diff options
Diffstat (limited to 'modules')
414 files changed, 23642 insertions, 15474 deletions
diff --git a/modules/Makefile.am b/modules/Makefile.am index 0c80cea9..8da46410 100644 --- a/modules/Makefile.am +++ b/modules/Makefile.am @@ -2,16 +2,92 @@ # Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@thkukuk.de> # -SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ - pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth +if COND_BUILD_PAM_KEYINIT + MAYBE_PAM_KEYINIT = pam_keyinit +endif + +if COND_BUILD_PAM_LASTLOG + MAYBE_PAM_LASTLOG = pam_lastlog +endif + +if COND_BUILD_PAM_NAMESPACE + MAYBE_PAM_NAMESPACE = pam_namespace +endif + +if COND_BUILD_PAM_RHOSTS + MAYBE_PAM_RHOSTS = pam_rhosts +endif + +if COND_BUILD_PAM_SELINUX + MAYBE_PAM_SELINUX = pam_selinux +endif + +if COND_BUILD_PAM_SEPERMIT + MAYBE_PAM_SEPERMIT = pam_sepermit +endif + +if COND_BUILD_PAM_SETQUOTA + MAYBE_PAM_SETQUOTA = pam_setquota +endif + +if COND_BUILD_PAM_TTY_AUDIT + MAYBE_PAM_TTY_AUDIT = pam_tty_audit +endif + +if COND_BUILD_PAM_UNIX + MAYBE_PAM_UNIX = pam_unix +endif + +if COND_BUILD_PAM_USERDB + MAYBE_PAM_USERDB = pam_userdb +endif + +SUBDIRS := \ + pam_access \ + pam_debug \ + pam_deny \ + pam_echo \ + pam_env \ + pam_exec \ + pam_faildelay \ + pam_faillock \ + pam_filter \ + pam_ftp \ + pam_group \ + pam_issue \ + $(MAYBE_PAM_KEYINIT) \ + $(MAYBE_PAM_LASTLOG) \ + pam_limits \ + pam_listfile \ + pam_localuser \ + pam_loginuid \ + pam_mail \ + pam_mkhomedir \ + pam_motd \ + $(MAYBE_PAM_NAMESPACE) \ + pam_nologin \ + pam_permit \ + pam_pwhistory \ + $(MAYBE_PAM_RHOSTS) \ + pam_rootok \ + pam_securetty \ + $(MAYBE_PAM_SELINUX) \ + $(MAYBE_PAM_SEPERMIT) \ + $(MAYBE_PAM_SETQUOTA) \ + pam_shells \ + pam_stress \ + pam_succeed_if \ + pam_time \ + pam_timestamp \ + $(MAYBE_PAM_TTY_AUDIT) \ + pam_umask \ + $(MAYBE_PAM_UNIX) \ + $(MAYBE_PAM_USERDB) \ + pam_usertype \ + pam_warn \ + pam_wheel \ + pam_xauth \ + # CLEANFILES = *~ diff --git a/modules/Makefile.in b/modules/Makefile.in index 0464ca78..9ac4d669 100644 --- a/modules/Makefile.in +++ b/modules/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -18,7 +18,17 @@ # Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@thkukuk.de> # VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -82,22 +92,25 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = modules -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -136,7 +149,7 @@ am__recursive_targets = \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ - distdir + distdir distdir-am am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -156,7 +169,16 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = pam_access pam_debug pam_deny pam_echo pam_env pam_exec \ + pam_faildelay pam_faillock pam_filter pam_ftp pam_group \ + pam_issue pam_keyinit pam_lastlog pam_limits pam_listfile \ + pam_localuser pam_loginuid pam_mail pam_mkhomedir pam_motd \ + pam_namespace pam_nologin pam_permit pam_pwhistory pam_rhosts \ + pam_rootok pam_securetty pam_selinux pam_sepermit pam_setquota \ + pam_shells pam_stress pam_succeed_if pam_time pam_timestamp \ + pam_tty_audit pam_umask pam_unix pam_userdb pam_usertype \ + pam_warn pam_wheel pam_xauth +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -201,24 +223,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -232,7 +263,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -251,11 +281,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -278,8 +311,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -290,11 +322,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -337,7 +376,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -345,9 +383,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -357,20 +392,67 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ - pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth +@COND_BUILD_PAM_KEYINIT_TRUE@MAYBE_PAM_KEYINIT = pam_keyinit +@COND_BUILD_PAM_LASTLOG_TRUE@MAYBE_PAM_LASTLOG = pam_lastlog +@COND_BUILD_PAM_NAMESPACE_TRUE@MAYBE_PAM_NAMESPACE = pam_namespace +@COND_BUILD_PAM_RHOSTS_TRUE@MAYBE_PAM_RHOSTS = pam_rhosts +@COND_BUILD_PAM_SELINUX_TRUE@MAYBE_PAM_SELINUX = pam_selinux +@COND_BUILD_PAM_SEPERMIT_TRUE@MAYBE_PAM_SEPERMIT = pam_sepermit +@COND_BUILD_PAM_SETQUOTA_TRUE@MAYBE_PAM_SETQUOTA = pam_setquota +@COND_BUILD_PAM_TTY_AUDIT_TRUE@MAYBE_PAM_TTY_AUDIT = pam_tty_audit +@COND_BUILD_PAM_UNIX_TRUE@MAYBE_PAM_UNIX = pam_unix +@COND_BUILD_PAM_USERDB_TRUE@MAYBE_PAM_USERDB = pam_userdb +SUBDIRS := \ + pam_access \ + pam_debug \ + pam_deny \ + pam_echo \ + pam_env \ + pam_exec \ + pam_faildelay \ + pam_faillock \ + pam_filter \ + pam_ftp \ + pam_group \ + pam_issue \ + $(MAYBE_PAM_KEYINIT) \ + $(MAYBE_PAM_LASTLOG) \ + pam_limits \ + pam_listfile \ + pam_localuser \ + pam_loginuid \ + pam_mail \ + pam_mkhomedir \ + pam_motd \ + $(MAYBE_PAM_NAMESPACE) \ + pam_nologin \ + pam_permit \ + pam_pwhistory \ + $(MAYBE_PAM_RHOSTS) \ + pam_rootok \ + pam_securetty \ + $(MAYBE_PAM_SELINUX) \ + $(MAYBE_PAM_SEPERMIT) \ + $(MAYBE_PAM_SETQUOTA) \ + pam_shells \ + pam_stress \ + pam_succeed_if \ + pam_time \ + pam_timestamp \ + $(MAYBE_PAM_TTY_AUDIT) \ + pam_umask \ + $(MAYBE_PAM_UNIX) \ + $(MAYBE_PAM_USERDB) \ + pam_usertype \ + pam_warn \ + pam_wheel \ + pam_xauth \ + # CLEANFILES = *~ EXTRA_DIST = modules.map @@ -389,14 +471,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -513,7 +594,10 @@ cscopelist-am: $(am__tagged_files) distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -685,6 +769,8 @@ uninstall-am: mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am index 924b7219..8af2852a 100644 --- a/modules/pam_access/Makefile.am +++ b/modules/pam_access/Makefile.am @@ -5,18 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access - -man_MANS = access.conf.5 pam_access.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = access.conf.5 pam_access.8 +endif XMLS = README.xml access.conf.5.xml pam_access.8.xml +dist_check_SCRIPTS = tst-pam_access +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ - -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,15 +31,9 @@ endif securelib_LTLIBRARIES = pam_access.la pam_access_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = access.conf +dist_secureconf_DATA = access.conf if ENABLE_REGENERATE_MAN - -noinst_DATA = README - -README: pam_access.8.xml access.conf.5.xml - +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -TESTS = tst-pam_access diff --git a/modules/pam_access/Makefile.in b/modules/pam_access/Makefile.in index 02a35cb0..9dadd2d3 100644 --- a/modules/pam_access/Makefile.in +++ b/modules/pam_access/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,27 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_access -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -158,7 +171,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_access.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,8 +202,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -364,6 +379,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -386,6 +402,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -405,24 +424,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -436,7 +464,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -455,11 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -482,8 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -494,11 +523,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -541,7 +577,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -549,9 +584,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -561,27 +593,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access -man_MANS = access.conf.5 pam_access.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = access.conf.5 pam_access.8 XMLS = README.xml access.conf.5.xml pam_access.8.xml +dist_check_SCRIPTS = tst-pam_access +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ - -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_access.la pam_access_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = access.conf -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README -TESTS = tst-pam_access +dist_secureconf_DATA = access.conf +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -598,14 +632,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_access/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_access/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -661,21 +694,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_access.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -689,10 +728,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -727,15 +766,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -770,14 +809,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -791,9 +830,9 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) @@ -879,7 +918,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -956,7 +995,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -969,7 +1008,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -979,7 +1018,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1012,7 +1051,10 @@ tst-pam_access.log: tst-pam_access @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1043,6 +1085,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1091,7 +1134,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_access.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1108,7 +1151,7 @@ info: info-am info-am: -install-data-am: install-man install-secureconfDATA \ +install-data-am: install-dist_secureconfDATA install-man \ install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1138,7 +1181,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_access.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1155,33 +1198,32 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man5 \ - install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-secureconfDATA \ - install-securelibLTLIBRARIES install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES - +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dist_secureconfDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am recheck tags tags-am uninstall \ + uninstall-am uninstall-dist_secureconfDATA uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_access.8.xml access.conf.5.xml +.PRECIOUS: Makefile @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_access/README b/modules/pam_access/README index 0e16c0d8..891e7688 100644 --- a/modules/pam_access/README +++ b/modules/pam_access/README @@ -18,6 +18,20 @@ of parsing. This means that once a pattern is matched in some file no further files are parsed. If a config file is explicitly specified with the accessfile option the files in the above directory are not parsed. +By default rules for access management are taken from config file /etc/security +/access.conf or, if that one is not present, the file %vendordir%/security/ +access.conf. These settings can be overruled by setting in a config file +explicitly specified with the accessfile option. Then individual *.conf files +from the /etc/security/access.d/ and %vendordir%/security/access.d directories +are read. If /etc/security/access.d/@filename@.conf exists, then %vendordir%/ +security/access.d/@filename@.conf will not be used. All access.d/*.conf files +are sorted by their @filename@.conf in lexicographic order regardless of which +of the directories they reside in. The effect of the individual files is the +same as if all the files were concatenated together in the order of parsing. +This means that once a pattern is matched in some file no further files are +parsed. If a config file is explicitly specified with the accessfile option the +files in the above directories are not parsed. + If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc.). @@ -116,6 +130,10 @@ User john should get access from IPv6 net/mask. +:john:2001:db8:0:101::/64 +Members of group wheel should be allowed to get access from all sources. + ++:(wheel):ALL + Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group. diff --git a/modules/pam_access/README.xml b/modules/pam_access/README.xml index 8c7d078b..408aed00 100644 --- a/modules/pam_access/README.xml +++ b/modules/pam_access/README.xml @@ -1,39 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_access.8.xml"> ---> -<!-- -<!ENTITY accessconf SYSTEM "access.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_access-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_access.8.xml" xpointer='xpointer(id("pam_access-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_access.8.xml" xpointer='xpointer(id("pam_access-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_access.8.xml" xpointer='xpointer(id("pam_access-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="access.conf.5.xml" xpointer='xpointer(id("access.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5 index 8e7ea4cf..774e5cd9 100644 --- a/modules/pam_access/access.conf.5 +++ b/modules/pam_access/access.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: access.conf .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2018 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: [FIXME: source] .\" Language: English .\" -.TH "ACCESS\&.CONF" "5" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "ACCESS\&.CONF" "5" "05/07/2023" "[FIXME: source]" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -188,6 +188,12 @@ should get access from IPv6 net/mask\&. .PP +:john:2001:db8:0:101::/64 .PP +Members of group +\fIwheel\fR +should be allowed to get access from all sources\&. +.PP ++:(wheel):ALL +.PP Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&. .PP \-:ALL EXCEPT (wheel) shutdown sync:LOCAL @@ -204,7 +210,7 @@ option, the spaces will become part of the actual item and the line will be most .PP \fBpam_access\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHORS" .PP Original diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 386346b9..e1e5531f 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -1,8 +1,4 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - -<refentry id="access.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="access.conf"> <refmeta> <refentrytitle>access.conf</refentrytitle> @@ -16,7 +12,7 @@ </refnamediv> - <refsect1 id='access.conf-description'> + <refsect1 xml:id="access.conf-description"> <title>DESCRIPTION</title> <para> The <filename>/etc/security/access.conf</filename> file specifies @@ -126,7 +122,7 @@ </refsect1> - <refsect1 id="access.conf-examples"> + <refsect1 xml:id="access.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -135,7 +131,7 @@ <para> User <emphasis>root</emphasis> should be allowed to get access via - <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>, + <emphasis>cron</emphasis>, X11 terminal <emphasis remap="I">:0</emphasis>, <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>, <emphasis>tty6</emphasis>. </para> @@ -198,6 +194,12 @@ <para>+:john:2001:db8:0:101::/64</para> <para> + Members of group <emphasis>wheel</emphasis> should be allowed to get access + from all sources. + </para> + <para>+:(wheel):ALL</para> + + <para> Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group. </para> @@ -210,7 +212,7 @@ </refsect1> - <refsect1 id="access.conf-notes"> + <refsect1 xml:id="access.conf-notes"> <title>NOTES</title> <para> The default separators of list items in a field are space, ',', and tabulator @@ -222,16 +224,16 @@ </para> </refsect1> - <refsect1 id="access.conf-see_also"> + <refsect1 xml:id="access.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="access.conf-author"> + <refsect1 xml:id="access.conf-author"> <title>AUTHORS</title> <para> Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry> @@ -244,4 +246,4 @@ introduced by Mike Becher <mike.becher@lrz-muenchen.de>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8 index 138c3c48..5b0e1a3f 100644 --- a/modules/pam_access/pam_access.8 +++ b/modules/pam_access/pam_access.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_access .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2018 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ACCESS" "8" "05/18/2018" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_ACCESS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -51,25 +51,25 @@ option the files in the above directory are not parsed\&. If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc\&.)\&. .SH "OPTIONS" .PP -\fBaccessfile=\fR\fB\fI/path/to/access\&.conf\fR\fR +accessfile=/path/to/access\&.conf .RS 4 Indicate an alternative access\&.conf style configuration file to override the default\&. This can be useful when different services need different access lists\&. .RE .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report logins from disallowed hosts and ttys to the audit subsystem\&. .RE .PP -\fBfieldsep=\fR\fB\fIseparators\fR\fR +fieldsep=separators .RS 4 This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\&. For example: \fBfieldsep=|\fR @@ -78,14 +78,14 @@ will cause the default `:\*(Aq character to be treated as part of a field value item is likely to be of the form "hostname:0" which includes a `:\*(Aq character in its value\&. But you should not need this\&. .RE .PP -\fBlistsep=\fR\fB\fIseparators\fR\fR +listsep=separators .RS 4 This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\&. For example: \fBlistsep=,\fR will cause the default ` \*(Aq (space) and `\et\*(Aq (tab) characters to be treated as part of a list element value and `,\*(Aq becomes the only list element separator\&. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\&. .RE .PP -\fBnodefgroup\fR +nodefgroup .RS 4 User tokens which are not enclosed in parentheses will not be matched against the group database\&. The backwards compatible default is to try the group database match even for tokens not enclosed in parentheses\&. .RE @@ -133,7 +133,7 @@ Default configuration file .PP \fBaccess.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&. diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index 9a6556cc..cc01d5ca 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_access'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_access"> <refmeta> <refentrytitle>pam_access</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_access-name'> + <refnamediv xml:id="pam_access-name"> <refname>pam_access</refname> <refpurpose> PAM module for logdaemon style login access control @@ -20,31 +17,31 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_access-cmdsynopsis"> + <cmdsynopsis xml:id="pam_access-cmdsynopsis" sepchar=" "> <command>pam_access.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nodefgroup </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> accessfile=<replaceable>file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> fieldsep=<replaceable>sep</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> listsep=<replaceable>sep</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_access-description"> + <refsect1 xml:id="pam_access-description"> <title>DESCRIPTION</title> <para> The pam_access PAM module is mainly for access management. @@ -53,7 +50,7 @@ or on terminal line names, X <varname>$DISPLAY</varname> values, or PAM service names in case of non-networked logins. </para> - <para> + <para condition="without_vendordir"> By default rules for access management are taken from config file <filename>/etc/security/access.conf</filename> if you don't specify another file. @@ -66,19 +63,39 @@ If a config file is explicitly specified with the <option>accessfile</option> option the files in the above directory are not parsed. </para> + <para condition="with_vendordir"> + By default rules for access management are taken from config file + <filename>/etc/security/access.conf</filename> or, if that one is not + present, the file <filename>%vendordir%/security/access.conf</filename>. + These settings can be overruled by setting in a config file explicitly + specified with the <option>accessfile</option> option. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/access.d/</filename> and + <filename>%vendordir%/security/access.d</filename> directories are read. + If <filename>/etc/security/access.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/access.d/@filename@.conf</filename> will not be used. + All <filename>access.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + The effect of the individual files is the same as if all the files were + concatenated together in the order of parsing. This means that once + a pattern is matched in some file no further files are parsed. + If a config file is explicitly specified with the <option>accessfile</option> + option the files in the above directories are not parsed. + </para> <para> If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc.). </para> </refsect1> - <refsect1 id="pam_access-options"> + <refsect1 xml:id="pam_access-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>accessfile=<replaceable>/path/to/access.conf</replaceable></option> + accessfile=/path/to/access.conf </term> <listitem> <para> @@ -91,7 +108,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -103,7 +120,7 @@ <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -114,19 +131,19 @@ <varlistentry> <term> - <option>fieldsep=<replaceable>separators</replaceable></option> + fieldsep=separators </term> <listitem> <para> This option modifies the field separator character that pam_access will recognize when parsing the access configuration file. For example: - <emphasis remap='B'>fieldsep=|</emphasis> will cause the + <emphasis remap="B">fieldsep=|</emphasis> will cause the default `:' character to be treated as part of a field value and `|' becomes the field separator. Doing this may be useful in conjunction with a system that wants to use pam_access with X based applications, since the - <emphasis remap='B'>PAM_TTY</emphasis> item is likely to be + <emphasis remap="B">PAM_TTY</emphasis> item is likely to be of the form "hostname:0" which includes a `:' character in its value. But you should not need this. </para> @@ -135,14 +152,14 @@ <varlistentry> <term> - <option>listsep=<replaceable>separators</replaceable></option> + listsep=separators </term> <listitem> <para> This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. For example: - <emphasis remap='B'>listsep=,</emphasis> will cause the + <emphasis remap="B">listsep=,</emphasis> will cause the default ` ' (space) and `\t' (tab) characters to be treated as part of a list element value and `,' becomes the only list element separator. Doing this may be useful on a system @@ -155,7 +172,7 @@ <varlistentry> <term> - <option>nodefgroup</option> + nodefgroup </term> <listitem> <para> @@ -170,7 +187,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_access-types"> + <refsect1 xml:id="pam_access-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -178,7 +195,7 @@ </para> </refsect1> - <refsect1 id="pam_access-return_values"> + <refsect1 xml:id="pam_access-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -224,19 +241,26 @@ </variablelist> </refsect1> - <refsect1 id="pam_access-files"> + <refsect1 xml:id="pam_access-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/access.conf</filename></term> + <term>/etc/security/access.conf</term> <listitem> <para>Default configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/access.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/access.conf</filename> does not exist.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_access-see_also"> + <refsect1 xml:id="pam_access-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -246,12 +270,12 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_access-authors"> + <refsect1 xml:id="pam_access-authors"> <title>AUTHORS</title> <para> The logdaemon style login access control scheme was designed and implemented by @@ -262,4 +286,4 @@ was developed and provided by Mike Becher <mike.becher@lrz-muenchen.de>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 80d885dd..f70b7e49 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -1,6 +1,6 @@ -/* pam_access module */ - /* + * pam_access module + * * Written by Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15 * (I took login_access from logdaemon-5.6 and converted it to PAM * using parts of pam_time code.) @@ -21,7 +21,7 @@ * * This software is provided "as is" and without any expressed or implied * warranties, including, without limitation, the implied warranties of - * merchantibility and fitness for any particular purpose. + * merchantability and fitness for any particular purpose. ************************************************************************* */ @@ -49,22 +49,19 @@ #include <libaudit.h> #endif -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include <security/_pam_macros.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_cc_compat.h" +#include "pam_inline.h" + +#define PAM_ACCESS_CONFIG (SCONFIGDIR "/access.conf") +#define ACCESS_CONF_GLOB (SCONFIGDIR "/access.d/*.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PAM_ACCESS_CONFIG (VENDOR_SCONFIGDIR "/access.conf") +#define VENDOR_ACCESS_CONF_GLOB (VENDOR_SCONFIGDIR "/access.d/*.conf") +#endif /* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */ @@ -123,25 +120,27 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, loginfo->fs = ":"; loginfo->sep = ", \t"; for (i=0; i<argc; ++i) { - if (!strncmp("fieldsep=", argv[i], 9)) { + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "fieldsep=")) != NULL) { /* the admin wants to override the default field separators */ - loginfo->fs = argv[i]+9; + loginfo->fs = str; - } else if (!strncmp("listsep=", argv[i], 8)) { + } else if ((str = pam_str_skip_prefix(argv[i], "listsep=")) != NULL) { /* the admin wants to override the default list separators */ - loginfo->sep = argv[i]+8; + loginfo->sep = str; - } else if (!strncmp("accessfile=", argv[i], 11)) { - FILE *fp = fopen(11 + argv[i], "r"); + } else if ((str = pam_str_skip_prefix(argv[i], "accessfile=")) != NULL) { + FILE *fp = fopen(str, "r"); if (fp) { - loginfo->config_file = 11 + argv[i]; + loginfo->config_file = str; fclose(fp); } else { pam_syslog(pamh, LOG_ERR, - "failed to open accessfile=[%s]: %m", 11 + argv[i]); + "failed to open accessfile=[%s]: %m", str); return 0; } @@ -159,6 +158,95 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, return 1; /* OK */ } +/* --- evaluting all files in VENDORDIR/security/access.d and /etc/security/access.d --- */ +static const char *base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (const char * const *) a), + base_name(* (const char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/access.d/@filename@.conf exists, then + * %vendordir%/security/access.d/@filename@.conf should not be used. + * - All files in both access.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char **read_access_dir(pam_handle_t *pamh) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0; + +#ifdef VENDOR_ACCESS_CONF_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_ACCESS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_ACCESS_CONF_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_ACCESS_CONF_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* --- static functions for checking whether the user should be let in --- */ typedef int match_func (pam_handle_t *, char *, struct login_info *); @@ -168,6 +256,7 @@ static int list_match (pam_handle_t *, char *, char *, struct login_info *, static int user_match (pam_handle_t *, char *, struct login_info *); static int group_match (pam_handle_t *, const char *, const char *, int); static int from_match (pam_handle_t *, char *, struct login_info *); +static int remote_match (pam_handle_t *, char *, struct login_info *); static int string_match (pam_handle_t *, const char *, const char *, int); static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *); @@ -216,7 +305,7 @@ isipaddr (const char *string, int *addr_type, /* are_addresses_equal - translate IP address strings to real IP * addresses and compare them to find out if they are equal. - * If netmask was provided it will be used to focus comparation to + * If netmask was provided it will be used to focus comparison to * relevant bits. */ static int @@ -335,7 +424,9 @@ login_access (pam_handle_t *pamh, struct login_info *item) char *users; /* becomes list of login names */ char *froms; /* becomes list of terminals or hosts */ int match = NO; +#ifdef HAVE_LIBAUDIT int nonall_match = NO; +#endif int end; int lineno = 0; /* for diagnostics */ char *sptr; @@ -371,7 +462,7 @@ login_access (pam_handle_t *pamh, struct login_info *item) if (line[0] == 0) /* skip blank lines */ continue; - /* Allow field seperator in last field of froms */ + /* Allow field separator in last field of froms */ if (!(perm = strtok_r(line, item->fs, &sptr)) || !(users = strtok_r(NULL, item->fs, &sptr)) || !(froms = strtok_r(NULL, "\n", &sptr))) { @@ -393,9 +484,11 @@ login_access (pam_handle_t *pamh, struct login_info *item) match, item->user->pw_name); if (match) { match = list_match(pamh, froms, NULL, item, from_match); +#ifdef HAVE_LIBAUDIT if (!match && perm[0] == '+') { nonall_match = YES; } +#endif if (item->debug) pam_syslog (pamh, LOG_DEBUG, "from_match=%d, \"%s\"", match, item->from); @@ -473,6 +566,8 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, { int retval; char *mydomain = NULL; + +#ifdef HAVE_GETDOMAINNAME char domainname_res[256]; if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) @@ -482,6 +577,7 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, mydomain = domainname_res; } } +#endif #ifdef HAVE_INNETGR retval = innetgr (netgroup, machine, user, mydomain); @@ -567,7 +663,7 @@ static int group_match (pam_handle_t *pamh, const char *tok, const char* usr, int debug) { - char grptok[BUFSIZ]; + char grptok[BUFSIZ] = {}; if (debug) pam_syslog (pamh, LOG_DEBUG, @@ -576,8 +672,7 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr, if (strlen(tok) < 3) return NO; - /* token is recieved under the format '(...)' */ - memset(grptok, 0, BUFSIZ); + /* token is received under the format '(...)' */ strncpy(grptok, tok + 1, strlen(tok) - 2); if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok)) @@ -590,11 +685,9 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr, /* from_match - match a host or tty against a list of tokens */ static int -from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) +from_match (pam_handle_t *pamh, char *tok, struct login_info *item) { const char *string = item->from; - int tok_len; - int str_len; int rv; if (item->debug) @@ -617,14 +710,29 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) { /* ALL or exact match */ return rv; - } else if (tok[0] == '.') { /* domain: match last fields */ - if ((str_len = strlen(string)) > (tok_len = strlen(tok)) - && strcasecmp(tok, string + str_len - tok_len) == 0) - return (YES); - } else if (item->from_remote_host == 0) { /* local: no PAM_RHOSTS */ - if (strcasecmp(tok, "LOCAL") == 0) - return (YES); - } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { + } else if (strcasecmp(tok, "LOCAL") == 0) { + /* LOCAL matches only local accesses */ + if (!item->from_remote_host) + return YES; + return NO; + } else if (item->from_remote_host) { + return remote_match(pamh, tok, item); + } + return NO; +} + +static int +remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) +{ + const char *string = item->from; + size_t tok_len = strlen(tok); + size_t str_len; + + if (tok[0] == '.') { /* domain: match last fields */ + if ((str_len = strlen(string)) > tok_len + && strcasecmp(tok, string + str_len - tok_len) == 0) + return YES; + } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ struct addrinfo hint; memset (&hint, '\0', sizeof (hint)); @@ -646,9 +754,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) if (runp->ai_family == AF_INET) { + DIAG_PUSH_IGNORE_CAST_ALIGN; inet_ntop (runp->ai_family, &((struct sockaddr_in *) runp->ai_addr)->sin_addr, buf, sizeof (buf)); + DIAG_POP_IGNORE_CAST_ALIGN; strcat (buf, "."); @@ -660,13 +770,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) runp = runp->ai_next; } } - } else { - /* Assume network/netmask with a IP of a host. */ - if (network_netmask_match(pamh, tok, string, item)) - return YES; + return NO; } - return NO; + /* Assume network/netmask, IP address or hostname. */ + return network_netmask_match(pamh, tok, string, item); } /* string_match - match a string against one token */ @@ -683,7 +791,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, /* * If the token has the magic value "ALL" the match always succeeds. * Otherwise, return YES if the token fully matches the string. - * "NONE" token matches NULL string. + * "NONE" token matches NULL string. */ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ @@ -701,7 +809,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, /* network_netmask_match - match a string against one token * where string is a hostname or ip (v4,v6) address and tok - * represents either a single ip (v4,v6) address or a network/netmask + * represents either a hostname, a single ip (v4,v6) address + * or a network/netmask */ static int network_netmask_match (pam_handle_t *pamh, @@ -710,10 +819,12 @@ network_netmask_match (pam_handle_t *pamh, char *netmask_ptr; char netmask_string[MAXHOSTNAMELEN + 1]; int addr_type; + struct addrinfo *ai = NULL; if (item->debug) - pam_syslog (pamh, LOG_DEBUG, + pam_syslog (pamh, LOG_DEBUG, "network_netmask_match: tok=%s, item=%s", tok, string); + /* OK, check if tok is of type addr/mask */ if ((netmask_ptr = strchr(tok, '/')) != NULL) { @@ -737,7 +848,9 @@ network_netmask_match (pam_handle_t *pamh, { /* invalid netmask value */ return NO; } - if ((netmask < 0) || (netmask >= 128)) + if ((netmask < 0) + || (addr_type == AF_INET && netmask > 32) + || (addr_type == AF_INET6 && netmask > 128)) { /* netmask value out of range */ return NO; } @@ -745,52 +858,108 @@ network_netmask_match (pam_handle_t *pamh, netmask_ptr = number_to_netmask(netmask, addr_type, netmask_string, MAXHOSTNAMELEN); } - } + + /* + * Construct an addrinfo list from the IP address. + * This should not fail as the input is a correct IP address... + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + return NO; + } + } else - /* NO, then check if it is only an addr */ - if (isipaddr(tok, NULL, NULL) != YES) + { + /* + * It is either an IP address or a hostname. + * Let getaddrinfo sort everything out + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) { + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); + return NO; } + netmask_ptr = NULL; + } if (isipaddr(string, NULL, NULL) != YES) { - /* Assume network/netmask with a name of a host. */ struct addrinfo hint; + /* Assume network/netmask with a name of a host. */ memset (&hint, '\0', sizeof (hint)); hint.ai_flags = AI_CANONNAME; hint.ai_family = AF_UNSPEC; if (item->gai_rv != 0) + { + freeaddrinfo(ai); return NO; + } else if (!item->res && (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0) + { + freeaddrinfo(ai); return NO; + } else { struct addrinfo *runp = item->res; + struct addrinfo *runp1; while (runp != NULL) { char buf[INET6_ADDRSTRLEN]; - inet_ntop (runp->ai_family, - runp->ai_family == AF_INET - ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr - : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, - buf, sizeof (buf)); + if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0) + { + freeaddrinfo(ai); + return NO; + } - if (are_addresses_equal(buf, tok, netmask_ptr)) + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) { - return YES; + char buf1[INET6_ADDRSTRLEN]; + + if (runp->ai_family != runp1->ai_family) + continue; + + if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) + { + freeaddrinfo(ai); + return NO; + } + + if (are_addresses_equal (buf, buf1, netmask_ptr)) + { + freeaddrinfo(ai); + return YES; + } } runp = runp->ai_next; } } } else - return (are_addresses_equal(string, tok, netmask_ptr)); + { + struct addrinfo *runp1; + + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) + { + char buf1[INET6_ADDRSTRLEN]; + + (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + + if (are_addresses_equal(string, buf1, netmask_ptr)) + { + freeaddrinfo(ai); + return YES; + } + } + } + + freeaddrinfo(ai); return NO; } @@ -806,17 +975,15 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *user=NULL; const void *void_from=NULL; const char *from; - const char const *default_config = PAM_ACCESS_CONFIG; + const char *default_config = PAM_ACCESS_CONFIG; struct passwd *user_pw; char hostname[MAXHOSTNAMELEN + 1]; int rv; - /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } @@ -837,6 +1004,18 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_ABORT; } +#ifdef VENDOR_PAM_ACCESS_CONFIG + if (loginfo.config_file == default_config) { + /* Check whether PAM_ACCESS_CONFIG file is available. + * If it does not exist, fall back to VENDOR_PAM_ACCESS_CONFIG file. */ + struct stat buffer; + if (stat(loginfo.config_file, &buffer) != 0 && errno == ENOENT) { + default_config = VENDOR_PAM_ACCESS_CONFIG; + loginfo.config_file = default_config; + } + } +#endif + /* remote host name */ if (pam_get_item(pamh, PAM_RHOST, &void_from) @@ -900,23 +1079,18 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, rv = login_access(pamh, &loginfo); if (rv == NOMATCH && loginfo.config_file == default_config) { - glob_t globbuf; - int i, glob_rv; - - /* We do not manipulate locale as setlocale() is not - * thread safe. We could use uselocale() in future. - */ - glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); - if (!glob_rv) { - /* Parse the *.conf files. */ - for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { - loginfo.config_file = globbuf.gl_pathv[i]; - rv = login_access(pamh, &loginfo); - if (rv != NOMATCH) - break; - } - globfree(&globbuf); - } + char **filename_list = read_access_dir(pamh); + if (filename_list != NULL) { + for (int i = 0; filename_list[i] != NULL; i++) { + loginfo.config_file = filename_list[i]; + rv = login_access(pamh, &loginfo); + if (rv != NOMATCH) + break; + } + for (int i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); + } } if (loginfo.gai_rv == 0 && loginfo.res) diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README deleted file mode 100644 index 6a59c1ca..00000000 --- a/modules/pam_cracklib/README +++ /dev/null @@ -1,253 +0,0 @@ -pam_cracklib — PAM module to check the password against dictionary words - -â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” - -DESCRIPTION - -This module can be plugged into the password stack of a given application to -provide some plug-in strength-checking for passwords. - -The action of this module is to prompt the user for a password and check its -strength against a system dictionary and a set of rules for identifying poor -choices. - -The first action is to prompt for a single password, check its strength and -then, if it is considered strong, prompt for the password a second time (to -verify that it was typed correctly on the first occasion). All being well, the -password is passed on to subsequent modules to be installed as the new -authentication token. - -The strength checks works in the following manner: at first the Cracklib -routine is called to check if the password is part of a dictionary; if this is -not the case an additional set of strength checks is done. These checks are: - -Palindrome - - Is the new password a palindrome? - -Case Change Only - - Is the new password the the old one with only a change of case? - -Similar - - Is the new password too much like the old one? This is primarily controlled - by one argument, difok which is a number of character changes (inserts, - removals, or replacements) between the old and new password that are enough - to accept the new password. This defaults to 5 changes. - -Simple - - Is the new password too small? This is controlled by 6 arguments minlen, - maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on - the arguments for the details of how these work and there defaults. - -Rotated - - Is the new password a rotated version of the old password? - -Same consecutive characters - - Optional check for same consecutive characters. - -Too long monotonic character sequence - - Optional check for too long monotonic character sequence. - -Contains user name - - Optional check whether the password contains the user's name in some form. - -This module with no arguments will work well for standard unix password -encryption. With md5 encryption, passwords can be longer than 8 characters and -the default settings for this module can make it hard for the user to choose a -satisfactory new password. Notably, the requirement that the new password -contain no more than 1/2 of the characters in the old password becomes a -non-trivial constraint. For example, an old password of the form "the quick -brown fox jumped over the lazy dogs" would be difficult to change... In -addition, the default action is to allow passwords as small as 5 characters in -length. For a md5 systems it can be a good idea to increase the required -minimum size of a password. One can then allow more credit for different kinds -of characters but accept that the new password may share most of these -characters with the old password. - -OPTIONS - -debug - - This option makes the module write information to syslog(3) indicating the - behavior of the module (this option does not write password information to - the log file). - -authtok_type=XXX - - The default action is for the module to use the following prompts when - requesting passwords: "New UNIX password: " and "Retype UNIX password: ". - The example word UNIX can be replaced with this option, by default it is - empty. - -retry=N - - Prompt user at most N times before returning with error. The default is 1. - -difok=N - - This argument will change the default of 5 for the number of character - changes in the new password that differentiate it from the old password. - -minlen=N - - The minimum acceptable size for the new password (plus one if credits are - not disabled which is the default). In addition to the number of characters - in the new password, credit (of +1 in length) is given for each different - kind of character (other, upper, lower and digit). The default for this - parameter is 9 which is good for a old style UNIX password all of the same - type of character but may be too low to exploit the added security of a md5 - system. Note that there is a pair of length limits in Cracklib itself, a - "way too short" limit of 4 which is hard coded in and a defined limit (6) - that will be checked without reference to minlen. If you want to allow - passwords as short as 5 characters you should not use this module. - -dcredit=N - - (N >= 0) This is the maximum credit for having digits in the new password. - If you have less than or N digits, each digit will count +1 towards meeting - the current minlen value. The default for dcredit is 1 which is the - recommended value for minlen less than 10. - - (N < 0) This is the minimum number of digits that must be met for a new - password. - -ucredit=N - - (N >= 0) This is the maximum credit for having upper case letters in the - new password. If you have less than or N upper case letters each letter - will count +1 towards meeting the current minlen value. The default for - ucredit is 1 which is the recommended value for minlen less than 10. - - (N < 0) This is the minimum number of upper case letters that must be met - for a new password. - -lcredit=N - - (N >= 0) This is the maximum credit for having lower case letters in the - new password. If you have less than or N lower case letters, each letter - will count +1 towards meeting the current minlen value. The default for - lcredit is 1 which is the recommended value for minlen less than 10. - - (N < 0) This is the minimum number of lower case letters that must be met - for a new password. - -ocredit=N - - (N >= 0) This is the maximum credit for having other characters in the new - password. If you have less than or N other characters, each character will - count +1 towards meeting the current minlen value. The default for ocredit - is 1 which is the recommended value for minlen less than 10. - - (N < 0) This is the minimum number of other characters that must be met for - a new password. - -minclass=N - - The minimum number of required classes of characters for the new password. - The default number is zero. The four classes are digits, upper and lower - letters and other characters. The difference to the credit check is that a - specific class if of characters is not required. Instead N out of four of - the classes are required. - -maxrepeat=N - - Reject passwords which contain more than N same consecutive characters. The - default is 0 which means that this check is disabled. - -maxsequence=N - - Reject passwords which contain monotonic character sequences longer than N. - The default is 0 which means that this check is disabled. Examples of such - sequence are '12345' or 'fedcb'. Note that most such passwords will not - pass the simplicity check unless the sequence is only a minor part of the - password. - -maxclassrepeat=N - - Reject passwords which contain more than N consecutive characters of the - same class. The default is 0 which means that this check is disabled. - -reject_username - - Check whether the name of the user in straight or reversed form is - contained in the new password. If it is found the new password is rejected. - -gecoscheck - - Check whether the words from the GECOS field (usualy full name of the user) - longer than 3 characters in straight or reversed form are contained in the - new password. If any such word is found the new password is rejected. - -enforce_for_root - - The module will return error on failed check also if the user changing the - password is root. This option is off by default which means that just the - message about the failed check is printed but root can change the password - anyway. Note that root is not asked for an old password so the checks that - compare the old and new password are not performed. - -use_authtok - - This argument is used to force the module to not prompt the user for a new - password but use the one provided by the previously stacked password - module. - -dictpath=/path/to/dict - - Path to the cracklib dictionaries. - -EXAMPLES - -For an example of the use of this module, we show how it may be stacked with -the password component of pam_unix(8) - -# -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib. -# -passwd password required pam_cracklib.so retry=3 -passwd password required pam_unix.so use_authtok - - -Another example (in the /etc/pam.d/passwd format) is for the case that you want -to use md5 password encryption: - -#%PAM-1.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib.so \ - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix.so use_authtok nullok md5 - - -And here is another example in case you don't want to use credits: - -#%PAM-1.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib.so \ - dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 - - -AUTHOR - -pam_cracklib was written by Cristian Gafton <gafton@redhat.com> - diff --git a/modules/pam_cracklib/README.xml b/modules/pam_cracklib/README.xml deleted file mode 100644 index c4a7b54c..00000000 --- a/modules/pam_cracklib/README.xml +++ /dev/null @@ -1,41 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_cracklib.8.xml"> ---> -]> - -<article> - - <articleinfo> - - <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_cracklib.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_cracklib-name"]/*)'/> - </title> - - </articleinfo> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-description"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-options"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-examples"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-author"]/*)'/> - </section> - -</article> diff --git a/modules/pam_cracklib/pam_cracklib.8 b/modules/pam_cracklib/pam_cracklib.8 deleted file mode 100644 index 3ed37e8e..00000000 --- a/modules/pam_cracklib/pam_cracklib.8 +++ /dev/null @@ -1,363 +0,0 @@ -'\" t -.\" Title: pam_cracklib -.\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" Language: English -.\" -.TH "PAM_CRACKLIB" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" ----------------------------------------------------------------- -.\" * Define some portability stuff -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" http://bugs.debian.org/507673 -.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" ----------------------------------------------------------------- -.\" * set default formatting -.\" ----------------------------------------------------------------- -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.\" ----------------------------------------------------------------- -.\" * MAIN CONTENT STARTS HERE * -.\" ----------------------------------------------------------------- -.SH "NAME" -pam_cracklib \- PAM module to check the password against dictionary words -.SH "SYNOPSIS" -.HP \w'\fBpam_cracklib\&.so\fR\ 'u -\fBpam_cracklib\&.so\fR [\fI\&.\&.\&.\fR] -.SH "DESCRIPTION" -.PP -This module can be plugged into the -\fIpassword\fR -stack of a given application to provide some plug\-in strength\-checking for passwords\&. -.PP -The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\&. -.PP -The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\&. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\&. -.PP -The strength checks works in the following manner: at first the -\fBCracklib\fR -routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\&. These checks are: -.PP -Palindrome -.RS 4 -Is the new password a palindrome? -.RE -.PP -Case Change Only -.RS 4 -Is the new password the the old one with only a change of case? -.RE -.PP -Similar -.RS 4 -Is the new password too much like the old one? This is primarily controlled by one argument, -\fBdifok\fR -which is a number of character changes (inserts, removals, or replacements) between the old and new password that are enough to accept the new password\&. This defaults to 5 changes\&. -.RE -.PP -Simple -.RS 4 -Is the new password too small? This is controlled by 6 arguments -\fBminlen\fR, -\fBmaxclassrepeat\fR, -\fBdcredit\fR, -\fBucredit\fR, -\fBlcredit\fR, and -\fBocredit\fR\&. See the section on the arguments for the details of how these work and there defaults\&. -.RE -.PP -Rotated -.RS 4 -Is the new password a rotated version of the old password? -.RE -.PP -Same consecutive characters -.RS 4 -Optional check for same consecutive characters\&. -.RE -.PP -Too long monotonic character sequence -.RS 4 -Optional check for too long monotonic character sequence\&. -.RE -.PP -Contains user name -.RS 4 -Optional check whether the password contains the user\*(Aqs name in some form\&. -.RE -.PP -This module with no arguments will work well for standard unix password encryption\&. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\&. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\&. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\&.\&.\&. In addition, the default action is to allow passwords as small as 5 characters in length\&. For a md5 systems it can be a good idea to increase the required minimum size of a password\&. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\&. -.SH "OPTIONS" -.PP -.PP -\fBdebug\fR -.RS 4 -This option makes the module write information to -\fBsyslog\fR(3) -indicating the behavior of the module (this option does not write password information to the log file)\&. -.RE -.PP -\fBauthtok_type=\fR\fB\fIXXX\fR\fR -.RS 4 -The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\&. The example word -\fIUNIX\fR -can be replaced with this option, by default it is empty\&. -.RE -.PP -\fBretry=\fR\fB\fIN\fR\fR -.RS 4 -Prompt user at most -\fIN\fR -times before returning with error\&. The default is -\fI1\fR\&. -.RE -.PP -\fBdifok=\fR\fB\fIN\fR\fR -.RS 4 -This argument will change the default of -\fI5\fR -for the number of character changes in the new password that differentiate it from the old password\&. -.RE -.PP -\fBminlen=\fR\fB\fIN\fR\fR -.RS 4 -The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\&. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, -\fIupper\fR, -\fIlower\fR -and -\fIdigit\fR)\&. The default for this parameter is -\fI9\fR -which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\&. Note that there is a pair of length limits in -\fICracklib\fR -itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to -\fBminlen\fR\&. If you want to allow passwords as short as 5 characters you should not use this module\&. -.RE -.PP -\fBdcredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having digits in the new password\&. If you have less than or -\fIN\fR -digits, each digit will count +1 towards meeting the current -\fBminlen\fR -value\&. The default for -\fBdcredit\fR -is 1 which is the recommended value for -\fBminlen\fR -less than 10\&. -.sp -(N < 0) This is the minimum number of digits that must be met for a new password\&. -.RE -.PP -\fBucredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having upper case letters in the new password\&. If you have less than or -\fIN\fR -upper case letters each letter will count +1 towards meeting the current -\fBminlen\fR -value\&. The default for -\fBucredit\fR -is -\fI1\fR -which is the recommended value for -\fBminlen\fR -less than 10\&. -.sp -(N < 0) This is the minimum number of upper case letters that must be met for a new password\&. -.RE -.PP -\fBlcredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having lower case letters in the new password\&. If you have less than or -\fIN\fR -lower case letters, each letter will count +1 towards meeting the current -\fBminlen\fR -value\&. The default for -\fBlcredit\fR -is 1 which is the recommended value for -\fBminlen\fR -less than 10\&. -.sp -(N < 0) This is the minimum number of lower case letters that must be met for a new password\&. -.RE -.PP -\fBocredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having other characters in the new password\&. If you have less than or -\fIN\fR -other characters, each character will count +1 towards meeting the current -\fBminlen\fR -value\&. The default for -\fBocredit\fR -is 1 which is the recommended value for -\fBminlen\fR -less than 10\&. -.sp -(N < 0) This is the minimum number of other characters that must be met for a new password\&. -.RE -.PP -\fBminclass=\fR\fB\fIN\fR\fR -.RS 4 -The minimum number of required classes of characters for the new password\&. The default number is zero\&. The four classes are digits, upper and lower letters and other characters\&. The difference to the -\fBcredit\fR -check is that a specific class if of characters is not required\&. Instead -\fIN\fR -out of four of the classes are required\&. -.RE -.PP -\fBmaxrepeat=\fR\fB\fIN\fR\fR -.RS 4 -Reject passwords which contain more than N same consecutive characters\&. The default is 0 which means that this check is disabled\&. -.RE -.PP -\fBmaxsequence=\fR\fB\fIN\fR\fR -.RS 4 -Reject passwords which contain monotonic character sequences longer than N\&. The default is 0 which means that this check is disabled\&. Examples of such sequence are \*(Aq12345\*(Aq or \*(Aqfedcb\*(Aq\&. Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password\&. -.RE -.PP -\fBmaxclassrepeat=\fR\fB\fIN\fR\fR -.RS 4 -Reject passwords which contain more than N consecutive characters of the same class\&. The default is 0 which means that this check is disabled\&. -.RE -.PP -\fBreject_username\fR -.RS 4 -Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&. -.RE -.PP -\fBgecoscheck\fR -.RS 4 -Check whether the words from the GECOS field (usualy full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&. -.RE -.PP -\fBenforce_for_root\fR -.RS 4 -The module will return error on failed check also if the user changing the password is root\&. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway\&. Note that root is not asked for an old password so the checks that compare the old and new password are not performed\&. -.RE -.PP -\fBuse_authtok\fR -.RS 4 -This argument is used to -\fIforce\fR -the module to not prompt the user for a new password but use the one provided by the previously stacked -\fIpassword\fR -module\&. -.RE -.PP -\fBdictpath=\fR\fB\fI/path/to/dict\fR\fR -.RS 4 -Path to the cracklib dictionaries\&. -.RE -.SH "MODULE TYPES PROVIDED" -.PP -Only the -\fBpassword\fR -module type is provided\&. -.SH "RETURN VALUES" -.PP -.PP -PAM_SUCCESS -.RS 4 -The new password passes all checks\&. -.RE -.PP -PAM_AUTHTOK_ERR -.RS 4 -No new password was entered, the username could not be determined or the new password fails the strength checks\&. -.RE -.PP -PAM_AUTHTOK_RECOVERY_ERR -.RS 4 -The old password was not supplied by a previous stacked module or got not requested from the user\&. The first error can happen if -\fBuse_authtok\fR -is specified\&. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -A internal error occurred\&. -.RE -.SH "EXAMPLES" -.PP -For an example of the use of this module, we show how it may be stacked with the password component of -\fBpam_unix\fR(8) -.sp -.if n \{\ -.RS 4 -.\} -.nf -# -# These lines stack two password type modules\&. In this example the -# user is given 3 opportunities to enter a strong password\&. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib\&. -# -passwd password required pam_cracklib\&.so retry=3 -passwd password required pam_unix\&.so use_authtok - -.fi -.if n \{\ -.RE -.\} -.PP -Another example (in the -/etc/pam\&.d/passwd -format) is for the case that you want to use md5 password encryption: -.sp -.if n \{\ -.RS 4 -.\} -.nf -#%PAM\-1\&.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib\&.so \e - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix\&.so use_authtok nullok md5 - -.fi -.if n \{\ -.RE -.\} -.PP -And here is another example in case you don\*(Aqt want to use credits: -.sp -.if n \{\ -.RS 4 -.\} -.nf -#%PAM\-1\&.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib\&.so \e - dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8 -password required pam_unix\&.so use_authtok nullok md5 - -.fi -.if n \{\ -.RE -.\} -.sp -.SH "SEE ALSO" -.PP -\fBpam.conf\fR(5), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_cracklib was written by Cristian Gafton <gafton@redhat\&.com> diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml deleted file mode 100644 index 3f6e76f0..00000000 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ /dev/null @@ -1,592 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_cracklib"> - - <refmeta> - <refentrytitle>pam_cracklib</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_cracklib-name"> - <refname>pam_cracklib</refname> - <refpurpose>PAM module to check the password against dictionary words</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis id="pam_cracklib-cmdsynopsis"> - <command>pam_cracklib.so</command> - <arg choice="opt"> - <replaceable>...</replaceable> - </arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1 id="pam_cracklib-description"> - - <title>DESCRIPTION</title> - - <para> - This module can be plugged into the <emphasis>password</emphasis> stack of - a given application to provide some plug-in strength-checking for passwords. - </para> - - <para> - The action of this module is to prompt the user for a password and - check its strength against a system dictionary and a set of rules for - identifying poor choices. - </para> - - <para> - The first action is to prompt for a single password, check its - strength and then, if it is considered strong, prompt for the password - a second time (to verify that it was typed correctly on the first - occasion). All being well, the password is passed on to subsequent - modules to be installed as the new authentication token. - </para> - - <para> - The strength checks works in the following manner: at first the - <function>Cracklib</function> routine is called to check if the password - is part of a dictionary; if this is not the case an additional set of - strength checks is done. These checks are: - </para> - - <variablelist> - <varlistentry> - <term>Palindrome</term> - <listitem> - <para> - Is the new password a palindrome? - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Case Change Only</term> - <listitem> - <para> - Is the new password the the old one with only a change of case? - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Similar</term> - <listitem> - <para> - Is the new password too much like the old one? - This is primarily controlled by one argument, - <option>difok</option> which is a number of character changes - (inserts, removals, or replacements) between the old and new - password that are enough to accept the new password. - This defaults to 5 changes. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Simple</term> - <listitem> - <para> - Is the new password too small? - This is controlled by 6 arguments <option>minlen</option>, - <option>maxclassrepeat</option>, - <option>dcredit</option>, <option>ucredit</option>, - <option>lcredit</option>, and <option>ocredit</option>. See the section - on the arguments for the details of how these work and there defaults. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Rotated</term> - <listitem> - <para> - Is the new password a rotated version of the old password? - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Same consecutive characters</term> - <listitem> - <para> - Optional check for same consecutive characters. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Too long monotonic character sequence</term> - <listitem> - <para> - Optional check for too long monotonic character sequence. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Contains user name</term> - <listitem> - <para> - Optional check whether the password contains the user's name - in some form. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - This module with no arguments will work well for standard unix - password encryption. With md5 encryption, passwords can be longer - than 8 characters and the default settings for this module can make it - hard for the user to choose a satisfactory new password. Notably, the - requirement that the new password contain no more than 1/2 of the - characters in the old password becomes a non-trivial constraint. For - example, an old password of the form "the quick brown fox jumped over - the lazy dogs" would be difficult to change... In addition, the - default action is to allow passwords as small as 5 characters in - length. For a md5 systems it can be a good idea to increase the - required minimum size of a password. One can then allow more credit - for different kinds of characters but accept that the new password may - share most of these characters with the old password. - </para> - - </refsect1> - - <refsect1 id="pam_cracklib-options"> - - <title>OPTIONS</title> - <para> - <variablelist> - - <varlistentry> - <term> - <option>debug</option> - </term> - <listitem> - <para> - This option makes the module write information to - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - indicating the behavior of the module (this option does - not write password information to the log file). - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>authtok_type=<replaceable>XXX</replaceable></option> - </term> - <listitem> - <para> - The default action is for the module to use the - following prompts when requesting passwords: - "New UNIX password: " and "Retype UNIX password: ". - The example word <emphasis>UNIX</emphasis> can - be replaced with this option, by default it is empty. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>retry=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Prompt user at most <replaceable>N</replaceable> times - before returning with error. The default is - <emphasis>1</emphasis>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>difok=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - This argument will change the default of - <emphasis>5</emphasis> for the number of character - changes in the new password that differentiate it - from the old password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>minlen=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - The minimum acceptable size for the new password (plus - one if credits are not disabled which is the default). - In addition to the number of characters in the new password, - credit (of +1 in length) is given for each different kind - of character (<emphasis>other</emphasis>, - <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and - <emphasis>digit</emphasis>). The default for this parameter - is <emphasis>9</emphasis> which is good for a old style UNIX - password all of the same type of character but may be too low - to exploit the added security of a md5 system. Note that - there is a pair of length limits in - <emphasis>Cracklib</emphasis> itself, a "way too short" limit - of 4 which is hard coded in and a defined limit (6) that will - be checked without reference to <option>minlen</option>. - If you want to allow passwords as short as 5 characters you - should not use this module. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>dcredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having digits in - the new password. If you have less than or - <replaceable>N</replaceable> - digits, each digit will count +1 towards meeting the current - <option>minlen</option> value. The default for - <option>dcredit</option> is 1 which is the recommended - value for <option>minlen</option> less than 10. - </para> - <para> - (N < 0) This is the minimum number of digits that must - be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>ucredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having upper - case letters in the new password. If you have less than - or <replaceable>N</replaceable> upper case letters each - letter will count +1 towards meeting the current - <option>minlen</option> value. The default for - <option>ucredit</option> is <emphasis>1</emphasis> which - is the recommended value for <option>minlen</option> less - than 10. - </para> - <para> - (N < 0) This is the minimum number of upper - case letters that must be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>lcredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having - lower case letters in the new password. If you have - less than or <replaceable>N</replaceable> lower case - letters, each letter will count +1 towards meeting the - current <option>minlen</option> value. The default for - <option>lcredit</option> is 1 which is the recommended - value for <option>minlen</option> less than 10. - </para> - <para> - (N < 0) This is the minimum number of lower - case letters that must be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>ocredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having other - characters in the new password. If you have less than or - <replaceable>N</replaceable> other characters, each - character will count +1 towards meeting the current - <option>minlen</option> value. The default for - <option>ocredit</option> is 1 which is the recommended - value for <option>minlen</option> less than 10. - </para> - <para> - (N < 0) This is the minimum number of other - characters that must be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>minclass=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - The minimum number of required classes of characters for - the new password. The default number is zero. The four - classes are digits, upper and lower letters and other - characters. - The difference to the <option>credit</option> check is - that a specific class if of characters is not required. - Instead <replaceable>N</replaceable> out of four of the - classes are required. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>maxrepeat=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Reject passwords which contain more than N same consecutive - characters. The default is 0 which means that this check - is disabled. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>maxsequence=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Reject passwords which contain monotonic character sequences - longer than N. The default is 0 which means that this check - is disabled. Examples of such sequence are '12345' or 'fedcb'. - Note that most such passwords will not pass the simplicity - check unless the sequence is only a minor part of the password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>maxclassrepeat=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Reject passwords which contain more than N consecutive - characters of the same class. The default is 0 which means - that this check is disabled. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>reject_username</option> - </term> - <listitem> - <para> - Check whether the name of the user in straight or reversed - form is contained in the new password. If it is found the - new password is rejected. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>gecoscheck</option> - </term> - <listitem> - <para> - Check whether the words from the GECOS field (usualy full name - of the user) longer than 3 characters in straight or reversed - form are contained in the new password. If any such word is - found the new password is rejected. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>enforce_for_root</option> - </term> - <listitem> - <para> - The module will return error on failed check also if the user - changing the password is root. This option is off by default - which means that just the message about the failed check is - printed but root can change the password anyway. - Note that root is not asked for an old password so the checks - that compare the old and new password are not performed. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>use_authtok</option> - </term> - <listitem> - <para> - This argument is used to <emphasis>force</emphasis> the - module to not prompt the user for a new password but use - the one provided by the previously stacked - <emphasis>password</emphasis> module. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>dictpath=<replaceable>/path/to/dict</replaceable></option> - </term> - <listitem> - <para> - Path to the cracklib dictionaries. - </para> - </listitem> - </varlistentry> - - </variablelist> - </para> - </refsect1> - - <refsect1 id="pam_cracklib-types"> - <title>MODULE TYPES PROVIDED</title> - <para> - Only the <option>password</option> module type is provided. - </para> - </refsect1> - - <refsect1 id='pam_cracklib-return_values'> - <title>RETURN VALUES</title> - <para> - <variablelist> - - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The new password passes all checks. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_AUTHTOK_ERR</term> - <listitem> - <para> - No new password was entered, - the username could not be determined or the new - password fails the strength checks. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_AUTHTOK_RECOVERY_ERR</term> - <listitem> - <para> - The old password was not supplied by a previous stacked - module or got not requested from the user. - The first error can happen if <option>use_authtok</option> - is specified. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_SERVICE_ERR</term> - <listitem> - <para> - A internal error occurred. - </para> - </listitem> - </varlistentry> - - </variablelist> - </para> - </refsect1> - - <refsect1 id='pam_cracklib-examples'> - <title>EXAMPLES</title> - <para> - For an example of the use of this module, we show how it may be - stacked with the password component of - <citerefentry> - <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - <programlisting> -# -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib. -# -passwd password required pam_cracklib.so retry=3 -passwd password required pam_unix.so use_authtok - </programlisting> - </para> - - <para> - Another example (in the <filename>/etc/pam.d/passwd</filename> format) - is for the case that you want to use md5 password encryption: - <programlisting> -#%PAM-1.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib.so \ - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix.so use_authtok nullok md5 - </programlisting> - </para> - - <para> - And here is another example in case you don't want to use credits: - <programlisting> -#%PAM-1.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib.so \ - dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 - </programlisting> - </para> - - </refsect1> - - <refsect1 id='pam_cracklib-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_cracklib-author'> - <title>AUTHOR</title> - <para> - pam_cracklib was written by Cristian Gafton <gafton@redhat.com> - </para> - </refsect1> - -</refentry> diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c deleted file mode 100644 index 45c02aba..00000000 --- a/modules/pam_cracklib/pam_cracklib.c +++ /dev/null @@ -1,908 +0,0 @@ -/* - * pam_cracklib module - */ - -/* - * 0.9. switch to using a distance algorithm in similar() - * 0.86. added support for setting minimum numbers of digits, uppers, - * lowers, and others - * 0.85. added six new options to use this with long passwords. - * 0.8. tidied output and improved D(()) usage for debugging. - * 0.7. added support for more obscure checks for new passwd. - * 0.6. root can reset user passwd to any values (it's only warned) - * 0.5. supports retries - 'retry=N' argument - * 0.4. added argument 'type=XXX' for 'New XXX password' prompt - * 0.3. Added argument 'debug' - * 0.2. new password is feeded to cracklib for verify after typed once - * 0.1. First release - */ - -/* - * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10 - * Long password support by Philip W. Dalrymple <pwd@mdtsoft.com> 1997/07/18 - * See the end of the file for Copyright Information - * - * Modification for long password systems (>8 chars). The original - * module had problems when used in a md5 password system in that it - * allowed too short passwords but required that at least half of the - * bytes in the new password did not appear in the old one. this - * action is still the default and the changes should not break any - * current user. This modification adds 6 new options, one to set the - * number of bytes in the new password that are not in the old one, - * the other five to control the length checking, these are all - * documented (or will be before anyone else sees this code) in the PAM - * S.A.G. in the section on the cracklib module. - */ - -#include "config.h" - -#include <stdio.h> -#ifdef HAVE_LIBXCRYPT -# include <xcrypt.h> -#elif defined(HAVE_CRYPT_H) -# include <crypt.h> -#endif -#include <unistd.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <stdarg.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <ctype.h> -#include <limits.h> -#include <pwd.h> -#include <security/pam_modutil.h> - -#ifdef HAVE_CRACK_H -#include <crack.h> -#else -extern char *FascistCheck(char *pw, const char *dictpath); -#endif - -#ifndef CRACKLIB_DICTS -#define CRACKLIB_DICTS NULL -#endif - -#ifdef MIN -#undef MIN -#endif -#define MIN(_a, _b) (((_a) < (_b)) ? (_a) : (_b)) - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> -#include <security/pam_ext.h> - -/* argument parsing */ -#define PAM_DEBUG_ARG 0x0001 - -struct cracklib_options { - int retry_times; - int diff_ok; - int min_length; - int dig_credit; - int up_credit; - int low_credit; - int oth_credit; - int min_class; - int max_repeat; - int max_sequence; - int max_class_repeat; - int reject_user; - int gecos_check; - int enforce_for_root; - const char *cracklib_dictpath; -}; - -#define CO_RETRY_TIMES 1 -#define CO_DIFF_OK 5 -#define CO_MIN_LENGTH 9 -# define CO_MIN_LENGTH_BASE 5 -#define CO_DIG_CREDIT 1 -#define CO_UP_CREDIT 1 -#define CO_LOW_CREDIT 1 -#define CO_OTH_CREDIT 1 -#define CO_MIN_WORD_LENGTH 4 - -static int -_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, - int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - char *ep = NULL; - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"type=",5)) - pam_set_item (pamh, PAM_AUTHTOK_TYPE, *argv+5); - else if (!strncmp(*argv,"retry=",6)) { - opt->retry_times = strtol(*argv+6,&ep,10); - if (!ep || (opt->retry_times < 1)) - opt->retry_times = CO_RETRY_TIMES; - } else if (!strncmp(*argv,"difok=",6)) { - opt->diff_ok = strtol(*argv+6,&ep,10); - if (!ep || (opt->diff_ok < 0)) - opt->diff_ok = CO_DIFF_OK; - } else if (!strncmp(*argv,"difignore=",10)) { - /* just ignore */ - } else if (!strncmp(*argv,"minlen=",7)) { - opt->min_length = strtol(*argv+7,&ep,10); - if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE)) - opt->min_length = CO_MIN_LENGTH_BASE; - } else if (!strncmp(*argv,"dcredit=",8)) { - opt->dig_credit = strtol(*argv+8,&ep,10); - if (!ep) - opt->dig_credit = 0; - } else if (!strncmp(*argv,"ucredit=",8)) { - opt->up_credit = strtol(*argv+8,&ep,10); - if (!ep) - opt->up_credit = 0; - } else if (!strncmp(*argv,"lcredit=",8)) { - opt->low_credit = strtol(*argv+8,&ep,10); - if (!ep) - opt->low_credit = 0; - } else if (!strncmp(*argv,"ocredit=",8)) { - opt->oth_credit = strtol(*argv+8,&ep,10); - if (!ep) - opt->oth_credit = 0; - } else if (!strncmp(*argv,"minclass=",9)) { - opt->min_class = strtol(*argv+9,&ep,10); - if (!ep) - opt->min_class = 0; - if (opt->min_class > 4) - opt->min_class = 4; - } else if (!strncmp(*argv,"maxrepeat=",10)) { - opt->max_repeat = strtol(*argv+10,&ep,10); - if (!ep) - opt->max_repeat = 0; - } else if (!strncmp(*argv,"maxsequence=",12)) { - opt->max_sequence = strtol(*argv+12,&ep,10); - if (!ep) - opt->max_sequence = 0; - } else if (!strncmp(*argv,"maxclassrepeat=",15)) { - opt->max_class_repeat = strtol(*argv+15,&ep,10); - if (!ep) - opt->max_class_repeat = 0; - } else if (!strncmp(*argv,"reject_username",15)) { - opt->reject_user = 1; - } else if (!strncmp(*argv,"gecoscheck",10)) { - opt->gecos_check = 1; - } else if (!strncmp(*argv,"enforce_for_root",16)) { - opt->enforce_for_root = 1; - } else if (!strncmp(*argv,"authtok_type",12)) { - /* for pam_get_authtok, ignore */; - } else if (!strncmp(*argv,"use_authtok",11)) { - /* for pam_get_authtok, ignore */; - } else if (!strncmp(*argv,"use_first_pass",14)) { - /* for pam_get_authtok, ignore */; - } else if (!strncmp(*argv,"try_first_pass",14)) { - /* for pam_get_authtok, ignore */; - } else if (!strncmp(*argv,"dictpath=",9)) { - opt->cracklib_dictpath = *argv+9; - if (!*(opt->cracklib_dictpath)) { - opt->cracklib_dictpath = CRACKLIB_DICTS; - } - } else { - pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* Helper functions */ - -/* - * can't be a palindrome - like `R A D A R' or `M A D A M' - */ -static int palindrome(const char *new) -{ - int i, j; - - i = strlen (new); - - for (j = 0;j < i;j++) - if (new[i - j - 1] != new[j]) - return 0; - - return 1; -} - -/* - * Calculate how different two strings are in terms of the number of - * character removals, additions, and changes needed to go from one to - * the other - */ - -static int distdifferent(const char *old, const char *new, - size_t i, size_t j) -{ - char c, d; - - if ((i == 0) || (strlen(old) < i)) { - c = 0; - } else { - c = old[i - 1]; - } - if ((j == 0) || (strlen(new) < j)) { - d = 0; - } else { - d = new[j - 1]; - } - return (c != d); -} - -static int distcalculate(int **distances, const char *old, const char *new, - size_t i, size_t j) -{ - int tmp = 0; - - if (distances[i][j] != -1) { - return distances[i][j]; - } - - tmp = distcalculate(distances, old, new, i - 1, j - 1); - tmp = MIN(tmp, distcalculate(distances, old, new, i, j - 1)); - tmp = MIN(tmp, distcalculate(distances, old, new, i - 1, j)); - tmp += distdifferent(old, new, i, j); - - distances[i][j] = tmp; - - return tmp; -} - -static int distance(const char *old, const char *new) -{ - int **distances = NULL; - size_t m, n, i, j, r; - - m = strlen(old); - n = strlen(new); - distances = malloc(sizeof(int*) * (m + 1)); - - for (i = 0; i <= m; i++) { - distances[i] = malloc(sizeof(int) * (n + 1)); - for(j = 0; j <= n; j++) { - distances[i][j] = -1; - } - } - for (i = 0; i <= m; i++) { - distances[i][0] = i; - } - for (j = 0; j <= n; j++) { - distances[0][j] = j; - } - distances[0][0] = 0; - - r = distcalculate(distances, old, new, m, n); - - for (i = 0; i <= m; i++) { - memset(distances[i], 0, sizeof(int) * (n + 1)); - free(distances[i]); - } - free(distances); - - return r; -} - -static int similar(struct cracklib_options *opt, - const char *old, const char *new) -{ - if (distance(old, new) >= opt->diff_ok) { - return 0; - } - - if (strlen(new) >= (strlen(old) * 2)) { - return 0; - } - - /* passwords are too similar */ - return 1; -} - -/* - * enough classes of charecters - */ - -static int minclass (struct cracklib_options *opt, - const char *new) -{ - int digits = 0; - int uppers = 0; - int lowers = 0; - int others = 0; - int total_class; - int i; - int retval; - - D(( "called" )); - for (i = 0; new[i]; i++) - { - if (isdigit (new[i])) - digits = 1; - else if (isupper (new[i])) - uppers = 1; - else if (islower (new[i])) - lowers = 1; - else - others = 1; - } - - total_class = digits + uppers + lowers + others; - - D (("total class: %d\tmin_class: %d", total_class, opt->min_class)); - - if (total_class >= opt->min_class) - retval = 0; - else - retval = 1; - - return retval; -} - - -/* - * a nice mix of characters. - */ -static int simple(struct cracklib_options *opt, const char *new) -{ - int digits = 0; - int uppers = 0; - int lowers = 0; - int others = 0; - int size; - int i; - enum { NONE, DIGIT, UCASE, LCASE, OTHER } prevclass = NONE; - int sameclass = 0; - - for (i = 0;new[i];i++) { - if (isdigit (new[i])) { - digits++; - if (prevclass != DIGIT) { - prevclass = DIGIT; - sameclass = 1; - } else - sameclass++; - } - else if (isupper (new[i])) { - uppers++; - if (prevclass != UCASE) { - prevclass = UCASE; - sameclass = 1; - } else - sameclass++; - } - else if (islower (new[i])) { - lowers++; - if (prevclass != LCASE) { - prevclass = LCASE; - sameclass = 1; - } else - sameclass++; - } - else { - others++; - if (prevclass != OTHER) { - prevclass = OTHER; - sameclass = 1; - } else - sameclass++; - } - if (opt->max_class_repeat > 0 && sameclass > opt->max_class_repeat) { - return 1; - } - } - - /* - * The scam was this - a password of only one character type - * must be 8 letters long. Two types, 7, and so on. - * This is now changed, the base size and the credits or defaults - * see the docs on the module for info on these parameters, the - * defaults cause the effect to be the same as before the change - */ - - if ((opt->dig_credit >= 0) && (digits > opt->dig_credit)) - digits = opt->dig_credit; - - if ((opt->up_credit >= 0) && (uppers > opt->up_credit)) - uppers = opt->up_credit; - - if ((opt->low_credit >= 0) && (lowers > opt->low_credit)) - lowers = opt->low_credit; - - if ((opt->oth_credit >= 0) && (others > opt->oth_credit)) - others = opt->oth_credit; - - size = opt->min_length; - - if (opt->dig_credit >= 0) - size -= digits; - else if (digits < opt->dig_credit * -1) - return 1; - - if (opt->up_credit >= 0) - size -= uppers; - else if (uppers < opt->up_credit * -1) - return 1; - - if (opt->low_credit >= 0) - size -= lowers; - else if (lowers < opt->low_credit * -1) - return 1; - - if (opt->oth_credit >= 0) - size -= others; - else if (others < opt->oth_credit * -1) - return 1; - - if (size <= i) - return 0; - - return 1; -} - -static int consecutive(struct cracklib_options *opt, const char *new) -{ - char c; - int i; - int same; - - if (opt->max_repeat == 0) - return 0; - - for (i = 0; new[i]; i++) { - if (i > 0 && new[i] == c) { - ++same; - if (same > opt->max_repeat) - return 1; - } else { - c = new[i]; - same = 1; - } - } - return 0; -} - -static int sequence(struct cracklib_options *opt, const char *new) -{ - char c; - int i; - int sequp = 1; - int seqdown = 1; - - if (opt->max_sequence == 0) - return 0; - - if (new[0] == '\0') - return 0; - - for (i = 1; new[i]; i++) { - c = new[i-1]; - if (new[i] == c+1) { - ++sequp; - if (sequp > opt->max_sequence) - return 1; - seqdown = 1; - } else if (new[i] == c-1) { - ++seqdown; - if (seqdown > opt->max_sequence) - return 1; - sequp = 1; - } else { - sequp = 1; - seqdown = 1; - } - } - return 0; -} - -static int wordcheck(const char *new, char *word) -{ - char *f, *b; - - if (strstr(new, word) != NULL) - return 1; - - /* now reverse the word, we can do that in place - as it is strdup-ed */ - f = word; - b = word+strlen(word)-1; - while (f < b) { - char c; - - c = *f; - *f = *b; - *b = c; - --b; - ++f; - } - - if (strstr(new, word) != NULL) - return 1; - return 0; -} - -static int usercheck(struct cracklib_options *opt, const char *new, - char *user) -{ - if (!opt->reject_user) - return 0; - - return wordcheck(new, user); -} - -static char * str_lower(char *string) -{ - char *cp; - - if (!string) - return NULL; - - for (cp = string; *cp; cp++) - *cp = tolower(*cp); - return string; -} - -static int gecoscheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new, - const char *user) -{ - struct passwd *pwd; - char *list; - char *p; - char *next; - - if (!opt->gecos_check) - return 0; - - if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) { - return 0; - } - - list = strdup(pwd->pw_gecos); - - if (list == NULL || *list == '\0') { - free(list); - return 0; - } - - for (p = list;;p = next + 1) { - next = strchr(p, ' '); - if (next) - *next = '\0'; - - if (strlen(p) >= CO_MIN_WORD_LENGTH) { - str_lower(p); - if (wordcheck(new, p)) { - free(list); - return 1; - } - } - - if (!next) - break; - } - - free(list); - return 0; -} - -static const char *password_check(pam_handle_t *pamh, struct cracklib_options *opt, - const char *old, const char *new, - const char *user) -{ - const char *msg = NULL; - char *oldmono = NULL, *newmono, *wrapped = NULL; - char *usermono = NULL; - - if (old && strcmp(new, old) == 0) { - msg = _("is the same as the old one"); - return msg; - } - - newmono = str_lower(strdup(new)); - if (!newmono) - msg = _("memory allocation error"); - - usermono = str_lower(strdup(user)); - if (!usermono) - msg = _("memory allocation error"); - - if (!msg && old) { - oldmono = str_lower(strdup(old)); - if (oldmono) - wrapped = malloc(strlen(oldmono) * 2 + 1); - if (wrapped) { - strcpy (wrapped, oldmono); - strcat (wrapped, oldmono); - } else { - msg = _("memory allocation error"); - } - } - - if (!msg && palindrome(newmono)) - msg = _("is a palindrome"); - - if (!msg && oldmono && strcmp(oldmono, newmono) == 0) - msg = _("case changes only"); - - if (!msg && oldmono && similar(opt, oldmono, newmono)) - msg = _("is too similar to the old one"); - - if (!msg && simple(opt, new)) - msg = _("is too simple"); - - if (!msg && wrapped && strstr(wrapped, newmono)) - msg = _("is rotated"); - - if (!msg && minclass (opt, new)) - msg = _("not enough character classes"); - - if (!msg && consecutive(opt, new)) - msg = _("contains too many same characters consecutively"); - - if (!msg && sequence(opt, new)) - msg = _("contains too long of a monotonic character sequence"); - - if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user))) - msg = _("contains the user name in some form"); - - free(usermono); - if (newmono) { - memset(newmono, 0, strlen(newmono)); - free(newmono); - } - if (oldmono) { - memset(oldmono, 0, strlen(oldmono)); - free(oldmono); - } - if (wrapped) { - memset(wrapped, 0, strlen(wrapped)); - free(wrapped); - } - - return msg; -} - - -static int _pam_unix_approve_pass(pam_handle_t *pamh, - unsigned int ctrl, - struct cracklib_options *opt, - const char *pass_old, - const char *pass_new) -{ - const char *msg = NULL; - const char *user; - int retval; - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh, LOG_DEBUG, "bad authentication token"); - pam_error(pamh, "%s", pass_new == NULL ? - _("No password supplied"):_("Password unchanged")); - return PAM_AUTHTOK_ERR; - } - - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { - if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh,LOG_ERR,"Can not get username"); - return PAM_AUTHTOK_ERR; - } - /* - * if one wanted to hardwire authentication token strength - * checking this would be the place - */ - msg = password_check(pamh, opt, pass_old, pass_new, user); - - if (msg) { - if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh, LOG_NOTICE, - "new passwd fails strength check: %s", msg); - pam_error(pamh, _("BAD PASSWORD: %s"), msg); - return PAM_AUTHTOK_ERR; - }; - return PAM_SUCCESS; - -} - -/* The Main Thing (by Cristian Gafton, CEO at this module :-) - * (stolen from http://home.netscape.com) - */ -int -pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - unsigned int ctrl; - struct cracklib_options options; - - D(("called.")); - - memset(&options, 0, sizeof(options)); - options.retry_times = CO_RETRY_TIMES; - options.diff_ok = CO_DIFF_OK; - options.min_length = CO_MIN_LENGTH; - options.dig_credit = CO_DIG_CREDIT; - options.up_credit = CO_UP_CREDIT; - options.low_credit = CO_LOW_CREDIT; - options.oth_credit = CO_OTH_CREDIT; - options.cracklib_dictpath = CRACKLIB_DICTS; - - ctrl = _pam_parse(pamh, &options, argc, argv); - - if (flags & PAM_PRELIM_CHECK) { - /* Check for passwd dictionary */ - /* We cannot do that, since the original path is compiled - into the cracklib library and we don't know it. */ - return PAM_SUCCESS; - } else if (flags & PAM_UPDATE_AUTHTOK) { - int retval; - const void *oldtoken; - int tries; - - D(("do update")); - - - retval = pam_get_item (pamh, PAM_OLDAUTHTOK, &oldtoken); - if (retval != PAM_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh,LOG_ERR,"Can not get old passwd"); - oldtoken = NULL; - } - - tries = 0; - while (tries < options.retry_times) { - const char *crack_msg; - const char *newtoken = NULL; - - - tries++; - - /* Planned modus operandi: - * Get a passwd. - * Verify it against cracklib. - * If okay get it a second time. - * Check to be the same with the first one. - * set PAM_AUTHTOK and return - */ - - retval = pam_get_authtok_noverify (pamh, &newtoken, NULL); - if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s", - pam_strerror (pamh, retval)); - continue; - } else if (newtoken == NULL) { /* user aborted password change, quit */ - return PAM_AUTHTOK_ERR; - } - - D(("testing password")); - /* now test this passwd against cracklib */ - - D(("against cracklib")); - if ((crack_msg = FascistCheck (newtoken, options.cracklib_dictpath))) { - if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg); - pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg); - if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - { - pam_set_item (pamh, PAM_AUTHTOK, NULL); - retval = PAM_AUTHTOK_ERR; - continue; - } - } - - /* check it for strength too... */ - D(("for strength")); - retval = _pam_unix_approve_pass (pamh, ctrl, &options, - oldtoken, newtoken); - if (retval != PAM_SUCCESS) { - if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - { - pam_set_item(pamh, PAM_AUTHTOK, NULL); - retval = PAM_AUTHTOK_ERR; - continue; - } - } - - retval = pam_get_authtok_verify (pamh, &newtoken, NULL); - if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s", - pam_strerror (pamh, retval)); - pam_set_item(pamh, PAM_AUTHTOK, NULL); - continue; - } else if (newtoken == NULL) { /* user aborted password change, quit */ - return PAM_AUTHTOK_ERR; - } - - return PAM_SUCCESS; - } - - D(("returning because maxtries reached")); - - pam_set_item (pamh, PAM_AUTHTOK, NULL); - - /* if we have only one try, we can use the real reason, - else say that there were too many tries. */ - if (options.retry_times > 1) - return PAM_MAXTRIES; - else - return retval; - - } else { - if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh, LOG_NOTICE, "UNKNOWN flags setting %02X",flags); - return PAM_SERVICE_ERR; - } - - /* Not reached */ - return PAM_SERVICE_ERR; -} - - - -/* - * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996. - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - * The following copyright was appended for the long password support - * added with the libpam 0.58 release: - * - * Modificaton Copyright (c) Philip W. Dalrymple III <pwd@mdtsoft.com> - * 1997. All rights reserved - * - * THE MODIFICATION THAT PROVIDES SUPPORT FOR LONG PASSWORD TYPE CHECKING TO - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/modules/pam_cracklib/tst-pam_cracklib b/modules/pam_cracklib/tst-pam_cracklib deleted file mode 100755 index 46a7060d..00000000 --- a/modules/pam_cracklib/tst-pam_cracklib +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -../../tests/tst-dlopen .libs/pam_cracklib.so diff --git a/modules/pam_debug/Makefile.am b/modules/pam_debug/Makefile.am index 9e27ec5e..0333d9ba 100644 --- a/modules/pam_debug/Makefile.am +++ b/modules/pam_debug/Makefile.am @@ -5,16 +5,25 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_debug +EXTRA_DIST = $(XMLS) -man_MANS = pam_debug.8 +if HAVE_DOC +dist_man_MANS = pam_debug.8 +endif XMLS = README.xml pam_debug.8.xml +dist_check_SCRIPTS = tst-pam_debug +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) +AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -22,10 +31,10 @@ endif securelib_LTLIBRARIES = pam_debug.la pam_debug_la_LIBADD = $(top_builddir)/libpam/libpam.la -TESTS = tst-pam_debug +check_PROGRAMS = tst-pam_debug-retval +tst_pam_debug_retval_LDADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_debug.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_debug/Makefile.in b/modules/pam_debug/Makefile.in index 9d763fbc..32fa197d 100644 --- a/modules/pam_debug/Makefile.in +++ b/modules/pam_debug/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_debug-retval$(EXEEXT) subdir = modules/pam_debug -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_debug_retval_SOURCES = tst-pam_debug-retval.c +tst_pam_debug_retval_OBJECTS = tst-pam_debug-retval.$(OBJEXT) +tst_pam_debug_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +173,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_debug.Plo \ + ./$(DEPDIR)/tst-pam_debug-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +195,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_debug.c -DIST_SOURCES = pam_debug.c +SOURCES = pam_debug.c tst-pam_debug-retval.c +DIST_SOURCES = pam_debug.c tst-pam_debug-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +204,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +381,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +404,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +426,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +466,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +525,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +579,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +586,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +595,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_debug -man_MANS = pam_debug.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_debug.8 XMLS = README.xml pam_debug.8.xml +dist_check_SCRIPTS = tst-pam_debug +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_debug.la pam_debug_la_LIBADD = $(top_builddir)/libpam/libpam.la -TESTS = tst-pam_debug -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_debug_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_debug/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_debug/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +652,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +699,38 @@ clean-securelibLTLIBRARIES: pam_debug.la: $(pam_debug_la_OBJECTS) $(pam_debug_la_DEPENDENCIES) $(EXTRA_pam_debug_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_debug_la_OBJECTS) $(pam_debug_la_LIBADD) $(LIBS) +tst-pam_debug-retval$(EXEEXT): $(tst_pam_debug_retval_OBJECTS) $(tst_pam_debug_retval_DEPENDENCIES) $(EXTRA_tst_pam_debug_retval_DEPENDENCIES) + @rm -f tst-pam_debug-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_debug_retval_OBJECTS) $(tst_pam_debug_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_debug.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_debug.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_debug-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +744,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +782,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +870,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +960,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +970,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +988,13 @@ tst-pam_debug.log: tst-pam_debug --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_debug-retval.log: tst-pam_debug-retval$(EXEEXT) + @p='tst-pam_debug-retval$(EXEEXT)'; \ + b='tst-pam_debug-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1010,10 @@ tst-pam_debug.log: tst-pam_debug @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1044,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1090,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_debug.Plo + -rm -f ./$(DEPDIR)/tst-pam_debug-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1141,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_debug.Plo + -rm -f ./$(DEPDIR)/tst-pam_debug-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1165,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1182,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_debug.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_debug/README.xml b/modules/pam_debug/README.xml index ef41911b..cdcec7f4 100644 --- a/modules/pam_debug/README.xml +++ b/modules/pam_debug/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_debug.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_debug-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_debug/pam_debug.8 b/modules/pam_debug/pam_debug.8 index bba7f934..2b2dee3b 100644 --- a/modules/pam_debug/pam_debug.8 +++ b/modules/pam_debug/pam_debug.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_debug .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_DEBUG" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_DEBUG" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_debug \- PAM module to debug the PAM stack The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\&. This module returns what its module arguments tell it to return\&. .SH "OPTIONS" .PP -\fBauth=\fR\fB\fIvalue\fR\fR +auth=value .RS 4 The \fBpam_sm_authenticate\fR(3) @@ -45,7 +45,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBcred=\fR\fB\fIvalue\fR\fR +cred=value .RS 4 The \fBpam_sm_setcred\fR(3) @@ -53,7 +53,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBacct=\fR\fB\fIvalue\fR\fR +acct=value .RS 4 The \fBpam_sm_acct_mgmt\fR(3) @@ -61,7 +61,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBprechauthtok=\fR\fB\fIvalue\fR\fR +prechauthtok=value .RS 4 The \fBpam_sm_chauthtok\fR(3) @@ -72,7 +72,7 @@ if the flag is set\&. .RE .PP -\fBchauthtok=\fR\fB\fIvalue\fR\fR +chauthtok=value .RS 4 The \fBpam_sm_chauthtok\fR(3) @@ -85,7 +85,7 @@ flag is set\&. .RE .PP -\fBopen_session=\fR\fB\fIvalue\fR\fR +open_session=value .RS 4 The \fBpam_sm_open_session\fR(3) @@ -93,7 +93,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBclose_session=\fR\fB\fIvalue\fR\fR +close_session=value .RS 4 The \fBpam_sm_close_session\fR(3) @@ -138,7 +138,7 @@ auth sufficient pam_debug\&.so auth=success cred=success .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_debug/pam_debug.8.xml b/modules/pam_debug/pam_debug.8.xml index 3d85f4d8..939c19bb 100644 --- a/modules/pam_debug/pam_debug.8.xml +++ b/modules/pam_debug/pam_debug.8.xml @@ -1,51 +1,48 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_debug"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_debug"> <refmeta> <refentrytitle>pam_debug</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_debug-name"> + <refnamediv xml:id="pam_debug-name"> <refname>pam_debug</refname> <refpurpose>PAM module to debug the PAM stack</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_debug-cmdsynopsis"> + <cmdsynopsis xml:id="pam_debug-cmdsynopsis" sepchar=" "> <command>pam_debug.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> auth=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> cred=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> acct=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> prechauthtok=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> chauthtok=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> auth=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> open_session=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> close_session=<replaceable>value</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_debug-description"> + <refsect1 xml:id="pam_debug-description"> <title>DESCRIPTION</title> <para> The pam_debug PAM module is intended as a debugging aide for @@ -54,12 +51,12 @@ </para> </refsect1> - <refsect1 id="pam_debug-options"> + <refsect1 xml:id="pam_debug-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>auth=<replaceable>value</replaceable></option> + auth=value </term> <listitem> <para> @@ -73,7 +70,7 @@ </varlistentry> <varlistentry> <term> - <option>cred=<replaceable>value</replaceable></option> + cred=value </term> <listitem> <para> @@ -87,7 +84,7 @@ </varlistentry> <varlistentry> <term> - <option>acct=<replaceable>value</replaceable></option> + acct=value </term> <listitem> <para> @@ -101,7 +98,7 @@ </varlistentry> <varlistentry> <term> - <option>prechauthtok=<replaceable>value</replaceable></option> + prechauthtok=value </term> <listitem> <para> @@ -116,7 +113,7 @@ </varlistentry> <varlistentry> <term> - <option>chauthtok=<replaceable>value</replaceable></option> + chauthtok=value </term> <listitem> <para> @@ -126,13 +123,13 @@ </citerefentry> function will return <replaceable>value</replaceable> if the <emphasis>PAM_PRELIM_CHECK</emphasis> flag is - <emphasis remap='B'>not</emphasis> set. + <emphasis remap="B">not</emphasis> set. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>open_session=<replaceable>value</replaceable></option> + open_session=value </term> <listitem> <para> @@ -146,7 +143,7 @@ </varlistentry> <varlistentry> <term> - <option>close_session=<replaceable>value</replaceable></option> + close_session=value </term> <listitem> <para> @@ -171,7 +168,7 @@ </para> </refsect1> - <refsect1 id="pam_debug-types"> + <refsect1 xml:id="pam_debug-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -179,7 +176,7 @@ </para> </refsect1> - <refsect1 id='pam_debug-return_values'> + <refsect1 xml:id="pam_debug-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -194,7 +191,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_debug-examples'> + <refsect1 xml:id="pam_debug-examples"> <title>EXAMPLES</title> <programlisting> auth requisite pam_permit.so @@ -206,7 +203,7 @@ auth sufficient pam_debug.so auth=success cred=success </programlisting> </refsect1> - <refsect1 id='pam_debug-see_also'> + <refsect1 xml:id="pam_debug-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -216,16 +213,16 @@ auth sufficient pam_debug.so auth=success cred=success <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_debug-author'> + <refsect1 xml:id="pam_debug-author"> <title>AUTHOR</title> <para> pam_debug was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c index 9b68d382..414806b2 100644 --- a/modules/pam_debug/pam_debug.c +++ b/modules/pam_debug/pam_debug.c @@ -1,32 +1,14 @@ -/* pam_permit module */ - /* - * $Id$ + * pam_debug module * * Written by Andrew Morgan <morgan@kernel.org> 2001/02/04 * - */ - -#define DEFAULT_USER "nobody" - -#include "config.h" - -#include <stdio.h> - -/* * This module is intended as a debugging aide for determining how * the PAM stack is operating. - * - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. */ -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD +#include "config.h" +#include <stdio.h> #include <security/pam_modules.h> #include <security/_pam_macros.h> @@ -35,6 +17,8 @@ #define _PAM_ACTION_UNDEF (-10) #include "../../libpam/pam_tokens.h" +#define DEFAULT_USER "nobody" + /* --- authentication management functions --- */ static int state(pam_handle_t *pamh, const char *text) @@ -78,28 +62,7 @@ static int parse_args(int retval, const char *event, int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int retval; - const char *user=NULL; - - /* - * authentication requires we know who the user wants to be - */ - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS) { - D(("get user returned error: %s", pam_strerror(pamh,retval))); - return retval; - } - if (user == NULL || *user == '\0') { - D(("username not known")); - retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); - if (retval != PAM_SUCCESS) - return retval; - } - user = NULL; /* clean up */ - - retval = parse_args(PAM_SUCCESS, "auth", pamh, argc, argv); - - return retval; + return parse_args(PAM_SUCCESS, "auth", pamh, argc, argv); } int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, diff --git a/modules/pam_debug/tst-pam_debug-retval.c b/modules/pam_debug/tst-pam_debug-retval.c new file mode 100644 index 00000000..6d3edf8f --- /dev/null +++ b/modules/pam_debug/tst-pam_debug-retval.c @@ -0,0 +1,65 @@ +/* + * Check pam_debug return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_debug" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static const char args[] = " auth=perm_denied" + " cred=cred_unavail" + " acct=acct_expired" + " prechauthtok=success" + " chauthtok=service_err" + " open_session=buf_err" + " close_session=system_err"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so %s\n" + "account required %s/.libs/%s.so %s\n" + "password required %s/.libs/%s.so %s\n" + "session required %s/.libs/%s.so %s\n", + cwd, MODULE_NAME, args, + cwd, MODULE_NAME, args, + cwd, MODULE_NAME, args, + cwd, MODULE_NAME, args)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_CRED_UNAVAIL, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_ACCT_EXPIRED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_BUF_ERR, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SYSTEM_ERR, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_deny/Makefile.am b/modules/pam_deny/Makefile.am index e2d2ea4c..952df4d6 100644 --- a/modules/pam_deny/Makefile.am +++ b/modules/pam_deny/Makefile.am @@ -5,16 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_deny - -man_MANS = pam_deny.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_deny.8 +endif XMLS = README.xml pam_deny.8.xml +dist_check_SCRIPTS = tst-pam_deny +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -23,13 +31,10 @@ endif securelib_LTLIBRARIES = pam_deny.la pam_deny_la_LIBADD = $(top_builddir)/libpam/libpam.la -if ENABLE_REGENERATE_MAN - -noinst_DATA = README - -README: pam_deny.8.xml +check_PROGRAMS = tst-pam_deny-retval +tst_pam_deny_retval_LDADD = $(top_builddir)/libpam/libpam.la +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -TESTS = tst-pam_deny diff --git a/modules/pam_deny/Makefile.in b/modules/pam_deny/Makefile.in index 76a91355..98bc5b1c 100644 --- a/modules/pam_deny/Makefile.in +++ b/modules/pam_deny/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_deny-retval$(EXEEXT) subdir = modules/pam_deny -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_deny_retval_SOURCES = tst-pam_deny-retval.c +tst_pam_deny_retval_OBJECTS = tst-pam_deny-retval.$(OBJEXT) +tst_pam_deny_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +173,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_deny.Plo \ + ./$(DEPDIR)/tst-pam_deny-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +195,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_deny.c -DIST_SOURCES = pam_deny.c +SOURCES = pam_deny.c tst-pam_deny-retval.c +DIST_SOURCES = pam_deny.c tst-pam_deny-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +204,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +381,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +404,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +426,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +466,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +525,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +579,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +586,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +595,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_deny -man_MANS = pam_deny.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_deny.8 XMLS = README.xml pam_deny.8.xml +dist_check_SCRIPTS = tst-pam_deny +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_deny.la pam_deny_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README -TESTS = tst-pam_deny +tst_pam_deny_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_deny/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_deny/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +652,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +699,38 @@ clean-securelibLTLIBRARIES: pam_deny.la: $(pam_deny_la_OBJECTS) $(pam_deny_la_DEPENDENCIES) $(EXTRA_pam_deny_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_deny_la_OBJECTS) $(pam_deny_la_LIBADD) $(LIBS) +tst-pam_deny-retval$(EXEEXT): $(tst_pam_deny_retval_OBJECTS) $(tst_pam_deny_retval_DEPENDENCIES) $(EXTRA_tst_pam_deny_retval_DEPENDENCIES) + @rm -f tst-pam_deny-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_deny_retval_OBJECTS) $(tst_pam_deny_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_deny.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_deny.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_deny-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +744,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +782,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +870,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +960,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +970,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +988,13 @@ tst-pam_deny.log: tst-pam_deny --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_deny-retval.log: tst-pam_deny-retval$(EXEEXT) + @p='tst-pam_deny-retval$(EXEEXT)'; \ + b='tst-pam_deny-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1010,10 @@ tst-pam_deny.log: tst-pam_deny @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1044,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1090,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_deny.Plo + -rm -f ./$(DEPDIR)/tst-pam_deny-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1141,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_deny.Plo + -rm -f ./$(DEPDIR)/tst-pam_deny-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1165,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,8 +1182,7 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES - -@ENABLE_REGENERATE_MAN_TRUE@README: pam_deny.8.xml +.PRECIOUS: Makefile @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_deny/README.xml b/modules/pam_deny/README.xml index ff2e82b0..d3ba53ce 100644 --- a/modules/pam_deny/README.xml +++ b/modules/pam_deny/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_deny.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_deny-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_deny/pam_deny.8 b/modules/pam_deny/pam_deny.8 index 662a3081..81d53435 100644 --- a/modules/pam_deny/pam_deny.8 +++ b/modules/pam_deny/pam_deny.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_deny .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_DENY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_DENY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -96,7 +96,7 @@ other session required pam_deny\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org> diff --git a/modules/pam_deny/pam_deny.8.xml b/modules/pam_deny/pam_deny.8.xml index a9283582..de41a597 100644 --- a/modules/pam_deny/pam_deny.8.xml +++ b/modules/pam_deny/pam_deny.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_deny"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_deny"> <refmeta> <refentrytitle>pam_deny</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_deny-name"> + <refnamediv xml:id="pam_deny-name"> <refname>pam_deny</refname> <refpurpose>The locking-out PAM module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_deny-cmdsynopsis"> + <cmdsynopsis xml:id="pam_deny-cmdsynopsis" sepchar=" "> <command>pam_deny.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_deny-description"> + <refsect1 xml:id="pam_deny-description"> <title>DESCRIPTION</title> @@ -33,12 +30,12 @@ </refsect1> - <refsect1 id="pam_deny-options"> + <refsect1 xml:id="pam_deny-options"> <title>OPTIONS</title> <para>This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_deny-types"> + <refsect1 xml:id="pam_deny-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -46,7 +43,7 @@ </para> </refsect1> - <refsect1 id='pam_deny-return_values'> + <refsect1 xml:id="pam_deny-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -91,7 +88,7 @@ </para> </refsect1> - <refsect1 id='pam_deny-examples'> + <refsect1 xml:id="pam_deny-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -110,7 +107,7 @@ other session required pam_deny.so </programlisting> </refsect1> - <refsect1 id='pam_deny-see_also'> + <refsect1 xml:id="pam_deny-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -120,16 +117,16 @@ other session required pam_deny.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_deny-author'> + <refsect1 xml:id="pam_deny-author"> <title>AUTHOR</title> <para> pam_deny was written by Andrew G. Morgan <morgan@kernel.org> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_deny/pam_deny.c b/modules/pam_deny/pam_deny.c index 155a1f5d..a2fe0c23 100644 --- a/modules/pam_deny/pam_deny.c +++ b/modules/pam_deny/pam_deny.c @@ -1,26 +1,10 @@ -/* pam_deny module */ - /* - * $Id$ + * pam_deny module * * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - */ - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. */ #include "config.h" - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> /* --- authentication management functions --- */ diff --git a/modules/pam_deny/tst-pam_deny-retval.c b/modules/pam_deny/tst-pam_deny-retval.c new file mode 100644 index 00000000..356ca1f1 --- /dev/null +++ b/modules/pam_deny/tst-pam_deny-retval.c @@ -0,0 +1,58 @@ +/* + * Check pam_deny return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_deny" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_CRED_ERR, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_AUTH_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_AUTHTOK_ERR, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SESSION_ERR, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SESSION_ERR, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_echo/Makefile.am b/modules/pam_echo/Makefile.am index dc14b057..7d7ae983 100644 --- a/modules/pam_echo/Makefile.am +++ b/modules/pam_echo/Makefile.am @@ -5,16 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_echo - -man_MANS = pam_echo.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_echo.8 +endif XMLS = README.xml pam_echo.8.xml +dist_check_SCRIPTS = tst-pam_echo +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -23,10 +31,10 @@ endif securelib_LTLIBRARIES = pam_echo.la pam_echo_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_echo-retval +tst_pam_echo_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_echo.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -TESTS = tst-pam_echo diff --git a/modules/pam_echo/Makefile.in b/modules/pam_echo/Makefile.in index f3ebf665..f1b3f7ef 100644 --- a/modules/pam_echo/Makefile.in +++ b/modules/pam_echo/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_echo-retval$(EXEEXT) subdir = modules/pam_echo -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_echo_retval_SOURCES = tst-pam_echo-retval.c +tst_pam_echo_retval_OBJECTS = tst-pam_echo-retval.$(OBJEXT) +tst_pam_echo_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +173,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_echo.Plo \ + ./$(DEPDIR)/tst-pam_echo-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +195,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_echo.c -DIST_SOURCES = pam_echo.c +SOURCES = pam_echo.c tst-pam_echo-retval.c +DIST_SOURCES = pam_echo.c tst-pam_echo-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +204,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +381,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +404,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +426,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +466,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +525,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +579,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +586,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +595,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_echo -man_MANS = pam_echo.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_echo.8 XMLS = README.xml pam_echo.8.xml +dist_check_SCRIPTS = tst-pam_echo +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_echo.la pam_echo_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README -TESTS = tst-pam_echo +tst_pam_echo_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_echo/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_echo/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +652,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +699,38 @@ clean-securelibLTLIBRARIES: pam_echo.la: $(pam_echo_la_OBJECTS) $(pam_echo_la_DEPENDENCIES) $(EXTRA_pam_echo_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_echo_la_OBJECTS) $(pam_echo_la_LIBADD) $(LIBS) +tst-pam_echo-retval$(EXEEXT): $(tst_pam_echo_retval_OBJECTS) $(tst_pam_echo_retval_DEPENDENCIES) $(EXTRA_tst_pam_echo_retval_DEPENDENCIES) + @rm -f tst-pam_echo-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_echo_retval_OBJECTS) $(tst_pam_echo_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_echo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_echo.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_echo-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +744,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +782,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +870,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +960,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +970,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +988,13 @@ tst-pam_echo.log: tst-pam_echo --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_echo-retval.log: tst-pam_echo-retval$(EXEEXT) + @p='tst-pam_echo-retval$(EXEEXT)'; \ + b='tst-pam_echo-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1010,10 @@ tst-pam_echo.log: tst-pam_echo @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1044,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1090,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_echo.Plo + -rm -f ./$(DEPDIR)/tst-pam_echo-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1141,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_echo.Plo + -rm -f ./$(DEPDIR)/tst-pam_echo-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1165,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1182,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_echo.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_echo/README.xml b/modules/pam_echo/README.xml index b1556e38..ceecf9ef 100644 --- a/modules/pam_echo/README.xml +++ b/modules/pam_echo/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_echo.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_echo-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_echo/pam_echo.8 b/modules/pam_echo/pam_echo.8 index f291bff8..5f0712b9 100644 --- a/modules/pam_echo/pam_echo.8 +++ b/modules/pam_echo/pam_echo.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_echo .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ECHO" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_ECHO" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -40,32 +40,32 @@ PAM module is for printing text messages to inform user about special things\&. \fI%\fR character are interpreted in the following way: .PP -\fI%H\fR +%H .RS 4 The name of the remote host (PAM_RHOST)\&. .RE .PP -\fI%h\fR +%h .RS 4 The name of the local host\&. .RE .PP -\fI%s\fR +%s .RS 4 The service name (PAM_SERVICE)\&. .RE .PP -\fI%t\fR +%t .RS 4 The name of the controlling terminal (PAM_TTY)\&. .RE .PP -\fI%U\fR +%U .RS 4 The remote user name (PAM_RUSER)\&. .RE .PP -\fI%u\fR +%u .RS 4 The local user name (PAM_USER)\&. .RE @@ -77,7 +77,7 @@ expands to the characters following the character\&. .SH "OPTIONS" .PP -\fBfile=\fR\fB\fI/path/message\fR\fR +file=/path/message .RS 4 The content of the file /path/message @@ -126,7 +126,7 @@ password required pam_unix\&.so .PP \fBpam.conf\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP Thorsten Kukuk <kukuk@thkukuk\&.de> diff --git a/modules/pam_echo/pam_echo.8.xml b/modules/pam_echo/pam_echo.8.xml index ef76b022..cf2d0062 100644 --- a/modules/pam_echo/pam_echo.8.xml +++ b/modules/pam_echo/pam_echo.8.xml @@ -1,15 +1,12 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_echo'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_echo"> <refmeta> <refentrytitle>pam_echo</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_echo-name'> + <refnamediv xml:id="pam_echo-name"> <refname>pam_echo</refname> <refpurpose>PAM module for printing text messages</refpurpose> </refnamediv> @@ -17,15 +14,15 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_echo-cmdsynopsis"> + <cmdsynopsis xml:id="pam_echo-cmdsynopsis" sepchar=" "> <command>pam_echo.