rotated");
-
- if (!msg && minclass (opt, new))
- msg = _("not enough character classes");
-
- memset(newmono, 0, strlen(newmono));
- free(newmono);
- if (old) {
- memset(oldmono, 0, strlen(oldmono));
- memset(wrapped, 0, strlen(wrapped));
- free(oldmono);
- free(wrapped);
- }
-
- return msg;
-}
-
-
-#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
-
-static const char * check_old_password(const char *forwho, const char *newpass)
-{
- static char buf[16384];
- char *s_luser, *s_uid, *s_npas, *s_pas;
- const char *msg = NULL;
- FILE *opwfile;
-
- opwfile = fopen(OLD_PASSWORDS_FILE, "r");
- if (opwfile == NULL)
- return NULL;
-
- while (fgets(buf, 16380, opwfile)) {
- if (!strncmp(buf, forwho, strlen(forwho))) {
- char *sptr;
- buf[strlen(buf)-1] = '\0';
- s_luser = strtok_r(buf, ":,", &sptr);
- s_uid = strtok_r(NULL, ":,", &sptr);
- s_npas = strtok_r(NULL, ":,", &sptr);
- s_pas = strtok_r(NULL, ":,", &sptr);
- while (s_pas != NULL) {
- if (!strcmp(crypt(newpass, s_pas), s_pas)) {
- msg = _("has been already used");
- break;
- }
- s_pas = strtok_r(NULL, ":,", &sptr);
- }
- break;
- }
- }
- fclose(opwfile);
-
- return msg;
-}
-
-
-static int _pam_unix_approve_pass(pam_handle_t *pamh,
- unsigned int ctrl,
- struct cracklib_options *opt,
- const char *pass_old,
- const char *pass_new)
-{
- const char *msg = NULL;
- const void *user;
- int retval;
-
- if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
- pam_error(pamh, "%s", pass_new == NULL ?
- _("No password supplied"):_("Password unchanged"));
- return PAM_AUTHTOK_ERR;
- }
-
- /*
- * if one wanted to hardwire authentication token strength
- * checking this would be the place
- */
- msg = password_check(opt, pass_old, pass_new);
- if (!msg) {
- retval = pam_get_item(pamh, PAM_USER, &user);
- if (retval != PAM_SUCCESS || user == NULL) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_ERR,"Can not get username");
- return PAM_AUTHTOK_ERR;
- }
- msg = check_old_password(user, pass_new);
- }
-
- if (msg) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_NOTICE,
- "new passwd fails strength check: %s", msg);
- pam_error(pamh, _("BAD PASSWORD: %s"), msg);
- return PAM_AUTHTOK_ERR;
- };
- return PAM_SUCCESS;
-
-}
-
-/* The Main Thing (by Cristian Gafton, CEO at this module :-)
- * (stolen from http://home.netscape.com)
- */
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- struct cracklib_options options;
-
- D(("called."));
-
- memset(&options, 0, sizeof(options));
- options.retry_times = CO_RETRY_TIMES;
- options.diff_ok = CO_DIFF_OK;
- options.diff_ignore = CO_DIFF_IGNORE;
- options.min_length = CO_MIN_LENGTH;
- options.dig_credit = CO_DIG_CREDIT;
- options.up_credit = CO_UP_CREDIT;
- options.low_credit = CO_LOW_CREDIT;
- options.oth_credit = CO_OTH_CREDIT;
- options.use_authtok = CO_USE_AUTHTOK;
- memset(options.prompt_type, 0, BUFSIZ);
- strcpy(options.prompt_type,"UNIX");
- options.cracklib_dictpath = CRACKLIB_DICTS;
-
- ctrl = _pam_parse(pamh, &options, argc, argv);
-
- if (flags & PAM_PRELIM_CHECK) {
- /* Check for passwd dictionary */
- /* We cannot do that, since the original path is compiled
- into the cracklib library and we don't know it. */
- return PAM_SUCCESS;
- } else if (flags & PAM_UPDATE_AUTHTOK) {
- int retval;
- char *token1, *token2, *resp;
- const void *oldtoken;
-
- D(("do update"));
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldtoken);
- if (retval != PAM_SUCCESS) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_ERR,"Can not get old passwd");
- oldtoken=NULL;
- retval = PAM_SUCCESS;
- }
-
- do {
- /*
- * make sure nothing inappropriate gets returned
- */
- token1 = token2 = NULL;
-
- if (!options.retry_times) {
- D(("returning %s because maxtries reached",
- pam_strerror(pamh, retval)));
- return retval;
- }
-
- /* Planned modus operandi:
- * Get a passwd.
- * Verify it against cracklib.
- * If okay get it a second time.
- * Check to be the same with the first one.
- * set PAM_AUTHTOK and return
- */
-
- if (options.use_authtok == 1) {
- const void *item = NULL;
-
- retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
- if (retval != PAM_SUCCESS) {
- /* very strange. */
- pam_syslog(pamh, LOG_ALERT,
- "pam_get_item returned error to pam_cracklib");
- } else if (item != NULL) { /* we have a password! */
- token1 = x_strdup(item);
- item = NULL;
- } else {
- retval = PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */
- }
-
- } else {
- /* Prepare to ask the user for the first time */
- resp = NULL;
- retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
- PROMPT1, options.prompt_type,
- options.prompt_type[0]?" ":"");
-
- if (retval == PAM_SUCCESS) { /* a good conversation */
- token1 = x_strdup(resp);
- if (token1 == NULL) {
- pam_syslog(pamh, LOG_NOTICE,
- "could not recover authentication token 1");
- retval = PAM_AUTHTOK_RECOVERY_ERR;
- }
- /*
- * tidy up the conversation (resp_retcode) is ignored
- */
- _pam_drop(resp);
- } else {
- retval = (retval == PAM_SUCCESS) ?
- PAM_AUTHTOK_RECOVERY_ERR:retval ;
- }
- }
-
- if (retval != PAM_SUCCESS) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_DEBUG,"unable to obtain a password");
- continue;
- }
-
- D(("testing password, retval = %s", pam_strerror(pamh, retval)));
- /* now test this passwd against cracklib */
- {
- const char *crack_msg;
-
- D(("against cracklib"));
- if ((crack_msg = FascistCheck(token1,options.cracklib_dictpath))) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
- pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
- retval = PAM_AUTHTOK_ERR;
- else
- retval = PAM_SUCCESS;
- } else {
- /* check it for strength too... */
- D(("for strength"));
- retval = _pam_unix_approve_pass (pamh, ctrl, &options,
- oldtoken, token1);
- if (retval != PAM_SUCCESS) {
- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
- retval = PAM_AUTHTOK_ERR;
- else
- retval = PAM_SUCCESS;
- }
- }
- }
-
- D(("after testing: retval = %s", pam_strerror(pamh, retval)));
- /* if cracklib/strength check said it is a bad passwd... */
- if ((retval != PAM_SUCCESS) && (retval != PAM_IGNORE)) {
- int temp_unused;
-
- temp_unused = pam_set_item(pamh, PAM_AUTHTOK, NULL);
- token1 = _pam_delete(token1);
- continue;
- }
-
- /* Now we have a good passwd. Ask for it once again */
-
- if (options.use_authtok == 0) {
- resp = NULL;
- retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
- PROMPT2, options.prompt_type,
- options.prompt_type[0]?" ":"");
- if (retval == PAM_SUCCESS) { /* a good conversation */
- token2 = x_strdup(resp);
- if (token2 == NULL) {
- pam_syslog(pamh,LOG_NOTICE,
- "could not recover authentication token 2");
- retval = PAM_AUTHTOK_RECOVERY_ERR;
- }
- /*
- * tidy up the conversation (resp_retcode) is ignored
- */
- _pam_drop(resp);
- }
-
- /* No else, the a retval == PAM_SUCCESS path can change retval
- to a failure code. */
- if (retval != PAM_SUCCESS) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_DEBUG,"unable to obtain retyped password");
- continue;
- }
-
- /* Hopefully now token1 and token2 the same password ... */
- if (strcmp(token1,token2) != 0) {
- /* tell the user */
- pam_error(pamh, "%s", MISTYPED_PASS);
- token1 = _pam_delete(token1);
- token2 = _pam_delete(token2);
- pam_set_item(pamh, PAM_AUTHTOK, NULL);
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_NOTICE,"Password mistyped");
- retval = PAM_AUTHTOK_RECOVERY_ERR;
- continue;
- }
-
- /* Yes, the password was typed correct twice
- * we store this password as an item
- */
-
- {
- const void *item = NULL;
-
- retval = pam_set_item(pamh, PAM_AUTHTOK, token1);
-
- /* clean up */
- token1 = _pam_delete(token1);
- token2 = _pam_delete(token2);
-
- if ( (retval != PAM_SUCCESS) ||
- ((retval = pam_get_item(pamh, PAM_AUTHTOK, &item)
- ) != PAM_SUCCESS) ) {
- pam_syslog(pamh, LOG_CRIT, "error manipulating password");
- continue;
- }
- item = NULL; /* break link to password */
- return PAM_SUCCESS;
- }
- }
-
- } while (options.retry_times--);
-
- } else {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_NOTICE, "UNKNOWN flags setting %02X",flags);
- return PAM_SERVICE_ERR;
- }
-
- /* Not reached */
- return PAM_SERVICE_ERR;
-}
-
-
-
-#ifdef PAM_STATIC
-/* static module data */
-struct pam_module _pam_cracklib_modstruct = {
- "pam_cracklib",
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- pam_sm_chauthtok
-};
-#endif
-
-/*
- * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996.
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * The following copyright was appended for the long password support
- * added with the libpam 0.58 release:
- *
- * Modificaton Copyright (c) Philip W. Dalrymple III <pwd@mdtsoft.com>
- * 1997. All rights reserved
- *
- * THE MODIFICATION THAT PROVIDES SUPPORT FOR LONG PASSWORD TYPE CHECKING TO
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_cracklib/tst-pam_cracklib b/modules/pam_cracklib/tst-pam_cracklib
deleted file mode 100755
index 46a7060d..00000000
--- a/modules/pam_cracklib/tst-pam_cracklib
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_cracklib.so
diff --git a/modules/pam_debug/.cvsignore b/modules/pam_debug/.cvsignore
deleted file mode 100644
index af38ef08..00000000
--- a/modules/pam_debug/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_debug.8
diff --git a/modules/pam_debug/Makefile.am b/modules/pam_debug/Makefile.am
deleted file mode 100644
index 0b798516..00000000
--- a/modules/pam_debug/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_debug
-
-man_MANS = pam_debug.8
-XMLS = README.xml pam_debug.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_debug.la
-pam_debug_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-TESTS = tst-pam_debug
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_debug.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_debug/README.xml b/modules/pam_debug/README.xml
deleted file mode 100644
index ef41911b..00000000
--- a/modules/pam_debug/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_debug.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_debug.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_debug-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_debug/pam_debug.8.xml b/modules/pam_debug/pam_debug.8.xml
deleted file mode 100644
index 65519852..00000000
--- a/modules/pam_debug/pam_debug.8.xml
+++ /dev/null
@@ -1,231 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_debug">
-
- <refmeta>
- <refentrytitle>pam_debug</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_debug-name">
- <refname>pam_debug</refname>
- <refpurpose>PAM module to debug the PAM stack</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_debug-cmdsynopsis">
- <command>pam_debug.so</command>
- <arg choice="opt">
- auth=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- cred=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- acct=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- prechauthtok=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- chauthtok=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- auth=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- open_session=<replaceable>value</replaceable>
- </arg>
- <arg choice="opt">
- close_session=<replaceable>value</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_debug-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_debug PAM module is intended as a debugging aide for
- determining how the PAM stack is operating. This module returns
- what its module arguments tell it to return.
- </para>
- </refsect1>
-
- <refsect1 id="pam_debug-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>auth=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>cred=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>acct=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_acct_mgmt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>prechauthtok=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable> if the
- <emphasis>PAM_PRELIM_CHECK</emphasis> flag is set.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>chauthtok=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable> if the
- <emphasis>PAM_PRELIM_CHECK</emphasis> flag is
- <emphasis remap='B'>not</emphasis> set.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>open_session=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_open_session</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>close_session=<replaceable>value</replaceable></option>
- </term>
- <listitem>
- <para>
- The
- <citerefentry>
- <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function will return
- <replaceable>value</replaceable>.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>
- Where <replaceable>value</replaceable> can be one of: success,
- open_err, symbol_err, service_err, system_err, buf_err, perm_denied,
- auth_err, cred_insufficient, authinfo_unavail, user_unknown,
- maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail,
- cred_expired, cred_err, no_module_data, conv_err, authtok_err,
- authtok_recover_err, authtok_lock_busy, authtok_disable_aging,
- try_again, ignore, abort, authtok_expired, module_unknown,
- bad_item, conv_again, incomplete.
- </para>
- </refsect1>
-
- <refsect1 id="pam_debug-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The services <option>auth</option>, <option>account</option>,
- <option>password</option> and <option>session</option> are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_debug-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Default return code if no other value was specified,
- else specified return value.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_debug-examples'>
- <title>EXAMPLES</title>
- <programlisting>
-auth requisite pam_permit.so
-auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
-auth [default=reset] pam_debug.so auth=success cred=perm_denied
-auth [success=done default=die] pam_debug.so
-auth optional pam_debug.so auth=perm_denied cred=perm_denied
-auth sufficient pam_debug.so auth=success cred=success
- </programlisting>
- </refsect1>
-
- <refsect1 id='pam_debug-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_debug-author'>
- <title>AUTHOR</title>
- <para>
- pam_debug was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c
deleted file mode 100644
index a65d1bf2..00000000
--- a/modules/pam_debug/pam_debug.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* pam_permit module */
-
-/*
- * $Id$
- *
- * Written by Andrew Morgan <morgan@kernel.org> 2001/02/04
- *
- */
-
-#define DEFAULT_USER "nobody"
-
-#include "config.h"
-
-#include <stdio.h>
-
-/*
- * This module is intended as a debugging aide for determining how
- * the PAM stack is operating.
- *
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_ext.h>
-
-#define _PAM_ACTION_UNDEF (-10)
-#include "../../libpam/pam_tokens.h"
-
-/* --- authentication management functions --- */
-
-static int state(pam_handle_t *pamh, const char *text)
-{
- int retval;
-
- retval = pam_info (pamh, "%s", text);
-
- if (retval != PAM_SUCCESS) {
- D(("pam_info failed"));
- }
-
- return retval;
-}
-
-static int parse_args(int retval, const char *event,
- pam_handle_t *pamh, int argc, const char **argv)
-{
- int i;
-
- for (i=0; i<argc; ++i) {
- int length = strlen(event);
- if (!strncmp(event, argv[i], length) && (argv[i][length] == '=')) {
- int j;
- const char *return_string = argv[i] + (length+1);
-
- for (j=0; j<_PAM_RETURN_VALUES; ++j) {
- if (!strcmp(return_string, _pam_token_returns[j])) {
- retval = j;
- state(pamh, argv[i]);
- break;
- }
- }
- break;
- }
- }
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval;
- const char *user=NULL;
-
- /*
- * authentication requires we know who the user wants to be
- */
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS) {
- D(("get user returned error: %s", pam_strerror(pamh,retval)));
- return retval;
- }
- if (user == NULL || *user == '\0') {
- D(("username not known"));
- retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
- if (retval != PAM_SUCCESS)
- return retval;
- }
- user = NULL; /* clean up */
-
- retval = parse_args(PAM_SUCCESS, "auth", pamh, argc, argv);
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return parse_args(PAM_SUCCESS, "cred", pamh, argc, argv);
-}
-
-/* --- account management functions --- */
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return parse_args(PAM_SUCCESS, "acct", pamh, argc, argv);
-}
-
-/* --- password management --- */
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- if (flags & PAM_PRELIM_CHECK) {
- return parse_args(PAM_SUCCESS, "prechauthtok", pamh, argc, argv);
- } else {
- return parse_args(PAM_SUCCESS, "chauthtok", pamh, argc, argv);
- }
-}
-
-/* --- session management --- */
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return parse_args(PAM_SUCCESS, "open_session", pamh, argc, argv);
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return parse_args(PAM_SUCCESS, "close_session", pamh, argc, argv);
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_debug_modstruct = {
- "pam_debug",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
diff --git a/modules/pam_debug/tst-pam_debug b/modules/pam_debug/tst-pam_debug
deleted file mode 100755
index f07ff640..00000000
--- a/modules/pam_debug/tst-pam_debug
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_debug.so
diff --git a/modules/pam_deny/.cvsignore b/modules/pam_deny/.cvsignore
deleted file mode 100644
index 180c6155..00000000
--- a/modules/pam_deny/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_deny.8
diff --git a/modules/pam_deny/Makefile.am b/modules/pam_deny/Makefile.am
deleted file mode 100644
index 94b5f0f6..00000000
--- a/modules/pam_deny/Makefile.am
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_deny
-
-man_MANS = pam_deny.8
-
-XMLS = README.xml pam_deny.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_deny.la
-pam_deny_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-
-noinst_DATA = README
-
-README: pam_deny.8.xml
-
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_deny
diff --git a/modules/pam_deny/README.xml b/modules/pam_deny/README.xml
deleted file mode 100644
index ff2e82b0..00000000
--- a/modules/pam_deny/README.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_deny.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_deny.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_deny-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_deny/pam_deny.8.xml b/modules/pam_deny/pam_deny.8.xml
deleted file mode 100644
index e50beb2d..00000000
--- a/modules/pam_deny/pam_deny.8.xml
+++ /dev/null
@@ -1,135 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_deny">
-
- <refmeta>
- <refentrytitle>pam_deny</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_deny-name">
- <refname>pam_deny</refname>
- <refpurpose>The locking-out PAM module</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_deny-cmdsynopsis">
- <command>pam_deny.so</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_deny-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- This module can be used to deny access. It always indicates a failure
- to the application through the PAM framework. It might be suitable
- for using for default (the <emphasis>OTHER</emphasis>) entries.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_deny-options">
- <title>OPTIONS</title>
- <para>This module does not recognise any options.</para>
- </refsect1>
-
- <refsect1 id="pam_deny-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- All services (<option>account</option>, <option>auth</option>,
- <option>password</option> and <option>session</option>) are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_deny-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>
- This is returned by the account and auth services.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_CRED_ERR</term>
- <listitem>
- <para>
- This is returned by the setcred function.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTHTOK_ERR</term>
- <listitem>
- <para>
- This is returned by the password service.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SESSION_ERR</term>
- <listitem>
- <para>
- This is returned by the session service.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_deny-examples'>
- <title>EXAMPLES</title>
- <programlisting>
-#%PAM-1.0
-#
-# If we don't have config entries for a service, the
-# OTHER entries are used. To be secure, warn and deny
-# access to everything.
-other auth required pam_warn.so
-other auth required pam_deny.so
-other account required pam_warn.so
-other account required pam_deny.so
-other password required pam_warn.so
-other password required pam_deny.so
-other session required pam_warn.so
-other session required pam_deny.so
- </programlisting>
- </refsect1>
-
- <refsect1 id='pam_deny-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_deny-author'>
- <title>AUTHOR</title>
- <para>
- pam_deny was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_deny/pam_deny.c b/modules/pam_deny/pam_deny.c
deleted file mode 100644
index 544c5bdb..00000000
--- a/modules/pam_deny/pam_deny.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* pam_deny module */
-
-/*
- * $Id$
- *
- * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11
- *
- */
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#include "config.h"
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-
-/* --- authentication management functions --- */
-
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_AUTH_ERR;
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_CRED_ERR;
-}
-
-/* --- account management functions --- */
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_AUTH_ERR;
-}
-
-/* --- password management --- */
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_AUTHTOK_ERR;
-}
-
-/* --- session management --- */
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_SESSION_ERR;
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_SESSION_ERR;
-}
-
-/* end of module definition */
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_deny_modstruct = {
- "pam_deny",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-#endif
diff --git a/modules/pam_deny/tst-pam_deny b/modules/pam_deny/tst-pam_deny
deleted file mode 100755
index 7d9d6bad..00000000
--- a/modules/pam_deny/tst-pam_deny
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_deny.so
diff --git a/modules/pam_echo/.cvsignore b/modules/pam_echo/.cvsignore
deleted file mode 100644
index 2d5569ad..00000000
--- a/modules/pam_echo/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_echo.8
diff --git a/modules/pam_echo/Makefile.am b/modules/pam_echo/Makefile.am
deleted file mode 100644
index d004e8f4..00000000
--- a/modules/pam_echo/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_echo
-
-man_MANS = pam_echo.8
-
-XMLS = README.xml pam_echo.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_echo.la
-pam_echo_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_echo.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_echo
diff --git a/modules/pam_echo/README.xml b/modules/pam_echo/README.xml
deleted file mode 100644
index b1556e38..00000000
--- a/modules/pam_echo/README.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_echo.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_echo.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_echo-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_echo/pam_echo.8.xml b/modules/pam_echo/pam_echo.8.xml
deleted file mode 100644
index 4a495195..00000000
--- a/modules/pam_echo/pam_echo.8.xml
+++ /dev/null
@@ -1,168 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_echo'>
- <refmeta>
- <refentrytitle>pam_echo</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_echo-name'>
- <refname>pam_echo</refname>
- <refpurpose>PAM module for printing text messages</refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_echo-cmdsynopsis">
- <command>pam_echo.so</command>
- <arg choice="opt">
- file=<replaceable>/path/message</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id='pam_echo-description'>
- <title>DESCRIPTION</title>
- <para>
- The <emphasis>pam_echo</emphasis> PAM module is for printing
- text messages to inform user about special things. Sequences
- starting with the <emphasis>%</emphasis> character are
- interpreted in the following way:
- </para>
- <variablelist>
- <varlistentry>
- <term><emphasis>%H</emphasis></term>
- <listitem>
- <para>The name of the remote host (PAM_RHOST).</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>%h</emphasis></term>
- <listitem>
- <para>The name of the local host.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis>%s</emphasis></term>
- <listitem>
- <para>The service name (PAM_SERVICE).</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis>%t</emphasis></term>
- <listitem>
- <para>The name of the controlling terminal (PAM_TTY).</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis>%U</emphasis></term>
- <listitem>
- <para>The remote user name (PAM_RUSER).</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis>%u</emphasis></term>
- <listitem>
- <para>The local user name (PAM_USER).</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <para>
- All other sequences beginning with <emphasis>%</emphasis>
- expands to the characters following the <emphasis>%</emphasis>
- character.
- </para>
- </refsect1>
-
- <refsect1 id='pam_echo-options'>
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>file=<replaceable>/path/message</replaceable></option>
- </term>
- <listitem>
- <para>
- The content of the file <filename>/path/message</filename>
- will be printed with the PAM conversion function as PAM_TEXT_INFO.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_echo-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- All services are supported.
- </para>
- </refsect1>
-
-
- <refsect1 id="pam_echo-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Message was successful printed.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- PAM_SILENT flag was given or message file does not
- exist, no message printed.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_echo-examples'>
- <title>EXAMPLES</title>
- <para>
- For an example of the use of this module, we show how it may be
- used to print informations about good passwords:
- <programlisting>
-password optional pam_echo.so file=/usr/share/doc/good-password.txt
-password required pam_unix.so
- </programlisting>
- </para>
- </refsect1>
-
-
- <refsect1 id='pam_echo-see_also'><title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry></para>
- </refsect1>
-
- <refsect1 id='pam_echo-author'>
- <title>AUTHOR</title>
- <para>Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;</para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c
deleted file mode 100644
index 31ebca22..00000000
--- a/modules/pam_echo/pam_echo.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#if defined(HAVE_CONFIG_H)
-#include "config.h"
-#endif
-
-#include <errno.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <limits.h>
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#ifndef HOST_NAME_MAX
-#define HOST_NAME_MAX 255
-#endif
-
-#define PAM_SM_ACCOUNT
-#define PAM_SM_AUTH
-#define PAM_SM_PASSWORD
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/pam_modutil.h>
-#include <security/_pam_macros.h>
-#include <security/pam_ext.h>
-
-static int
-replace_and_print (pam_handle_t *pamh, const char *mesg)
-{
- char *output;
- size_t length = strlen (mesg) + PAM_MAX_MSG_SIZE;
- char myhostname[HOST_NAME_MAX+1];
- const void *str = NULL;
- const char *p, *q;
- int item;
- size_t len;
-
- output = malloc (length);
- if (output == NULL)
- {
- pam_syslog (pamh, LOG_ERR, "running out of memory");
- return PAM_BUF_ERR;
- }
-
- for (p = mesg, len = 0; *p != '\0' && len < length - 1; ++p)
- {
- if (*p != '%' || p[1] == '\0')
- {
- output[len++] = *p;
- continue;
- }
- switch (*++p)
- {
- case 'H':
- item = PAM_RHOST;
- break;
- case 'h':
- item = -2; /* aka PAM_LOCALHOST */
- break;
- case 's':
- item = PAM_SERVICE;
- break;
- case 't':
- item = PAM_TTY;
- break;
- case 'U':
- item = PAM_RUSER;
- break;
- case 'u':
- item = PAM_USER;
- break;
- default:
- output[len++] = *p;
- continue;
- }
- if (item == -2)
- {
- if (gethostname (myhostname, sizeof (myhostname)) == -1)
- str = NULL;
- else
- str = &myhostname;
- }
- else
- pam_get_item (pamh, item, &str);
- if (str == NULL)
- str = "(null)";
- for (q = str; *q != '\0' && len < length - 1; ++q)
- output[len++] = *q;
- }
- output[len] = '\0';
-
- pam_info (pamh, "%s", output);
- free (output);
-
- return PAM_SUCCESS;
-}
-
-static int
-pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- int fd;
- int orig_argc = argc;
- const char **orig_argv = argv;
- const char *file = NULL;
- int retval;
-
- if (flags & PAM_SILENT)
- return PAM_IGNORE;
-
- for (; argc-- > 0; ++argv)
- {
- if (!strncmp (*argv, "file=", 5))
- file = (5 + *argv);
- }
-
- /* No file= option, use argument for output. */
- if (file == NULL || file[0] == '\0')
- {
- char msg[PAM_MAX_MSG_SIZE];
- const char *p;
- int i;
- size_t len;
-
- for (i = 0, len = 0; i < orig_argc && len < sizeof (msg) - 1; ++i)
- {
- if (i > 0)
- msg[len++] = ' ';
- for (p = orig_argv[i]; *p != '\0' && len < sizeof(msg) - 1; ++p)
- msg[len++] = *p;
- }
- msg[len] = '\0';
-
- retval = replace_and_print (pamh, msg);
- }
- else if ((fd = open (file, O_RDONLY, 0)) >= 0)
- {
- char *mtmp = NULL;
- struct stat st;
-
- /* load file into message buffer. */
- if ((fstat (fd, &st) < 0) || !st.st_size)
- return PAM_IGNORE;
-
- mtmp = malloc (st.st_size + 1);
- if (!mtmp)
- return PAM_BUF_ERR;
-
- if (pam_modutil_read (fd, mtmp, st.st_size) == -1)
- {
- pam_syslog (pamh, LOG_ERR, "Error while reading %s: %m", file);
- free (mtmp);
- return PAM_IGNORE;
- }
-
- if (mtmp[st.st_size - 1] == '\n')
- mtmp[st.st_size - 1] = '\0';
- else
- mtmp[st.st_size] = '\0';
-
- close (fd);
- retval = replace_and_print (pamh, mtmp);
- free (mtmp);
- }
- else
- {
- pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", file);
- retval = PAM_IGNORE;
- }
- return retval;
-}
-
-int
-pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return pam_echo (pamh, flags, argc, argv);
-}
-
-int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-int
-pam_sm_acct_mgmt (pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return pam_echo (pamh, flags, argc, argv);
-}
-
-int
-pam_sm_open_session (pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return pam_echo (pamh, flags, argc, argv);
-}
-
-int
-pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-int
-pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- if (flags & PAM_PRELIM_CHECK)
- return pam_echo (pamh, flags, argc, argv);
- else
- return PAM_IGNORE;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_echo_modstruct = {
- "pam_echo",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif
diff --git a/modules/pam_echo/tst-pam_echo b/modules/pam_echo/tst-pam_echo
deleted file mode 100755
index 483a2c23..00000000
--- a/modules/pam_echo/tst-pam_echo
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_echo.so
diff --git a/modules/pam_env/.cvsignore b/modules/pam_env/.cvsignore
deleted file mode 100644
index e35f869e..00000000
--- a/modules/pam_env/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_env.8
-pam_env.conf.5
diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am
deleted file mode 100644
index 87813688..00000000
--- a/modules/pam_env/Makefile.am
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
-
-man_MANS = pam_env.conf.5 pam_env.8
-
-XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\"
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_env.la
-pam_env_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-secureconf_DATA = pam_env.conf
-sysconf_DATA = environment
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_env.8.xml pam_env.conf.5.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_env
diff --git a/modules/pam_env/README.xml b/modules/pam_env/README.xml
deleted file mode 100644
index 21a9b855..00000000
--- a/modules/pam_env/README.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_env.8.xml">
--->
-<!--
-<!ENTITY accessconf SYSTEM "pam_env.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_env-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_env/environment b/modules/pam_env/environment
deleted file mode 100644
index f46b8d94..00000000
--- a/modules/pam_env/environment
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# This file is parsed by pam_env module
-#
-# Syntax: simple "KEY=VAL" pairs on seperate lines
-#
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
deleted file mode 100644
index 731c20b2..00000000
--- a/modules/pam_env/pam_env.8.xml
+++ /dev/null
@@ -1,206 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_env'>
-
- <refmeta>
- <refentrytitle>pam_env</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_env-name'>
- <refname>pam_env</refname>
- <refpurpose>
- PAM module to set/unset environment variables
- </refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_env-cmdsynopsis">
- <command>pam_env.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- conffile=<replaceable>conf-file</replaceable>
- </arg>
- <arg choice="opt">
- envfile=<replaceable>env-file</replaceable>
- </arg>
- <arg choice="opt">
- readenv=<replaceable>0|1</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-
- <refsect1 id="pam_env-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_env PAM module allows the (un)setting of environment
- variables. Supported is the use of previously set environment
- variables as well as <emphasis>PAM_ITEM</emphasis>s such as
- <emphasis>PAM_RHOST</emphasis>.
- </para>
- <para>
- By default rules for (un)setting of variables is taken from the
- config file <filename>/etc/security/pam_env.conf</filename> if
- no other file is specified.
- </para>
- <para>
- This module can also parse a file with simple
- <emphasis>KEY=VAL</emphasis> pairs on seperate lines
- (<filename>/etc/environment</filename> by default). You can
- change the default file to parse, with the <emphasis>envfile</emphasis>
- flag and turn it on or off by setting the <emphasis>readenv</emphasis>
- flag to 1 or 0 respectively.
- </para>
- </refsect1>
-
- <refsect1 id="pam_env-options">
- <title>OPTIONS</title>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>conffile=<replaceable>/path/to/pam_env.conf</replaceable></option>
- </term>
- <listitem>
- <para>
- Indicate an alternative <filename>pam_env.conf</filename>
- style configuration file to override the default. This can
- be useful when different services need different environments.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- A lot of debug informations are printed with
- <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>envfile=<replaceable>/path/to/environment</replaceable></option>
- </term>
- <listitem>
- <para>
- Indicate an alternative <filename>environment</filename>
- file to override the default. This can be useful when different
- services need different environments.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>readenv=<replaceable>0|1</replaceable></option>
- </term>
- <listitem>
- <para>
- Turns on or off the reading of the file specified by envfile
- (0 is off, 1 is on). By default this option is on.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_env-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The <option>auth</option> and <option>session</option> services
- are supported.
- </para>
- </refsect1>
-
- <refsect1 id="pam_env-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Not all relevant data or options could be gotten.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- No pam_env.conf and environment file was found.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Environment variables were set.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_env-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/security/pam_env.conf</filename></term>
- <listitem>
- <para>Default configuration file</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><filename>/etc/environment</filename></term>
- <listitem>
- <para>Default environment file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_env-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam_env.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_env-authors">
- <title>AUTHOR</title>
- <para>
- pam_env was written by Dave Kinchlea &lt;kinch@kinch.ark.com&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
deleted file mode 100644
index bcbb1881..00000000
--- a/modules/pam_env/pam_env.c
+++ /dev/null
@@ -1,832 +0,0 @@
-/* pam_env module */
-
-/*
- * $Id$
- *
- * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31
- * Inspired by Andrew Morgan <morgan@kernel.org>, who also supplied the
- * template for this file (via pam_mail)
- */
-
-#define DEFAULT_ETC_ENVFILE "/etc/environment"
-#define DEFAULT_READ_ENVFILE 1
-
-#include "config.h"
-
-#include <ctype.h>
-#include <errno.h>
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */
-#define PAM_SM_SESSION /* But I like to be friendly */
-#define PAM_SM_PASSWORD /* "" */
-#define PAM_SM_ACCOUNT /* "" */
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_ext.h>
-
-/* This little structure makes it easier to keep variables together */
-
-typedef struct var {
- char *name;
- char *value;
- char *defval;
- char *override;
-} VAR;
-
-#define BUF_SIZE 1024
-#define MAX_ENV 8192
-
-#define GOOD_LINE 0
-#define BAD_LINE 100 /* This must be > the largest PAM_* error code */
-
-#define DEFINE_VAR 101
-#define UNDEFINE_VAR 102
-#define ILLEGAL_VAR 103
-
-static int _assemble_line(FILE *, char *, int);
-static int _parse_line(const pam_handle_t *, char *, VAR *);
-static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */
-static void _clean_var(VAR *);
-static int _expand_arg(pam_handle_t *, char **);
-static const char * _pam_get_item_byname(pam_handle_t *, const char *);
-static int _define_var(pam_handle_t *, VAR *);
-static int _undefine_var(pam_handle_t *, VAR *);
-
-/* This is a flag used to designate an empty string */
-static char quote='Z';
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x01
-#define PAM_NEW_CONF_FILE 0x02
-#define PAM_ENV_SILENT 0x04
-#define PAM_NEW_ENV_FILE 0x10
-
-static int
-_pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
- const char **conffile, const char **envfile, int *readenv)
-{
- int ctrl=0;
-
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"conffile=",9)) {
- *conffile = 9 + *argv;
- if (**conffile != '\0') {
- D(("new Configuration File: %s", *conffile));
- ctrl |= PAM_NEW_CONF_FILE;
- } else {
- pam_syslog(pamh, LOG_ERR,
- "conffile= specification missing argument - ignored");
- }
- } else if (!strncmp(*argv,"envfile=",8)) {
- *envfile = 8 + *argv;
- if (**envfile != '\0') {
- D(("new Env File: %s", *envfile));
- ctrl |= PAM_NEW_ENV_FILE;
- } else {
- pam_syslog (pamh, LOG_ERR,
- "envfile= specification missing argument - ignored");
- }
- } else if (!strncmp(*argv,"readenv=",8))
- *readenv = atoi(8+*argv);
- else
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
-
- return ctrl;
-}
-
-static int
-_parse_config_file(pam_handle_t *pamh, int ctrl, const char *conffile)
-{
- int retval;
- const char *file;
- char buffer[BUF_SIZE];
- FILE *conf;
- VAR Var, *var=&Var;
-
- var->name=NULL; var->defval=NULL; var->override=NULL;
- D(("Called."));
-
- if (ctrl & PAM_NEW_CONF_FILE) {
- file = conffile;
- } else {
- file = DEFAULT_CONF_FILE;
- }
-
- D(("Config file name is: %s", file));
-
- /*
- * Lets try to open the config file, parse it and process
- * any variables found.
- */
-
- if ((conf = fopen(file,"r")) == NULL) {
- pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file);
- return PAM_IGNORE;
- }
-
- /* _pam_assemble_line will provide a complete line from the config file,
- * with all comments removed and any escaped newlines fixed up
- */
-
- while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) {
- D(("Read line: %s", buffer));
-
- if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) {
- retval = _check_var(pamh, var);
-
- if (DEFINE_VAR == retval) {
- retval = _define_var(pamh, var);
-
- } else if (UNDEFINE_VAR == retval) {
- retval = _undefine_var(pamh, var);
- }
- }
- if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval
- && BAD_LINE != retval && PAM_BAD_ITEM != retval) break;
-
- _clean_var(var);
-
- } /* while */
-
- (void) fclose(conf);
-
- /* tidy up */
- _clean_var(var); /* We could have got here prematurely,
- * this is safe though */
- D(("Exit."));
- return (retval != 0 ? PAM_ABORT : PAM_SUCCESS);
-}
-
-static int
-_parse_env_file(pam_handle_t *pamh, int ctrl, const char *env_file)
-{
- int retval=PAM_SUCCESS, i, t;
- const char *file;
- char buffer[BUF_SIZE], *key, *mark;
- FILE *conf;
-
- if (ctrl & PAM_NEW_ENV_FILE)
- file = env_file;
- else
- file = DEFAULT_ETC_ENVFILE;
-
- D(("Env file name is: %s", file));
-
- if ((conf = fopen(file,"r")) == NULL) {
- pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file);
- return PAM_IGNORE;
- }
-
- while (_assemble_line(conf, buffer, BUF_SIZE) > 0) {
- D(("Read line: %s", buffer));
- key = buffer;
-
- /* skip leading white space */
- key += strspn(key, " \n\t");
-
- /* skip blanks lines and comments */
- if (!key || key[0] == '#')
- continue;
-
- /* skip over "export " if present so we can be compat with
- bash type declarations */
- if (strncmp(key, "export ", (size_t) 7) == 0)
- key += 7;
-
- /* now find the end of value */
- mark = key;
- while(mark[0] != '\n' && mark[0] != '#' && mark[0] != '\0')
- mark++;
- if (mark[0] != '\0')
- mark[0] = '\0';
-
- /*
- * sanity check, the key must be alpha-numeric
- */
-
- for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ )
- if (!isalnum(key[i]) && key[i] != '_') {
- D(("key is not alpha numeric - '%s', ignoring", key));
- continue;
- }
-
- /* now we try to be smart about quotes around the value,
- but not too smart, we can't get all fancy with escaped
- values like bash */
- if (key[i] == '=' && (key[++i] == '\"' || key[i] == '\'')) {
- for ( t = i+1 ; key[t] != '\0' ; t++)
- if (key[t] != '\"' && key[t] != '\'')
- key[i++] = key[t];
- else if (key[t+1] != '\0')
- key[i++] = key[t];
- key[i] = '\0';
- }
-
- /* set the env var, if it fails, we break out of the loop */
- retval = pam_putenv(pamh, key);
- if (retval != PAM_SUCCESS) {
- D(("error setting env \"%s\"", key));
- break;
- }
- }
-
- (void) fclose(conf);
-
- /* tidy up */
- D(("Exit."));
- return retval;
-}
-
-/*
- * This is where we read a line of the PAM config file. The line may be
- * preceeded by lines of comments and also extended with "\\\n"
- */
-
-static int _assemble_line(FILE *f, char *buffer, int buf_len)
-{
- char *p = buffer;
- char *s, *os;
- int used = 0;
-
- /* loop broken with a 'break' when a non-'\\n' ended line is read */
-
- D(("called."));
- for (;;) {
- if (used >= buf_len) {
- /* Overflow */
- D(("_assemble_line: overflow"));
- return -1;
- }
- if (fgets(p, buf_len - used, f) == NULL) {
- if (used) {
- /* Incomplete read */
- return -1;
- } else {
- /* EOF */
- return 0;
- }
- }
-
- /* skip leading spaces --- line may be blank */
-
- s = p + strspn(p, " \n\t");
- if (*s && (*s != '#')) {
- os = s;
-
- /*
- * we are only interested in characters before the first '#'
- * character
- */
-
- while (*s && *s != '#')
- ++s;
- if (*s == '#') {
- *s = '\0';
- used += strlen(os);
- break; /* the line has been read */
- }
-
- s = os;
-
- /*
- * Check for backslash by scanning back from the end of
- * the entered line, the '\n' has been included since
- * normally a line is terminated with this
- * character. fgets() should only return one though!
- */
-
- s += strlen(s);
- while (s > os && ((*--s == ' ') || (*s == '\t')
- || (*s == '\n')));
-
- /* check if it ends with a backslash */
- if (*s == '\\') {
- *s = '\0'; /* truncate the line here */
- used += strlen(os);
- p = s; /* there is more ... */
- } else {
- /* End of the line! */
- used += strlen(os);
- break; /* this is the complete line */
- }
-
- } else {
- /* Nothing in this line */
- /* Don't move p */
- }
- }
-
- return used;
-}
-
-static int
-_parse_line (const pam_handle_t *pamh, char *buffer, VAR *var)
-{
- /*
- * parse buffer into var, legal syntax is
- * VARIABLE [DEFAULT=[[string]] [OVERRIDE=[value]]
- *
- * Any other options defined make this a bad line,
- * error logged and no var set
- */
-
- int length, quoteflg=0;
- char *ptr, **valptr, *tmpptr;
-
- D(("Called buffer = <%s>", buffer));
-
- length = strcspn(buffer," \t\n");
-
- if ((var->name = malloc(length + 1)) == NULL) {
- pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1);
- return PAM_BUF_ERR;
- }
-
- /*
- * The first thing on the line HAS to be the variable name,
- * it may be the only thing though.
- */
- strncpy(var->name, buffer, length);
- var->name[length] = '\0';
- D(("var->name = <%s>, length = %d", var->name, length));
-
- /*
- * Now we check for arguments, we only support two kinds and ('cause I am lazy)
- * each one can actually be listed any number of times
- */
-
- ptr = buffer+length;
- while ((length = strspn(ptr, " \t")) > 0) {
- ptr += length; /* remove leading whitespace */
- D((ptr));
- if (strncmp(ptr,"DEFAULT=",8) == 0) {
- ptr+=8;
- D(("Default arg found: <%s>", ptr));
- valptr=&(var->defval);
- } else if (strncmp(ptr, "OVERRIDE=", 9) == 0) {
- ptr+=9;
- D(("Override arg found: <%s>", ptr));
- valptr=&(var->override);
- } else {
- D(("Unrecognized options: <%s> - ignoring line", ptr));
- pam_syslog(pamh, LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr);
- return BAD_LINE;
- }
-
- if ('"' != *ptr) { /* Escaped quotes not supported */
- length = strcspn(ptr, " \t\n");
- tmpptr = ptr+length;
- } else {
- tmpptr = strchr(++ptr, '"');
- if (!tmpptr) {
- D(("Unterminated quoted string: %s", ptr-1));
- pam_syslog(pamh, LOG_ERR, "Unterminated quoted string: %s", ptr-1);
- return BAD_LINE;
- }
- length = tmpptr - ptr;
- if (*++tmpptr && ' ' != *tmpptr && '\t' != *tmpptr && '\n' != *tmpptr) {
- D(("Quotes must cover the entire string: <%s>", ptr));
- pam_syslog(pamh, LOG_ERR, "Quotes must cover the entire string: <%s>", ptr);
- return BAD_LINE;
- }
- quoteflg++;
- }
- if (length) {
- if ((*valptr = malloc(length + 1)) == NULL) {
- D(("Couldn't malloc %d bytes", length+1));
- pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1);
- return PAM_BUF_ERR;
- }
- (void)strncpy(*valptr,ptr,length);
- (*valptr)[length]='\0';
- } else if (quoteflg--) {
- *valptr = &quote; /* a quick hack to handle the empty string */
- }
- ptr = tmpptr; /* Start the search where we stopped */
- } /* while */
-
- /*
- * The line is parsed, all is well.
- */
-
- D(("Exit."));
- ptr = NULL; tmpptr = NULL; valptr = NULL;
- return GOOD_LINE;
-}
-
-static int _check_var(pam_handle_t *pamh, VAR *var)
-{
- /*
- * Examine the variable and determine what action to take.
- * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take
- * or a PAM_* error code if passed back from other routines
- *
- * if no DEFAULT provided, the empty string is assumed
- * if no OVERRIDE provided, the empty string is assumed
- * if DEFAULT= and OVERRIDE evaluates to the empty string,
- * this variable should be undefined
- * if DEFAULT="" and OVERRIDE evaluates to the empty string,
- * this variable should be defined with no value
- * if OVERRIDE=value and value turns into the empty string, DEFAULT is used
- *
- * If DEFINE_VAR is to be returned, the correct value to define will
- * be pointed to by var->value
- */
-
- int retval;
-
- D(("Called."));
-
- /*
- * First thing to do is to expand any arguments, but only
- * if they are not the special quote values (cause expand_arg
- * changes memory).
- */
-
- if (var->defval && (&quote != var->defval) &&
- ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) {
- return retval;
- }
- if (var->override && (&quote != var->override) &&
- ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) {
- return retval;
- }
-
- /* Now its easy */
-
- if (var->override && *(var->override) && &quote != var->override) {
- /* if there is a non-empty string in var->override, we use it */
- D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override));
- var->value = var->override;
- retval = DEFINE_VAR;
- } else {
-
- var->value = var->defval;
- if (&quote == var->defval) {
- /*
- * This means that the empty string was given for defval value
- * which indicates that a variable should be defined with no value
- */
- *var->defval = '\0';
- D(("An empty variable: <%s>", var->name));
- retval = DEFINE_VAR;
- } else if (var->defval) {
- D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval));
- retval = DEFINE_VAR;
- } else {
- D(("UNDEFINE variable <%s>", var->name));
- retval = UNDEFINE_VAR;
- }
- }
-
- D(("Exit."));
- return retval;
-}
-
-static int _expand_arg(pam_handle_t *pamh, char **value)
-{
- const char *orig=*value, *tmpptr=NULL;
- char *ptr; /*
- * Sure would be nice to use tmpptr but it needs to be
- * a constant so that the compiler will shut up when I
- * call pam_getenv and _pam_get_item_byname -- sigh
- */
-
- /* No unexpanded variable can be bigger than BUF_SIZE */
- char type, tmpval[BUF_SIZE];
-
- /* I know this shouldn't be hard-coded but it's so much easier this way */
- char tmp[MAX_ENV];
-
- D(("Remember to initialize tmp!"));
- memset(tmp, 0, MAX_ENV);
-
- /*
- * (possibly non-existent) environment variables can be used as values
- * by prepending a "$" and wrapping in {} (ie: ${HOST}), can escape with "\"
- * (possibly non-existent) PAM items can be used as values
- * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape
- *
- */
- D(("Expanding <%s>",orig));
- while (*orig) { /* while there is some input to deal with */
- if ('\\' == *orig) {
- ++orig;
- if ('$' != *orig && '@' != *orig) {
- D(("Unrecognized escaped character: <%c> - ignoring", *orig));
- pam_syslog(pamh, LOG_ERR,
- "Unrecognized escaped character: <%c> - ignoring",
- *orig);
- } else if ((strlen(tmp) + 1) < MAX_ENV) {
- tmp[strlen(tmp)] = *orig++; /* Note the increment */
- } else {
- /* is it really a good idea to try to log this? */
- D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
- tmp, tmpptr);
- }
- continue;
- }
- if ('$' == *orig || '@' == *orig) {
- if ('{' != *(orig+1)) {
- D(("Expandable variables must be wrapped in {}"
- " <%s> - ignoring", orig));
- pam_syslog(pamh, LOG_ERR, "Expandable variables must be wrapped in {}"
- " <%s> - ignoring", orig);
- if ((strlen(tmp) + 1) < MAX_ENV) {
- tmp[strlen(tmp)] = *orig++; /* Note the increment */
- }
- continue;
- } else {
- D(("Expandable argument: <%s>", orig));
- type = *orig;
- orig+=2; /* skip the ${ or @{ characters */
- ptr = strchr(orig, '}');
- if (ptr) {
- *ptr++ = '\0';
- } else {
- D(("Unterminated expandable variable: <%s>", orig-2));
- pam_syslog(pamh, LOG_ERR,
- "Unterminated expandable variable: <%s>", orig-2);
- return PAM_ABORT;
- }
- strncpy(tmpval, orig, sizeof(tmpval));
- tmpval[sizeof(tmpval)-1] = '\0';
- orig=ptr;
- /*
- * so, we know we need to expand tmpval, it is either
- * an environment variable or a PAM_ITEM. type will tell us which
- */
- switch (type) {
-
- case '$':
- D(("Expanding env var: <%s>",tmpval));
- tmpptr = pam_getenv(pamh, tmpval);
- D(("Expanded to <%s>", tmpptr));
- break;
-
- case '@':
- D(("Expanding pam item: <%s>",tmpval));
- tmpptr = _pam_get_item_byname(pamh, tmpval);
- D(("Expanded to <%s>", tmpptr));
- break;
-
- default:
- D(("Impossible error, type == <%c>", type));
- pam_syslog(pamh, LOG_CRIT, "Impossible error, type == <%c>", type);
- return PAM_ABORT;
- } /* switch */
-
- if (tmpptr) {
- if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) {
- strcat(tmp, tmpptr);
- } else {
- /* is it really a good idea to try to log this? */
- D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- pam_syslog (pamh, LOG_ERR,
- "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
- }
- }
- } /* if ('{' != *orig++) */
- } else { /* if ( '$' == *orig || '@' == *orig) */
- if ((strlen(tmp) + 1) < MAX_ENV) {
- tmp[strlen(tmp)] = *orig++; /* Note the increment */
- } else {
- /* is it really a good idea to try to log this? */
- D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
- pam_syslog(pamh, LOG_ERR,
- "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
- }
- }
- } /* for (;*orig;) */
-
- if (strlen(tmp) > strlen(*value)) {
- free(*value);
- if ((*value = malloc(strlen(tmp) +1)) == NULL) {
- D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1));
- pam_syslog (pamh, LOG_ERR, "Couldn't malloc %lu bytes for expanded var",
- (unsigned long)strlen(tmp)+1);
- return PAM_BUF_ERR;
- }
- }
- strcpy(*value, tmp);
- memset(tmp,'\0',sizeof(tmp));
- D(("Exit."));
-
- return PAM_SUCCESS;
-}
-
-static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
-{
- /*
- * This function just allows me to use names as given in the config
- * file and translate them into the appropriate PAM_ITEM macro
- */
-
- int item;
- const void *itemval;
-
- D(("Called."));
- if (strcmp(name, "PAM_USER") == 0) {
- item = PAM_USER;
- } else if (strcmp(name, "PAM_USER_PROMPT") == 0) {
- item = PAM_USER_PROMPT;
- } else if (strcmp(name, "PAM_TTY") == 0) {
- item = PAM_TTY;
- } else if (strcmp(name, "PAM_RUSER") == 0) {
- item = PAM_RUSER;
- } else if (strcmp(name, "PAM_RHOST") == 0) {
- item = PAM_RHOST;
- } else {
- D(("Unknown PAM_ITEM: <%s>", name));
- pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name);
- return NULL;
- }
-
- if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) {
- D(("pam_get_item failed"));
- return NULL; /* let pam_get_item() log the error */
- }
- D(("Exit."));
- return itemval;
-}
-
-static int _define_var(pam_handle_t *pamh, VAR *var)
-{
- /* We have a variable to define, this is a simple function */
-
- char *envvar;
- int retval = PAM_SUCCESS;
-
- D(("Called."));
- if (asprintf(&envvar, "%s=%s", var->name, var->value) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- return PAM_BUF_ERR;
- }
-
- retval = pam_putenv(pamh, envvar);
- _pam_drop(envvar);
- D(("Exit."));
- return retval;
-}
-
-static int _undefine_var(pam_handle_t *pamh, VAR *var)
-{
- /* We have a variable to undefine, this is a simple function */
-
- D(("Called and exit."));
- return pam_putenv(pamh, var->name);
-}
-
-static void _clean_var(VAR *var)
-{
- if (var->name) {
- free(var->name);
- }
- if (var->defval && (&quote != var->defval)) {
- free(var->defval);
- }
- if (var->override && (&quote != var->override)) {
- free(var->override);
- }
- var->name = NULL;
- var->value = NULL; /* never has memory specific to it */
- var->defval = NULL;
- var->override = NULL;
- return;
-}
-
-
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval, ctrl, readenv=DEFAULT_READ_ENVFILE;
- const char *conf_file = NULL, *env_file = NULL;
-
- /*
- * this module sets environment variables read in from a file
- */
-
- D(("Called."));
- ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv);
-
- retval = _parse_config_file(pamh, ctrl, conf_file);
-
- if(readenv && retval == PAM_SUCCESS) {
- retval = _parse_env_file(pamh, ctrl, env_file);
- if (retval == PAM_IGNORE)
- retval = PAM_SUCCESS;
- }
-
- /* indicate success or failure */
-
- D(("Exit."));
- return retval;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- pam_syslog (pamh, LOG_NOTICE, "pam_sm_acct_mgmt called inappropriately");
- return PAM_SERVICE_ERR;
-}
-
-PAM_EXTERN int
-pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval, ctrl, readenv=DEFAULT_READ_ENVFILE;
- const char *conf_file = NULL, *env_file = NULL;
-
- /*
- * this module sets environment variables read in from a file
- */
-
- D(("Called."));
- ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv);
-
- retval = _parse_config_file(pamh, ctrl, conf_file);
-
- if(readenv && retval == PAM_SUCCESS) {
- retval = _parse_env_file(pamh, ctrl, env_file);
- if (retval == PAM_IGNORE)
- retval = PAM_SUCCESS;
- }
-
- /* indicate success or failure */
-
- D(("Exit."));
- return retval;
-}
-
-PAM_EXTERN int
-pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- D(("Called and Exit"));
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- pam_syslog (pamh, LOG_NOTICE, "pam_sm_chauthtok called inappropriately");
- return PAM_SERVICE_ERR;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_env_modstruct = {
- "pam_env",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/modules/pam_env/pam_env.conf b/modules/pam_env/pam_env.conf
deleted file mode 100644
index d0ba35c2..00000000
--- a/modules/pam_env/pam_env.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
-# The original idea for this came from Andrew G. Morgan ...
-#<quote>
-# Mmm. Perhaps you might like to write a pam_env module that reads a
-# default environment from a file? I can see that as REALLY
-# useful... Note it would be an "auth" module that returns PAM_IGNORE
-# for the auth part and sets the environment returning PAM_SUCCESS in
-# the setcred function...
-#</quote>
-#
-# What I wanted was the REMOTEHOST variable set, purely for selfish
-# reasons, and AGM didn't want it added to the SimpleApps login
-# program (which is where I added the patch). So, my first concern is
-# that variable, from there there are numerous others that might/would
-# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
-#
-# Of course, these are a different kind of variable than REMOTEHOST in
-# that they are things that are likely to be configured by
-# administrators rather than set by logging in, how to treat them both
-# in the same config file?
-#
-# Here is my idea:
-#
-# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
-# variable to some default value, if none is supplied then the empty
-# string is assumed. The OVERRIDE option tells pam_env that it should
-# enter in its value (overriding the default value) if there is one
-# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
-#
-# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-#
-# (Possibly non-existent) environment variables may be used in values
-# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-# be used in values using the @{string} syntax. Both the $ and @
-# characters can be backslash escaped to be used as literal values
-# values can be delimited with "", escaped " not supported.
-# Note that many environment variables that you would like to use
-# may not be set by the time the module is called.
-# For example, HOME is used below several times, but
-# many PAM applications don't make it available by the time you need it.
-#
-#
-# First, some special variables
-#
-# Set the REMOTEHOST variable for any hosts that are remote, default
-# to "localhost" rather than not being set at all
-#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
-#
-# Set the DISPLAY variable if it seems reasonable
-#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
-#
-#
-# Now some simple variables
-#
-#PAGER DEFAULT=less
-#MANPAGER DEFAULT=less
-#LESS DEFAULT="M q e h15 z23 b80"
-#NNTPSERVER DEFAULT=localhost
-#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
-#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-#
-# silly examples of escaped variables, just to show how they work.
-#
-#DOLLAR DEFAULT=\$
-#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
-#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
-#ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
deleted file mode 100644
index 090e0e75..00000000
--- a/modules/pam_env/pam_env.conf.5.xml
+++ /dev/null
@@ -1,123 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_env.conf">
-
- <refmeta>
- <refentrytitle>pam_env.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname>pam_env.conf</refname>
- <refpurpose>the environment variables config file</refpurpose>
- </refnamediv>
-
-
- <refsect1 id='pam_env.conf-description'>
- <title>DESCRIPTION</title>
-
- <para>
- The <filename>/etc/security/pam_env.conf</filename> file specifies
- the environment variables to be set, unset or modified by
- <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- When someone logs in, this file is read and the environment
- variables are set according.
- </para>
- <para>
- Each line starts with the variable name, there are then two possible
- options for each variable DEFAULT and OVERRIDE. DEFAULT allows and
- administrator to set the value of the variable to some default
- value, if none is supplied then the empty string is assumed. The
- OVERRIDE option tells pam_env that it should enter in its value
- (overriding the default value) if there is one to use. OVERRIDE is
- not used, "" is assumed and no override will be done.
- </para>
- <para>
- <replaceable>VARIABLE</replaceable>
- [<replaceable>DEFAULT=[value]</replaceable>]
- [<replaceable>OVERRIDE=[value]</replaceable>]
- </para>
-
- <para>
- (Possibly non-existent) environment variables may be used in values
- using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
- be used in values using the @{string} syntax. Both the $ and @
- characters can be backslash escaped to be used as literal values
- values can be delimited with "", escaped " not supported.
- Note that many environment variables that you would like to use
- may not be set by the time the module is called.
- For example, HOME is used below several times, but
- many PAM applications don't make it available by the time you need it.
- </para>
-
- <para>
- The "<emphasis>#</emphasis>" character at start of line (no space
- at front) can be used to mark this line as a comment line.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_env.conf-examples">
- <title>EXAMPLES</title>
- <para>
- These are some example lines which might be specified in
- <filename>/etc/security/pam_env.conf</filename>.
- </para>
-
- <para>
- Set the REMOTEHOST variable for any hosts that are remote, default
- to "localhost" rather than not being set at all
- </para>
- <programlisting>
- REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
- </programlisting>
-
- <para>
- Set the DISPLAY variable if it seems reasonable
- </para>
- <programlisting>
- DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
- </programlisting>
-
- <para>
- Now some simple variables
- </para>
- <programlisting>
- PAGER DEFAULT=less
- MANPAGER DEFAULT=less
- LESS DEFAULT="M q e h15 z23 b80"
- NNTPSERVER DEFAULT=localhost
- PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
- :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
- </programlisting>
-
- <para>
- Silly examples of escaped variables, just to show how they work.
- </para>
- <programlisting>
- DOLLAR DEFAULT=\$
- DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
- DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
- ATSIGN DEFAULT="" OVERRIDE=\@
- </programlisting>
- </refsect1>
-
- <refsect1 id="pam_env.conf-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id="pam_env.conf-author">
- <title>AUTHOR</title>
- <para>
- pam_env was written by Dave Kinchlea &lt;kinch@kinch.ark.com&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_env/tst-pam_env b/modules/pam_env/tst-pam_env
deleted file mode 100755
index c40e70a8..00000000
--- a/modules/pam_env/tst-pam_env
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_env.so
diff --git a/modules/pam_exec/.cvsignore b/modules/pam_exec/.cvsignore
deleted file mode 100644
index 47c8610e..00000000
--- a/modules/pam_exec/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_exec.8
diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am
deleted file mode 100644
index 55fe9297..00000000
--- a/modules/pam_exec/Makefile.am
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec
-
-man_MANS = pam_exec.8
-
-XMLS = README.xml pam_exec.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_exec.la
-pam_exec_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-
-noinst_DATA = README
-
-README: pam_exec.8.xml
-
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_exec
diff --git a/modules/pam_exec/README.xml b/modules/pam_exec/README.xml
deleted file mode 100644
index 5e76cab3..00000000
--- a/modules/pam_exec/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_exec.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_exec.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_exec-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
deleted file mode 100644
index f4dc1e15..00000000
--- a/modules/pam_exec/pam_exec.8.xml
+++ /dev/null
@@ -1,217 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_exec">
-
- <refmeta>
- <refentrytitle>pam_exec</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_exec-name">
- <refname>pam_exec</refname>
- <refpurpose>PAM module which calls an external command</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_exec-cmdsynopsis">
- <command>pam_exec.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- seteuid
- </arg>
- <arg choice="opt">
- quiet
- </arg>
- <arg choice="opt">
- log=<replaceable>file</replaceable>
- </arg>
- <arg choice="plain">
- <replaceable>command</replaceable>
- </arg>
- <arg choice="opt">
- <replaceable>...</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_exec-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_exec is a PAM module that can be used to run
- an external command.
- </para>
-
- <para>
- The child's environment is set to the current PAM environment list, as
- returned by
- <citerefentry>
- <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>
- In addition, the following PAM items are
- exported as environment variables: <emphasis>PAM_RHOST</emphasis>,
- <emphasis>PAM_RUSER</emphasis>, <emphasis>PAM_SERVICE</emphasis>,
- <emphasis>PAM_TTY</emphasis>, and <emphasis>PAM_USER</emphasis>.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_exec-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>log=<replaceable>file</replaceable></option>
- </term>
- <listitem>
- <para>
- The output of the command is appended to
- <filename>file</filename>
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>quiet</option>
- </term>
- <listitem>
- <para>
- Per default pam_exec.so will echo the exit status of the
- external command if it fails.
- Specifying this option will suppress the message.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>seteuid</option>
- </term>
- <listitem>
- <para>
- Per default pam_exec.so will execute the external command
- with the real user ID of the calling process.
- Specifying this option means the command is run
- with the effective user ID.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_exec-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The services <option>auth</option>, <option>account</option>,
- <option>password</option> and <option>session</option> are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_exec-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The external command runs successfull.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- No argument or a wrong number of arguments were given.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SYSTEM_ERR</term>
- <listitem>
- <para>
- A system error occured or the command to execute failed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- <function>pam_setcred</function> was called, which
- does not execute the command.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_exec-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/passwd</filename> to
- rebuild the NIS database after each local password change:
- <programlisting>
- passwd optional pam_exec.so seteuid make -C /var/yp
- </programlisting>
-
- This will execute the command
- <programlisting>make -C /var/yp</programlisting>
- with effective user ID.
- </para>
- </refsect1>
-
- <refsect1 id='pam_exec-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_exec-author'>
- <title>AUTHOR</title>
- <para>
- pam_exec was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
deleted file mode 100644
index 766c0a06..00000000
--- a/modules/pam_exec/pam_exec.c
+++ /dev/null
@@ -1,342 +0,0 @@
-/*
- * Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#if defined(HAVE_CONFIG_H)
-#include "config.h"
-#endif
-
-#include <time.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/wait.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-#define ENV_ITEM(n) { (n), #n }
-static struct {
- int item;
- const char *name;
-} env_items[] = {
- ENV_ITEM(PAM_SERVICE),
- ENV_ITEM(PAM_USER),
- ENV_ITEM(PAM_TTY),
- ENV_ITEM(PAM_RHOST),
- ENV_ITEM(PAM_RUSER),
-};
-
-static int
-call_exec (pam_handle_t *pamh, int argc, const char **argv)
-{
- int debug = 0;
- int call_setuid = 0;
- int quiet = 0;
- int optargc;
- const char *logfile = NULL;
- pid_t pid;
-
- if (argc < 1) {
- pam_syslog (pamh, LOG_ERR,
- "This module needs at least one argument");
- return PAM_SERVICE_ERR;
- }
-
- for (optargc = 0; optargc < argc; optargc++)
- {
- if (argv[optargc][0] == '/') /* paths starts with / */
- break;
-
- if (strcasecmp (argv[optargc], "debug") == 0)
- debug = 1;
- else if (strncasecmp (argv[optargc], "log=", 4) == 0)
- logfile = &argv[optargc][4];
- else if (strcasecmp (argv[optargc], "seteuid") == 0)
- call_setuid = 1;
- else if (strcasecmp (argv[optargc], "quiet") == 0)
- quiet = 1;
- else
- break; /* Unknown option, assume program to execute. */
- }
-
-
- if (optargc >= argc) {
- pam_syslog (pamh, LOG_ERR, "No path given as argument");
- return PAM_SERVICE_ERR;
- }
-
- pid = fork();
- if (pid == -1)
- return PAM_SYSTEM_ERR;
- if (pid > 0) /* parent */
- {
- int status = 0;
- pid_t retval;
- while ((retval = waitpid (pid, &status, 0)) == -1 &&
- errno == EINTR);
- if (retval == (pid_t)-1)
- {
- pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m");
- return PAM_SYSTEM_ERR;
- }
- else if (status != 0)
- {
- if (WIFEXITED(status))
- {
- pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d",
- argv[optargc], WEXITSTATUS(status));
- if (!quiet)
- pam_error (pamh, _("%s failed: exit code %d"),
- argv[optargc], WEXITSTATUS(status));
- }
- else if (WIFSIGNALED(status))
- {
- pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s",
- argv[optargc], WTERMSIG(status),
- WCOREDUMP(status) ? " (core dumped)" : "");
- if (!quiet)
- pam_error (pamh, _("%s failed: caught signal %d%s"),
- argv[optargc], WTERMSIG(status),
- WCOREDUMP(status) ? " (core dumped)" : "");
- }
- else
- {
- pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x",
- argv[optargc], status);
- if (!quiet)
- pam_error (pamh, _("%s failed: unknown status 0x%x"),
- argv[optargc], status);
- }
- return PAM_SYSTEM_ERR;
- }
- return PAM_SUCCESS;
- }
- else /* child */
- {
- char **arggv;
- int i;
-
- for (i = 0; i < sysconf (_SC_OPEN_MAX); i++)
- close (i);
-
- /* New stdin. */
- if ((i = open ("/dev/null", O_RDWR)) < 0)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m");
- exit (err);
- }
- /* New stdout and stderr. */
- if (logfile)
- {
- time_t tm = time (NULL);
- char *buffer = NULL;
-
- if ((i = open (logfile, O_CREAT|O_APPEND|O_WRONLY,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "open of %s failed: %m",
- logfile);
- exit (err);
- }
- if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0)
- {
- pam_modutil_write (i, buffer, strlen (buffer));
- free (buffer);
- }
- }
- else
- if (dup (i) == -1)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "dup failed: %m");
- exit (err);
- }
- if (dup (i) == -1)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "dup failed: %m");
- exit (err);
- }
-
- if (call_setuid)
- if (setuid (geteuid ()) == -1)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "setuid(%lu) failed: %m",
- (unsigned long) geteuid ());
- exit (err);
- }
-
- if (setsid () == -1)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "setsid failed: %m");
- exit (err);
- }
-
- arggv = calloc (argc + 4, sizeof (char *));
- if (arggv == NULL)
- exit (ENOMEM);
-
- for (i = 0; i < (argc - optargc); i++)
- arggv[i] = strdup(argv[i+optargc]);
- arggv[i] = NULL;
-
- char **envlist, **tmp;
- int envlen, nitems;
-
- /*
- * Set up the child's environment list. It consists of the PAM
- * environment, plus a few hand-picked PAM items.