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> file=<replaceable>/path/message</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id='pam_echo-description'> + <refsect1 xml:id="pam_echo-description"> <title>DESCRIPTION</title> <para> The <emphasis>pam_echo</emphasis> PAM module is for printing @@ -35,37 +32,37 @@ </para> <variablelist> <varlistentry> - <term><emphasis>%H</emphasis></term> + <term>%H</term> <listitem> <para>The name of the remote host (PAM_RHOST).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%h</emphasis></term> + <term>%h</term> <listitem> <para>The name of the local host.</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%s</emphasis></term> + <term>%s</term> <listitem> <para>The service name (PAM_SERVICE).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%t</emphasis></term> + <term>%t</term> <listitem> <para>The name of the controlling terminal (PAM_TTY).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%U</emphasis></term> + <term>%U</term> <listitem> <para>The remote user name (PAM_RUSER).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%u</emphasis></term> + <term>%u</term> <listitem> <para>The local user name (PAM_USER).</para> </listitem> @@ -79,12 +76,12 @@ </para> </refsect1> - <refsect1 id='pam_echo-options'> + <refsect1 xml:id="pam_echo-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>file=<replaceable>/path/message</replaceable></option> + file=/path/message </term> <listitem> <para> @@ -96,7 +93,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_echo-types"> + <refsect1 xml:id="pam_echo-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -106,7 +103,7 @@ </refsect1> - <refsect1 id="pam_echo-return_values"> + <refsect1 xml:id="pam_echo-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -137,7 +134,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_echo-examples'> + <refsect1 xml:id="pam_echo-examples"> <title>EXAMPLES</title> <para> For an example of the use of this module, we show how it may be @@ -150,7 +147,7 @@ password required pam_unix.so </refsect1> - <refsect1 id='pam_echo-see_also'><title>SEE ALSO</title> + <refsect1 xml:id="pam_echo-see_also"><title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>8</manvolnum> @@ -159,12 +156,12 @@ password required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry></para> </refsect1> - <refsect1 id='pam_echo-author'> + <refsect1 xml:id="pam_echo-author"> <title>AUTHOR</title> <para>Thorsten Kukuk <kukuk@thkukuk.de></para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c index 38303880..181aeb4c 100644 --- a/modules/pam_echo/pam_echo.c +++ b/modules/pam_echo/pam_echo.c @@ -52,15 +52,11 @@ #define HOST_NAME_MAX 255 #endif -#define PAM_SM_ACCOUNT -#define PAM_SM_AUTH -#define PAM_SM_PASSWORD -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> +#include "pam_inline.h" static int replace_and_print (pam_handle_t *pamh, const char *mesg) @@ -150,8 +146,9 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv) for (; argc-- > 0; ++argv) { - if (!strncmp (*argv, "file=", 5)) - file = (5 + *argv); + const char *str = pam_str_skip_prefix(*argv, "file="); + if (str != NULL) + file = str; } /* No file= option, use argument for output. */ diff --git a/modules/pam_echo/tst-pam_echo-retval.c b/modules/pam_echo/tst-pam_echo-retval.c new file mode 100644 index 00000000..2374b71a --- /dev/null +++ b/modules/pam_echo/tst-pam_echo-retval.c @@ -0,0 +1,101 @@ +/* + * Check pam_echo return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_echo" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_SUCCESS -> PAM_SUCCESS, PAM_IGNORE -> PAM_PERM_DENIED */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_SILENT: PAM_IGNORE -> PAM_PERM_DENIED */ + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_PERM_DENIED, pam_chauthtok(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_PERM_DENIED, pam_open_session(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_IGNORE -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_chauthtok(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, PAM_SILENT)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am index d6f081ff..f988f109 100644 --- a/modules/pam_env/Makefile.am +++ b/modules/pam_env/Makefile.am @@ -5,33 +5,40 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment - -man_MANS = pam_env.conf.5 pam_env.8 environment.5 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_env.conf.5 pam_env.8 environment.5 +endif XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml +dist_check_SCRIPTS = tst-pam_env +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\" + $(WARN_CFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_env.la -pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) -secureconf_DATA = pam_env.conf -sysconf_DATA = environment +check_PROGRAMS = tst-pam_env-retval +tst_pam_env_retval_LDADD = $(top_builddir)/libpam/libpam.la + +dist_secureconf_DATA = pam_env.conf +dist_sysconf_DATA = environment if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_env.8.xml pam_env.conf.5.xml +dist_noinst_DATA = README environment.5: pam_env.conf.5.xml -include $(top_srcdir)/Make.xml.rules endif - -TESTS = tst-pam_env diff --git a/modules/pam_env/Makefile.in b/modules/pam_env/Makefile.in index 87ae8c04..dd3fd05f 100644 --- a/modules/pam_env/Makefile.in +++ b/modules/pam_env/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,29 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_env-retval$(EXEEXT) subdir = modules/pam_env -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(dist_sysconf_DATA) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -138,13 +152,18 @@ am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" \ "$(DESTDIR)$(sysconfdir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_env_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_env_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_env_la_SOURCES = pam_env.c pam_env_la_OBJECTS = pam_env.lo AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_env_retval_SOURCES = tst-pam_env-retval.c +tst_pam_env_retval_OBJECTS = tst-pam_env-retval.$(OBJEXT) +tst_pam_env_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -159,7 +178,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_env.Plo \ + ./$(DEPDIR)/tst-pam_env-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -179,8 +200,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_env.c -DIST_SOURCES = pam_env.c +SOURCES = pam_env.c tst-pam_env-retval.c +DIST_SOURCES = pam_env.c tst-pam_env-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -189,8 +210,10 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) $(sysconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) \ + $(dist_sysconf_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -365,6 +388,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -387,6 +411,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -406,24 +433,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -437,7 +473,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -456,11 +491,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -483,8 +521,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -495,11 +532,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -542,7 +586,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -550,9 +593,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -562,27 +602,31 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment -man_MANS = pam_env.conf.5 pam_env.8 environment.5 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_env.conf.5 pam_env.8 environment.5 XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml +dist_check_SCRIPTS = tst-pam_env +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\" + $(WARN_CFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_env.la -pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = pam_env.conf -sysconf_DATA = environment -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README -TESTS = tst-pam_env +pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) +tst_pam_env_retval_LDADD = $(top_builddir)/libpam/libpam.la +dist_secureconf_DATA = pam_env.conf +dist_sysconf_DATA = environment +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -599,14 +643,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_env/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_env/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -618,6 +661,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -656,27 +708,38 @@ clean-securelibLTLIBRARIES: pam_env.la: $(pam_env_la_OBJECTS) $(pam_env_la_DEPENDENCIES) $(EXTRA_pam_env_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_env_la_OBJECTS) $(pam_env_la_LIBADD) $(LIBS) +tst-pam_env-retval$(EXEEXT): $(tst_pam_env_retval_OBJECTS) $(tst_pam_env_retval_DEPENDENCIES) $(EXTRA_tst_pam_env_retval_DEPENDENCIES) + @rm -f tst-pam_env-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_env_retval_OBJECTS) $(tst_pam_env_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_env-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -690,10 +753,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -728,15 +791,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -771,14 +834,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -792,14 +855,14 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) -install-sysconfDATA: $(sysconf_DATA) +install-dist_sysconfDATA: $(dist_sysconf_DATA) @$(NORMAL_INSTALL) - @list='$(sysconf_DATA)'; test -n "$(sysconfdir)" || list=; \ + @list='$(dist_sysconf_DATA)'; test -n "$(sysconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(sysconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(sysconfdir)" || exit 1; \ @@ -813,9 +876,9 @@ install-sysconfDATA: $(sysconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(sysconfdir)" || exit $$?; \ done -uninstall-sysconfDATA: +uninstall-dist_sysconfDATA: @$(NORMAL_UNINSTALL) - @list='$(sysconf_DATA)'; test -n "$(sysconfdir)" || list=; \ + @list='$(dist_sysconf_DATA)'; test -n "$(sysconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(sysconfdir)'; $(am__uninstall_files_from_dir) @@ -901,7 +964,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -978,7 +1041,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -991,7 +1054,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1001,7 +1064,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1019,6 +1082,13 @@ tst-pam_env.log: tst-pam_env --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_env-retval.log: tst-pam_env-retval$(EXEEXT) + @p='tst-pam_env-retval$(EXEEXT)'; \ + b='tst-pam_env-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1034,7 +1104,10 @@ tst-pam_env.log: tst-pam_env @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1065,6 +1138,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1109,11 +1184,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_env.Plo + -rm -f ./$(DEPDIR)/tst-pam_env-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1130,14 +1206,14 @@ info: info-am info-am: -install-data-am: install-man install-secureconfDATA \ +install-data-am: install-dist_secureconfDATA install-man \ install-securelibLTLIBRARIES install-dvi: install-dvi-am install-dvi-am: -install-exec-am: install-sysconfDATA +install-exec-am: install-dist_sysconfDATA install-html: install-html-am @@ -1160,7 +1236,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_env.Plo + -rm -f ./$(DEPDIR)/tst-pam_env-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1177,32 +1254,35 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES uninstall-sysconfDATA +uninstall-am: uninstall-dist_secureconfDATA uninstall-dist_sysconfDATA \ + uninstall-man uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dist_secureconfDATA \ + install-dist_sysconfDATA install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-man5 \ install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-secureconfDATA \ - install-securelibLTLIBRARIES install-strip install-sysconfDATA \ + install-ps-am install-securelibLTLIBRARIES install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES uninstall-sysconfDATA + recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_secureconfDATA uninstall-dist_sysconfDATA \ + uninstall-man uninstall-man5 uninstall-man8 \ + uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@ENABLE_REGENERATE_MAN_TRUE@README: pam_env.8.xml pam_env.conf.5.xml @ENABLE_REGENERATE_MAN_TRUE@environment.5: pam_env.conf.5.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_env/README b/modules/pam_env/README index 65a35ce6..f10a02b4 100644 --- a/modules/pam_env/README +++ b/modules/pam_env/README @@ -8,17 +8,45 @@ The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST. +Rules for (un)setting of variables can be defined in an own config file. The +path to this file can be specified with the conffile option. If this file does +not exist, the default rules are taken from the config files /etc/security/ +pam_env.conf and /etc/security/pam_env.conf.d/*.conf. If the file /etc/security +/pam_env.conf does not exist, the rules are taken from the files %vendordir%/ +security/pam_env.conf, %vendordir%/security/pam_env.conf.d/*.conf and /etc/ +security/pam_env.conf.d/*.conf in that order. + +By default rules for (un)setting of variables are taken from the config file / +etc/security/pam_env.conf. If this file does not exist %vendordir%/security/ +pam_env.conf is used. An alternate file can be specified with the conffile +option, which overrules all other files. + By default rules for (un)setting of variables are taken from the config file / etc/security/pam_env.conf. An alternate file can be specified with the conffile option. +Environment variables can be defined in a file with simple KEY=VAL pairs on +separate lines. The path to this file can be specified with the envfile option. +If this file has not been defined, the settings are read from the files /etc/ +security/environment and /etc/security/environment.d/*. If the file /etc/ +environment does not exist, the settings are read from the files %vendordir%/ +environment, %vendordir%/environment.d/* and /etc/environment.d/* in that +order. And last but not least, with the readenv option this mechanism can be +completely disabled. + +Second a file (/etc/environment by default) with simple KEY=VAL pairs on +separate lines will be read. If this file does not exist, %vendordir%/etc/ +environment is used. With the envfile option an alternate file can be +specified, which overrules all other files. And with the readenv option this +can be completely disabled. + Second a file (/etc/environment by default) with simple KEY=VAL pairs on separate lines will be read. With the envfile option an alternate file can be -specified. And with the readenv option this can be completly disabled. +specified. And with the readenv option this can be completely disabled. Third it will read a user configuration file ($HOME/.pam_environment by -default). The default file file can be changed with the user_envfile option and -it can be turned on and off with the user_readenv option. +default). The default file can be changed with the user_envfile option and it +can be turned on and off with the user_readenv option. Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack. @@ -50,14 +78,19 @@ readenv=0|1 user_envfile=filename Indicate an alternative .pam_environment file to override the default.The - syntax is the same as for /etc/environment. The filename is relative to the - user home directory. This can be useful when different services need - different environments. + syntax is the same as for /etc/security/pam_env.conf. The filename is + relative to the user home directory. This can be useful when different + services need different environments. user_readenv=0|1 Turns on or off the reading of the user specific environment file. 0 is - off, 1 is on. By default this option is on. + off, 1 is on. By default this option is off as user supplied environment + variables in the PAM environment could affect behavior of subsequent + modules in the stack without the consent of the system administrator. + + Due to problematic security this functionality is deprecated since the + 1.5.0 version and will be removed completely at some point in the future. EXAMPLES @@ -83,7 +116,7 @@ Now some simple variables NNTPSERVER DEFAULT=localhost PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 - XDG_DATA_HOME @{HOME