- */
- envlist = pam_getenvlist(pamh);
- for (envlen = 0; envlist[envlen] != NULL; ++envlen)
- /* nothing */ ;
- nitems = sizeof(env_items) / sizeof(*env_items);
- tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
- if (tmp == NULL)
- {
- free(envlist);
- pam_syslog (pamh, LOG_ERR, "realloc environment failed : %m");
- exit (ENOMEM);
- }
- envlist = tmp;
- for (i = 0; i < nitems; ++i)
- {
- const void *item;
- char *envstr;
-
- if (pam_get_item(pamh, env_items[i].item, &item) != PAM_SUCCESS || item == NULL)
- continue;
- asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item);
- if (envstr == NULL)
- {
- free(envlist);
- pam_syslog (pamh, LOG_ERR, "prepare environment failed : %m");
- exit (ENOMEM);
- }
- envlist[envlen++] = envstr;
- envlist[envlen] = NULL;
- }
-
- if (debug)
- pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]);
-
- if (execve (arggv[0], arggv, envlist) == -1)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m",
- arggv[0]);
- free(envlist);
- exit (err);
- }
- free(envlist);
- exit (1); /* should never be reached. */
- }
- return PAM_SYSTEM_ERR; /* will never be reached. */
-}
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return call_exec (pamh, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-/* password updating functions */
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- if (flags & PAM_PRELIM_CHECK)
- return PAM_SUCCESS;
- return call_exec (pamh, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return call_exec (pamh, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return call_exec (pamh, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- return call_exec (pamh, argc, argv);
-}
-
-#ifdef PAM_STATIC
-struct pam_module _pam_exec_modstruct = {
- "pam_exec",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-#endif
diff --git a/modules/pam_exec/tst-pam_exec b/modules/pam_exec/tst-pam_exec
deleted file mode 100755
index a0b00393..00000000
--- a/modules/pam_exec/tst-pam_exec
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_exec.so
diff --git a/modules/pam_faildelay/.cvsignore b/modules/pam_faildelay/.cvsignore
deleted file mode 100644
index cc931c87..00000000
--- a/modules/pam_faildelay/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_faildelay.8
diff --git a/modules/pam_faildelay/Makefile.am b/modules/pam_faildelay/Makefile.am
deleted file mode 100644
index 2796018c..00000000
--- a/modules/pam_faildelay/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay
-
-man_MANS = pam_faildelay.8
-XMLS = README.xml pam_faildelay.8.xml
-
-TESTS = tst-pam_faildelay
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_faildelay.la
-pam_faildelay_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_faildelay.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_faildelay/README.xml b/modules/pam_faildelay/README.xml
deleted file mode 100644
index 64d4accc..00000000
--- a/modules/pam_faildelay/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.docbook.org/xml/4.4/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_faildelay.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_faildelay.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faildelay-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_faildelay/pam_faildelay.8.xml b/modules/pam_faildelay/pam_faildelay.8.xml
deleted file mode 100644
index d2dfd266..00000000
--- a/modules/pam_faildelay/pam_faildelay.8.xml
+++ /dev/null
@@ -1,136 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
- "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-
-<refentry id="pam_faildelay">
-
- <refmeta>
- <refentrytitle>pam_faildelay</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_faildelay-name">
- <refname>pam_faildelay</refname>
- <refpurpose>Change the delay on failure per-application</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_faildelay-cmdsynopsis">
- <command>pam_faildelay.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- delay=<replaceable>microseconds</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_faildelay-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_faildelay is a PAM module that can be used to set
- the delay on failure per-application.
- </para>
- <para>
- If no <option>delay</option> is given, pam_faildelay will
- use the value of FAIL_DELAY from <filename>/etc/login.defs</filename>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_faildelay-options">
-
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Turns on debugging messages sent to syslog.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>delay=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- Set the delay on failure to N microseconds.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_faildelay-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>auth</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_faildelay-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- Delay was successful adjusted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SYSTEM_ERR</term>
- <listitem>
- <para>
- The specified delay was not valid.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_faildelay-examples'>
- <title>EXAMPLES</title>
- <para>
- The following example will set the delay on failure to
- 10 seconds:
- <programlisting>
-auth optional pam_faildelay.so delay=10000000
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id='pam_faildelay-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_faildelay-author'>
- <title>AUTHOR</title>
- <para>
- pam_faildelay was written by Darren Tucker &lt;dtucker@zip.com.au&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_faildelay/pam_faildelay.c b/modules/pam_faildelay/pam_faildelay.c
deleted file mode 100644
index 072b7dd3..00000000
--- a/modules/pam_faildelay/pam_faildelay.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/* pam_faildelay module */
-
-/*
- * Allows an admin to set the delay on failure per-application.
- * Provides "auth" interface only.
- *
- * Use by putting something like this in the relevant pam config:
- * auth required pam_faildelay.so delay=[microseconds]
- *
- * eg:
- * auth required pam_faildelay.so delay=10000000
- * will set the delay on failure to 10 seconds.
- *
- * If no delay option was given, pam_faildelay.so will use the
- * FAIL_DELAY value of /etc/login.defs.
- *
- * Based on pam_rootok and parts of pam_unix both by Andrew Morgan
- * <morgan@linux.kernel.org>
- *
- * Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
- * - Rewrite to use extended PAM functions
- * - Add /etc/login.defs support
- *
- * Portions Copyright (c) 2005 Darren Tucker <dtucker at zip com au>.
- *
- * Redistribution and use in source and binary forms of, with
- * or without modification, are permitted provided that the following
- * conditions are met:
- *
- * 1. Redistributions of source code must retain any existing copyright
- * notice, and this entire permission notice in its entirety,
- * including the disclaimer of warranties.
- *
- * 2. Redistributions in binary form must reproduce all prior and current
- * copyright notices, this list of conditions, and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * 3. The name of any author may not be used to endorse or promote
- * products derived from this software without their specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of the
- * GNU General Public License, in which case the provisions of the GNU
- * GPL are required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential conflict between the GNU GPL and the
- * restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
- * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
- * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
- * DAMAGE.
- */
-
-#include "config.h"
-
-#include <errno.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <limits.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <string.h>
-#include <stdlib.h>
-
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/pam_ext.h>
-
-
-#define BUF_SIZE 8192
-#define LOGIN_DEFS "/etc/login.defs"
-
-static char *
-search_key (const char *filename)
-{
- FILE *fp;
- char *buf = NULL;
- size_t buflen = 0;
- char *retval = NULL;
-
- fp = fopen (filename, "r");
- if (NULL == fp)
- return NULL;
-
- while (!feof (fp))
- {
- char *tmp, *cp;
-#if defined(HAVE_GETLINE)
- ssize_t n = getline (&buf, &buflen, fp);
-#elif defined (HAVE_GETDELIM)
- ssize_t n = getdelim (&buf, &buflen, '\n', fp);
-#else
- ssize_t n;
-
- if (buf == NULL)
- {
- buflen = BUF_SIZE;
- buf = malloc (buflen);
- }
- buf[0] = '\0';
- if (fgets (buf, buflen - 1, fp) == NULL)
- break;
- else if (buf != NULL)
- n = strlen (buf);
- else
- n = 0;
-#endif /* HAVE_GETLINE / HAVE_GETDELIM */
- cp = buf;
-
- if (n < 1)
- break;
-
- tmp = strchr (cp, '#'); /* remove comments */
- if (tmp)
- *tmp = '\0';
- while (isspace ((int)*cp)) /* remove spaces and tabs */
- ++cp;
- if (*cp == '\0') /* ignore empty lines */
- continue;
-
- if (cp[strlen (cp) - 1] == '\n')
- cp[strlen (cp) - 1] = '\0';
-
- tmp = strsep (&cp, " \t=");
- if (cp != NULL)
- while (isspace ((int)*cp) || *cp == '=')
- ++cp;
-
- if (strcasecmp (tmp, "FAIL_DELAY") == 0)
- {
- retval = strdup (cp);
- break;
- }
- }
- fclose (fp);
-
- free (buf);
-
- return retval;
-}
-
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int i, debug_flag = 0;
- long int delay = -1;
-
- /* step through arguments */
- for (i = 0; i < argc; i++) {
- if (sscanf(argv[i], "delay=%ld", &delay) == 1) {
- /* sscanf did already everything necessary */
- } else if (strcmp (argv[i], "debug") == 0)
- debug_flag = 1;
- else
- pam_syslog (pamh, LOG_ERR, "unknown option; %s", argv[i]);
- }
-
- if (delay == -1)
- {
- char *endptr;
- char *val = search_key (LOGIN_DEFS);
- const char *val_orig = val;
-
- if (val == NULL)
- return PAM_IGNORE;
-
- errno = 0;
- delay = strtol (val, &endptr, 10) & 0777;
- if (((delay == 0) && (val_orig == endptr)) ||
- ((delay == LONG_MIN || delay == LONG_MAX) && (errno == ERANGE)))
- {
- pam_syslog (pamh, LOG_ERR, "FAIL_DELAY=%s in %s not valid",
- val, LOGIN_DEFS);
- free (val);
- return PAM_IGNORE;
- }
-
- free (val);
- /* delay is in seconds, convert to microseconds. */
- delay *= 1000000;
- }
-
- if (debug_flag)
- pam_syslog (pamh, LOG_DEBUG, "setting fail delay to %ld", delay);
-
- i = pam_fail_delay(pamh, delay);
- if (i == PAM_SUCCESS)
- return PAM_IGNORE;
- else
- return i;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_faildelay_modstruct = {
- "pam_faildelay",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/modules/pam_faildelay/tst-pam_faildelay b/modules/pam_faildelay/tst-pam_faildelay
deleted file mode 100755
index 87f7fd44..00000000
--- a/modules/pam_faildelay/tst-pam_faildelay
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_faildelay.so
diff --git a/modules/pam_filter/.cvsignore b/modules/pam_filter/.cvsignore
deleted file mode 100644
index dc6908c2..00000000
--- a/modules/pam_filter/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-security
-README
-pam_filter.8
diff --git a/modules/pam_filter/Makefile.am b/modules/pam_filter/Makefile.am
deleted file mode 100644
index ab2ceee9..00000000
--- a/modules/pam_filter/Makefile.am
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
-#
-
-SUBDIRS = upperLOWER
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_filter
-
-man_MANS = pam_filter.8
-XMLS = README.xml pam_filter.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-include_HEADERS=pam_filter.h
-pam_filter_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-securelib_LTLIBRARIES = pam_filter.la
-TESTS = tst-pam_filter
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_filter.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_filter/README.xml b/modules/pam_filter/README.xml
deleted file mode 100644
index b76cb743..00000000
--- a/modules/pam_filter/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_filter.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_filter.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_filter-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_filter/pam_filter.8.xml b/modules/pam_filter/pam_filter.8.xml
deleted file mode 100644
index d15d7e97..00000000
--- a/modules/pam_filter/pam_filter.8.xml
+++ /dev/null
@@ -1,261 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_filter">
-
- <refmeta>
- <refentrytitle>pam_filter</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_filter-name">
- <refname>pam_filter</refname>
- <refpurpose>PAM filter module</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_filter-cmdsynopsis">
- <command>pam_filter.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- new_term
- </arg>
- <arg choice="opt">
- non_term
- </arg>
- <arg choice="plain">
- run1|run2
- </arg>
- <arg choice="plain">
- <replaceable>filter</replaceable>
- </arg>
- <arg choice="opt">
- <replaceable>...</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_filter-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- This module is intended to be a platform for providing access to all
- of the input/output that passes between the user and the application.
- It is only suitable for tty-based and (stdin/stdout) applications.
- </para>
- <para>
- To function this module requires <emphasis>filters</emphasis> to be
- installed on the system.
- The single filter provided with the module simply transposes upper and
- lower case letters in the input and output streams. (This can be very
- annoying and is not kind to termcap based editors).
- </para>
- <para>
- Each component of the module has the potential to invoke the
- desired filter. The filter is always
- <citerefentry>
- <refentrytitle>execv</refentrytitle><manvolnum>2</manvolnum>
- </citerefentry> with the privilege of the calling application
- and <emphasis>not</emphasis> that of the user. For this reason it
- cannot usually be killed by the user without closing their session.
- </para>
- </refsect1>
-
- <refsect1 id="pam_filter-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>new_term</option>
- </term>
- <listitem>
- <para>
- The default action of the filter is to set the
- <emphasis>PAM_TTY</emphasis> item to indicate the
- terminal that the user is using to connect to the
- application. This argument indicates that the filter
- should set <emphasis>PAM_TTY</emphasis> to the filtered
- pseudo-terminal.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>non_term</option>
- </term>
- <listitem>
- <para>
- don't try to set the <emphasis>PAM_TTY</emphasis> item.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>runX</option>
- </term>
- <listitem>
- <para>
- In order that the module can invoke a filter it should
- know when to invoke it. This argument is required to tell
- the filter when to do this.
- </para>
- <para>
- Permitted values for <emphasis>X</emphasis> are
- <emphasis>1</emphasis> and <emphasis>2</emphasis>. These
- indicate the precise time that the filter is to be run.
- To understand this concept it will be useful to have read
- the <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> manual page.
- Basically, for each management group there are up to two ways
- of calling the module's functions.
- In the case of the <emphasis>authentication</emphasis> and
- <emphasis>session</emphasis> components there are actually
- two separate functions. For the case of authentication, these
- functions are
- <citerefentry>
- <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> and
- <citerefentry>
- <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>, here <option>run1</option> means run the
- filter from the <function>pam_authenticate</function> function
- and <option>run2</option> means run the filter from
- <function>pam_setcred</function>. In the case of the
- session modules, <emphasis>run1</emphasis> implies
- that the filter is invoked at the
- <citerefentry>
- <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> stage, and <emphasis>run2</emphasis> for
- <citerefentry>
- <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- </para>
- <para>
- For the case of the account component. Either
- <emphasis>run1</emphasis> or <emphasis>run2</emphasis>
- may be used.
- </para>
- <para>
- For the case of the password component, <emphasis>run1</emphasis>
- is used to indicate that the filter is run on the first
- occasion of
- <citerefentry>
- <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> (the <emphasis>PAM_PRELIM_CHECK</emphasis>
- phase) and <emphasis>run2</emphasis> is used to indicate
- that the filter is run on the second occasion (the
- <emphasis>PAM_UPDATE_AUTHTOK</emphasis> phase).
-
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>filter</option>
- </term>
- <listitem>
- <para>
- The full pathname of the filter to be run and any command line
- arguments that the filter might expect.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_filter-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The services <option>auth</option>, <option>account</option>,
- <option>password</option> and <option>session</option> are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_filter-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The new filter was set successfull.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Critical error, immediate abort.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_filter-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/login</filename> to
- see how to configure login to transpose upper and lower case letters
- once the user has logged in:
-
- <programlisting>
- session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id='pam_filter-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_filter-author'>
- <title>AUTHOR</title>
- <para>
- pam_filter was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
deleted file mode 100644
index 86bc172b..00000000
--- a/modules/pam_filter/pam_filter.c
+++ /dev/null
@@ -1,744 +0,0 @@
-/*
- * $Id$
- *
- * written by Andrew Morgan <morgan@transmeta.com> with much help from
- * Richard Stevens' UNIX Network Programming book.
- */
-
-#include "config.h"
-
-#include <stdlib.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <string.h>
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <termios.h>
-
-#include <signal.h>
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/pam_modules.h>
-#include <security/pam_ext.h>
-#include "pam_filter.h"
-
-/* ------ some tokens used for convenience throughout this file ------- */
-
-#define FILTER_DEBUG 01
-#define FILTER_RUN1 02
-#define FILTER_RUN2 04
-#define NEW_TERM 010
-#define NON_TERM 020
-
-/* -------------------------------------------------------------------- */
-
-/* log errors */
-
-#include <stdarg.h>
-
-#define TERMINAL_LEN 12
-
-static int
-master (const pam_handle_t *pamh, char *terminal)
-/*
- * try to open all of the terminals in sequence return first free one,
- * or -1
- */
-{
- const char ptys[] = "pqrs", *pty = ptys;
- const char hexs[] = "0123456789abcdef", *hex;
- struct stat tstat;
- int fd;
-
- strcpy(terminal, "/dev/pty??");
-
- while (*pty) { /* step through four types */
- terminal[8] = *pty++;
- terminal[9] = '0';
- if (stat(terminal,&tstat) < 0) {
- pam_syslog(pamh, LOG_WARNING,
- "unknown pseudo terminal: %s", terminal);
- break;
- }
- for (hex = hexs; *hex; ) { /* step through 16 of these */
- terminal[9] = *hex++;
- if ((fd = open(terminal, O_RDWR)) >= 0) {
- return fd;
- }
- }
- }
-
- /* no terminal found */
-
- return -1;
-}
-
-static int process_args(pam_handle_t *pamh
- , int argc, const char **argv, const char *type
- , char ***evp, const char **filtername)
-{
- int ctrl=0;
-
- while (argc-- > 0) {
- if (strcmp("debug",*argv) == 0) {
- ctrl |= FILTER_DEBUG;
- } else if (strcmp("new_term",*argv) == 0) {
- ctrl |= NEW_TERM;
- } else if (strcmp("non_term",*argv) == 0) {
- ctrl |= NON_TERM;
- } else if (strcmp("run1",*argv) == 0) {
- ctrl |= FILTER_RUN1;
- if (argc <= 0) {
- pam_syslog(pamh, LOG_ALERT, "no run filter supplied");
- } else
- break;
- } else if (strcmp("run2",*argv) == 0) {
- ctrl |= FILTER_RUN2;
- if (argc <= 0) {
- pam_syslog(pamh, LOG_ALERT, "no run filter supplied");
- } else
- break;
- } else {
- pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", *argv);
- }
- ++argv; /* step along list */
- }
-
- if (argc < 0) {
- /* there was no reference to a filter */
- *filtername = NULL;
- *evp = NULL;
- } else {
- char **levp;
- const char *user = NULL;
- const void *tmp;
- int i,size, retval;
-
- *filtername = *++argv;
- if (ctrl & FILTER_DEBUG) {
- pam_syslog(pamh, LOG_DEBUG, "will run filter %s", *filtername);
- }
-
- levp = (char **) malloc(5*sizeof(char *));
- if (levp == NULL) {
- pam_syslog(pamh, LOG_CRIT, "no memory for environment of filter");
- return -1;
- }
-
- for (size=i=0; i<argc; ++i) {
- size += strlen(argv[i])+1;
- }
-
- /* the "ARGS" variable */
-
-#define ARGS_OFFSET 5 /* strlen('ARGS='); */
-#define ARGS_NAME "ARGS="
-
- size += ARGS_OFFSET;
-
- levp[0] = (char *) malloc(size);
- if (levp[0] == NULL) {
- pam_syslog(pamh, LOG_CRIT, "no memory for filter arguments");
- if (levp) {
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[0],ARGS_NAME,ARGS_OFFSET);
- for (i=0,size=ARGS_OFFSET; i<argc; ++i) {
- strcpy(levp[0]+size, argv[i]);
- size += strlen(argv[i]);
- levp[0][size++] = ' ';
- }
- levp[0][--size] = '\0'; /* <NUL> terminate */
-
- /* the "SERVICE" variable */
-
-#define SERVICE_OFFSET 8 /* strlen('SERVICE='); */
-#define SERVICE_NAME "SERVICE="
-
- retval = pam_get_item(pamh, PAM_SERVICE, &tmp);
- if (retval != PAM_SUCCESS || tmp == NULL) {
- pam_syslog(pamh, LOG_CRIT, "service name not found");
- if (levp) {
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
- size = SERVICE_OFFSET+strlen(tmp);
-
- levp[1] = (char *) malloc(size+1);
- if (levp[1] == NULL) {
- pam_syslog(pamh, LOG_CRIT, "no memory for service name");
- if (levp) {
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[1],SERVICE_NAME,SERVICE_OFFSET);
- strcpy(levp[1]+SERVICE_OFFSET, tmp);
- levp[1][size] = '\0'; /* <NUL> terminate */
-
- /* the "USER" variable */
-
-#define USER_OFFSET 5 /* strlen('USER='); */
-#define USER_NAME "USER="
-
- pam_get_user(pamh, &user, NULL);
- if (user == NULL) {
- user = "<unknown>";
- }
- size = USER_OFFSET+strlen(user);
-
- levp[2] = (char *) malloc(size+1);
- if (levp[2] == NULL) {
- pam_syslog(pamh, LOG_CRIT, "no memory for user's name");
- if (levp) {
- free(levp[1]);
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[2],USER_NAME,USER_OFFSET);
- strcpy(levp[2]+USER_OFFSET, user);
- levp[2][size] = '\0'; /* <NUL> terminate */
-
- /* the "USER" variable */
-
-#define TYPE_OFFSET 5 /* strlen('TYPE='); */
-#define TYPE_NAME "TYPE="
-
- size = TYPE_OFFSET+strlen(type);
-
- levp[3] = (char *) malloc(size+1);
- if (levp[3] == NULL) {
- pam_syslog(pamh, LOG_CRIT, "no memory for type");
- if (levp) {
- free(levp[2]);
- free(levp[1]);
- free(levp[0]);
- free(levp);
- }
- return -1;
- }
-
- strncpy(levp[3],TYPE_NAME,TYPE_OFFSET);
- strcpy(levp[3]+TYPE_OFFSET, type);
- levp[3][size] = '\0'; /* <NUL> terminate */
-
- levp[4] = NULL; /* end list */
-
- *evp = levp;
- }
-
- if ((ctrl & FILTER_DEBUG) && *filtername) {
- char **e;
-
- pam_syslog(pamh, LOG_DEBUG, "filter[%s]: %s", type, *filtername);
- pam_syslog(pamh, LOG_DEBUG, "environment:");
- for (e=*evp; e && *e; ++e) {
- pam_syslog(pamh, LOG_DEBUG, " %s", *e);
- }
- }
-
- return ctrl;
-}
-
-static void free_evp(char *evp[])
-{
- int i;
-
- if (evp)
- for (i=0; i<4; ++i) {
- if (evp[i])
- free(evp[i]);
- }
- free(evp);
-}
-
-static int
-set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
- const char **evp, const char *filtername)
-{
- int status=-1;
- char terminal[TERMINAL_LEN];
- struct termios stored_mode; /* initial terminal mode settings */
- int fd[2], child=0, child2=0, aterminal;
-
- if (filtername == NULL || *filtername != '/') {
- pam_syslog(pamh, LOG_ALERT,
- "filtername not permitted; full pathname required");
- return PAM_ABORT;
- }
-
- if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO)) {
- aterminal = 0;
- } else {
- aterminal = 1;
- }
-
- if (aterminal) {
-
- /* open the master pseudo terminal */
-
- fd[0] = master(pamh,terminal);
- if (fd[0] < 0) {
- pam_syslog(pamh, LOG_CRIT, "no master terminal");
- return PAM_AUTH_ERR;
- }
-
- /* set terminal into raw mode.. remember old mode so that we can
- revert to it after the child has quit. */
-
- /* this is termios terminal handling... */
-
- if ( tcgetattr(STDIN_FILENO, &stored_mode) < 0 ) {
- pam_syslog(pamh, LOG_CRIT, "couldn't copy terminal mode: %m");
- /* in trouble, so close down */
- close(fd[0]);
- return PAM_ABORT;
- } else {
- struct termios t_mode = stored_mode;
-
- t_mode.c_iflag = 0; /* no input control */
- t_mode.c_oflag &= ~OPOST; /* no ouput post processing */
-
- /* no signals, canonical input, echoing, upper/lower output */
-#ifdef XCASE
- t_mode.c_lflag &= ~(XCASE);
-#endif
- t_mode.c_lflag &= ~(ISIG|ICANON|ECHO);
- t_mode.c_cflag &= ~(CSIZE|PARENB); /* no parity */
- t_mode.c_cflag |= CS8; /* 8 bit chars */
-
- t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */
- t_mode.c_cc[VTIME] = 0; /* 0/10th second for chars */
-
- if ( tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_mode) < 0 ) {
- pam_syslog(pamh, LOG_WARNING,
- "couldn't put terminal in RAW mode: %m");
- close(fd[0]);
- return PAM_ABORT;
- }
-
- /*
- * NOTE: Unlike the stream socket case here the child
- * opens the slave terminal as fd[1] *after* the fork...
- */
- }
- } else {
-
- /*
- * not a terminal line so just open a stream socket fd[0-1]
- * both set...
- */
-
- if ( socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0 ) {
- pam_syslog(pamh, LOG_CRIT, "couldn't open a stream pipe: %m");
- return PAM_ABORT;
- }
- }
-
- /* start child process */
-
- if ( (child = fork()) < 0 ) {
-
- pam_syslog(pamh, LOG_WARNING, "first fork failed: %m");
- if (aterminal) {
- (void) tcsetattr(STDIN_FILENO, TCSAFLUSH, &stored_mode);
- }
-
- return PAM_AUTH_ERR;
- }
-
- if ( child == 0 ) { /* child process *is* application */
-
- if (aterminal) {
-
- /* close the controlling tty */
-
-#if defined(__hpux) && defined(O_NOCTTY)
- int t = open("/dev/tty", O_RDWR|O_NOCTTY);
-#else
- int t = open("/dev/tty",O_RDWR);
- if (t > 0) {
- (void) ioctl(t, TIOCNOTTY, NULL);
- close(t);
- }
-#endif /* defined(__hpux) && defined(O_NOCTTY) */
-
- /* make this process it's own process leader */
- if (setsid() == -1) {
- pam_syslog(pamh, LOG_WARNING,
- "child cannot become new session: %m");
- return PAM_ABORT;
- }
-
- /* find slave's name */
- terminal[5] = 't'; /* want to open slave terminal */
- fd[1] = open(terminal, O_RDWR);
- close(fd[0]); /* process is the child -- uses line fd[1] */
-
- if (fd[1] < 0) {
- pam_syslog(pamh, LOG_WARNING,
- "cannot open slave terminal: %s: %m", terminal);
- return PAM_ABORT;
- }
-
- /* initialize the child's terminal to be the way the
- parent's was before we set it into RAW mode */
-
- if ( tcsetattr(fd[1], TCSANOW, &stored_mode) < 0 ) {
- pam_syslog(pamh, LOG_WARNING,
- "cannot set slave terminal mode: %s: %m", terminal);
- close(fd[1]);
- return PAM_ABORT;
- }
-
- } else {
-
- /* nothing to do for a simple stream socket */
-
- }
-
- /* re-assign the stdin/out to fd[1] <- (talks to filter). */
-
- if ( dup2(fd[1],STDIN_FILENO) != STDIN_FILENO ||
- dup2(fd[1],STDOUT_FILENO) != STDOUT_FILENO ||
- dup2(fd[1],STDERR_FILENO) != STDERR_FILENO ) {
- pam_syslog(pamh, LOG_WARNING,
- "unable to re-assign STDIN/OUT/ERR: %m");
- close(fd[1]);
- return PAM_ABORT;
- }
-
- /* make sure that file descriptors survive 'exec's */
-
- if ( fcntl(STDIN_FILENO, F_SETFD, 0) ||
- fcntl(STDOUT_FILENO,F_SETFD, 0) ||
- fcntl(STDERR_FILENO,F_SETFD, 0) ) {
- pam_syslog(pamh, LOG_WARNING,
- "unable to re-assign STDIN/OUT/ERR: %m");
- return PAM_ABORT;
- }
-
- /* now the user input is read from the parent/filter: forget fd */
-
- close(fd[1]);
-
- /* the current process is now aparently working with filtered
- stdio/stdout/stderr --- success! */
-
- return PAM_SUCCESS;
- }
-
- /*
- * process is the parent here. So we can close the application's
- * input/output
- */
-
- close(fd[1]);
-
- /* Clear out passwords... there is a security problem here in
- * that this process never executes pam_end. Consequently, any
- * other sensitive data in this process is *not* explicitly
- * overwritten, before the process terminates */
-
- (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
- (void) pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
-
- /* fork a copy of process to run the actual filter executable */
-
- if ( (child2 = fork()) < 0 ) {
-
- pam_syslog(pamh, LOG_WARNING, "filter fork failed: %m");
- child2 = 0;
-
- } else if ( child2 == 0 ) { /* exec the child filter */
-
- if ( dup2(fd[0],APPIN_FILENO) != APPIN_FILENO ||
- dup2(fd[0],APPOUT_FILENO) != APPOUT_FILENO ||
- dup2(fd[0],APPERR_FILENO) != APPERR_FILENO ) {
- pam_syslog(pamh, LOG_WARNING,
- "unable to re-assign APPIN/OUT/ERR: %m");
- close(fd[0]);
- exit(1);
- }
-
- /* make sure that file descriptors survive 'exec's */
-
- if ( fcntl(APPIN_FILENO, F_SETFD, 0) == -1 ||
- fcntl(APPOUT_FILENO,F_SETFD, 0) == -1 ||
- fcntl(APPERR_FILENO,F_SETFD, 0) == -1 ) {
- pam_syslog(pamh, LOG_WARNING,
- "unable to retain APPIN/OUT/ERR: %m");
- close(APPIN_FILENO);
- close(APPOUT_FILENO);
- close(APPERR_FILENO);
- exit(1);
- }
-
- /* now the user input is read from the parent through filter */
-
- execle(filtername, "<pam_filter>", NULL, evp);
-
- /* getting to here is an error */
-
- pam_syslog(pamh, LOG_ALERT, "filter: %s: %m", filtername);
-
- } else { /* wait for either of the two children to exit */
-
- while (child && child2) { /* loop if there are two children */
- int lstatus=0;
- int chid;
-
- chid = wait(&lstatus);
- if (chid == child) {
-
- if (WIFEXITED(lstatus)) { /* exited ? */
- status = WEXITSTATUS(lstatus);
- } else if (WIFSIGNALED(lstatus)) { /* killed ? */
- status = -1;
- } else
- continue; /* just stopped etc.. */
- child = 0; /* the child has exited */
-
- } else if (chid == child2) {
- /*
- * if the filter has exited. Let the child die
- * naturally below
- */
- if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus))
- child2 = 0;
- } else {
-
- pam_syslog(pamh, LOG_ALERT,
- "programming error <chid=%d,lstatus=%x> "
- "in file %s at line %d",
- chid, lstatus, __FILE__, __LINE__);
- child = child2 = 0;
- status = -1;
-
- }
- }
- }
-
- close(fd[0]);
-
- /* if there is something running, wait for it to exit */
-
- while (child || child2) {
- int lstatus=0;
- int chid;
-
- chid = wait(&lstatus);
-
- if (child && chid == child) {
-
- if (WIFEXITED(lstatus)) { /* exited ? */
- status = WEXITSTATUS(lstatus);
- } else if (WIFSIGNALED(lstatus)) { /* killed ? */
- status = -1;
- } else
- continue; /* just stopped etc.. */
- child = 0; /* the child has exited */
-
- } else if (child2 && chid == child2) {
-
- if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus))
- child2 = 0;
-
- } else {
-
- pam_syslog(pamh, LOG_ALERT,
- "programming error <chid=%d,lstatus=%x> "
- "in file %s at line %d",
- chid, lstatus, __FILE__, __LINE__);
- child = child2 = 0;
- status = -1;
-
- }
- }
-
- if (aterminal) {
- /* reset to initial terminal mode */
- (void) tcsetattr(STDIN_FILENO, TCSANOW, &stored_mode);
- }
-
- if (ctrl & FILTER_DEBUG) {
- pam_syslog(pamh, LOG_DEBUG, "parent process exited"); /* clock off */
- }
-
- /* quit the parent process, returning the child's exit status */
-
- exit(status);
- return status; /* never reached, to make gcc happy */
-}
-
-static int set_the_terminal(pam_handle_t *pamh)
-{
- const void *tty;
-
- if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS
- || tty == NULL) {
- tty = ttyname(STDIN_FILENO);
- if (tty == NULL) {
- pam_syslog(pamh, LOG_ERR, "couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "couldn't set tty name");
- return PAM_ABORT;
- }
- }
- return PAM_SUCCESS;
-}
-
-static int need_a_filter(pam_handle_t *pamh
- , int flags, int argc, const char **argv
- , const char *name, int which_run)
-{
- int ctrl;
- char **evp;
- const char *filterfile;
- int retval;
-
- ctrl = process_args(pamh, argc, argv, name, &evp, &filterfile);
- if (ctrl == -1) {
- return PAM_AUTHINFO_UNAVAIL;
- }
-
- /* set the tty to the old or the new one? */
-
- if (!(ctrl & NON_TERM) && !(ctrl & NEW_TERM)) {
- retval = set_the_terminal(pamh);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "tried and failed to set PAM_TTY");
- }
- } else {
- retval = PAM_SUCCESS; /* nothing to do which is always a success */
- }
-
- if (retval == PAM_SUCCESS && (ctrl & which_run)) {
- retval = set_filter(pamh, flags, ctrl
- , (const char **)evp, filterfile);
- }
-
- if (retval == PAM_SUCCESS
- && !(ctrl & NON_TERM) && (ctrl & NEW_TERM)) {
- retval = set_the_terminal(pamh);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR,
- "tried and failed to set new terminal as PAM_TTY");
- }
- }
-
- free_evp(evp);
-
- if (ctrl & FILTER_DEBUG) {
- pam_syslog(pamh, LOG_DEBUG, "filter/%s, returning %d", name, retval);
- pam_syslog(pamh, LOG_DEBUG, "[%s]", pam_strerror(pamh, retval));
- }
-
- return retval;
-}
-
-/* ----------------- public functions ---------------- */
-
-/*
- * here are the advertised access points ...
- */
-
-/* ------------------ authentication ----------------- */
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh
- , int flags, int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "authenticate", FILTER_RUN1);
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv, "setcred", FILTER_RUN2);
-}
-
-/* --------------- account management ---------------- */
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "setcred", FILTER_RUN1|FILTER_RUN2 );
-}
-
-/* --------------- session management ---------------- */
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "open_session", FILTER_RUN1);
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- return need_a_filter(pamh, flags, argc, argv
- , "close_session", FILTER_RUN2);
-}
-
-/* --------- updating authentication tokens --------- */
-
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- int runN;
-
- if (flags & PAM_PRELIM_CHECK)
- runN = FILTER_RUN1;
- else if (flags & PAM_UPDATE_AUTHTOK)
- runN = FILTER_RUN2;
- else {
- pam_syslog(pamh, LOG_ERR, "unknown flags for chauthtok (0x%X)", flags);
- return PAM_TRY_AGAIN;
- }
-
- return need_a_filter(pamh, flags, argc, argv, "chauthtok", runN);
-}
-
-#ifdef PAM_STATIC
-
-/* ------------ stuff for static modules ------------ */
-
-struct pam_module _pam_filter_modstruct = {
- "pam_filter",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif
diff --git a/modules/pam_filter/pam_filter.h b/modules/pam_filter/pam_filter.h
deleted file mode 100644
index 630198ee..00000000
--- a/modules/pam_filter/pam_filter.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * $Id$
- *
- * this file is associated with the Linux-PAM filter module.
- * it was written by Andrew G. Morgan <morgan@linux.kernel.org>
- *
- */
-
-#ifndef PAM_FILTER_H
-#define PAM_FILTER_H
-
-#include <sys/file.h>
-
-/*
- * this will fail if there is some problem with these file descriptors
- * being allocated by the pam_filter Linux-PAM module. The numbers
- * here are thought safe, but the filter developer should use the
- * macros, as these numbers are subject to change.
- *
- * The APPXXX_FILENO file descriptors are the STDIN/OUT/ERR_FILENO of the
- * application. The filter uses the STDIN/OUT/ERR_FILENO's to converse
- * with the user, passes (modified) user input to the application via
- * APPIN_FILENO, and receives application output from APPOUT_FILENO/ERR.
- */
-
-#define APPIN_FILENO 3 /* write here to give application input */
-#define APPOUT_FILENO 4 /* read here to get application output */
-#define APPERR_FILENO 5 /* read here to get application errors */
-
-#define APPTOP_FILE 6 /* used by select */
-
-#endif
diff --git a/modules/pam_filter/tst-pam_filter b/modules/pam_filter/tst-pam_filter
deleted file mode 100755
index 56a5d083..00000000
--- a/modules/pam_filter/tst-pam_filter
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_filter.so
diff --git a/modules/pam_filter/upperLOWER/.cvsignore b/modules/pam_filter/upperLOWER/.cvsignore
deleted file mode 100644
index ceceb1b9..00000000
--- a/modules/pam_filter/upperLOWER/.cvsignore
+++ /dev/null
@@ -1,5 +0,0 @@
-.deps
-.libs
-upperLOWER
-Makefile
-Makefile.in
diff --git a/modules/pam_filter/upperLOWER/Makefile.am b/modules/pam_filter/upperLOWER/Makefile.am
deleted file mode 100644
index 93d24ff5..00000000
--- a/modules/pam_filter/upperLOWER/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-securelibfilterdir = $(SECUREDIR)/pam_filter
-
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -I$(srcdir)/.. @PIE_CFLAGS@
-AM_LDFLAGS = @PIE_LDFLAGS@
-LDADD = -L$(top_builddir)/libpam -lpam
-
-securelibfilter_PROGRAMS = upperLOWER
diff --git a/modules/pam_filter/upperLOWER/upperLOWER.c b/modules/pam_filter/upperLOWER/upperLOWER.c
deleted file mode 100644
index 0ede4a0d..00000000
--- a/modules/pam_filter/upperLOWER/upperLOWER.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * This is a sample filter program, for use with pam_filter (a module
- * provided with Linux-PAM). This filter simply transposes upper and
- * lower case letters, it is intended for demonstration purposes and
- * it serves no purpose other than to annoy the user...
- */
-
-#include "config.h"
-
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "pam_filter.h"
-#include <security/pam_modutil.h>
-
-/* ---------------------------------------------------------------- */
-
-static void do_transpose(char *buffer,int len)
-{
- int i;
- for (i=0; i<len; ++i) {
- if (islower(buffer[i])) {
- buffer[i] = toupper(buffer[i]);
- } else {
- buffer[i] = tolower(buffer[i]);
- }
- }
-}
-
-extern char **environ;
-
-int main(int argc, char **argv UNUSED)
-{
- char buffer[BUFSIZ];
- fd_set readers;
- void (*before_user)(char *,int);
- void (*before_app)(char *,int);
-
- openlog("upperLOWER", LOG_CONS|LOG_PID, LOG_AUTHPRIV);
-
-#ifdef DEBUG
- {
- int i;
-
- fprintf(stderr,"environment :[\r\n");
- for (i=0; environ[i]; ++i) {
- fprintf(stderr,"-> %s\r\n",environ[i]);
- }
- fprintf(stderr,"]: end\r\n");
- }
-#endif
-
- if (argc != 1) {
-#ifdef DEBUG
- fprintf(stderr,"filter invoked as conventional executable\n");
-#else
- syslog(LOG_ERR, "filter invoked as conventional executable");
-#endif
- exit(1);
- }
-
- before_user = before_app = do_transpose; /* assign filter functions */
-
- /* enter a loop that deals with the input and output of the
- user.. passing it to and from the application */
-
- FD_ZERO(&readers); /* initialize reading mask */
-
- for (;;) {
-
- FD_SET(APPOUT_FILENO, &readers); /* wake for output */
- FD_SET(APPERR_FILENO, &readers); /* wake for error */
- FD_SET(STDIN_FILENO, &readers); /* wake for input */
-
- if ( select(APPTOP_FILE,&readers,NULL,NULL,NULL) < 0 ) {
-#ifdef DEBUG
- fprintf(stderr,"select failed\n");
-#else
- syslog(LOG_WARNING,"select failed");
-#endif
- break;
- }
-
- /* application errors */
-
- if ( FD_ISSET(APPERR_FILENO,&readers) ) {
- int got = pam_modutil_read(APPERR_FILENO, buffer, BUFSIZ);
- if (got <= 0) {
- break;
- } else {
- /* translate to give to real terminal */
- if (before_user != NULL)
- before_user(buffer, got);
- if (pam_modutil_write(STDERR_FILENO, buffer, got) != got ) {
- syslog(LOG_WARNING,"couldn't write %d bytes?!",got);
- break;
- }
- }
- } else if ( FD_ISSET(APPOUT_FILENO,&readers) ) { /* app output */
- int got = pam_modutil_read(APPOUT_FILENO, buffer, BUFSIZ);
- if (got <= 0) {
- break;
- } else {
- /* translate to give to real terminal */
- if (before_user != NULL)
- before_user(buffer, got);
- if (pam_modutil_write(STDOUT_FILENO, buffer, got) != got ) {
- syslog(LOG_WARNING,"couldn't write %d bytes!?",got);
- break;
- }
- }
- }
-
- if ( FD_ISSET(STDIN_FILENO, &readers) ) { /* user input */
- int got = pam_modutil_read(STDIN_FILENO, buffer, BUFSIZ);
- if (got < 0) {
- syslog(LOG_WARNING,"user input junked");
- break;
- } else if (got) {
- /* translate to give to application */
- if (before_app != NULL)
- before_app(buffer, got);
- if (pam_modutil_write(APPIN_FILENO, buffer, got) != got ) {
- syslog(LOG_WARNING,"couldn't pass %d bytes!?",got);
- break;
- }
- } else {
- /* nothing received -- an error? */
- syslog(LOG_WARNING,"user input null?");
- break;
- }
- }
- }
-
- exit(0);
-}
diff --git a/modules/pam_ftp/.cvsignore b/modules/pam_ftp/.cvsignore
deleted file mode 100644
index 02e0ab6b..00000000
--- a/modules/pam_ftp/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_ftp.8
diff --git a/modules/pam_ftp/Makefile.am b/modules/pam_ftp/Makefile.am
deleted file mode 100644
index a4ce03df..00000000
--- a/modules/pam_ftp/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_ftp
-
-man_MANS = pam_ftp.8
-XMLS = README.xml pam_ftp.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_ftp.la
-pam_ftp_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-TESTS = tst-pam_ftp
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_ftp.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_ftp/README.xml b/modules/pam_ftp/README.xml
deleted file mode 100644
index 65de28e3..00000000
--- a/modules/pam_ftp/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_ftp.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_ftp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_ftp-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_ftp/pam_ftp.8.xml b/modules/pam_ftp/pam_ftp.8.xml
deleted file mode 100644
index aca21694..00000000
--- a/modules/pam_ftp/pam_ftp.8.xml
+++ /dev/null
@@ -1,183 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_ftp">
-
- <refmeta>
- <refentrytitle>pam_ftp</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_ftp-name">
- <refname>pam_ftp</refname>
- <refpurpose>PAM module for anonymous access module</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_ftp-cmdsynopsis">
- <command>pam_ftp.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- ignore
- </arg>
- <arg choice="opt" rep='repeat'>
- users=<replaceable>XXX,YYY,</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_ftp-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_ftp is a PAM module which provides a pluggable
- anonymous ftp mode of access.
- </para>
- <para>
- This module intercepts the user's name and password. If the name is
- <emphasis>ftp</emphasis> or <emphasis>anonymous</emphasis>, the
- user's password is broken up at the <emphasis>@</emphasis> delimiter
- into a <emphasis>PAM_RUSER</emphasis> and a
- <emphasis>PAM_RHOST</emphasis> part; these pam-items being set
- accordingly. The username (<emphasis>PAM_USER</emphasis>) is set
- to <emphasis>ftp</emphasis>. In this case the module succeeds.
- Alternatively, the module sets the <emphasis>PAM_AUTHTOK</emphasis>
- item with the entered password and fails.
- </para>
- <para>
- This module is not safe and easily spoofable.
- </para>
- </refsect1>
-
- <refsect1 id="pam_ftp-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>ignore</option>
- </term>
- <listitem>
- <para>
- Pay no attention to the email address of the user
- (if supplied).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>ftp=<replaceable>XXX,YYY,...</replaceable></option>
- </term>
- <listitem>
- <para>
- Instead of <emphasis>ftp</emphasis> or
- <emphasis>anonymous</emphasis>, provide anonymous login
- to the comma separated list of users:
- <option><replaceable>XXX,YYY,...</replaceable></option>.
- Should the applicant enter
- one of these usernames the returned username is set to
- the first in the list: <emphasis>XXX</emphasis>.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_ftp-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>auth</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_ftp-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The authentication was successfull.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_ftp-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/ftpd</filename> to
- handle ftp style anonymous login:
- <programlisting>
-#
-# ftpd; add ftp-specifics. These lines enable anonymous ftp over
-# standard UN*X access (the listfile entry blocks access to
-# users listed in /etc/ftpusers)
-#
-auth sufficient pam_ftp.so
-auth required pam_unix.so use_first_pass
-auth required pam_listfile.so \
- onerr=succeed item=user sense=deny file=/etc/ftpusers
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id='pam_ftp-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_ftp-author'>
- <title>AUTHOR</title>
- <para>
- pam_ftp was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c
deleted file mode 100644
index 11cdf590..00000000
--- a/modules/pam_ftp/pam_ftp.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/* pam_ftp module */
-
-/*
- * $Id$
- *
- * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11
- *
- */
-
-#define PLEASE_ENTER_PASSWORD "Password required for %s."
-#define GUEST_LOGIN_PROMPT "Guest login ok, " \
-"send your complete e-mail address as password."
-
-/* the following is a password that "can't be correct" */
-#define BLOCK_PASSWORD "\177BAD PASSWPRD\177"
-
-#include "config.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <string.h>
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_ext.h>
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 01
-#define PAM_IGNORE_EMAIL 02
-#define PAM_NO_ANON 04
-
-static int
-_pam_parse(pam_handle_t *pamh, int argc, const char **argv, const char **users)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strncmp(*argv,"users=",6)) {
- *users = 6 + *argv;
- } else if (!strcmp(*argv,"ignore")) {
- ctrl |= PAM_IGNORE_EMAIL;
- } else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
- }
-
- return ctrl;
-}
-
-/*
- * check if name is in list or default list. place users name in *_user
- * return 1 if listed 0 if not.
- */
-
-static int lookup(const char *name, const char *list, const char **_user)
-{
- int anon = 0;
-
- *_user = name; /* this is the default */
- if (list && *list) {
- const char *l;
- char *list_copy, *x;
- char *sptr;
-
- list_copy = x_strdup(list);
- x = list_copy;
- while (list_copy && (l = strtok_r(x, ",", &sptr))) {
- x = NULL;
- if (!strcmp(name, l)) {
- *_user = list;
- anon = 1;
- }
- }
- _pam_overwrite(list_copy);
- _pam_drop(list_copy);
- } else {
-#define MAX_L 2
- static const char *l[MAX_L] = { "ftp", "anonymous" };
- int i;
-
- for (i=0; i<MAX_L; ++i) {
- if (!strcmp(l[i], name)) {
- *_user = l[0];
- anon = 1;
- break;
- }
- }
- }
-
- return anon;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval, anon=0, ctrl;
- const char *user;
- const char *users = NULL;
-
- /*
- * this module checks if the user name is ftp or annonymous. If
- * this is the case, it can set the PAM_RUSER to the entered email
- * address and SUCCEEDS, otherwise it FAILS.
- */
-
- ctrl = _pam_parse(pamh, argc, argv, &users);
-
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS || user == NULL) {
- pam_syslog(pamh, LOG_ERR, "no user specified");
- return PAM_USER_UNKNOWN;
- }
-
- if (!(ctrl & PAM_NO_ANON)) {
- anon = lookup(user, users, &user);
- }
-
- if (anon) {
- retval = pam_set_item(pamh, PAM_USER, (const void *)user);
- if (retval != PAM_SUCCESS || user == NULL) {
- pam_syslog(pamh, LOG_ERR, "user resetting failed");
- return PAM_USER_UNKNOWN;
- }
- }
-
- /*
- * OK. we require an email address for user or the user's password.
- * - build conversation and get their input.
- */
-
- {
- char *resp = NULL;
- const char *token;
-
- if (!anon)
- retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
- PLEASE_ENTER_PASSWORD, user);
- else
- retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
- GUEST_LOGIN_PROMPT);
-
- if (retval != PAM_SUCCESS) {
- _pam_drop (resp);
- return ((retval == PAM_CONV_AGAIN)
- ? PAM_INCOMPLETE:PAM_AUTHINFO_UNAVAIL);
- }
-
- if (anon) {
- /* XXX: Some effort should be made to verify this email address! */
-
- if (!(ctrl & PAM_IGNORE_EMAIL)) {
- char *sptr;
- token = strtok_r(resp, "@", &sptr);
- retval = pam_set_item(pamh, PAM_RUSER, token);
-
- if ((token) && (retval == PAM_SUCCESS)) {
- token = strtok_r(NULL, "@", &sptr);
- retval = pam_set_item(pamh, PAM_RHOST, token);
- }
- }
-
- /* we are happy to grant annonymous access to the user */
- retval = PAM_SUCCESS;
-
- } else {
- /*
- * we have a password so set AUTHTOK
- */
-
- pam_set_item(pamh, PAM_AUTHTOK, resp);
-
- /*
- * this module failed, but the next one might succeed with
- * this password.
- */
-
- retval = PAM_AUTH_ERR;
- }
-
- /* clean up */
- _pam_drop(resp);
-
- /* success or failure */
-
- return retval;
- }
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_ftp_modstruct = {
- "pam_ftp",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/modules/pam_ftp/tst-pam_ftp b/modules/pam_ftp/tst-pam_ftp
deleted file mode 100755
index 1a4f67c7..00000000
--- a/modules/pam_ftp/tst-pam_ftp
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_ftp.so
diff --git a/modules/pam_group/.cvsignore b/modules/pam_group/.cvsignore
deleted file mode 100644
index 49b88179..00000000
--- a/modules/pam_group/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-group.conf.5
-pam_group.8
diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am
deleted file mode 100644
index 22dc831b..00000000
--- a/modules/pam_group/Makefile.am
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group
-
-man_MANS = group.conf.5 pam_group.8
-XMLS = README.xml group.conf.5.xml pam_group.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\"
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_group.la
-pam_group_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-secureconf_DATA = group.conf
-
-TESTS = tst-pam_group
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_group.8.xml group.conf.5.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_group/README.xml b/modules/pam_group/README.xml
deleted file mode 100644
index 387d6987..00000000
--- a/modules/pam_group/README.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamgroup SYSTEM "pam_group.8.xml">
--->
-<!--
-<!ENTITY groupconf SYSTEM "group.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_group/group.conf b/modules/pam_group/group.conf
deleted file mode 100644
index b766becb..00000000
--- a/modules/pam_group/group.conf
+++ /dev/null
@@ -1,99 +0,0 @@
-#
-# This is the configuration file for the pam_group module.
-#
-
-#
-# *** Please note that giving group membership on a session basis is
-# *** NOT inherently secure. If a user can create an executable that
-# *** is setgid a group that they are infrequently given membership
-# *** of, they can basically obtain group membership any time they
-# *** like. Example: games are allowed between the hours of 6pm and 6am
-# *** user joe logs in at 7pm writes a small C-program toplay.c that
-# *** invokes their favorite shell, compiles it and does
-# *** "chgrp play toplay; chmod g+s toplay". They are basically able
-# *** to play games any time... You have been warned. AGM
-#
-
-#
-# The syntax of the lines is as follows:
-#
-# services;ttys;users;times;groups
-#
-# white space is ignored and lines maybe extended with '\\n' (escaped
-# newlines). From reading these comments, it is clear that
-# text following a '#' is ignored to the end of the line.
-#
-# the combination of individual users/terminals etc is a logic list
-# namely individual tokens that are optionally prefixed with '!' (logical
-# not) and separated with '&' (logical and) and '|' (logical or).
-#
-# services
-# is a logic list of PAM service names that the rule applies to.
-#
-# ttys
-# is a logic list of terminal names that this rule applies to.
-#
-# users
-# is a logic list of users or a netgroup of users to whom this
-# rule applies.
-#
-# NB. For these items the simple wildcard '*' may be used only once.
-# With netgroups no wildcards or logic operators are allowed.
-#
-# times
-# It is used to indicate "when" these groups are to be given to the
-# user. The format here is a logic list of day/time-range
-# entries the days are specified by a sequence of two character
-# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
-# that repeated days are unset MoMo = no day, and MoWk = all weekdays
-# bar Monday. The two character combinations accepted are
-#
-# Mo Tu We Th Fr Sa Su Wk Wd Al
-#
-# the last two being week-end days and all 7 days of the week
-# respectively. As a final example, AlFr means all days except Friday.
-#
-# Each day/time-range can be prefixed with a '!' to indicate "anything
-# but"
-#
-# The time-range part is two 24-hour times HHMM separated by a hyphen
-# indicating the start and finish time (if the finish time is smaller
-# than the start time it is deemed to apply on the following day).
-#
-# groups
-# The (comma or space separated) list of groups that the user
-# inherits membership of. These groups are added if the previous
-# fields are satisfied by the user's request
-#
-# For a rule to be active, ALL of service+ttys+users must be satisfied
-# by the applying process.
-#
-
-#
-# Note, to get this to work as it is currently typed you need
-#
-# 1. to run an application as root
-# 2. add the following groups to the /etc/group file:
-# floppy, play, sound
-#
-
-#
-# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
-# the user 'us' is given access to the floppy (through membership of
-# the floppy group)
-#
-
-#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
-
-#
-# another example: running 'xsh' on tty* (any ttyXXX device),
-# the user 'sword' is given access to games (through membership of
-# the sound and play group) after work hours.
-#
-
-#xsh; tty* ;sword;!Wk0900-1800;sound, play
-#xsh; tty* ;*;Al0900-1800;floppy
-
-#
-# End of group.conf file
-#
diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml
deleted file mode 100644
index 9c008eb0..00000000
--- a/modules/pam_group/group.conf.5.xml
+++ /dev/null
@@ -1,131 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="group.conf">
-
- <refmeta>
- <refentrytitle>group.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname>group.conf</refname>
- <refpurpose>configuration file for the pam_group module</refpurpose>
- </refnamediv>
-
- <refsect1 id='group.conf-description'>
- <title>DESCRIPTION</title>
-
- <para>
- The pam_group PAM module does not authenticate the user, but instead
- it grants group memberships (in the credential setting phase of the
- authentication module) to the user. Such memberships are based on the
- service they are applying for.
- </para>
- <para>
- For this module to function correctly there must be a correctly
- formatted <filename>/etc/security/group.conf</filename> file present.
- White spaces are ignored and lines maybe extended with '\' (escaped
- newlines). Text following a '#' is ignored to the end of the line.
- </para>
-
- <para>
- The syntax of the lines is as follows:
- </para>
-
- <para>
- <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>;<replaceable>groups</replaceable>
- </para>
-
-
- <para>
- The first field, the <replaceable>services</replaceable> field, is a logic list
- of PAM service names that the rule applies to.
- </para>
-
- <para>
- The second field, the <replaceable>tty</replaceable>
- field, is a logic list of terminal names that this rule applies to.
- </para>
-
- <para>
- The third field, the <replaceable>users</replaceable>
- field, is a logic list of users or a netgroup of users to whom this
- rule applies.
- </para>
-
- <para>
- For these items the simple wildcard '*' may be used only once.
- With netgroups no wildcards or logic operators are allowed.
- </para>
-
- <para>
- The <replaceable>times</replaceable> field is used to indicate "when"
- these groups are to be given to the user. The format here is a logic
- list of day/time-range entries. The days are specified by a sequence of
- two character entries, MoTuSa for example is Monday Tuesday and Saturday.
- Note that repeated days are unset MoMo = no day, and MoWk = all weekdays
- bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa
- Su Wk Wd Al, the last two being week-end days and all 7 days of the week
- respectively. As a final example, AlFr means all days except Friday.
- </para>
- <para>
- Each day/time-range can be prefixed with a '!' to indicate "anything but".
- The time-range part is two 24-hour times HHMM, separated by a hyphen,
- indicating the start and finish time (if the finish time is smaller
- than the start time it is deemed to apply on the following day).
- </para>
-
- <para>
- The <replaceable>groups</replaceable> field is a comma or space
- separated list of groups that the user inherits membership of. These
- groups are added if the previous fields are satisfied by the user's request.
- </para>
-
- <para>
- For a rule to be active, ALL of service+ttys+users must be satisfied
- by the applying process.
- </para>
- </refsect1>
-
- <refsect1 id="group.conf-examples">
- <title>EXAMPLES</title>
- <para>
- These are some example lines which might be specified in
- <filename>/etc/security/group.conf</filename>.
- </para>
-
- <para>
- Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access
- to the floppy (through membership of the floppy group)
- </para>
- <programlisting>xsh;tty*&amp;!ttyp*;us;Al0000-2400;floppy</programlisting>
-
- <para>
- Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access
- to games (through membership of the floppy group) after work hours.
- </para>
- <programlisting>
-xsh; tty* ;sword;!Wk0900-1800;games, sound
-xsh; tty* ;*;Al0900-1800;floppy
- </programlisting>
- </refsect1>
-
- <refsect1 id="group.conf-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id="group.conf-author">
- <title>AUTHOR</title>
- <para>
- pam_group was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml
deleted file mode 100644
index f7488fb3..00000000
--- a/modules/pam_group/pam_group.8.xml
+++ /dev/null
@@ -1,162 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_group'>
-
- <refmeta>
- <refentrytitle>pam_group</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_group-name'>
- <refname>pam_group</refname>
- <refpurpose>
- PAM module for group access
- </refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_group-cmdsynopsis">
- <command>pam_group.so</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-
- <refsect1 id="pam_group-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_group PAM module does not authenticate the user, but instead
- it grants group memberships (in the credential setting phase of the
- authentication module) to the user. Such memberships are based on the
- service they are applying for.
- </para>
- <para>
- By default rules for group memberships are taken from config file
- <filename>/etc/security/group.conf</filename>.
- </para>
- <para>
- This module's usefulness relies on the file-systems
- accessible to the user. The point being that once granted the
- membership of a group, the user may attempt to create a
- <function>setgid</function> binary with a restricted group ownership.
- Later, when the user is not given membership to this group, they can
- recover group membership with the precompiled binary. The reason that
- the file-systems that the user has access to are so significant, is the
- fact that when a system is mounted <emphasis>nosuid</emphasis> the user
- is unable to create or execute such a binary file. For this module to
- provide any level of security, all file-systems that the user has write
- access to should be mounted <emphasis>nosuid</emphasis>.
- </para>
- <para>
- The pam_group module fuctions in parallel with the
- <filename>/etc/group</filename> file. If the user is granted any groups
- based on the behavior of this module, they are granted
- <emphasis>in addition</emphasis> to those entries
- <filename>/etc/group</filename> (or equivalent).
- </para>
- </refsect1>
-
- <refsect1 id="pam_group-options">
- <title>OPTIONS</title>
- <para>This module does not recognise any options.</para>
- </refsect1>
-
- <refsect1 id="pam_group-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>auth</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id="pam_group-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- group membership was granted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Not all relevant data could be gotten.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_CRED_ERR</term>
- <listitem>
- <para>
- Group membership was not granted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- <function>pam_sm_authenticate</function> was called which does nothing.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- The user is not known to the system.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_group-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/security/group.conf</filename></term>
- <listitem>
- <para>Default configuration file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_group-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>group.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_group-authors">
- <title>AUTHORS</title>
- <para>
- pam_group was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
deleted file mode 100644
index 4a54da14..00000000
--- a/modules/pam_group/pam_group.c
+++ /dev/null
@@ -1,842 +0,0 @@
-/* pam_group module */
-
-/*
- * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/7/6
- */
-
-#include "config.h"
-
-#include <sys/file.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <time.h>
-#include <syslog.h>
-#include <string.h>
-
-#include <grp.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <netdb.h>
-
-#define PAM_GROUP_BUFLEN 1000
-#define FIELD_SEPARATOR ';' /* this is new as of .02 */
-
-#ifndef TRUE
-# define TRUE 1
-#endif
-#ifndef FALSE
-# define FALSE 0
-#endif
-
-typedef enum { AND, OR } operator;
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* --- static functions for checking whether the user should be let in --- */
-
-static void shift_bytes(char *mem, int from, int by)
-{
- while (by-- > 0) {
- *mem = mem[from];
- ++mem;
- }
-}
-
-/* This function should initially be called with buf = NULL. If
- * an error occurs, the file descriptor is closed. Subsequent
- * calls with a closed descriptor will cause buf to be deallocated.
- * Therefore, always check buf after calling this to see if an error
- * occurred.
- */
-static int
-read_field (const pam_handle_t *pamh, int fd, char **buf, int *from, int *to)
-{
- /* is buf set ? */
-
- if (! *buf) {
- *buf = (char *) malloc(PAM_GROUP_BUFLEN);
- if (! *buf) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- return -1;
- }
- *from = *to = 0;
- fd = open(PAM_GROUP_CONF, O_RDONLY);
- }
-
- /* do we have a file open ? return error */
-
- if (fd < 0 && *to <= 0) {
- pam_syslog(pamh, LOG_ERR, "%s not opened", PAM_GROUP_CONF);
- memset(*buf, 0, PAM_GROUP_BUFLEN);
- _pam_drop(*buf);
- return -1;
- }
-
- /* check if there was a newline last time */
-
- if ((*to > *from) && (*to > 0)
- && ((*buf)[*from] == '\0')) { /* previous line ended */
- (*from)++;
- (*buf)[0] = '\0';
- return fd;
- }
-
- /* ready for more data: first shift the buffer's remaining data */
-
- *to -= *from;
- shift_bytes(*buf, *from, *to);
- *from = 0;
- (*buf)[*to] = '\0';
-
- while (fd >= 0 && *to < PAM_GROUP_BUFLEN) {
- int i;
-
- /* now try to fill the remainder of the buffer */
-
- i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to);
- if (i < 0) {
- pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_GROUP_CONF);
- close(fd);
- return -1;
- } else if (!i) {
- close(fd);
- fd = -1; /* end of file reached */
- } else
- *to += i;
-
- /*
- * contract the buffer. Delete any comments, and replace all
- * multiple spaces with single commas
- */
-
- i = 0;
-#ifdef DEBUG_DUMP
- D(("buffer=<%s>",*buf));
-#endif
- while (i < *to) {
- if ((*buf)[i] == ',') {
- int j;
-
- for (j=++i; j<*to && (*buf)[j] == ','; ++j);
- if (j!=i) {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- }
- }
- switch ((*buf)[i]) {
- int j, c;
- case '#':
- c = 0;
- for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j);
- if (j >= *to) {
- (*buf)[*to = ++i] = '\0';
- } else if (c == '\n') {
- shift_bytes(i + (*buf), j-i, (*to) - j);
- *to -= j-i;
- ++i;
- } else {
- pam_syslog(pamh, LOG_CRIT,
- "internal error in file %s at line %d",
- __FILE__, __LINE__);
- close(fd);
- return -1;
- }
- break;
- case '\\':
- if ((*buf)[i+1] == '\n') {
- shift_bytes(i + *buf, 2, *to - (i+2));
- *to -= 2;
- } else {
- ++i; /* we don't escape non-newline characters */
- }
- break;
- case '!':
- case ' ':
- case '\t':
- if ((*buf)[i] != '!')
- (*buf)[i] = ',';
- /* delete any trailing spaces */
- for (j=++i; j < *to && ( (c = (*buf)[j]) == ' '
- || c == '\t' ); ++j);
- shift_bytes(i + *buf, j-i, (*to)-j );
- *to -= j-i;
- break;
- default:
- ++i;
- }
- }
- }
-
- (*buf)[*to] = '\0';
-
- /* now return the next field (set the from/to markers) */
- {
- int i;
-
- for (i=0; i<*to; ++i) {
- switch ((*buf)[i]) {
- case '#':
- case '\n': /* end of the line/file */
- (*buf)[i] = '\0';
- *from = i;
- return fd;
- case FIELD_SEPARATOR: /* end of the field */
- (*buf)[i] = '\0';
- *from = ++i;
- return fd;
- }
- }
- *from = i;
- (*buf)[*from] = '\0';
- }
-
- if (*to <= 0) {
- D(("[end of text]"));
- *buf = NULL;
- }
- return fd;
-}
-
-/* read a member from a field */
-
-static int logic_member(const char *string, int *at)
-{
- int c,to;
- int done=0;
- int token=0;
-
- to=*at;
- do {
- c = string[to++];
-
- switch (c) {
-
- case '\0':
- --to;
- done = 1;
- break;
-
- case '&':
- case '|':
- case '!':
- if (token) {
- --to;
- }
- done = 1;
- break;
-
- default:
- if (isalpha(c) || c == '*' || isdigit(c) || c == '_'
- || c == '-' || c == '.' || c == '/' || c == ':') {
- token = 1;
- } else if (token) {
- --to;
- done = 1;
- } else {
- ++*at;
- }
- }
- } while (!done);
-
- return to - *at;
-}
-
-typedef enum { VAL, OP } expect;
-
-static int
-logic_field (const pam_handle_t *pamh, const void *me,
- const char *x, int rule,
- int (*agrees)(const pam_handle_t *pamh, const void *,
- const char *, int, int))
-{
- int left=FALSE, right, not=FALSE;
- operator oper=OR;
- int at=0, l;
- expect next=VAL;
-
- while ((l = logic_member(x,&at))) {
- int c = x[at];
-
- if (next == VAL) {
- if (c == '!')
- not = !not;
- else if (isalpha(c) || c == '*' || isdigit(c) || c == '_'
- || c == '-' || c == '.' || c == '/' || c == ':') {
- right = not ^ agrees(pamh, me, x+at, l, rule);
- if (oper == AND)
- left &= right;
- else
- left |= right;
- next = OP;
- } else {
- pam_syslog(pamh, LOG_ERR,
- "garbled syntax; expected name (rule #%d)",
- rule);
- return FALSE;
- }
- } else { /* OP */
- switch (c) {
- case '&':
- oper = AND;
- break;
- case '|':
- oper = OR;
- break;
- default:
- pam_syslog(pamh, LOG_ERR,
- "garbled syntax; expected & or | (rule #%d)",
- rule);
- D(("%c at %d",c,at));
- return FALSE;
- }
- next = VAL;
- }
- at += l;
- }
-
- return left;
-}
-
-static int
-is_same (const pam_handle_t *pamh UNUSED,
- const void *A, const char *b, int len, int rule UNUSED)
-{
- int i;
- const char *a;
-
- a = A;
- for (i=0; len > 0; ++i, --len) {
- if (b[i] != a[i]) {
- if (b[i++] == '*') {
- return (!--len || !strncmp(b+i,a+strlen(a)-len,len));
- } else
- return FALSE;
- }
- }
-
- /* Ok, we know that b is a substring from A and does not contain
- wildcards, but now the length of both strings must be the same,
- too. */
- if (strlen (a) != strlen(b))
- return FALSE;
-
- return ( !len );
-}
-
-typedef struct {
- int day; /* array of 7 bits, one set for today */
- int minute; /* integer, hour*100+minute for now */
-} TIME;
-
-static struct day {
- const char *d;
- int bit;
-} const days[11] = {
- { "su", 01 },
- { "mo", 02 },
- { "tu", 04 },
- { "we", 010 },
- { "th", 020 },
- { "fr", 040 },
- { "sa", 0100 },
- { "wk", 076 },
- { "wd", 0101 },
- { "al", 0177 },
- { NULL, 0 }
-};
-
-static TIME time_now(void)
-{
- struct tm *local;
- time_t the_time;
- TIME this;
-
- the_time = time((time_t *)0); /* get the current time */
- local = localtime(&the_time);
- this.day = days[local->tm_wday].bit;
- this.minute = local->tm_hour*100 + local->tm_min;
-
- D(("day: 0%o, time: %.4d", this.day, this.minute));
- return this;
-}
-
-/* take the current date and see if the range "date" passes it */
-static int
-check_time (const pam_handle_t *pamh, const void *AT,
- const char *times, int len, int rule)
-{
- int not,pass;
- int marked_day, time_start, time_end;
- const TIME *at;
- int i,j=0;
-
- at = AT;
- D(("checking: 0%o/%.4d vs. %s", at->day, at->minute, times));
-
- if (times == NULL) {
- /* this should not happen */
- pam_syslog(pamh, LOG_CRIT, "internal error in file %s at line %d",
- __FILE__, __LINE__);
- return FALSE;
- }
-
- if (times[j] == '!') {
- ++j;
- not = TRUE;
- } else {
- not = FALSE;
- }
-
- for (marked_day = 0; len > 0 && isalpha(times[j]); --len) {
- int this_day=-1;
-
- D(("%c%c ?", times[j], times[j+1]));
- for (i=0; days[i].d != NULL; ++i) {
- if (tolower(times[j]) == days[i].d[0]
- && tolower(times[j+1]) == days[i].d[1] ) {
- this_day = days[i].bit;
- break;
- }
- }
- j += 2;
- if (this_day == -1) {
- pam_syslog(pamh, LOG_ERR, "bad day specified (rule #%d)", rule);
- return FALSE;
- }
- marked_day ^= this_day;
- }
- if (marked_day == 0) {
- pam_syslog(pamh, LOG_ERR, "no day specified");
- return FALSE;
- }
- D(("day range = 0%o", marked_day));
-
- time_start = 0;
- for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) {
- time_start *= 10;
- time_start += times[i+j]-'0'; /* is this portable? */
- }
- j += i;
-
- if (times[j] == '-') {
- time_end = 0;
- for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) {
- time_end *= 10;
- time_end += times[i+j]-'0'; /* is this portable? */
- }
- j += i;
- } else
- time_end = -1;
-
- D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j]));
- if (i != 5 || time_end == -1) {
- pam_syslog(pamh, LOG_ERR, "no/bad times specified (rule #%d)", rule);
- return TRUE;
- }
- D(("times(%d to %d)", time_start,time_end));
- D(("marked_day = 0%o", marked_day));
-
- /* compare with the actual time now */
-
- pass = FALSE;
- if (time_start < time_end) { /* start < end ? --> same day */
- if ((at->day & marked_day) && (at->minute >= time_start)
- && (at->minute < time_end)) {
- D(("time is listed"));
- pass = TRUE;
- }
- } else { /* spans two days */
- if ((at->day & marked_day) && (at->minute >= time_start)) {
- D(("caught on first day"));
- pass = TRUE;
- } else {
- marked_day <<= 1;
- marked_day |= (marked_day & 0200) ? 1:0;
- D(("next day = 0%o", marked_day));
- if ((at->day & marked_day) && (at->minute <= time_end)) {
- D(("caught on second day"));
- pass = TRUE;
- }
- }
- }
-
- return (not ^ pass);
-}
-
-static int find_member(const char *string, int *at)
-{
- int c,to;
- int done=0;
- int token=0;
-
- to=*at;
- do {
- c = string[to++];
-
- switch (c) {
-
- case '\0':
- --to;
- done = 1;
- break;
-
- case '&':
- case '|':
- case '!':
- if (token) {
- --to;
- }
- done = 1;
- break;
-
- default:
- if (isalpha(c) || isdigit(c) || c == '_' || c == '*'
- || c == '-') {
- token = 1;
- } else if (token) {
- --to;
- done = 1;
- } else {
- ++*at;
- }
- }
- } while (!done);
-
- return to - *at;
-}
-
-#define GROUP_BLK 10
-#define blk_size(len) (((len-1 + GROUP_BLK)/GROUP_BLK)*GROUP_BLK)
-
-static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len)
-{
- int l,at=0;
- int blks;
-
- blks = blk_size(len);
- D(("cf. blks=%d and len=%d", blks,len));
-
- while ((l = find_member(buf,&at))) {
- int edge;
-
- if (len >= blks) {
- gid_t *tmp;
-
- D(("allocating new block"));
- tmp = (gid_t *) realloc((*list)
- , sizeof(gid_t) * (blks += GROUP_BLK));
- if (tmp != NULL) {
- (*list) = tmp;
- } else {
- pam_syslog(pamh, LOG_ERR, "out of memory for group list");
- free(*list);
- (*list) = NULL;
- return -1;
- }
- }
-
- /* '\0' terminate the entry */
-
- edge = (buf[at+l]) ? 1:0;
- buf[at+l] = '\0';
- D(("found group: %s",buf+at));
-
- /* this is where we convert a group name to a gid_t */
- {
- const struct group *grp;
-
- grp = pam_modutil_getgrnam(pamh, buf+at);
- if (grp == NULL) {
- pam_syslog(pamh, LOG_ERR, "bad group: %s", buf+at);
- } else {
- D(("group %s exists", buf+at));
- (*list)[len++] = grp->gr_gid;
- }
- }
-
- /* next entry along */
-
- at += l + edge;
- }
- D(("returning with [%p/len=%d]->%p",list,len,*list));
- return len;
-}
-
-
-static int check_account(pam_handle_t *pamh, const char *service,
- const char *tty, const char *user)
-{
- int from=0,to=0,fd=-1;
- char *buffer=NULL;
- int count=0;
- TIME here_and_now;
- int retval=PAM_SUCCESS;
- gid_t *grps;
- int no_grps;
-
- /*
- * first we get the current list of groups - the application
- * will have previously done an initgroups(), or equivalent.
- */
-
- D(("counting supplementary groups"));
- no_grps = getgroups(0, NULL); /* find the current number of groups */
- if (no_grps > 0) {
- grps = calloc( blk_size(no_grps) , sizeof(gid_t) );
- D(("copying current list into grps [%d big]",blk_size(no_grps)));
- if (getgroups(no_grps, grps) < 0) {
- D(("getgroups call failed"));
- no_grps = 0;
- grps = NULL;
- }
-#ifdef DEBUG
- {
- int z;
- for (z=0; z<no_grps; ++z) {
- D(("gid[%d]=%d", z, grps[z]));
- }
- }
-#endif
- } else {
- D(("no supplementary groups known"));
- no_grps = 0;
- grps = NULL;
- }
-
- here_and_now = time_now(); /* find current time */
-
- /* parse the rules in the configuration file */
- do {
- int good=TRUE;
-
- /* here we get the service name field */
-
- fd = read_field(pamh,fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- /* empty line .. ? */
- continue;
- }
- ++count;
- D(("working on rule #%d",count));
-
- good = logic_field(pamh,service, buffer, count, is_same);
- D(("with service: %s", good ? "passes":"fails" ));
-
- /* here we get the terminal name field */
-
- fd = read_field(pamh,fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no tty entry #%d", PAM_GROUP_CONF, count);
- continue;
- }
- good &= logic_field(pamh,tty, buffer, count, is_same);
- D(("with tty: %s", good ? "passes":"fails" ));
-
- /* here we get the username field */
-
- fd = read_field(pamh,fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no user entry #%d", PAM_GROUP_CONF, count);
- continue;
- }
- /* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
- good &= innetgr (&buffer[1], NULL, user, NULL);
- else
- good &= logic_field(pamh,user, buffer, count, is_same);
- D(("with user: %s", good ? "passes":"fails" ));
-
- /* here we get the time field */
-
- fd = read_field(pamh,fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no time entry #%d", PAM_GROUP_CONF, count);
- continue;
- }
-
- good &= logic_field(pamh,&here_and_now, buffer, count, check_time);
- D(("with time: %s", good ? "passes":"fails" ));
-
- fd = read_field(pamh,fd,&buffer,&from,&to);
- if (!buffer || !buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: no listed groups for rule #%d", PAM_GROUP_CONF, count);
- continue;
- }
-
- /*
- * so we have a list of groups, we need to turn it into
- * something to send to setgroups(2)
- */
-
- if (good) {
- D(("adding %s to gid list", buffer));
- good = mkgrplist(pamh, buffer, &grps, no_grps);
- if (good < 0) {
- no_grps = 0;
- } else {
- no_grps = good;
- }
- }
-
- /* check the line is terminated correctly */
-
- fd = read_field(pamh,fd,&buffer,&from,&to);
- if (buffer && buffer[0]) {
- pam_syslog(pamh, LOG_ERR,
- "%s: poorly terminated rule #%d", PAM_GROUP_CONF, count);
- }
-
- if (good > 0) {
- D(("rule #%d passed, added %d groups", count, good));
- } else if (good < 0) {
- retval = PAM_BUF_ERR;
- } else {
- D(("rule #%d failed", count));
- }
-
- } while (buffer);
-
- /* now set the groups for the user */
-
- if (no_grps > 0) {
-#ifdef DEBUG
- int err;
-#endif
- D(("trying to set %d groups", no_grps));
-#ifdef DEBUG
- for (err=0; err<no_grps; ++err) {
- D(("gid[%d]=%d", err, grps[err]));
- }
-#endif
- if (setgroups(no_grps, grps) != 0) {
- D(("but couldn't set groups %m"));
- pam_syslog(pamh, LOG_ERR,
- "unable to set the group membership for user: %m");
- retval = PAM_CRED_ERR;
- }
- }
-
- if (grps) { /* tidy up */
- memset(grps, 0, sizeof(gid_t) * blk_size(no_grps));
- _pam_drop(grps);
- no_grps = 0;
- }
-
- return retval;
-}
-
-/* --- public authentication management functions --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh, int flags,
- int argc UNUSED, const char **argv UNUSED)
-{
- const void *service=NULL, *void_tty=NULL;
- const char *user=NULL;
- const char *tty;
- int retval;
- unsigned setting;
-
- /* only interested in establishing credentials */
-
- setting = flags;
- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
- D(("ignoring call - not for establishing credentials"));
- return PAM_SUCCESS; /* don't fail because of this */
- }
-
- /* set service name */
-
- if (pam_get_item(pamh, PAM_SERVICE, &service)
- != PAM_SUCCESS || service == NULL) {
- pam_syslog(pamh, LOG_ERR, "cannot find the current service name");
- return PAM_ABORT;
- }
-
- /* set username */
-
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
- pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
- return PAM_USER_UNKNOWN;
- }
-
- /* set tty name */
-
- if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS
- || void_tty == NULL) {
- D(("PAM_TTY not set, probing stdin"));
- tty = ttyname(STDIN_FILENO);
- if (tty == NULL) {
- tty = "";
- }
- if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "couldn't set tty name");
- return PAM_ABORT;
- }
- }
- else
- tty = (const char *) void_tty;
-
- if (tty[0] == '/') { /* full path */
- const char *t;
- tty++;
- if ((t = strchr(tty, '/')) != NULL) {
- tty = t + 1;
- }
- }
-
- /* good, now we have the service name, the user and the terminal name */
-
- D(("service=%s", service));
- D(("user=%s", user));
- D(("tty=%s", tty));
-
- retval = check_account(pamh,service,tty,user); /* get groups */
-
- return retval;
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_group_modstruct = {
- "pam_group",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL
-};
-#endif
diff --git a/modules/pam_group/tst-pam_group b/modules/pam_group/tst-pam_group
deleted file mode 100755
index 29f7ba06..00000000
--- a/modules/pam_group/tst-pam_group
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_group.so
diff --git a/modules/pam_issue/.cvsignore b/modules/pam_issue/.cvsignore
deleted file mode 100644
index 8754cdf0..00000000
--- a/modules/pam_issue/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_issue.8
diff --git a/modules/pam_issue/Makefile.am b/modules/pam_issue/Makefile.am
deleted file mode 100644
index 8161fd81..00000000
--- a/modules/pam_issue/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_issue
-
-man_MANS = pam_issue.8
-XMLS = README.xml pam_issue.8.xml
-
-TESTS = tst-pam_issue
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_issue.la
-pam_issue_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_issue.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_issue/README.xml b/modules/pam_issue/README.xml
deleted file mode 100644
index b5b61c3a..00000000
--- a/modules/pam_issue/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_issue.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_issue.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_issue-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_issue/pam_issue.8.xml b/modules/pam_issue/pam_issue.8.xml
deleted file mode 100644
index fd0d06ae..00000000
--- a/modules/pam_issue/pam_issue.8.xml
+++ /dev/null
@@ -1,234 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_issue">
-
- <refmeta>
- <refentrytitle>pam_issue</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_issue-name">
- <refname>pam_issue</refname>
- <refpurpose>PAM module to add issue file to user prompt</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_issue-cmdsynopsis">
- <command>pam_issue.so</command>
- <arg choice="opt">
- noesc
- </arg>
- <arg choice="opt">
- issue=<replaceable>issue-file-name</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_issue-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_issue is a PAM module to prepend an issue file to the username
- prompt. It also by default parses escape codes in the issue file
- similar to some common getty's (using &bsol;x format).
- </para>
- <para>
- Recognized escapes:
- </para>
- <variablelist>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;d</emphasis></term>
- <listitem>
- <para>current day</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;l</emphasis></term>
- <listitem>
- <para>name of this tty</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;m</emphasis></term>
- <listitem>
- <para>machine architecture (uname -m)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;n</emphasis></term>
- <listitem>
- <para>machine's network node hostname (uname -n)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;o</emphasis></term>
- <listitem>
- <para>domain name of this system</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;r</emphasis></term>
- <listitem>
- <para>release number of operating system (uname -r)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;t</emphasis></term>
- <listitem>
- <para>current time</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;s</emphasis></term>
- <listitem>
- <para>operating system name (uname -s)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;u</emphasis></term>
- <listitem>
- <para>number of users currently logged in</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;U</emphasis></term>
- <listitem>
- <para>
- same as &bsol;u except it is suffixed with "user" or
- "users" (eg. "1 user" or "10 users")
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><emphasis remap='B'>&bsol;v</emphasis></term>
- <listitem>
- <para>operating system version and build date (uname -v)</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- </refsect1>
-
- <refsect1 id="pam_issue-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>noesc</option>
- </term>
- <listitem>
- <para>
- Turns off escape code parsing.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>issue=<replaceable>issue-file-name</replaceable></option>
- </term>
- <listitem>
- <para>
- The file to output if not using the default.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_issue-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>auth</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_issue-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- The prompt was already changed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- A service module error occured.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The new prompt was set successfull.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_issue-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/login</filename> to
- set the user specific issue at login:
- <programlisting>
- auth optional pam_issue.so issue=/etc/issue
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id='pam_issue-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_issue-author'>
- <title>AUTHOR</title>
- <para>
- pam_issue was written by Ben Collins &lt;bcollins@debian.org&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
deleted file mode 100644
index 7a8a24d5..00000000
--- a/modules/pam_issue/pam_issue.c
+++ /dev/null
@@ -1,310 +0,0 @@
-/* pam_issue module - a simple /etc/issue parser to set PAM_USER_PROMPT
- *
- * Copyright 1999 by Ben Collins <bcollins@debian.org>
- *
- * Needs to be called before any other auth modules so we can setup the
- * user prompt before it's first used. Allows one argument option, which
- * is the full path to a file to be used for issue (uses /etc/issue as a
- * default) such as "issue=/etc/issue.telnet".
- *
- * We can also parse escapes within the the issue file (enabled by
- * default, but can be disabled with the "noesc" option). It's the exact
- * same parsing as util-linux's agetty program performs.
- *
- * Released under the GNU LGPL version 2 or later
- */
-
-#include "config.h"
-
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/utsname.h>
-#include <utmp.h>
-#include <time.h>
-#include <syslog.h>
-
-#define PAM_SM_AUTH
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-#include <security/pam_ext.h>
-
-static int _user_prompt_set = 0;
-
-static int read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt);
-static int read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt);
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval = PAM_SERVICE_ERR;
- FILE *fp;
- const char *issue_file = NULL;
- int parse_esc = 1;
- const void *item = NULL;
- const char *cur_prompt;
- char *issue_prompt = NULL;
-
- /* If we've already set the prompt, don't set it again */
- if(_user_prompt_set)
- return PAM_IGNORE;
-
- /* We set this here so if we fail below, we wont get further
- than this next time around (only one real failure) */
- _user_prompt_set = 1;
-
- for ( ; argc-- > 0 ; ++argv ) {
- if (!strncmp(*argv,"issue=",6)) {
- issue_file = 6 + *argv;
- D(("set issue_file to: %s", issue_file));
- } else if (!strcmp(*argv,"noesc")) {
- parse_esc = 0;
- D(("turning off escape parsing by request"));
- } else
- D(("unknown option passed: %s", *argv));
- }
-
- if (issue_file == NULL)
- issue_file = "/etc/issue";
-
- if ((fp = fopen(issue_file, "r")) == NULL) {
- pam_syslog(pamh, LOG_ERR, "error opening %s: %m", issue_file);
- return PAM_SERVICE_ERR;
- }
-
- if ((retval = pam_get_item(pamh, PAM_USER_PROMPT, &item)) != PAM_SUCCESS) {
- fclose(fp);
- return retval;
- }
-
- cur_prompt = item;
- if (cur_prompt == NULL)
- cur_prompt = "";
-
- if (parse_esc)
- retval = read_issue_quoted(pamh, fp, &issue_prompt);
- else
- retval = read_issue_raw(pamh, fp, &issue_prompt);
-
- fclose(fp);
-
- if (retval != PAM_SUCCESS)
- goto out;
-
- {
- size_t size = strlen(issue_prompt) + strlen(cur_prompt) + 1;
- char *new_prompt = realloc(issue_prompt, size);
-
- if (new_prompt == NULL) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- retval = PAM_BUF_ERR;
- goto out;
- }
- issue_prompt = new_prompt;
- }
-
- strcat(issue_prompt, cur_prompt);
- retval = pam_set_item(pamh, PAM_USER_PROMPT,
- (const void *) issue_prompt);
- out:
- _pam_drop(issue_prompt);
- return (retval == PAM_SUCCESS) ? PAM_IGNORE : retval;
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-static int
-read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt)
-{
- char *issue;
- struct stat st;
-
- *prompt = NULL;
-
- if (fstat(fileno(fp), &st) < 0) {
- pam_syslog(pamh, LOG_ERR, "stat error: %m");
- return PAM_SERVICE_ERR;
- }
-
- if ((issue = malloc(st.st_size + 1)) == NULL) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- return PAM_BUF_ERR;
- }
-
- if (fread(issue, 1, st.st_size, fp) != st.st_size) {
- pam_syslog(pamh, LOG_ERR, "read error: %m");
- _pam_drop(issue);
- return PAM_SERVICE_ERR;
- }
-
- issue[st.st_size] = '\0';
- *prompt = issue;
- return PAM_SUCCESS;
-}
-
-static int
-read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
-{
- int c;
- size_t size = 1024;
- char *issue;
- struct utsname uts;
-
- *prompt = NULL;
-
- if ((issue = malloc(size)) == NULL) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- return PAM_BUF_ERR;
- }
-
- issue[0] = '\0';
- (void) uname(&uts);
-
- while ((c = getc(fp)) != EOF) {
- char buf[1024];
-
- buf[0] = '\0';
- if (c == '\\') {
- if ((c = getc(fp)) == EOF)
- break;
- switch (c) {
- case 's':
- strncat(buf, uts.sysname, sizeof(buf) - 1);
- break;
- case 'n':
- strncat(buf, uts.nodename, sizeof(buf) - 1);
- break;
- case 'r':
- strncat(buf, uts.release, sizeof(buf) - 1);
- break;
- case 'v':
- strncat(buf, uts.version, sizeof(buf) - 1);
- break;
- case 'm':
- strncat(buf, uts.machine, sizeof(buf) - 1);
- break;
- case 'o':
- {
- char domainname[256];
-
- if (getdomainname(domainname, sizeof(domainname)) >= 0) {
- domainname[sizeof(domainname)-1] = '\0';
- strncat(buf, domainname, sizeof(buf) - 1);
- }
- }
- break;
- case 'd':
- case 't':
- {
- const char *weekday[] = {
- "Sun", "Mon", "Tue", "Wed", "Thu",
- "Fri", "Sat" };
- const char *month[] = {
- "Jan", "Feb", "Mar", "Apr", "May",
- "Jun", "Jul", "Aug", "Sep", "Oct",
- "Nov", "Dec" };
- time_t now;
- struct tm *tm;
-
- (void) time (&now);
- tm = localtime(&now);
-
- if (c == 'd')
- snprintf (buf, sizeof buf, "%s %s %d %d",
- weekday[tm->tm_wday], month[tm->tm_mon],
- tm->tm_mday, tm->tm_year + 1900);
- else
- snprintf (buf, sizeof buf, "%02d:%02d:%02d",
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- }
- break;
- case 'l':
- {
- char *ttyn = ttyname(1);
- if (ttyn) {
- if (!strncmp(ttyn, "/dev/", 5))
- ttyn += 5;
- strncat(buf, ttyn, sizeof(buf) - 1);
- }
- }
- break;
- case 'u':
- case 'U':
- {
- unsigned int users = 0;
- struct utmp *ut;
- setutent();
- while ((ut = getutent())) {
- if (ut->ut_type == USER_PROCESS)
- ++users;
- }
- endutent();
- if (c == 'U')
- snprintf (buf, sizeof buf, "%u %s", users,
- (users == 1) ? "user" : "users");
- else
- snprintf (buf, sizeof buf, "%u", users);
- break;
- }
- default:
- buf[0] = c; buf[1] = '\0';
- }
- } else {
- buf[0] = c; buf[1] = '\0';
- }
-
- if ((strlen(issue) + strlen(buf)) + 1 > size) {
- char *new_issue;
-
- size += strlen(buf) + 1;
- new_issue = (char *) realloc (issue, size);
- if (new_issue == NULL) {
- _pam_drop(issue);
- return PAM_BUF_ERR;
- }
- issue = new_issue;
- strcat(issue, buf);
- }
- }
-
- if (ferror(fp)) {
- pam_syslog(pamh, LOG_ERR, "read error: %m");
- _pam_drop(issue);
- return PAM_SERVICE_ERR;
- }
-
- *prompt = issue;
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_issue_modstruct = {
- "pam_issue",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/modules/pam_issue/tst-pam_issue b/modules/pam_issue/tst-pam_issue
deleted file mode 100755
index 0fe4f763..00000000
--- a/modules/pam_issue/tst-pam_issue
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_issue.so
diff --git a/modules/pam_keyinit/.cvsignore b/modules/pam_keyinit/.cvsignore
deleted file mode 100644
index a2072fc9..00000000
--- a/modules/pam_keyinit/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_keyinit.8
diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am
deleted file mode 100644
index 5039705a..00000000
--- a/modules/pam_keyinit/Makefile.am
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Copyright (c) 2006 David Howells <dhowells@redhat.com>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit
-XMLS = README.xml pam_keyinit.8.xml
-
-if HAVE_KEY_MANAGEMENT
- man_MANS = pam_keyinit.8
- TESTS = tst-pam_keyinit
-endif
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_keyinit.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-if HAVE_KEY_MANAGEMENT
- securelib_LTLIBRARIES = pam_keyinit.la
-endif
-pam_keyinit_la_LIBADD = -L$(top_builddir)/libpam -lpam
diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml
deleted file mode 100644
index 47659e89..00000000
--- a/modules/pam_keyinit/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
deleted file mode 100644
index c7dddf54..00000000
--- a/modules/pam_keyinit/pam_keyinit.8.xml
+++ /dev/null
@@ -1,241 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_keyinit">
-
- <refmeta>
- <refentrytitle>pam_keyinit</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_keyinit-name">
- <refname>pam_keyinit</refname>
- <refpurpose>Kernel session keyring initialiser module</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_keyinit-cmdsynopsis">
- <command>pam_keyinit.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- force
- </arg>
- <arg choice="opt">
- revoke
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_keyinit-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_keyinit PAM module ensures that the invoking process has a
- session keyring other than the user default session keyring.
- </para>
- <para>
- The session component of the module checks to see if the process's
- session keyring is the user default, and, if it is, creates a new
- anonymous session keyring with which to replace it.
- </para>
- <para>
- If a new session keyring is created, it will install a link to the user
- common keyring in the session keyring so that keys common to the user
- will be automatically accessible through it.
- </para>
- <para>
- The session keyring of the invoking process will thenceforth be inherited
- by all its children unless they override it.
- </para>
- <para>
- This module is intended primarily for use by login processes. Be aware
- that after the session keyring has been replaced, the old session keyring
- and the keys it contains will no longer be accessible.
- </para>
- <para>
- This module should not, generally, be invoked by programs like
- <emphasis remap='B'>su</emphasis>, since it is usually desirable for the
- key set to percolate through to the alternate context. The keys have
- their own permissions system to manage this.
- </para>
- <para>
- This module should be included as early as possible in a PAM
- configuration, so that other PAM modules can attach tokens to the
- keyring.
- </para>
- <para>
- The keyutils package is used to manipulate keys more directly. This
- can be obtained from:
- </para>
- <para>
- <ulink url="http://people.redhat.com/~dhowells/keyutils/">
- Keyutils
- </ulink>
- </para>
- </refsect1>
-
- <refsect1 id="pam_keyinit-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Log debug information with <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>force</option>
- </term>
- <listitem>
- <para>
- Causes the session keyring of the invoking process to be replaced
- unconditionally.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>revoke</option>
- </term>
- <listitem>
- <para>
- Causes the session keyring of the invoking process to be revoked
- when the invoking process exits if the session keyring was created
- for this process in the first place.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_keyinit-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <emphasis remap='B'>session</emphasis> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- This module will usually return this value
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>
- Authentication failure.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- The return value should be ignored by PAM dispatch.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Cannot determine the user name.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SESSION_ERR</term>
- <listitem>
- <para>
- This module will return this value if its arguments are invalid or
- if a system error such as ENOMEM occurs.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_keyinit-examples'>
- <title>EXAMPLES</title>
- <para>
- Add this line to your login entries to start each login session with its
- own session keyring:
- <programlisting>
-session required pam_keyinit.so
- </programlisting>
- </para>
- <para>
- This will prevent keys from one session leaking into another session for
- the same user.
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- <citerefentry>
- <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-author'>
- <title>AUTHOR</title>
- <para>
- pam_keyinit was written by David Howells, &lt;dhowells@redhat.com&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
deleted file mode 100644
index 378a7723..00000000
--- a/modules/pam_keyinit/pam_keyinit.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/* pam_keyinit.c: Initialise the session keyring on login through a PAM module
- *
- * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- */
-
-#include "config.h"
-#include <stdarg.h>
-#include <string.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <unistd.h>
-#include <errno.h>
-#include <security/pam_modules.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-#include <sys/syscall.h>
-
-#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
-#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
-#define KEY_SPEC_USER_SESSION_KEYRING -5 /* - key ID for UID-session keyring */
-
-#define KEYCTL_GET_KEYRING_ID 0 /* ask for a keyring's ID */
-#define KEYCTL_JOIN_SESSION_KEYRING 1 /* start named session keyring */
-#define KEYCTL_REVOKE 3 /* revoke a key */
-#define KEYCTL_LINK 8 /* link a key into a keyring */
-
-static int my_session_keyring;
-static int session_counter;
-static int do_revoke;
-static int revoke_as_uid;
-static int revoke_as_gid;
-static int xdebug = 0;
-
-static void debug(pam_handle_t *pamh, const char *fmt, ...)
- __attribute__((format(printf, 2, 3)));
-
-static void debug(pam_handle_t *pamh, const char *fmt, ...)
-{
- va_list va;
-
- if (xdebug) {
- va_start(va, fmt);
- pam_vsyslog(pamh, LOG_DEBUG, fmt, va);
- va_end(va);
- }
-}
-
-static int error(pam_handle_t *pamh, const char *fmt, ...)
- __attribute__((format(printf, 2, 3)));
-
-static int error(pam_handle_t *pamh, const char *fmt, ...)
-{
- va_list va;
-
- va_start(va, fmt);
- pam_vsyslog(pamh, LOG_ERR, fmt, va);
- va_end(va);
-
- return PAM_SESSION_ERR;
-}
-
-/*
- * initialise the session keyring for this process
- */
-static int init_keyrings(pam_handle_t *pamh, int force)
-{
- int session, usession, ret;
-
- if (!force) {
- /* get the IDs of the session keyring and the user session
- * keyring */
- session = syscall(__NR_keyctl,
- KEYCTL_GET_KEYRING_ID,
- KEY_SPEC_SESSION_KEYRING,
- 0);
- debug(pamh, "GET SESSION = %d", session);
- if (session < 0) {
- /* don't worry about keyrings if facility not
- * installed */
- if (errno == ENOSYS)
- return PAM_SUCCESS;
- return PAM_SESSION_ERR;
- }
-
- usession = syscall(__NR_keyctl,
- KEYCTL_GET_KEYRING_ID,
- KEY_SPEC_USER_SESSION_KEYRING,
- 0);
- debug(pamh, "GET SESSION = %d", usession);
- if (usession < 0)
- return PAM_SESSION_ERR;
-
- /* if the user session keyring is our keyring, then we don't
- * need to do anything if we're not forcing */
- if (session != usession)
- return PAM_SUCCESS;
- }
-
- /* create a session keyring, discarding the old one */
- ret = syscall(__NR_keyctl,
- KEYCTL_JOIN_SESSION_KEYRING,
- NULL);
- debug(pamh, "JOIN = %d", ret);
- if (ret < 0)
- return PAM_SESSION_ERR;
-
- my_session_keyring = ret;
-
- /* make a link from the session keyring to the user keyring */
- ret = syscall(__NR_keyctl,
- KEYCTL_LINK,
- KEY_SPEC_USER_KEYRING,
- KEY_SPEC_SESSION_KEYRING);
-
- return ret < 0 ? PAM_SESSION_ERR : PAM_SUCCESS;
-}
-
-/*
- * revoke the session keyring for this process
- */
-static void kill_keyrings(pam_handle_t *pamh)
-{
- int old_uid, old_gid;
-
- /* revoke the session keyring we created earlier */
- if (my_session_keyring > 0) {
- debug(pamh, "REVOKE %d", my_session_keyring);
-
- old_uid = geteuid();
- old_gid = getegid();
- debug(pamh, "UID:%d [%d] GID:%d [%d]",
- revoke_as_uid, old_uid, revoke_as_gid, old_gid);
-
- /* switch to the real UID and GID so that we have permission to
- * revoke the key */
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
- error(pamh, "Unable to change GID to %d temporarily\n",
- revoke_as_gid);
-
- if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
- error(pamh, "Unable to change UID to %d temporarily\n",
- revoke_as_uid);
-
- syscall(__NR_keyctl,
- KEYCTL_REVOKE,
- my_session_keyring);
-
- /* return to the orignal UID and GID (probably root) */
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
- error(pamh, "Unable to change UID back to %d\n", old_uid);
-
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
- error(pamh, "Unable to change GID back to %d\n", old_gid);
-
- my_session_keyring = 0;
- }
-}
-
-/*
- * open a PAM session by making sure there's a session keyring
- */
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- struct passwd *pw;
- const char *username;
- int ret, old_uid, uid, old_gid, gid, loop, force = 0;
-
- for (loop = 0; loop < argc; loop++) {
- if (strcmp(argv[loop], "force") == 0)
- force = 1;
- else if (strcmp(argv[loop], "debug") == 0)
- xdebug = 1;
- else if (strcmp(argv[loop], "revoke") == 0)
- do_revoke = 1;
- }
-
- /* don't do anything if already created a keyring (will be called
- * multiple times if mentioned more than once in a pam script)
- */
- session_counter++;
-
- debug(pamh, "OPEN %d", session_counter);
-
- if (my_session_keyring > 0)
- return PAM_SUCCESS;
-
- /* look up the target UID */
- ret = pam_get_user(pamh, &username, "key user");
- if (ret != PAM_SUCCESS)
- return ret;
-
- pw = pam_modutil_getpwnam(pamh, username);
- if (!pw) {
- error(pamh, "Unable to look up user \"%s\"\n", username);
- return PAM_USER_UNKNOWN;
- }
-
- revoke_as_uid = uid = pw->pw_uid;
- old_uid = getuid();
- revoke_as_gid = gid = pw->pw_gid;
- old_gid = getgid();
- debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid);
-
- /* switch to the real UID and GID so that the keyring ends up owned by
- * the right user */
- if (gid != old_gid && setregid(gid, -1) < 0) {
- error(pamh, "Unable to change GID to %d temporarily\n", gid);
- return PAM_SESSION_ERR;
- }
-
- if (uid != old_uid && setreuid(uid, -1) < 0) {
- error(pamh, "Unable to change UID to %d temporarily\n", uid);
- setregid(old_gid, -1);
- return PAM_SESSION_ERR;
- }
-
- ret = init_keyrings(pamh, force);
-
- /* return to the orignal UID and GID (probably root) */
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
- ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
-
- if (gid != old_gid && setregid(old_gid, -1) < 0)
- ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
-
- return ret;
-}
-
-/*
- * close a PAM session by revoking the session keyring if requested
- */
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- debug(pamh, "CLOSE %d,%d,%d",
- session_counter, my_session_keyring, do_revoke);
-
- session_counter--;
-
- if (session_counter == 0 && my_session_keyring > 0 && do_revoke)
- kill_keyrings(pamh);
-
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_keyinit_modstruct = {
- "pam_keyinit",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
-
diff --git a/modules/pam_keyinit/tst-pam_keyinit b/modules/pam_keyinit/tst-pam_keyinit
deleted file mode 100755
index f0a7b9bc..00000000
--- a/modules/pam_keyinit/tst-pam_keyinit
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_keyinit.so
diff --git a/modules/pam_lastlog/.cvsignore b/modules/pam_lastlog/.cvsignore
deleted file mode 100644
index 9b0768f7..00000000
--- a/modules/pam_lastlog/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_lastlog.8
diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am
deleted file mode 100644
index 899bda7b..00000000
--- a/modules/pam_lastlog/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog
-
-man_MANS = pam_lastlog.8
-XMLS = README.xml pam_lastlog.8.xml
-
-TESTS = tst-pam_lastlog
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_lastlog.la
-pam_lastlog_la_LIBADD = -L$(top_builddir)/libpam -lpam -lutil
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_lastlog.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_lastlog/README.xml b/modules/pam_lastlog/README.xml
deleted file mode 100644
index 7fe70339..00000000
--- a/modules/pam_lastlog/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_lastlog.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_lastlog.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_lastlog-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
deleted file mode 100644
index 066eff58..00000000
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ /dev/null
@@ -1,231 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_lastlog">
-
- <refmeta>
- <refentrytitle>pam_lastlog</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_lastlog-name">
- <refname>pam_lastlog</refname>
- <refpurpose>PAM module to display date of last login</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_lastlog-cmdsynopsis">
- <command>pam_lastlog.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- silent
- </arg>
- <arg choice="opt">
- never
- </arg>
- <arg choice="opt">
- nodate
- </arg>
- <arg choice="opt">
- nohost
- </arg>
- <arg choice="opt">
- noterm
- </arg>
- <arg choice="opt">
- nowtmp
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_lastlog-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_lastlog is a PAM module to display a line of information
- about the last login of the user. In addition, the module maintains
- the <filename>/var/log/lastlog</filename> file.
- </para>
- <para>
- Some applications may perform this function themselves. In such
- cases, this module is not necessary.
- </para>
- </refsect1>
-
- <refsect1 id="pam_lastlog-options">
-
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>silent</option>
- </term>
- <listitem>
- <para>
- Don't inform the user about any previous login,
- just upate the <filename>/var/log/lastlog</filename> file.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>never</option>
- </term>
- <listitem>
- <para>
- If the <filename>/var/log/lastlog</filename> file does
- not contain any old entries for the user, indicate that
- the user has never previously logged in with a welcome
- message.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>nodate</option>
- </term>
- <listitem>
- <para>
- Don't display the date of the last login.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>noterm</option>
- </term>
- <listitem>
- <para>
- Don't display the terminal name on which the
- last login was attempted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>nohost</option>
- </term>
- <listitem>
- <para>
- Don't indicate from which host the last login was
- attempted.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>nowtmp</option>
- </term>
- <listitem>
- <para>
- Don't update the wtmp entry.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_lastlog-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>session</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_lastlog-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Everything was successfull.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Internal service module error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_lastlog-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/login</filename> to
- display the last login time of an user:
- </para>
- <programlisting>
- session required pam_lastlog.so nowtmp
- </programlisting>
- </refsect1>
-
- <refsect1 id="pam_lastlog-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/var/log/lastlog</filename></term>
- <listitem>
- <para>Lastlog logging file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_lastlog-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_lastlog-author'>
- <title>AUTHOR</title>
- <para>
- pam_lastlog was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
deleted file mode 100644
index a75e1ce7..00000000
--- a/modules/pam_lastlog/pam_lastlog.c
+++ /dev/null
@@ -1,452 +0,0 @@
-/* pam_lastlog module */
-
-/*
- * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11
- *
- * This module does the necessary work to display the last login
- * time+date for this user, it then updates this entry for the
- * present (login) service.
- */
-
-#include "config.h"
-
-#include <fcntl.h>
-#include <time.h>
-#include <errno.h>
-#ifdef HAVE_UTMP_H
-# include <utmp.h>
-#else
-# include <lastlog.h>
-#endif
-#include <pwd.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#if defined(hpux) || defined(sunos) || defined(solaris)
-# ifndef _PATH_LASTLOG
-# define _PATH_LASTLOG "/usr/adm/lastlog"
-# endif /* _PATH_LASTLOG */
-# ifndef UT_HOSTSIZE
-# define UT_HOSTSIZE 16
-# endif /* UT_HOSTSIZE */
-# ifndef UT_LINESIZE
-# define UT_LINESIZE 12
-# endif /* UT_LINESIZE */
-#endif
-#if defined(hpux)
-struct lastlog {
- time_t ll_time;
- char ll_line[UT_LINESIZE];
- char ll_host[UT_HOSTSIZE]; /* same as in utmp */
-};
-#endif /* hpux */
-
-/* XXX - time before ignoring lock. Is 1 sec enough? */
-#define LASTLOG_IGNORE_LOCK_TIME 1
-
-#define DEFAULT_HOST "" /* "[no.where]" */
-#define DEFAULT_TERM "" /* "tt???" */
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* argument parsing */
-
-#define LASTLOG_DATE 01 /* display the date of the last login */
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
-#define LASTLOG_LINE 04 /* display the last terminal used */
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
-#define LASTLOG_QUIET 040 /* keep quiet about things */
-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
-
-static int
-_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP);
-
- /* does the appliction require quiet? */
- if (flags & PAM_SILENT) {
- ctrl |= LASTLOG_QUIET;
- }
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug")) {
- ctrl |= LASTLOG_DEBUG;
- } else if (!strcmp(*argv,"nodate")) {
- ctrl &= ~LASTLOG_DATE;
- } else if (!strcmp(*argv,"noterm")) {
- ctrl &= ~LASTLOG_LINE;
- } else if (!strcmp(*argv,"nohost")) {
- ctrl &= ~LASTLOG_HOST;
- } else if (!strcmp(*argv,"silent")) {
- ctrl |= LASTLOG_QUIET;
- } else if (!strcmp(*argv,"never")) {
- ctrl |= LASTLOG_NEVER;
- } else if (!strcmp(*argv,"nowtmp")) {
- ctrl &= ~LASTLOG_WTMP;
- } else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
- }
-
- D(("ctrl = %o", ctrl));
- return ctrl;
-}
-
-static const char *
-get_tty(pam_handle_t *pamh)
-{
- const void *void_terminal_line = NULL;
- const char *terminal_line;
-
- if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS
- || void_terminal_line == NULL) {
- terminal_line = DEFAULT_TERM;
- } else {
- terminal_line = void_terminal_line;
- }
- if (!strncmp("/dev/", terminal_line, 5)) {
- /* strip leading "/dev/" from tty. */
- terminal_line += 5;
- }
- D(("terminal = %s", terminal_line));
- return terminal_line;
-}
-
-static int
-last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid)
-{
- struct flock last_lock;
- struct lastlog last_login;
- int retval = PAM_SUCCESS;
- char the_time[256];
- char *date = NULL;
- char *host = NULL;
- char *line = NULL;
-
- memset(&last_lock, 0, sizeof(last_lock));
- last_lock.l_type = F_RDLCK;
- last_lock.l_whence = SEEK_SET;
- last_lock.l_start = sizeof(last_login) * (off_t) uid;
- last_lock.l_len = sizeof(last_login);
-
- if (fcntl(last_fd, F_SETLK, &last_lock) < 0) {
- D(("locking %s failed..(waiting a little)", _PATH_LASTLOG));
- pam_syslog(pamh, LOG_WARNING,
- "file %s is locked/read", _PATH_LASTLOG);
- sleep(LASTLOG_IGNORE_LOCK_TIME);
- }
-
- if (pam_modutil_read(last_fd, (char *) &last_login,
- sizeof(last_login)) != sizeof(last_login)) {
- memset(&last_login, 0, sizeof(last_login));
- }
-
- last_lock.l_type = F_UNLCK;
- (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
-
- if (!last_login.ll_time) {
- if (announce & LASTLOG_DEBUG) {
- pam_syslog(pamh, LOG_DEBUG,
- "first login for user with uid %lu",
- (unsigned long int)uid);
- }
- }
-
- if (!(announce & LASTLOG_QUIET)) {
-
- if (last_login.ll_time) {
-
- /* we want the date? */
- if (announce & LASTLOG_DATE) {
- struct tm *tm, tm_buf;
- time_t ll_time;
-
- ll_time = last_login.ll_time;
- tm = localtime_r (&ll_time, &tm_buf);
- strftime (the_time, sizeof (the_time),
- /* TRANSLATORS: "strftime options for date of last login" */
- _(" %a %b %e %H:%M:%S %Z %Y"), tm);
-
- date = the_time;
- }
-
- /* we want & have the host? */
- if ((announce & LASTLOG_HOST)
- && (last_login.ll_host[0] != '\0')) {
- /* TRANSLATORS: " from <host>" */
- if (asprintf(&host, _(" from %.*s"), UT_HOSTSIZE,
- last_login.ll_host) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- retval = PAM_BUF_ERR;
- goto cleanup;
- }
- }
-
- /* we want and have the terminal? */
- if ((announce & LASTLOG_LINE)
- && (last_login.ll_line[0] != '\0')) {
- /* TRANSLATORS: " on <terminal>" */
- if (asprintf(&line, _(" on %.*s"), UT_LINESIZE,
- last_login.ll_line) < 0) {
- pam_syslog(pamh, LOG_ERR, "out of memory");
- retval = PAM_BUF_ERR;
- goto cleanup;
- }
- }
-
- /* TRANSLATORS: "Last login: <date> from <host> on <terminal>" */
- retval = pam_info(pamh, _("Last login:%s%s%s"),
- date ? date : "",
- host ? host : "",
- line ? line : "");
- } else if (announce & LASTLOG_NEVER) {
- D(("this is the first time this user has logged in"));
- retval = pam_info(pamh, "%s", _("Welcome to your new account!"));
- }
- }
-
- /* cleanup */
- cleanup:
- memset(&last_login, 0, sizeof(last_login));
- _pam_overwrite(date);
- _pam_overwrite(host);
- _pam_drop(host);
- _pam_overwrite(line);
- _pam_drop(line);
-
- return retval;
-}
-
-static int
-last_login_write(pam_handle_t *pamh, int announce, int last_fd,
- uid_t uid, const char *user)
-{
- struct flock last_lock;
- struct lastlog last_login;
- time_t ll_time;
- const void *void_remote_host = NULL;
- const char *remote_host;
- const char *terminal_line;
- int retval = PAM_SUCCESS;
-
- /* rewind */
- if (lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET) < 0) {
- pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG);
- return PAM_SERVICE_ERR;
- }
-
- /* set this login date */
- D(("set the most recent login time"));
- (void) time(&ll_time); /* set the time */
- last_login.ll_time = ll_time;
-
- /* set the remote host */
- if (pam_get_item(pamh, PAM_RHOST, &void_remote_host) != PAM_SUCCESS
- || void_remote_host == NULL) {
- remote_host = DEFAULT_HOST;
- } else {
- remote_host = void_remote_host;
- }
-
- /* copy to last_login */
- last_login.ll_host[0] = '\0';
- strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
-
- /* set the terminal line */
- terminal_line = get_tty(pamh);
-
- /* copy to last_login */
- last_login.ll_line[0] = '\0';
- strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
- terminal_line = NULL;
-
- D(("locking lastlog file"));
-
- /* now we try to lock this file-record exclusively; non-blocking */
- memset(&last_lock, 0, sizeof(last_lock));
- last_lock.l_type = F_WRLCK;
- last_lock.l_whence = SEEK_SET;
- last_lock.l_start = sizeof(last_login) * (off_t) uid;
- last_lock.l_len = sizeof(last_login);
-
- if (fcntl(last_fd, F_SETLK, &last_lock) < 0) {
- D(("locking %s failed..(waiting a little)", _PATH_LASTLOG));
- pam_syslog(pamh, LOG_WARNING, "file %s is locked/write", _PATH_LASTLOG);
- sleep(LASTLOG_IGNORE_LOCK_TIME);
- }
-
- D(("writing to the lastlog file"));
- if (pam_modutil_write (last_fd, (char *) &last_login,
- sizeof (last_login)) != sizeof(last_login)) {
- pam_syslog(pamh, LOG_ERR, "failed to write %s: %m", _PATH_LASTLOG);
- retval = PAM_SERVICE_ERR;
- }
-
- last_lock.l_type = F_UNLCK;
- (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
- D(("unlocked"));
-
- if (announce & LASTLOG_WTMP) {
- /* write wtmp entry for user */
- logwtmp(last_login.ll_line, user, remote_host);
- }
-
- /* cleanup */
- memset(&last_login, 0, sizeof(last_login));
-
- return retval;
-}
-
-static int
-last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user)
-{
- int retval;
- int last_fd;
-
- /* obtain the last login date and all the relevant info */
- last_fd = open(_PATH_LASTLOG, O_RDWR);
- if (last_fd < 0) {
- if (errno == ENOENT) {
- last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- if (last_fd < 0) {
- pam_syslog(pamh, LOG_ERR,
- "unable to create %s: %m", _PATH_LASTLOG);
- D(("unable to create %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
- pam_syslog(pamh, LOG_WARNING,
- "file %s created", _PATH_LASTLOG);
- D(("file %s created", _PATH_LASTLOG));
- } else {
- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG);
- D(("unable to open %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
- }
-
- if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) {
- pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG);
- D(("unable to lseek %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
-
- retval = last_login_read(pamh, announce, last_fd, uid);
- if (retval != PAM_SUCCESS)
- {
- close(last_fd);
- D(("error while reading lastlog file"));
- return retval;
- }
-
- retval = last_login_write(pamh, announce, last_fd, uid, user);
-
- close(last_fd);
- D(("all done with last login"));
-
- return retval;
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int retval, ctrl;
- const void *user;
- const struct passwd *pwd;
- uid_t uid;
-
- /*
- * this module gets the uid of the PAM_USER. Uses it to display
- * last login info and then updates the lastlog for that user.
- */
-
- ctrl = _pam_parse(pamh, flags, argc, argv);
-
- /* which user? */
-
- retval = pam_get_item(pamh, PAM_USER, &user);
- if (retval != PAM_SUCCESS || user == NULL || *(const char *)user == '\0') {
- pam_syslog(pamh, LOG_NOTICE, "user unknown");
- return PAM_USER_UNKNOWN;
- }
-
- /* what uid? */
-
- pwd = pam_modutil_getpwnam (pamh, user);
- if (pwd == NULL) {
- D(("couldn't identify user %s", user));
- return PAM_USER_UNKNOWN;
- }
- uid = pwd->pw_uid;
- pwd = NULL; /* tidy up */
-
- /* process the current login attempt (indicate last) */
-
- retval = last_login_date(pamh, ctrl, uid, user);
-
- /* indicate success or failure */
-
- uid = -1; /* forget this */
-
- return retval;
-}
-
-PAM_EXTERN int
-pam_sm_close_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- const char *terminal_line;
-
- if (!(_pam_parse(pamh, flags, argc, argv) & LASTLOG_WTMP))
- return PAM_SUCCESS;
-
- terminal_line = get_tty(pamh);
-
- /* Wipe out utmp logout entry */
- logwtmp(terminal_line, "", "");
-
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_lastlog_modstruct = {
- "pam_lastlog",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/modules/pam_lastlog/tst-pam_lastlog b/modules/pam_lastlog/tst-pam_lastlog
deleted file mode 100755
index ea9a5eb0..00000000
--- a/modules/pam_lastlog/tst-pam_lastlog
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_lastlog.so
diff --git a/modules/pam_limits/.cvsignore b/modules/pam_limits/.cvsignore
deleted file mode 100644
index b2519a1c..00000000
--- a/modules/pam_limits/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-limits.conf.5
-pam_limits.8
diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am
deleted file mode 100644
index 13232ea6..00000000
--- a/modules/pam_limits/Makefile.am
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) limits.conf tst-pam_limits
-
-man_MANS = limits.conf.5 pam_limits.8
-XMLS = README.xml limits.conf.5.xml pam_limits.8.xml
-
-TESTS = tst-pam_limits
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-limits_conf_dir = $(SCONFIGDIR)/limits.d
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DLIMITS_FILE_DIR=\"$(limits_conf_dir)/*.conf\" \
- -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\"
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_limits.la
-pam_limits_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-secureconf_DATA = limits.conf
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_limits.8.xml limits.conf.5.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-install-data-local:
- mkdir -p $(DESTDIR)$(limits_conf_dir)
diff --git a/modules/pam_limits/README.xml b/modules/pam_limits/README.xml
deleted file mode 100644
index 964a5a21..00000000
--- a/modules/pam_limits/README.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamlimits SYSTEM "pam_limits.8.xml">
--->
-<!--
-<!ENTITY limitsconf SYSTEM "limits.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_limits.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_limits-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
deleted file mode 100644
index 5d5c3f70..00000000
--- a/modules/pam_limits/limits.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# /etc/security/limits.conf
-#
-#Each line describes a limit for a user in the form:
-#
-#<domain> <type> <item> <value>
-#
-#Where:
-#<domain> can be:
-# - an user name
-# - a group name, with @group syntax
-# - the wildcard *, for default entry
-# - the wildcard %, can be also used with %group syntax,
-# for maxlogin limit
-#
-#<type> can have the two values:
-# - "soft" for enforcing the soft limits
-# - "hard" for enforcing hard limits
-#
-#<item> can be one of the following:
-# - core - limits the core file size (KB)
-# - data - max data size (KB)
-# - fsize - maximum filesize (KB)
-# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open files
-# - rss - max resident set size (KB)
-# - stack - max stack size (KB)
-# - cpu - max CPU time (MIN)
-# - nproc - max number of processes
-# - as - address space limit (KB)
-# - maxlogins - max number of logins for this user
-# - maxsyslogins - max number of logins on the system
-# - priority - the priority to run user process with
-# - locks - max number of file locks the user can hold
-# - sigpending - max number of pending signals
-# - msgqueue - max memory used by POSIX message queues (bytes)
-# - nice - max nice priority allowed to raise to values: [-20, 19]
-# - rtprio - max realtime priority
-#
-#<domain> <type> <item> <value>
-#
-
-#* soft core 0
-#* hard rss 10000
-#@student hard nproc 20
-#@faculty soft nproc 20
-#@faculty hard nproc 50
-#ftp hard nproc 0
-#@student - maxlogins 4
-
-# End of file
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
deleted file mode 100644
index fb1fad27..00000000
--- a/modules/pam_limits/limits.conf.5.xml
+++ /dev/null
@@ -1,287 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="limits.conf">
-
- <refmeta>
- <refentrytitle>limits.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname>limits.conf</refname>
- <refpurpose>configuration file for the pam_limits module</refpurpose>
- </refnamediv>
-
- <refsect1 id='limits.conf-description'>
- <title>DESCRIPTION</title>
- <para>
- The syntax of the lines is as follows:
- </para>
- <para>
- <replaceable>&lt;domain&gt;</replaceable> <replaceable>&lt;type&gt;</replaceable>
- <replaceable>&lt;item&gt;</replaceable> <replaceable>&lt;value&gt;</replaceable>
- </para>
- <para>
- The fields listed above should be filled as follows:
- </para>
- <variablelist>
- <varlistentry>
- <term>
- <option>&lt;domain&gt;</option>
- </term>
- <listitem>
- <itemizedlist>
- <listitem>
- <para>
- a username
- </para>
- </listitem>
- <listitem>
- <para>
- a groupname, with <emphasis remap='B'>@group</emphasis> syntax.
- This should not be confused with netgroups.
- </para>
- </listitem>
- <listitem>
- <para>
- the wildcard <emphasis remap='B'>*</emphasis>, for default entry.
- </para>
- </listitem>
- <listitem>
- <para>
- the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only,
- can also be used with <emphasis remap='b'>%group</emphasis> syntax.
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>&lt;type&gt;</option>
- </term>
- <listitem>
- <variablelist>
- <varlistentry>
- <term><option>hard</option></term>
- <listitem>
- <para>
- for enforcing <emphasis remap='B'>hard</emphasis> resource limits.
- These limits are set by the superuser and enforced by the Kernel.
- The user cannot raise his requirement of system resources above such values.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>soft</option></term>
- <listitem>
- <para>
- for enforcing <emphasis remap='B'>soft</emphasis> resource limits.
- These limits are ones that the user can move up or down within the
- permitted range by any pre-existing <emphasis remap='B'>hard</emphasis>
- limits. The values specified with this token can be thought of as
- <emphasis>default</emphasis> values, for normal system usage.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>-</option></term>
- <listitem>
- <para>
- for enforcing both <emphasis remap='B'>soft</emphasis> and
- <emphasis remap='B'>hard</emphasis> resource limits together.
- </para>
- <para>
- Note, if you specify a type of '-' but neglect to supply the
- item and value fields then the module will never enforce any
- limits on the specified user/group etc. .
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>&lt;item&gt;</option>
- </term>
- <listitem>
- <variablelist>
- <varlistentry>
- <term><option>core</option></term>
- <listitem>
- <para>limits the core file size (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>data</option></term>
- <listitem>
- <para>maximum data size (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>fsize</option></term>
- <listitem>
- <para>maximum filesize (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>memlock</option></term>
- <listitem>
- <para>maximum locked-in-memory address space (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>nofile</option></term>
- <listitem>
- <para>maximum number of open files</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>rss</option></term>
- <listitem>
- <para>maximum resident set size (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>stack</option></term>
- <listitem>
- <para>maximum stack size (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>cpu</option></term>
- <listitem>
- <para>maximum CPU time (minutes)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>nproc</option></term>
- <listitem>
- <para>maximum number of processes</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>as</option></term>
- <listitem>
- <para>address space limit (KB)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>maxlogins</option></term>
- <listitem>
- <para>maximum number of logins for this user except
- for this with <emphasis>uid=0</emphasis></para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>maxsyslogins</option></term>
- <listitem>
- <para>maximum number of logins on system</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>priority</option></term>
- <listitem>
- <para>the priority to run user process with (negative
- values boost process priority)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>locks</option></term>
- <listitem>
- <para>maximum locked files (Linux 2.4 and higher)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>sigpending</option></term>
- <listitem>
- <para>maximum number of pending signals (Linux 2.6 and higher)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>msqqueue</option></term>
- <listitem>
- <para>maximum memory used by POSIX message queues (bytes)
- (Linux 2.6 and higher)</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>nice</option></term>
- <listitem>
- <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>rtprio</option></term>
- <listitem>
- <para>maximum realtime priority allowed for non-privileged processes
- (Linux 2.6.12 and higher)</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </listitem>
- </varlistentry>
-
- </variablelist>
- <para>
- In general, individual limits have priority over group limits, so if
- you impose no limits for <emphasis>admin</emphasis> group, but one of
- the members in this group have a limits line, the user will have its
- limits set according to this line.
- </para>
- <para>
- Also, please note that all limit settings are set
- <emphasis>per login</emphasis>. They are not global, nor are they
- permanent; existing only for the duration of the session.
- </para>
- <para>
- In the <emphasis>limits</emphasis> configuration file, the
- '<emphasis remap='B'>#</emphasis>' character introduces a comment
- - after which the rest of the line is ignored.
- </para>
- <para>
- The pam_limits module does its best to report configuration problems
- found in its configuration file via <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="limits.conf-examples">
- <title>EXAMPLES</title>
- <para>
- These are some example lines which might be specified in
- <filename>/etc/security/limits.conf</filename>.
- </para>
- <programlisting>
-* soft core 0
-* hard rss 10000
-@student hard nproc 20
-@faculty soft nproc 20
-@faculty hard nproc 50
-ftp hard nproc 0
-@student - maxlogins 4
- </programlisting>
- </refsect1>
-
- <refsect1 id="limits.conf-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id="limits.conf-author">
- <title>AUTHOR</title>
- <para>
- pam_limits was initially written by Cristian Gafton &lt;gafton@redhat.com&gt;
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml
deleted file mode 100644
index 98afdcd4..00000000
--- a/modules/pam_limits/pam_limits.8.xml
+++ /dev/null
@@ -1,256 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_limits'>
-
- <refmeta>
- <refentrytitle>pam_limits</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_limits-name'>
- <refname>pam_limits</refname>
- <refpurpose>
- PAM module to limit resources
- </refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_limits-cmdsynopsis">
- <command>pam_limits.so</command>
- <arg choice="opt">
- change_uid
- </arg>
- <arg choice="opt">
- conf=<replaceable>/path/to/limits.conf</replaceable>
- </arg>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- utmp_early
- </arg>
- <arg choice="opt">
- noaudit
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-
- <refsect1 id="pam_limits-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_limits PAM module sets limits on the system resources that can be
- obtained in a user-session. Users of <emphasis>uid=0</emphasis> are affected
- by this limits, too.
- </para>
- <para>
- By default limits are taken from the <filename>/etc/security/limits.conf</filename>
- config file. Then individual files from the <filename>/etc/security/limits.d/</filename>
- directory are read. The files are parsed one after another in the order of "C" locale.
- The effect of the individual files is the same as if all the files were
- concatenated together in the order of parsing.
- If a config file is explicitely specified with a module option then the
- files in the above directory are not parsed.
- </para>
- <para>
- The module must not be called by a multithreaded application.
- </para>
- <para>
- If Linux PAM is compiled with audit support the module will report
- when it denies access based on limit of maximum number of concurrent
- login sessions.
- </para>
- </refsect1>
-
- <refsect1 id="pam_limits-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>change_uid</option>
- </term>
- <listitem>
- <para>
- Change real uid to the user for who the limits are set up. Use this
- option if you have problems like login not forking a shell for user
- who has no processes. Be warned that something else may break when
- you do this.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>conf=<replaceable>/path/to/limits.conf</replaceable></option>
- </term>
- <listitem>
- <para>
- Indicate an alternative limits.conf style configuration file to
- override the default.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>utmp_early</option>
- </term>
- <listitem>
- <para>
- Some broken applications actually allocate a utmp entry for
- the user before the user is admitted to the system. If some
- of the services you are configuring PAM for do this, you can
- selectively use this module argument to compensate for this
- behavior and at the same time maintain system-wide consistency
- with a single limits.conf file.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>noaudit</option>
- </term>
- <listitem>
- <para>
- Do not report exceeded maximum logins count to the audit subsystem.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_limits-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <option>session</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id="pam_limits-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Cannot get current limits.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- No limits found for this user.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_PERM_DENIED</term>
- <listitem>
- <para>
- New limits could not be set.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Cannot read config file.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SESSEION_ERR</term>
- <listitem>
- <para>
- Error recovering account name.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Limits were changed.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- The user is not known to the system.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_limits-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/security/limits.conf</filename></term>
- <listitem>
- <para>Default configuration file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_limits-examples'>
- <title>EXAMPLES</title>
- <para>
- For the services you need resources limits (login for example) put a
- the following line in <filename>/etc/pam.d/login</filename> as the last
- line for that service (usually after the pam_unix session line):
- </para>
- <programlisting>
-#%PAM-1.0
-#
-# Resource limits imposed on login sessions via pam_limits
-#
-session required pam_limits.so
- </programlisting>
- <para>
- Replace "login" for each service you are using this module.
- </para>
- </refsect1>
-
- <refsect1 id="pam_limits-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_limits-authors">
- <title>AUTHORS</title>
- <para>
- pam_limits was initially written by Cristian Gafton &lt;gafton@redhat.com&gt;
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
deleted file mode 100644
index f1e29b85..00000000
--- a/modules/pam_limits/pam_limits.c
+++ /dev/null
@@ -1,777 +0,0 @@
-/*
- * pam_limits - impose resource limits when opening a user session
- *
- * 1.6 - modified for PLD (added process priority settings)
- * by Marcin Korzonek <mkorz@shadow.eu.org>
- * 1.5 - Elliot Lee's "max system logins patch"
- * 1.4 - addressed bug in configuration file parser
- * 1.3 - modified the configuration file format
- * 1.2 - added 'debug' and 'conf=' arguments
- * 1.1 - added @group support
- * 1.0 - initial release - Linux ONLY
- *
- * See end for Copyright information
- */
-
-#if !defined(linux) && !defined(__linux)
-#warning THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!!
-#endif
-
-#include "config.h"
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/resource.h>
-#include <limits.h>
-#include <glob.h>
-#include <utmp.h>
-#ifndef UT_USER /* some systems have ut_name instead of ut_user */
-#define UT_USER ut_user
-#endif
-
-#include <grp.h>
-#include <pwd.h>
-#include <locale.h>
-
-#ifdef HAVE_LIBAUDIT
-#include <libaudit.h>
-#endif
-
-/* Module defines */
-#define LINE_LENGTH 1024
-
-#define LIMITS_DEF_USER 0 /* limit was set by an user entry */
-#define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */
-#define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */
-#define LIMITS_DEF_ALL 3 /* limit was set by an default entry */
-#define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */
-#define LIMITS_DEF_NONE 5 /* this limit was not set yet */
-
-static const char *limits_def_names[] = {
- "USER",
- "GROUP",
- "ALLGROUP",
- "ALL",
- "DEFAULT",
- "NONE",
- NULL
-};
-
-struct user_limits_struct {
- int supported;
- int src_soft;
- int src_hard;
- struct rlimit limit;
-};
-
-/* internal data */
-struct pam_limit_s {
- int login_limit; /* the max logins limit */
- int login_limit_def; /* which entry set the login limit */
- int flag_numsyslogins; /* whether to limit logins only for a
- specific user or to count all logins */
- int priority; /* the priority to run user process with */
- struct user_limits_struct limits[RLIM_NLIMITS];
- const char *conf_file;
- int utmp_after_pam_call;
- char login_group[LINE_LENGTH];
-};
-
-#define LIMIT_LOGIN RLIM_NLIMITS+1
-#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
-
-#define LIMIT_PRI RLIM_NLIMITS+3
-
-#define LIMIT_SOFT 1
-#define LIMIT_HARD 2
-
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_DO_SETREUID 0x0002
-#define PAM_UTMP_EARLY 0x0004
-#define PAM_NO_AUDIT 0x0008
-
-/* Limits from globbed files. */
-#define LIMITS_CONF_GLOB LIMITS_FILE_DIR
-
-#define CONF_FILE (pl->conf_file != NULL)?pl->conf_file:LIMITS_FILE
-
-static int
-_pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
- struct pam_limit_s *pl)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug")) {
- ctrl |= PAM_DEBUG_ARG;
- } else if (!strncmp(*argv,"conf=",5)) {
- pl->conf_file = *argv+5;
- } else if (!strncmp(*argv,"change_uid",10)) {
- ctrl |= PAM_DO_SETREUID;
- } else if (!strcmp(*argv,"utmp_early")) {
- ctrl |= PAM_UTMP_EARLY;
- } else if (!strcmp(*argv,"noaudit")) {
- ctrl |= PAM_NO_AUDIT;
- } else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
- }
-
- return ctrl;
-}
-
-
-#define LIMITED_OK 0 /* limit setting appeared to work */
-#define LIMIT_ERR 1 /* error setting a limit */
-#define LOGIN_ERR 2 /* too many logins err */
-
-/* Counts the number of user logins and check against the limit*/
-static int
-check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
- struct pam_limit_s *pl)
-{
- struct utmp *ut;
- int count;
-
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "checking logins for '%s' (maximum of %d)", name, limit);
- }
-
- if (limit < 0)
- return 0; /* no limits imposed */
- if (limit == 0) /* maximum 0 logins ? */ {
- pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name);
- return LOGIN_ERR;
- }
-
- setutent();
-
- /* Because there is no definition about when an application
- actually adds a utmp entry, some applications bizarrely do the
- utmp call before the have PAM authenticate them to the system:
- you're logged it, sort of...? Anyway, you can use the
- "utmp_early" module argument in your PAM config file to make
- allowances for this sort of problem. (There should be a PAM
- standard for this, since if a module wants to actually map a
- username then any early utmp entry will be for the unmapped
- name = broken.) */
-
- if (ctrl & PAM_UTMP_EARLY) {
- count = 0;
- } else {
- count = 1;
- }
-
- while((ut = getutent())) {
-#ifdef USER_PROCESS
- if (ut->ut_type != USER_PROCESS) {
- continue;
- }
-#endif
- if (ut->UT_USER[0] == '\0') {
- continue;
- }
- if (!pl->flag_numsyslogins) {
- if (((pl->login_limit_def == LIMITS_DEF_USER)
- || (pl->login_limit_def == LIMITS_DEF_GROUP)
- || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
- continue;
- }
- if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
- continue;
- }
- }
- if (++count > limit) {
- break;
- }
- }
- endutent();
- if (count > limit) {
- if (name) {
- pam_syslog(pamh, LOG_WARNING,
- "Too many logins (max %d) for %s", limit, name);
- } else {
- pam_syslog(pamh, LOG_WARNING, "Too many system logins (max %d)", limit);
- }
- return LOGIN_ERR;
- }
- return 0;
-}
-
-static int init_limits(struct pam_limit_s *pl)
-{
- int i;
- int retval = PAM_SUCCESS;
-
- D(("called."));
-
- for(i = 0; i < RLIM_NLIMITS; i++) {
- int r = getrlimit(i, &pl->limits[i].limit);
- if (r == -1) {
- pl->limits[i].supported = 0;
- if (errno != EINVAL) {
- retval = !PAM_SUCCESS;
- }
- } else {
- pl->limits[i].supported = 1;
- pl->limits[i].src_soft = LIMITS_DEF_NONE;
- pl->limits[i].src_hard = LIMITS_DEF_NONE;
- }
- }
-
- errno = 0;
- pl->priority = getpriority (PRIO_PROCESS, 0);
- if (pl->priority == -1 && errno != 0)
- retval = !PAM_SUCCESS;
- pl->login_limit = -2;
- pl->login_limit_def = LIMITS_DEF_NONE;
-
- return retval;
-}
-
-static void
-process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
- const char *lim_item, const char *lim_value,
- int ctrl, struct pam_limit_s *pl)
-{
- int limit_item;
- int limit_type = 0;
- int int_value = 0;
- rlim_t rlimit_value = 0;
- char *endptr;
- const char *value_orig = lim_value;
-
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_DEBUG, "%s: processing %s %s %s for %s",
- __FUNCTION__, lim_type, lim_item, lim_value,
- limits_def_names[source]);
-
- if (strcmp(lim_item, "cpu") == 0)
- limit_item = RLIMIT_CPU;
- else if (strcmp(lim_item, "fsize") == 0)
- limit_item = RLIMIT_FSIZE;
- else if (strcmp(lim_item, "data") == 0)
- limit_item = RLIMIT_DATA;
- else if (strcmp(lim_item, "stack") == 0)
- limit_item = RLIMIT_STACK;
- else if (strcmp(lim_item, "core") == 0)
- limit_item = RLIMIT_CORE;
- else if (strcmp(lim_item, "rss") == 0)
- limit_item = RLIMIT_RSS;
- else if (strcmp(lim_item, "nproc") == 0)
- limit_item = RLIMIT_NPROC;
- else if (strcmp(lim_item, "nofile") == 0)
- limit_item = RLIMIT_NOFILE;
- else if (strcmp(lim_item, "memlock") == 0)
- limit_item = RLIMIT_MEMLOCK;
-#ifdef RLIMIT_AS
- else if (strcmp(lim_item, "as") == 0)
- limit_item = RLIMIT_AS;
-#endif /*RLIMIT_AS*/
-#ifdef RLIMIT_LOCKS
- else if (strcmp(lim_item, "locks") == 0)
- limit_item = RLIMIT_LOCKS;
-#endif
-#ifdef RLIMIT_SIGPENDING
- else if (strcmp(lim_item, "sigpending") == 0)
- limit_item = RLIMIT_SIGPENDING;
-#endif
-#ifdef RLIMIT_MSGQUEUE
- else if (strcmp(lim_item, "msgqueue") == 0)
- limit_item = RLIMIT_MSGQUEUE;
-#endif
-#ifdef RLIMIT_NICE
- else if (strcmp(lim_item, "nice") == 0)
- limit_item = RLIMIT_NICE;
-#endif
-#ifdef RLIMIT_RTPRIO
- else if (strcmp(lim_item, "rtprio") == 0)
- limit_item = RLIMIT_RTPRIO;
-#endif
- else if (strcmp(lim_item, "maxlogins") == 0) {
- limit_item = LIMIT_LOGIN;
- pl->flag_numsyslogins = 0;
- } else if (strcmp(lim_item, "maxsyslogins") == 0) {
- limit_item = LIMIT_NUMSYSLOGINS;
- pl->flag_numsyslogins = 1;
- } else if (strcmp(lim_item, "priority") == 0) {
- limit_item = LIMIT_PRI;
- } else {
- pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
- return;
- }
-
- if (strcmp(lim_type,"soft")==0)
- limit_type=LIMIT_SOFT;
- else if (strcmp(lim_type, "hard")==0)
- limit_type=LIMIT_HARD;
- else if (strcmp(lim_type,"-")==0)
- limit_type=LIMIT_SOFT | LIMIT_HARD;
- else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) {
- pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type);
- return;
- }
- if (limit_item != LIMIT_PRI
-#ifdef RLIMIT_NICE
- && limit_item != RLIMIT_NICE
-#endif
- && (strcmp(lim_value, "-1") == 0
- || strcmp(lim_value, "-") == 0 || strcmp(lim_value, "unlimited") == 0
- || strcmp(lim_value, "infinity") == 0)) {
- int_value = -1;
- rlimit_value = RLIM_INFINITY;
- } else if (limit_item == LIMIT_PRI || limit_item == LIMIT_LOGIN ||
-#ifdef RLIMIT_NICE
- limit_item == RLIMIT_NICE ||
-#endif
- limit_item == LIMIT_NUMSYSLOGINS) {
- long temp;
- temp = strtol (lim_value, &endptr, 10);
- temp = temp < INT_MAX ? temp : INT_MAX;
- int_value = temp > INT_MIN ? temp : INT_MIN;
- if (int_value == 0 && value_orig == endptr) {
- pam_syslog(pamh, LOG_DEBUG,
- "wrong limit value '%s' for limit type '%s'",
- lim_value, lim_type);
- return;
- }
- } else {
-#ifdef __USE_FILE_OFFSET64
- rlimit_value = strtoull (lim_value, &endptr, 10);
-#else
- rlimit_value = strtoul (lim_value, &endptr, 10);
-#endif
- if (rlimit_value == 0 && value_orig == endptr) {
- pam_syslog(pamh, LOG_DEBUG,
- "wrong limit value '%s' for limit type '%s'",
- lim_value, lim_type);
- return;
- }
- }
-
- /* one more special case when limiting logins */
- if ((source == LIMITS_DEF_ALL || source == LIMITS_DEF_ALLGROUP)
- && (limit_item != LIMIT_LOGIN)) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_DEBUG,
- "'%%' domain valid for maxlogins type only");
- return;
- }
-
- switch(limit_item) {
- case RLIMIT_CPU:
- if (rlimit_value != RLIM_INFINITY)
- {
- if (rlimit_value >= RLIM_INFINITY/60)
- rlimit_value = RLIM_INFINITY;
- else
- rlimit_value *= 60;
- }
- break;
- case RLIMIT_FSIZE:
- case RLIMIT_DATA:
- case RLIMIT_STACK:
- case RLIMIT_CORE:
- case RLIMIT_RSS:
- case RLIMIT_MEMLOCK:
-#ifdef RLIMIT_AS
- case RLIMIT_AS:
-#endif
- if (rlimit_value != RLIM_INFINITY)
- {
- if (rlimit_value >= RLIM_INFINITY/1024)
- rlimit_value = RLIM_INFINITY;
- else
- rlimit_value *= 1024;
- }
- break;
-#ifdef RLIMIT_NICE
- case RLIMIT_NICE:
- if (int_value > 19)
- int_value = 19;
- if (int_value < -20)
- int_value = -20;
- rlimit_value = 20 - int_value;
-#endif
- break;
- }
-
- if ( (limit_item != LIMIT_LOGIN)
- && (limit_item != LIMIT_NUMSYSLOGINS)
- && (limit_item != LIMIT_PRI) ) {
- if (limit_type & LIMIT_SOFT) {
- if (pl->limits[limit_item].src_soft < source) {
- return;
- } else {
- pl->limits[limit_item].limit.rlim_cur = rlimit_value;
- pl->limits[limit_item].src_soft = source;
- }
- }
- if (limit_type & LIMIT_HARD) {
- if (pl->limits[limit_item].src_hard < source) {
- return;
- } else {
- pl->limits[limit_item].limit.rlim_max = rlimit_value;
- pl->limits[limit_item].src_hard = source;
- }
- }
- } else {
- /* recent kernels support negative priority limits (=raise priority) */
-
- if (limit_item == LIMIT_PRI) {
- pl->priority = int_value;
- } else {
- if (pl->login_limit_def < source) {
- return;
- } else {
- pl->login_limit = int_value;
- pl->login_limit_def = source;
- }
- }
- }
- return;
-}
-
-static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl,
- struct pam_limit_s *pl)
-{
- FILE *fil;
- char buf[LINE_LENGTH];
-
- /* check for the LIMITS_FILE */
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
- fil = fopen(CONF_FILE, "r");
- if (fil == NULL) {
- pam_syslog (pamh, LOG_WARNING,
- "cannot read settings from %s: %m", CONF_FILE);
- return PAM_SERVICE_ERR;
- }
-
- /* start the show */
- while (fgets(buf, LINE_LENGTH, fil) != NULL) {
- char domain[LINE_LENGTH];
- char ltype[LINE_LENGTH];
- char item[LINE_LENGTH];
- char value[LINE_LENGTH];
- int i;
- size_t j;
- char *tptr,*line;
-
- line = buf;
- /* skip the leading white space */
- while (*line && isspace(*line))
- line++;
-
- /* Rip off the comments */
- tptr = strchr(line,'#');
- if (tptr)
- *tptr = '\0';
- /* Rip off the newline char */
- tptr = strchr(line,'\n');
- if (tptr)
- *tptr = '\0';
- /* Anything left ? */
- if (!strlen(line))
- continue;
-
- domain[0] = ltype[0] = item[0] = value[0] = '\0';
-
- i = sscanf(line,"%s%s%s%s", domain, ltype, item, value);
- D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]",
- i, domain, ltype, item, value));
-
- for(j=0; j < strlen(ltype); j++)
- ltype[j]=tolower(ltype[j]);
-
- if (i == 4) { /* a complete line */
- for(j=0; j < strlen(item); j++)
- item[j]=tolower(item[j]);
- for(j=0; j < strlen(value); j++)
- value[j]=tolower(value[j]);
-
- if (strcmp(uname, domain) == 0) /* this user have a limit */
- process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
- else if (domain[0]=='@') {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "checking if %s is in group %s",
- uname, domain + 1);
- }
- if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
- process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
- pl);
- } else if (domain[0]=='%') {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "checking if %s is in group %s",
- uname, domain + 1);
- }
- if (strcmp(domain,"%") == 0)
- process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl,
- pl);
- else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
- strcpy(pl->login_group, domain+1);
- process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
- pl);
- }
- } else if (strcmp(domain, "*") == 0)
- process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
- pl);
- } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
- if (strcmp(uname, domain) == 0) {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname);
- }
- fclose(fil);
- return PAM_IGNORE;
- } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
- "no limits for '%s' in group '%s'",
- uname, domain+1);
- }
- fclose(fil);
- return PAM_IGNORE;
- }
- } else {
- pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
- }
- }
- fclose(fil);
- return PAM_SUCCESS;
-}
-
-static int setup_limits(pam_handle_t *pamh,
- const char *uname, uid_t uid, int ctrl,
- struct pam_limit_s *pl)
-{
- int i;
- int status;
- int retval = LIMITED_OK;
-
- for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
- if (!pl->limits[i].supported) {
- /* skip it if its not known to the system */
- continue;
- }
- if (pl->limits[i].src_soft == LIMITS_DEF_NONE &&
- pl->limits[i].src_hard == LIMITS_DEF_NONE) {
- /* skip it if its not initialized */
- continue;
- }
- if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
- pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
- status |= setrlimit(i, &pl->limits[i].limit);
- }
-
- if (status) {
- retval = LIMIT_ERR;
- }
-
- status = setpriority(PRIO_PROCESS, 0, pl->priority);
- if (status != 0) {
- retval = LIMIT_ERR;
- }
-
- if (uid == 0) {
- D(("skip login limit check for uid=0"));
- } else if (pl->login_limit > 0) {
- if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
-#ifdef HAVE_LIBAUDIT
- if (!(ctrl & PAM_NO_AUDIT)) {
- pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
- "pam_limits", PAM_PERM_DENIED);
- /* ignore return value as we fail anyway */
- }
-#endif
- retval |= LOGIN_ERR;
- }
- } else if (pl->login_limit == 0) {
- retval |= LOGIN_ERR;
- }
-
- return retval;
-}
-
-/* now the session stuff */
-PAM_EXTERN int
-pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval;
- int i;
- int glob_rc;
- char *user_name;
- struct passwd *pwd;
- int ctrl;
- struct pam_limit_s plstruct;
- struct pam_limit_s *pl = &plstruct;
- glob_t globbuf;
- const char *oldlocale;
-
- D(("called."));
-
- memset(pl, 0, sizeof(*pl));
- memset(&globbuf, 0, sizeof(globbuf));
-
- ctrl = _pam_parse(pamh, argc, argv, pl);
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- pwd = pam_modutil_getpwnam(pamh, user_name);
- if (!pwd) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_WARNING,
- "open_session username '%s' does not exist", user_name);
- return PAM_USER_UNKNOWN;
- }
-
- retval = init_limits(pl);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_WARNING, "cannot initialize");
- return PAM_ABORT;
- }
-
- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
- if (retval == PAM_IGNORE) {
- D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
- return PAM_SUCCESS;
- }
- if (retval != PAM_SUCCESS || pl->conf_file != NULL)
- /* skip reading limits.d if config file explicitely specified */
- goto out;
-
- /* Read subsequent *.conf files, if they exist. */
-
- /* set the LC_COLLATE so the sorting order doesn't depend
- on system locale */
-
- oldlocale = setlocale(LC_COLLATE, "C");
- glob_rc = glob(LIMITS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
-
- if (oldlocale != NULL)
- setlocale (LC_COLLATE, oldlocale);
-
- if (!glob_rc) {
- /* Parse the *.conf files. */
- for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
- pl->conf_file = globbuf.gl_pathv[i];
- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
- if (retval == PAM_IGNORE) {
- D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file));
- globfree(&globbuf);
- return PAM_SUCCESS;
- }
- if (retval != PAM_SUCCESS)
- goto out;
- }
- }
-
-out:
- globfree(&globbuf);
- if (retval != PAM_SUCCESS)
- {
- pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE);
- return retval;
- }
-
- if (ctrl & PAM_DO_SETREUID) {
- setreuid(pwd->pw_uid, -1);
- }
-
- retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl);
- if (retval & LOGIN_ERR)
- pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name);
- if (retval != LIMITED_OK) {
- return PAM_PERM_DENIED;
- }
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- /* nothing to do */
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_limits_modstruct = {
- "pam_limits",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
-
-/*
- * Copyright (c) Cristian Gafton, 1996-1997, <gafton@redhat.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_limits/tst-pam_limits b/modules/pam_limits/tst-pam_limits
deleted file mode 100755
index f563beb7..00000000
--- a/modules/pam_limits/tst-pam_limits
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_limits.so
diff --git a/modules/pam_listfile/.cvsignore b/modules/pam_listfile/.cvsignore
deleted file mode 100644
index f54f6f27..00000000
--- a/modules/pam_listfile/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_listfile.8
diff --git a/modules/pam_listfile/Makefile.am b/modules/pam_listfile/Makefile.am
deleted file mode 100644
index 2f211320..00000000
--- a/modules/pam_listfile/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile
-
-man_MANS = pam_listfile.8
-XMLS = README.xml pam_listfile.8.xml
-
-TESTS = tst-pam_listfile
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_listfile.la
-pam_listfile_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_listfile.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_listfile/README.xml b/modules/pam_listfile/README.xml
deleted file mode 100644
index d851aef3..00000000
--- a/modules/pam_listfile/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_listfile.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_listfile-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_listfile/pam_listfile.8.xml b/modules/pam_listfile/pam_listfile.8.xml
deleted file mode 100644
index e54e80a4..00000000
--- a/modules/pam_listfile/pam_listfile.8.xml
+++ /dev/null
@@ -1,297 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_listfile">
-
- <refmeta>
- <refentrytitle>pam_listfile</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_listfile-name">
- <refname>pam_listfile</refname>
- <refpurpose>deny or allow services based on an arbitrary file</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_listfile-cmdsynopsis">
- <command>pam_listfile.so</command>
- <arg choice="plain">
- item=[tty|user|rhost|ruser|group|shell]
- </arg>
- <arg choice="plain">
- sense=[allow|deny]
- </arg>
- <arg choice="plain">
- file=<replaceable>/path/filename</replaceable>
- </arg>
- <arg choice="plain">
- onerr=[succeed|fail]
- </arg>
- <arg choice="opt">
- apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]
- </arg>
- <arg choice="opt">
- quiet
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_listfile-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_listfile is a PAM module which provides a way to deny or
- allow services based on an arbitrary file.
- </para>
- <para>
- The module gets the <option>item</option> of the type specified --
- <emphasis>user</emphasis> specifies the username,
- <emphasis>PAM_USER</emphasis>; tty specifies the name of the terminal
- over which the request has been made, <emphasis>PAM_TTY</emphasis>;
- rhost specifies the name of the remote host (if any) from which the
- request was made, <emphasis>PAM_RHOST</emphasis>; and ruser specifies
- the name of the remote user (if available) who made the request,
- <emphasis>PAM_RUSER</emphasis> -- and looks for an instance of that
- item in the <option>file=<replaceable>filename</replaceable></option>.
- <filename>filename</filename> contains one line per item listed. If
- the item is found, then if
- <option>sense=<replaceable>allow</replaceable></option>,
- <emphasis>PAM_SUCCESS</emphasis> is returned, causing the authorization
- request to succeed; else if
- <option>sense=<replaceable>deny</replaceable></option>,
- <emphasis>PAM_AUTH_ERR</emphasis> is returned, causing the authorization
- request to fail.
- </para>
- <para>
- If an error is encountered (for instance, if
- <filename>filename</filename> does not exist, or a poorly-constructed
- argument is encountered), then if <emphasis>onerr=succeed</emphasis>,
- <emphasis>PAM_SUCCESS</emphasis> is returned, otherwise if
- <emphasis>onerr=fail</emphasis>, <emphasis>PAM_AUTH_ERR</emphasis> or
- <emphasis>PAM_SERVICE_ERR</emphasis> (as appropriate) will be returned.
- </para>
- <para>
- An additional argument, <option>apply=</option>, can be used
- to restrict the application of the above to a specific user
- (<option>apply=<replaceable>username</replaceable></option>)
- or a given group
- (<option>apply=<replaceable>@groupname</replaceable></option>).
- This added restriction is only meaningful when used with the
- <emphasis>tty</emphasis>, <emphasis>rhost</emphasis> and
- <emphasis>shell</emphasis> items.
- </para>
- <para>
- Besides this last one, all arguments should be specified; do not
- count on any default behavior.
- </para>
- <para>
- No credentials are awarded by this module.
- </para>
- </refsect1>
-
- <refsect1 id="pam_listfile-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>item=[tty|user|rhost|ruser|group|shell]</option>
- </term>
- <listitem>
- <para>
- What is listed in the file and should be checked for.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>sense=[allow|deny]</option>
- </term>
- <listitem>
- <para>
- Action to take if found in file, if the item is NOT found in
- the file, then the opposite action is requested.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>file=<replaceable>/path/filename</replaceable></option>
- </term>
- <listitem>
- <para>
- File containing one item per line. The file needs to be a plain
- file and not world writeable.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>onerr=[succeed|fail]</option>
- </term>
- <listitem>
- <para>
- What to do if something weird happens like being unable to open
- the file.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]</option>
- </term>
- <listitem>
- <para>
- Restrict the user class for which the restriction apply. Note that
- with <option>item=[user|ruser|group]</option> this does not make sense,
- but for <option>item=[tty|rhost|shell]</option> it have a meaning.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>quiet</option>
- </term>
- <listitem>
- <para>
- Do not treat service refusals or missing list files as
- errors that need to be logged.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_listfile-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The services <option>auth</option>, <option>account</option>,
- <option>password</option> and <option>session</option> are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>Authentication failure.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- The rule does not apply to the <option>apply</option> option.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Error in service module.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Success.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-examples'>
- <title>EXAMPLES</title>
- <para>
- Classic 'ftpusers' authentication can be implemented with this entry
- in <filename>/etc/pam.d/ftpd</filename>:
- <programlisting>
-#
-# deny ftp-access to users listed in the /etc/ftpusers file
-#
-auth required pam_listfile.so \
- onerr=succeed item=user sense=deny file=/etc/ftpusers
- </programlisting>
- Note, users listed in <filename>/etc/ftpusers</filename> file are
- (counterintuitively) <emphasis>not</emphasis> allowed access to
- the ftp service.
- </para>
- <para>
- To allow login access only for certain users, you can use a
- <filename>/etc/pam.d/login</filename> entry like this:
- <programlisting>
-#
-# permit login to users listed in /etc/loginusers
-#
-auth required pam_listfile.so \
- onerr=fail item=user sense=allow file=/etc/loginusers
- </programlisting>
- For this example to work, all users who are allowed to use the
- login service should be listed in the file
- <filename>/etc/loginusers</filename>. Unless you are explicitly
- trying to lock out root, make sure that when you do this, you leave
- a way for root to log in, either by listing root in
- <filename>/etc/loginusers</filename>, or by listing a user who is
- able to <emphasis>su</emphasis> to the root account.
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_listfile-author'>
- <title>AUTHOR</title>
- <para>
- pam_listfile was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;
- and Elliot Lee &lt;sopwith@cuc.edu&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c
deleted file mode 100644
index f276e5b8..00000000
--- a/modules/pam_listfile/pam_listfile.c
+++ /dev/null
@@ -1,462 +0,0 @@
-/*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. July 25, 1996.
- * log refused access error christopher mccrory <chrismcc@netus.com> 1998/7/11
- *
- * This code began life as the pam_rootok module.
- */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <stdarg.h>
-#include <string.h>
-#include <pwd.h>
-#include <grp.h>
-
-#ifdef DEBUG
-#include <assert.h>
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_PASSWORD
-#define PAM_SM_SESSION
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* checks if a user is on a list of members */
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* --- authentication management functions (only) --- */
-
-/* Extended Items that are not directly available via pam_get_item() */
-#define EI_GROUP (1 << 0)
-#define EI_SHELL (1 << 1)
-
-/* Constants for apply= parameter */
-#define APPLY_TYPE_NULL 0
-#define APPLY_TYPE_NONE 1
-#define APPLY_TYPE_USER 2
-#define APPLY_TYPE_GROUP 3
-
-#define LESSER(a, b) ((a) < (b) ? (a) : (b))
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2, quiet=0;
- const void *void_citemp;
- const char *citemp;
- char *ifname=NULL;
- char aline[256];
- char mybuf[256],myval[256];
- struct stat fileinfo;
- FILE *inf;
- char apply_val[256];
- int apply_type;
-
- /* Stuff for "extended" items */
- struct passwd *userinfo;
- struct group *grpinfo;
- char *itemlist[256]; /* Maximum of 256 items */
-
- apply_type=APPLY_TYPE_NULL;
- memset(apply_val,0,sizeof(apply_val));
-
- for(i=0; i < argc; i++) {
- {
- const char *junk;
-
- memset(mybuf,'\0',sizeof(mybuf));
- memset(myval,'\0',sizeof(mybuf));
- junk = strchr(argv[i], '=');
- if((junk == NULL) || (junk - argv[i]) >= (int) sizeof(mybuf)) {
- pam_syslog(pamh,LOG_ERR, "Bad option: \"%s\"",
- argv[i]);
- continue;
- }
- strncpy(mybuf, argv[i],
- LESSER(junk - argv[i], (int)sizeof(mybuf) - 1));
- strncpy(myval, junk + 1, sizeof(myval) - 1);
- }
- if(!strcmp(mybuf,"onerr"))
- if(!strcmp(myval,"succeed"))
- onerr = PAM_SUCCESS;
- else if(!strcmp(myval,"fail"))
- onerr = PAM_SERVICE_ERR;
- else {
- if (ifname) free (ifname);
- return PAM_SERVICE_ERR;
- }
- else if(!strcmp(mybuf,"sense"))
- if(!strcmp(myval,"allow"))
- sense=0;
- else if(!strcmp(myval,"deny"))
- sense=1;
- else {
- if (ifname) free (ifname);
- return onerr;
- }
- else if(!strcmp(mybuf,"file")) {
- if (ifname) free (ifname);
- ifname = (char *)malloc(strlen(myval)+1);
- if (!ifname)
- return PAM_BUF_ERR;
- strcpy(ifname,myval);
- } else if(!strcmp(mybuf,"item"))
- if(!strcmp(myval,"user"))
- citem = PAM_USER;
- else if(!strcmp(myval,"tty"))
- citem = PAM_TTY;
- else if(!strcmp(myval,"rhost"))
- citem = PAM_RHOST;
- else if(!strcmp(myval,"ruser"))
- citem = PAM_RUSER;
- else { /* These items are related to the user, but are not
- directly gettable with pam_get_item */
- citem = PAM_USER;
- if(!strcmp(myval,"group"))
- extitem = EI_GROUP;
- else if(!strcmp(myval,"shell"))
- extitem = EI_SHELL;
- else
- citem = 0;
- } else if(!strcmp(mybuf,"apply")) {
- apply_type=APPLY_TYPE_NONE;
- memset(apply_val,'\0',sizeof(apply_val));
- if (myval[0]=='@') {
- apply_type=APPLY_TYPE_GROUP;
- strncpy(apply_val,myval+1,sizeof(apply_val)-1);
- } else {
- apply_type=APPLY_TYPE_USER;
- strncpy(apply_val,myval,sizeof(apply_val)-1);
- }
- } else if (!strcmp(mybuf,"quiet")) {
- quiet = 1;
- } else {
- free(ifname);
- pam_syslog(pamh,LOG_ERR, "Unknown option: %s",mybuf);
- return onerr;
- }
- }
-
- if(!citem) {
- pam_syslog(pamh,LOG_ERR,
- "Unknown item or item not specified");
- free(ifname);
- return onerr;
- } else if(!ifname) {
- pam_syslog(pamh,LOG_ERR, "List filename not specified");
- return onerr;
- } else if(sense == 2) {
- pam_syslog(pamh,LOG_ERR,
- "Unknown sense or sense not specified");
- free(ifname);
- return onerr;
- } else if(
- (apply_type==APPLY_TYPE_NONE) ||
- ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0'))
- ) {
- pam_syslog(pamh,LOG_ERR,
- "Invalid usage for apply= parameter");
- free (ifname);
- return onerr;
- }
-
- /* Check if it makes sense to use the apply= parameter */
- if (apply_type != APPLY_TYPE_NULL) {
- if((citem==PAM_USER) || (citem==PAM_RUSER)) {
- pam_syslog(pamh,LOG_WARNING,
- "Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- if(extitem && (extitem==EI_GROUP)) {
- pam_syslog(pamh,LOG_WARNING,
- "Non-sense use for apply= parameter");
- apply_type=APPLY_TYPE_NULL;
- }
- }
-
- /* Short-circuit - test if this session apply for this user */
- {
- const char *user_name;
- int rval;
-
- rval=pam_get_user(pamh,&user_name,NULL);
- if((rval==PAM_SUCCESS) && user_name && user_name[0]) {
- /* Got it ? Valid ? */
- if(apply_type==APPLY_TYPE_USER) {
- if(strcmp(user_name, apply_val)) {
- /* Does not apply to this user */
-#ifdef DEBUG
- pam_syslog(pamh,LOG_DEBUG,
- "don't apply: apply=%s, user=%s",
- apply_val,user_name);
-#endif /* DEBUG */
- free(ifname);
- return PAM_IGNORE;
- }
- } else if(apply_type==APPLY_TYPE_GROUP) {
- if(!pam_modutil_user_in_group_nam_nam(pamh,user_name,apply_val)) {
- /* Not a member of apply= group */
-#ifdef DEBUG
- pam_syslog(pamh,LOG_DEBUG,
-
- "don't apply: %s not a member of group %s",
- user_name,apply_val);
-#endif /* DEBUG */
- free(ifname);
- return PAM_IGNORE;
- }
- }
- }
- }
-
- retval = pam_get_item(pamh,citem,&void_citemp);
- citemp = void_citemp;
- if(retval != PAM_SUCCESS) {
- return onerr;
- }
- if((citem == PAM_USER) && !citemp) {
- retval = pam_get_user(pamh,&citemp,NULL);
- if (retval != PAM_SUCCESS || !citemp) {
- free(ifname);
- return PAM_SERVICE_ERR;
- }
- }
- if((citem == PAM_TTY) && citemp) {
- /* Normalize the TTY name. */
- if(strncmp(citemp, "/dev/", 5) == 0) {
- citemp += 5;
- }
- }
-
- if(!citemp || (strlen(citemp) == 0)) {
- free(ifname);
- /* The item was NULL - we are sure not to match */
- return sense?PAM_SUCCESS:PAM_AUTH_ERR;
- }
-
- if(extitem) {
- switch(extitem) {
- case EI_GROUP:
- userinfo = pam_modutil_getpwnam(pamh, citemp);
- if (userinfo == NULL) {
- pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed",
- citemp);
- free(ifname);
- return onerr;
- }
- grpinfo = pam_modutil_getgrgid(pamh, userinfo->pw_gid);
- if (grpinfo == NULL) {
- pam_syslog(pamh,LOG_ERR, "getgrgid(%d) failed",
- (int)userinfo->pw_gid);
- free(ifname);
- return onerr;
- }
- itemlist[0] = x_strdup(grpinfo->gr_name);
- setgrent();
- for (i=1; (i < (int)(sizeof(itemlist)/sizeof(itemlist[0])-1)) &&
- (grpinfo = getgrent()); ) {
- if (is_on_list(grpinfo->gr_mem,citemp)) {
- itemlist[i++] = x_strdup(grpinfo->gr_name);
- }
- }
- endgrent();
- itemlist[i] = NULL;
- break;
- case EI_SHELL:
- /* Assume that we have already gotten PAM_USER in
- pam_get_item() - a valid assumption since citem
- gets set to PAM_USER in the extitem switch */
- userinfo = pam_modutil_getpwnam(pamh, citemp);
- if (userinfo == NULL) {
- pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed",
- citemp);
- free(ifname);
- return onerr;
- }
- citemp = userinfo->pw_shell;
- break;
- default:
- pam_syslog(pamh,LOG_ERR,
-
- "Internal weirdness, unknown extended item %d",
- extitem);
- free(ifname);
- return onerr;
- }
- }
-#ifdef DEBUG
- pam_syslog(pamh,LOG_INFO,
-
- "Got file = %s, item = %d, value = %s, sense = %d",
- ifname, citem, citemp, sense);
-#endif
- if(lstat(ifname,&fileinfo)) {
- pam_syslog(pamh,LOG_ERR, "Couldn't open %s",ifname);
- free(ifname);
- return onerr;
- }
-
- if((fileinfo.st_mode & S_IWOTH)
- || !S_ISREG(fileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- pam_syslog(pamh,LOG_ERR,
- "%s is either world writable or not a normal file",
- ifname);
- free(ifname);
- return PAM_AUTH_ERR;
- }
-
- inf = fopen(ifname,"r");
- if(inf == NULL) { /* Check that we opened it successfully */
- if (onerr == PAM_SERVICE_ERR) {
- /* Only report if it's an error... */
- pam_syslog(pamh,LOG_ERR, "Error opening %s", ifname);
- }
- free(ifname);
- return onerr;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
-#ifdef DEBUG
- assert(PAM_SUCCESS == 0);
- assert(PAM_AUTH_ERR != 0);
-#endif
- if(extitem == EI_GROUP) {
- while((fgets(aline,sizeof(aline),inf) != NULL)
- && retval) {
- if(strlen(aline) == 0)
- continue;
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- for(i=0;itemlist[i];)
- /* If any of the items match, strcmp() == 0, and we get out
- of this loop */
- retval = (strcmp(aline,itemlist[i++]) && retval);
- }
- for(i=0;itemlist[i];)
- free(itemlist[i++]);
- } else {
- while((fgets(aline,sizeof(aline),inf) != NULL)
- && retval) {
- char *a = aline;
- if(strlen(aline) == 0)
- continue;
- if(aline[strlen(aline) - 1] == '\n')
- aline[strlen(aline) - 1] = '\0';
- if(strlen(aline) == 0)
- continue;
- if(aline[strlen(aline) - 1] == '\r')
- aline[strlen(aline) - 1] = '\0';
- if(citem == PAM_TTY)
- if(strncmp(a, "/dev/", 5) == 0)
- a += 5;
- retval = strcmp(a,citemp);
- }
- }
- fclose(inf);
- free(ifname);
- if ((sense && retval) || (!sense && !retval)) {
-#ifdef DEBUG
- pam_syslog(pamh,LOG_INFO,
- "Returning PAM_SUCCESS, retval = %d", retval);
-#endif
- return PAM_SUCCESS;
- }
- else {
- const void *service;
- const char *user_name;
-#ifdef DEBUG
- pam_syslog(pamh,LOG_INFO,
- "Returning PAM_AUTH_ERR, retval = %d", retval);
-#endif
- (void) pam_get_item(pamh, PAM_SERVICE, &service);
- (void) pam_get_user(pamh, &user_name, NULL);
- if (!quiet)
- pam_syslog (pamh, LOG_ALERT, "Refused user %s for service %s",
- user_name, (const char *)service);
- return PAM_AUTH_ERR;
- }
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_open_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_close_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_listfile_modstruct = {
- "pam_listfile",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif /* PAM_STATIC */
-
-/* end of module definition */
diff --git a/modules/pam_listfile/tst-pam_listfile b/modules/pam_listfile/tst-pam_listfile
deleted file mode 100755
index f555a9f5..00000000
--- a/modules/pam_listfile/tst-pam_listfile
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_listfile.so
diff --git a/modules/pam_localuser/.cvsignore b/modules/pam_localuser/.cvsignore
deleted file mode 100644
index ae7dab97..00000000
--- a/modules/pam_localuser/.cvsignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_localuser.8
diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am
deleted file mode 100644
index d4e47937..00000000
--- a/modules/pam_localuser/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_localuser
-
-TESTS = tst-pam_localuser
-
-man_MANS = pam_localuser.8
-XMLS = README.xml pam_localuser.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_localuser.la
-pam_localuser_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_localuser.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_localuser/README.xml b/modules/pam_localuser/README.xml
deleted file mode 100644
index 4ab56d9d..00000000
--- a/modules/pam_localuser/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_localuser.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_localuser.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_localuser-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml
deleted file mode 100644
index ac00ce99..00000000
--- a/modules/pam_localuser/pam_localuser.8.xml
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_localuser">
-
- <refmeta>
- <refentrytitle>pam_localuser</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_localuser-name">
- <refname>pam_localuser</refname>
- <refpurpose>require users to be listed in /etc/passwd</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_localuser-cmdsynopsis">
- <command>pam_localuser.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- file=<replaceable>/path/passwd</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_localuser-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- pam_localuser is a PAM module to help implementing site-wide login
- policies, where they typically include a subset of the network's
- users and a few accounts that are local to a particular workstation.
- Using pam_localuser and pam_wheel or pam_listfile is an effective
- way to restrict access to either local users and/or a subset of the
- network's users.
- </para>
- <para>
- This could also be implemented using pam_listfile.so and a very
- short awk script invoked by cron, but it's common enough to have
- been separated out.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_localuser-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>file=<replaceable>/path/passwd</replaceable></option>
- </term>
- <listitem>
- <para>
- Use a file other than <filename>/etc/passwd</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_localuser-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- All services (<option>account</option>, <option>auth</option>,
- <option>password</option> and <option>session</option>) are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_localuser-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The new localuser was set successfull.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- No username was given.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_localuser-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/su</filename> to
- allow only local users in group wheel to use su.
- <programlisting>
-account sufficient pam_localuser.so
-account required pam_wheel.so
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id="pam_localuser-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/passwd</filename></term>
- <listitem>
- <para>Local user account information.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_localuser-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_localuser-author'>
- <title>AUTHOR</title>
- <para>
- pam_localuser was written by Nalin Dahyabhai &lt;nalin@redhat.com&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c
deleted file mode 100644
index aa43bc4c..00000000
--- a/modules/pam_localuser/pam_localuser.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright 2001, 2004 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <time.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_ext.h>
-
-#define MODULE_NAME "pam_localuser"
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- int i, ret = PAM_SUCCESS;
- FILE *fp;
- int debug = 0;
- const char *filename = "/etc/passwd";
- char line[LINE_MAX], name[LINE_MAX];
- const char* user;
-
- /* process arguments */
- for(i = 0; i < argc; i++) {
- if(strcmp("debug", argv[i]) == 0) {
- debug = 1;
- }
- }
- for(i = 0; i < argc; i++) {
- if(strncmp("file=", argv[i], 5) == 0) {
- filename = argv[i] + 5;
- if(debug) {
- pam_syslog (pamh, LOG_DEBUG,
- "set filename to \"%s\"",
- filename);
- }
- }
- }
-
- /* open the file */
- fp = fopen(filename, "r");
- if(fp == NULL) {
- pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m",
- filename);
- return PAM_SYSTEM_ERR;
- }
-
- if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
- pam_syslog (pamh, LOG_ERR, "user name not specified yet");
- fclose(fp);
- return PAM_SYSTEM_ERR;
- }
-
- if ((user == NULL) || (strlen(user) == 0)) {
- pam_syslog (pamh, LOG_ERR, "user name not valid");
- fclose(fp);
- return PAM_SYSTEM_ERR;
- }
-
- /* scan the file, using fgets() instead of fgetpwent() because i
- * don't want to mess with applications which call fgetpwent() */
- ret = PAM_PERM_DENIED;
- snprintf(name, sizeof(name), "%s:", user);
- i = strlen(name);
- while(fgets(line, sizeof(line), fp) != NULL) {
- if(debug) {
- pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line);
- }
- if(strncmp(name, line, i) == 0) {
- ret = PAM_SUCCESS;
- break;
- }
- }
-
- /* okay, we're done */
- fclose(fp);
- return ret;
-}
-
-PAM_EXTERN int
-pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_open_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_close_session (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok (pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_localuser_modstruct = {
- "pam_localuser",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
diff --git a/modules/pam_localuser/tst-pam_localuser b/modules/pam_localuser/tst-pam_localuser
deleted file mode 100755
index 2bcdf6b9..00000000
--- a/modules/pam_localuser/tst-pam_localuser
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_localuser.so
diff --git a/modules/pam_loginuid/.cvsignore b/modules/pam_loginuid/.cvsignore
deleted file mode 100644
index cb4cb6de..00000000
--- a/modules/pam_loginuid/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-pam_loginuid
-README
-pam_loginuid.8
diff --git a/modules/pam_loginuid/Makefile.am b/modules/pam_loginuid/Makefile.am
deleted file mode 100644
index 636db963..00000000
--- a/modules/pam_loginuid/Makefile.am
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_loginuid
-
-man_MANS = pam_loginuid.8
-
-XMLS = README.xml pam_loginuid.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_loginuid.la
-pam_loginuid_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBAUDIT@
-
-if ENABLE_REGENERATE_MAN
-
-noinst_DATA = README
-
-README: pam_loginuid.8.xml
-
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_loginuid
diff --git a/modules/pam_loginuid/README.xml b/modules/pam_loginuid/README.xml
deleted file mode 100644
index 3bcd38ab..00000000
--- a/modules/pam_loginuid/README.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_loginuid.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_loginuid.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_loginuid-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_loginuid/pam_loginuid.8.xml b/modules/pam_loginuid/pam_loginuid.8.xml
deleted file mode 100644
index f50336d0..00000000
--- a/modules/pam_loginuid/pam_loginuid.8.xml
+++ /dev/null
@@ -1,125 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_loginuid">
-
- <refmeta>
- <refentrytitle>pam_loginuid</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_loginuid-name">
- <refname>pam_loginuid</refname>
- <refpurpose>Record user's login uid to the process attribute</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_loginuid-cmdsynopsis">
- <command>pam_loginuid.so</command>
- <arg choice="opt">
- require_auditd
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_loginuid-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- The pam_loginuid module sets the loginuid process attribute for the
- process that was authenticated. This is necessary for applications
- to be correctly audited. This PAM module should only be used for entry
- point applications like: login, sshd, gdm, vsftpd, crond and atd.
- There are probably other entry point applications besides these.
- You should not use it for applications like sudo or su as that
- defeats the purpose by changing the loginuid to the account they just
- switched to.
- </para>
- </refsect1>
-
- <refsect1 id="pam_loginuid-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>require_auditd</option>
- </term>
- <listitem>
- <para>
- This option, when given, will cause this module to query
- the audit daemon status and deny logins if it is not running.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_loginuid-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The <option>session</option> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_loginuid-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
- <varlistentry>
- <term>PAM_SESSION_ERR</term>
- <listitem>
- <para>
- An error occured during session management.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_loginuid-examples'>
- <title>EXAMPLES</title>
- <programlisting>
-#%PAM-1.0
-auth required pam_unix.so
-auth required pam_nologin.so
-account required pam_unix.so
-password required pam_unix.so
-session required pam_unix.so
-session required pam_loginuid.so
- </programlisting>
- </refsect1>
-
- <refsect1 id='pam_loginuid-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>auditd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_loginuid-author'>
- <title>AUTHOR</title>
- <para>
- pam_loginuid was written by Steve Grubb &lt;sgrubb@redhat.com&gt;
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
deleted file mode 100644
index 13509e7e..00000000
--- a/modules/pam_loginuid/pam_loginuid.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/* pam_loginuid.c --
- * Copyright 2005 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- *
- * PAM module that sets the login uid introduced in kernel 2.6.11
- */
-
-#include "config.h"
-#include <stdio.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <string.h>
-#include <pwd.h>
-#include <unistd.h>
-#include <limits.h>
-#include <errno.h>
-
-#include <security/pam_modules.h>
-#include <security/pam_ext.h>
-#include <security/pam_modutil.h>
-
-#include <fcntl.h>
-
-#ifdef HAVE_LIBAUDIT
-#include <libaudit.h>
-#include <sys/select.h>
-#include <errno.h>
-#endif
-
-/*
- * This function writes the loginuid to the /proc system. It returns
- * 0 on success and 1 on failure.
- */
-static int set_loginuid(pam_handle_t *pamh, uid_t uid)
-{
- int fd, count, rc = 0;
- char loginuid[24];
-
- count = snprintf(loginuid, sizeof(loginuid), "%d", uid);
- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
- if (fd < 0) {
- if (errno != ENOENT) {
- rc = 1;
- pam_syslog(pamh, LOG_ERR,
- "Cannot open /proc/self/loginuid: %m");
- }
- return rc;
- }
- if (pam_modutil_write(fd, loginuid, count) != count)
- rc = 1;
- close(fd);
- return rc;
-}
-
-#ifdef HAVE_LIBAUDIT
-/*
- * This function is called only if "require_auditd" option is passed. It is
- * called after loginuid has been set. The purpose is to disallow logins
- * should the audit daemon not be running or crashed. It returns PAM_SUCCESS
- * if the audit daemon is running and PAM_SESSION_ERR otherwise.
- */
-static int check_auditd(void)
-{
- int fd, retval;
-
- fd = audit_open();
- if (fd < 0) {
- /* This is here to let people that build their own kernel
- and disable the audit system get in. You get these error
- codes only when the kernel doesn't have audit
- compiled in. */
- if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
- return PAM_SUCCESS;
- return PAM_SESSION_ERR;
- }
- retval = audit_request_status(fd);
- if (retval > 0) {
- struct audit_reply rep;
- int i;
- int timeout = 30; /* tenths of seconds */
- fd_set read_mask;
-
- FD_ZERO(&read_mask);
- FD_SET(fd, &read_mask);
-
- for (i = 0; i < timeout; i++) {
- struct timeval t;
- int rc;
-
- t.tv_sec = 0;
- t.tv_usec = 100000;
- do {
- rc = select(fd+1, &read_mask, NULL, NULL, &t);
- } while (rc < 0 && errno == EINTR);
-
- rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0);
- if (rc > 0) {
- /* If we get done or error, break out */
- if (rep.type == NLMSG_DONE ||
- rep.type == NLMSG_ERROR)
- break;
-
- /* If its not status, keep looping */
- if (rep.type != AUDIT_GET)
- continue;
-
- /* Found it... */
- close(fd);
- if (rep.status->pid == 0)
- return PAM_SESSION_ERR;
- else
- return PAM_SUCCESS;
- }
- }
- }
- close(fd);
- if (retval == -ECONNREFUSED) {
- /* This is here to let people that build their own kernel
- and disable the audit system get in. ECONNREFUSED is
- issued by the kernel when there is "no on listening". */
- return PAM_SUCCESS;
- } else if (retval == -EPERM && getuid() != 0) {
- /* If we get this, then the kernel supports auditing
- * but we don't have enough privilege to write to the
- * socket. Therefore, we have already been authenticated
- * and we are a common user. Just act as though auditing
- * is not enabled. Any other error we take seriously. */
- return PAM_SUCCESS;
- }
-
- return PAM_SESSION_ERR;
-}
-#endif
-
-/*
- * Initialize audit session for user
- */
-static int
-_pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
-#ifdef HAVE_LIBAUDIT
- int argc, const char **argv
-#else
- int argc UNUSED, const char **argv UNUSED
-#endif
-)
-{
- const char *user = NULL;
- struct passwd *pwd;
-#ifdef HAVE_LIBAUDIT
- int require_auditd = 0;
-#endif
-
- /* get user name */
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS)
- {
- pam_syslog(pamh, LOG_ERR, "error recovering login user-name");
- return PAM_SESSION_ERR;
- }
-
- /* get user info */
- if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) {
- pam_syslog(pamh, LOG_ERR,
- "error: login user-name '%s' does not exist", user);
- return PAM_SESSION_ERR;
- }
-
- if (set_loginuid(pamh, pwd->pw_uid)) {
- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
- return PAM_SESSION_ERR;
- }
-
-#ifdef HAVE_LIBAUDIT
- while (argc-- > 0) {
- if (strcmp(*argv, "require_auditd") == 0)
- require_auditd = 1;
- argv++;
- }
-
- if (require_auditd)
- return check_auditd();
- else
-#endif
- return PAM_SUCCESS;
-}
-
-/*
- * PAM routines
- *
- * This is here for vsftpd which doesn't seem to run the session stack
- */
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return _pam_loginuid(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return _pam_loginuid(pamh, flags, argc, argv);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_SUCCESS;
-}
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_loginuid_modstruct = {
- "pam_loginuid",
- NULL,
- NULL,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
diff --git a/modules/pam_loginuid/tst-pam_loginuid b/modules/pam_loginuid/tst-pam_loginuid
deleted file mode 100755
index bd1e83b7..00000000
--- a/modules/pam_loginuid/tst-pam_loginuid
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_loginuid.so
diff --git a/modules/pam_mail/.cvsignore b/modules/pam_mail/.cvsignore
deleted file mode 100644
index e34886b5..00000000
--- a/modules/pam_mail/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_mail.8
diff --git a/modules/pam_mail/Makefile.am b/modules/pam_mail/Makefile.am
deleted file mode 100644
index 0b5d2d70..00000000
--- a/modules/pam_mail/Makefile.am
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mail
-
-man_MANS = pam_mail.8
-XMLS = README.xml pam_mail.8.xml
-
-TESTS = tst-pam_mail
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_mail.la
-pam_mail_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_mail.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
diff --git a/modules/pam_mail/README.xml b/modules/pam_mail/README.xml
deleted file mode 100644
index 4165d857..00000000
--- a/modules/pam_mail/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_mail.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_mail.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mail-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_mail/pam_mail.8.xml b/modules/pam_mail/pam_mail.8.xml
deleted file mode 100644
index d3c481a5..00000000
--- a/modules/pam_mail/pam_mail.8.xml
+++ /dev/null
@@ -1,279 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_mail">
-
- <refmeta>
- <refentrytitle>pam_mail</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_mail-name">
- <refname>pam_mail</refname>
- <refpurpose>Inform about available mail</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_mail-cmdsynopsis">
- <command>pam_mail.so</command>
- <arg choice="opt">
- close
- </arg>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- dir=<replaceable>maildir</replaceable>
- </arg>
- <arg choice="opt">
- empty
- </arg>
- <arg choice="opt">
- hash=<replaceable>count</replaceable>
- </arg>
- <arg choice="opt">
- noenv
- </arg>
- <arg choice="opt">
- nopen
- </arg>
- <arg choice="opt">
- quit
- </arg>
- <arg choice="opt">
- standard
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_mail-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- The pam_mail PAM module provides the "you have new mail"
- service to the user. It can be plugged into any application
- that has credential or session hooks. It gives a single message
- indicating the <emphasis>newness</emphasis> of any mail it finds
- in the user's mail folder. This module also sets the PAM
- environment variable, <emphasis remap='B'>MAIL</emphasis>, to the
- user's mail directory.
- </para>
- <para>
- If the mail spool file (be it <filename>/var/mail/$USER</filename>
- or a pathname given with the <option>dir=</option> parameter) is
- a directory then pam_mail assumes it is in the
- <emphasis remap='I'>Maildir</emphasis> format.
- </para>
- </refsect1>
-
- <refsect1 id="pam_mail-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>close</option>
- </term>
- <listitem>
- <para>
- Indicate if the user has any mail also on logout.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>dir=<replaceable>maildir</replaceable></option>
- </term>
- <listitem>
- <para>
- Look for the users' mail in an alternative location defined by
- <filename>maildir/&lt;login&gt;</filename>. The default
- location for mail is <filename>/var/mail/&lt;login&gt;</filename>.
- Note, if the supplied
- <filename>maildir</filename> is prefixed by a '~', the
- directory is interpreted as indicating a file in the user's
- home directory.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>empty</option>
- </term>
- <listitem>
- <para>
- Also print message if user has no mail.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>hash=<replaceable>count</replaceable></option>
- </term>
- <listitem>
- <para>
- Mail directory hash depth. For example, a
- <emphasis>hashcount</emphasis> of 2 would
- make the mail file be
- <filename>/var/spool/mail/u/s/user</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>noenv</option>
- </term>
- <listitem>
- <para>
- Do not set the <emphasis remap='B'>MAIL</emphasis>
- environment variable.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>nopen</option>
- </term>
- <listitem>
- <para>
- Don't print any mail information on login. This flag is
- useful to get the <emphasis remap='B'>MAIL</emphasis>
- environment variable set, but to not display any information
- about it.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>quiet</option>
- </term>
- <listitem>
- <para>
- Only report when there is new mail.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>standard</option>
- </term>
- <listitem>
- <para>
- Old style "You have..." format which doesn't show the
- mail spool being used. This also implies "empty".
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </para>
- </refsect1>
-
- <refsect1 id="pam_mail-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The <emphasis remap='B'>auth</emphasis> and
- <emphasis remap='B'>account</emphasis> services are supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_mail-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Badly formed arguments.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Success.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_mail-examples'>
- <title>EXAMPLES</title>
- <para>
- Add the following line to <filename>/etc/pam.d/login</filename> to
- indicate that the user has new mail when they login to the system.
- <programlisting>
-session optional pam_mail.so standard
- </programlisting>
- </para>
- </refsect1>
-
- <refsect1 id='pam_mail-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_mail-author'>
- <title>AUTHOR</title>
- <para>
- pam_mail was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c
deleted file mode 100644
index 46395b53..00000000
--- a/modules/pam_mail/pam_mail.c
+++ /dev/null
@@ -1,489 +0,0 @@
-/* pam_mail module */
-
-/*
- * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11
- * $HOME additions by David Kinchlea <kinch@kinch.ark.com> 1997/1/7
- * mailhash additions by Chris Adams <cadams@ro.com> 1998/7/11
- */
-
-#include "config.h"
-
-#include <ctype.h>
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <errno.h>
-
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-
-#define DEFAULT_MAIL_DIRECTORY PAM_PATH_MAILDIR
-#define MAIL_FILE_FORMAT "%s%s/%s"
-#define MAIL_ENV_NAME "MAIL"
-#define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s"
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_SESSION
-#define PAM_SM_AUTH
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_NO_LOGIN 0x0002
-#define PAM_LOGOUT_TOO 0x0004
-#define PAM_NEW_MAIL_DIR 0x0010
-#define PAM_MAIL_SILENT 0x0020
-#define PAM_NO_ENV 0x0040
-#define PAM_HOME_MAIL 0x0100
-#define PAM_EMPTY_TOO 0x0200
-#define PAM_STANDARD_MAIL 0x0400
-#define PAM_QUIET_MAIL 0x1000
-
-#define HAVE_NEW_MAIL 0x1
-#define HAVE_OLD_MAIL 0x2
-#define HAVE_NO_MAIL 0x3
-#define HAVE_MAIL 0x4
-
-static int
-_pam_parse (const pam_handle_t *pamh, int flags, int argc,
- const char **argv, const char **maildir, size_t *hashcount)
-{
- int ctrl=0;
-
- if (flags & PAM_SILENT) {
- ctrl |= PAM_MAIL_SILENT;
- }
-
- *hashcount = 0;
-
- /* step through arguments */
- for (; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strcmp(*argv,"quiet"))
- ctrl |= PAM_QUIET_MAIL;
- else if (!strcmp(*argv,"standard"))
- ctrl |= PAM_STANDARD_MAIL | PAM_EMPTY_TOO;
- else if (!strncmp(*argv,"dir=",4)) {
- *maildir = 4 + *argv;
- if (**maildir != '\0') {
- D(("new mail directory: %s", *maildir));
- ctrl |= PAM_NEW_MAIL_DIR;
- } else {
- pam_syslog(pamh, LOG_ERR,
- "dir= specification missing argument - ignored");
- }
- } else if (!strncmp(*argv,"hash=",5)) {
- char *ep = NULL;
- *hashcount = strtoul(*argv+5,&ep,10);
- if (!ep) {
- *hashcount = 0;
- }
- } else if (!strcmp(*argv,"close")) {
- ctrl |= PAM_LOGOUT_TOO;
- } else if (!strcmp(*argv,"nopen")) {
- ctrl |= PAM_NO_LOGIN;
- } else if (!strcmp(*argv,"noenv")) {
- ctrl |= PAM_NO_ENV;
- } else if (!strcmp(*argv,"empty")) {
- ctrl |= PAM_EMPTY_TOO;
- } else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
- }
-
- if ((*hashcount != 0) && !(ctrl & PAM_NEW_MAIL_DIR)) {
- *maildir = DEFAULT_MAIL_DIRECTORY;
- ctrl |= PAM_NEW_MAIL_DIR;
- }
-
- return ctrl;
-}
-
-static int
-get_folder(pam_handle_t *pamh, int ctrl,
- const char *path_mail, char **folder_p, size_t hashcount)
-{
- int retval;
- const char *user, *path;
- char *folder = NULL;
- const struct passwd *pwd = NULL;
-
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS || user == NULL) {
- pam_syslog(pamh, LOG_ERR, "cannot determine username");
- retval = PAM_USER_UNKNOWN;
- goto get_folder_cleanup;
- }
-
- if (ctrl & PAM_NEW_MAIL_DIR) {
- path = path_mail;
- if (*path == '~') { /* support for $HOME delivery */
- pwd = pam_modutil_getpwnam(pamh, user);
- if (pwd == NULL) {
- pam_syslog(pamh, LOG_ERR, "user unknown");
- retval = PAM_USER_UNKNOWN;
- goto get_folder_cleanup;
- }
- /*
- * "~/xxx" and "~xxx" are treated as same
- */
- if (!*++path || (*path == '/' && !*++path)) {
- pam_syslog(pamh, LOG_ERR,
- "badly formed mail path [%s]", path_mail);
- retval = PAM_SERVICE_ERR;
- goto get_folder_cleanup;
- }
- ctrl |= PAM_HOME_MAIL;
- if (hashcount != 0) {
- pam_syslog(pamh, LOG_ERR,
- "cannot do hash= and home directory mail");
- }
- }
- } else {
- path = DEFAULT_MAIL_DIRECTORY;
- }
-
- /* put folder together */
-
- hashcount = hashcount < strlen(user) ? hashcount : strlen(user);
-
- retval = PAM_BUF_ERR;
- if (ctrl & PAM_HOME_MAIL) {
- if (pwd == NULL) {
- pwd = pam_modutil_getpwnam(pamh, user);
- if (pwd == NULL) {
- pam_syslog(pamh, LOG_ERR, "user unknown");
- retval = PAM_USER_UNKNOWN;
- goto get_folder_cleanup;
- }
- }
- if (asprintf(&folder, MAIL_FILE_FORMAT, pwd->pw_dir, "", path) < 0)
- goto get_folder_cleanup;
- } else {
- int rc;
- size_t i;
- char *hash;
-
- if ((hash = malloc(2 * hashcount + 1)) == NULL)
- goto get_folder_cleanup;
-
- for (i = 0; i < hashcount; i++) {
- hash[2 * i] = '/';
- hash[2 * i + 1] = user[i];
- }
- hash[2 * i] = '\0';
-
- rc = asprintf(&folder, MAIL_FILE_FORMAT, path, hash, user);
- _pam_overwrite(hash);
- _pam_drop(hash);
- if (rc < 0)
- goto get_folder_cleanup;
- }
- D(("folder=[%s]", folder));
- retval = PAM_SUCCESS;
-
- /* tidy up */
-
- get_folder_cleanup:
- user = NULL;
- path = NULL;
-
- *folder_p = folder;
- folder = NULL;
-
- if (retval == PAM_BUF_ERR)
- pam_syslog(pamh, LOG_CRIT, "out of memory for mail folder");
-
- return retval;
-}
-
-static int
-get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder)
-{
- int type = 0;
- struct stat mail_st;
-
- if (stat(folder, &mail_st) < 0)
- return 0;
-
- if (S_ISDIR(mail_st.st_mode)) { /* Assume Maildir format */
- int i, save_errno;
- char *dir;
- struct dirent **namelist;
-
- if (asprintf(&dir, "%s/new", folder) < 0) {
- pam_syslog(pamh, LOG_CRIT, "out of memory");
- goto get_mail_status_cleanup;
- }
- i = scandir(dir, &namelist, 0, alphasort);
- save_errno = errno;
- _pam_overwrite(dir);
- _pam_drop(dir);
- if (i < 0) {
- type = 0;
- namelist = NULL;
- if (save_errno == ENOMEM) {
- pam_syslog(pamh, LOG_CRIT, "out of memory");
- goto get_mail_status_cleanup;
- }
- }
- type = (i > 2) ? HAVE_NEW_MAIL : 0;
- while (--i >= 0)
- _pam_drop(namelist[i]);
- _pam_drop(namelist);
- if (type == 0) {
- if (asprintf(&dir, "%s/cur", folder) < 0) {
- pam_syslog(pamh, LOG_CRIT, "out of memory");
- goto get_mail_status_cleanup;
- }
- i = scandir(dir, &namelist, 0, alphasort);
- save_errno = errno;
- _pam_overwrite(dir);
- _pam_drop(dir);
- if (i < 0) {
- type = 0;
- namelist = NULL;
- if (save_errno == ENOMEM) {
- pam_syslog(pamh, LOG_CRIT, "out of memory");
- goto get_mail_status_cleanup;
- }
- }
- if (i > 2)
- type = HAVE_OLD_MAIL;
- else
- type = (ctrl & PAM_EMPTY_TOO) ? HAVE_NO_MAIL : 0;
- while (--i >= 0)
- _pam_drop(namelist[i]);
- _pam_drop(namelist);
- }
- } else {
- if (mail_st.st_size > 0) {
- if (mail_st.st_atime < mail_st.st_mtime) /* new */
- type = HAVE_NEW_MAIL;
- else /* old */
- type = (ctrl & PAM_STANDARD_MAIL) ? HAVE_MAIL : HAVE_OLD_MAIL;
- } else if (ctrl & PAM_EMPTY_TOO) {
- type = HAVE_NO_MAIL;
- } else {
- type = 0;
- }
- }
-
- get_mail_status_cleanup:
- memset(&mail_st, 0, sizeof(mail_st));
- D(("user has %d mail in %s folder", type, folder));
- return type;
-}
-
-static int
-report_mail(pam_handle_t *pamh, int ctrl, int type, const char *folder)
-{
- int retval;
-
- if (!(ctrl & PAM_MAIL_SILENT) ||
- ((ctrl & PAM_QUIET_MAIL) && type == HAVE_NEW_MAIL))
- {
- if (ctrl & PAM_STANDARD_MAIL)
- switch (type)
- {
- case HAVE_NO_MAIL:
- retval = pam_info (pamh, "%s", _("No mail."));
- break;
- case HAVE_NEW_MAIL:
- retval = pam_info (pamh, "%s", _("You have new mail."));
- break;
- case HAVE_OLD_MAIL:
- retval = pam_info (pamh, "%s", _("You have old mail."));
- break;
- case HAVE_MAIL:
- default:
- retval = pam_info (pamh, "%s", _("You have mail."));
- break;
- }
- else
- switch (type)
- {
- case HAVE_NO_MAIL:
- retval = pam_info (pamh, _("You have no mail in folder %s."),
- folder);
- break;
- case HAVE_NEW_MAIL:
- retval = pam_info (pamh, _("You have new mail in folder %s."),
- folder);
- break;
- case HAVE_OLD_MAIL:
- retval = pam_info (pamh, _("You have old mail in folder %s."),
- folder);
- break;
- case HAVE_MAIL:
- default:
- retval = pam_info (pamh, _("You have mail in folder %s."),
- folder);
- break;
- }
- }
- else
- {
- D(("keeping quiet"));
- retval = PAM_SUCCESS;
- }
-
- D(("returning %s", pam_strerror(pamh, retval)));
- return retval;
-}
-
-static int _do_mail(pam_handle_t *, int, int, const char **, int);
-
-/* --- authentication functions --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- return PAM_IGNORE;
-}
-
-/* Checking mail as part of authentication */
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- if (!(flags & (PAM_ESTABLISH_CRED|PAM_DELETE_CRED)))
- return PAM_IGNORE;
- return _do_mail(pamh,flags,argc,argv,(flags & PAM_ESTABLISH_CRED));
-}
-
-/* --- session management functions --- */
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return _do_mail(pamh,flags,argc,argv,0);
-}
-
-/* Checking mail as part of the session management */
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return _do_mail(pamh,flags,argc,argv,1);
-}
-
-
-/* --- The Beaf (Tm) --- */
-
-static int _do_mail(pam_handle_t *pamh, int flags, int argc,
- const char **argv, int est)
-{
- int retval, ctrl, type;
- size_t hashcount;
- char *folder = NULL;
- const char *path_mail = NULL;
-
- /*
- * this module (un)sets the MAIL environment variable, and checks if
- * the user has any new mail.
- */
-
- ctrl = _pam_parse(pamh, flags, argc, argv, &path_mail, &hashcount);
-
- /* which folder? */
-
- retval = get_folder(pamh, ctrl, path_mail, &folder, hashcount);
- if (retval != PAM_SUCCESS) {
- D(("failed to find folder"));
- return retval;
- }
-
- /* set the MAIL variable? */
-
- if (!(ctrl & PAM_NO_ENV) && est) {
- char *tmp;
-
- if (asprintf(&tmp, MAIL_ENV_FORMAT, folder) < 0) {
- pam_syslog(pamh, LOG_CRIT,
- "no memory for " MAIL_ENV_NAME " variable");
- retval = PAM_BUF_ERR;
- goto do_mail_cleanup;
- }
- D(("setting env: %s", tmp));
- retval = pam_putenv(pamh, tmp);
- _pam_overwrite(tmp);
- _pam_drop(tmp);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_CRIT,
- "unable to set " MAIL_ENV_NAME " variable");
- retval = PAM_BUF_ERR;
- goto do_mail_cleanup;
- }
- } else {
- D(("not setting " MAIL_ENV_NAME " variable"));
- }
-
- /*
- * OK. we've got the mail folder... what about its status?
- */
-
- if ((est && !(ctrl & PAM_NO_LOGIN))
- || (!est && (ctrl & PAM_LOGOUT_TOO))) {
- type = get_mail_status(pamh, ctrl, folder);
- if (type != 0) {
- retval = report_mail(pamh, ctrl, type, folder);
- type = 0;
- }
- }
-
- /* Delete environment variable? */
- if ( ! est && ! (ctrl & PAM_NO_ENV) )
- (void) pam_putenv(pamh, MAIL_ENV_NAME);
-
- do_mail_cleanup:
- _pam_overwrite(folder);
- _pam_drop(folder);
-
- /* indicate success or failure */
-
- return retval;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_mail_modstruct = {
- "pam_mail",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/modules/pam_mail/tst-pam_mail b/modules/pam_mail/tst-pam_mail
deleted file mode 100755
index 99fb7ed0..00000000
--- a/modules/pam_mail/tst-pam_mail
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_mail.so
diff --git a/modules/pam_mkhomedir/.cvsignore b/modules/pam_mkhomedir/.cvsignore
deleted file mode 100644
index bd6faa7e..00000000
--- a/modules/pam_mkhomedir/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_mkhomedir.8
diff --git a/modules/pam_mkhomedir/Makefile.am b/modules/pam_mkhomedir/Makefile.am
deleted file mode 100644
index 7ed3a9f0..00000000
--- a/modules/pam_mkhomedir/Makefile.am
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mkhomedir
-
-man_MANS = pam_mkhomedir.8
-
-XMLS = README.xml pam_mkhomedir.8.xml
-
-TESTS = tst-pam_mkhomedir
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefine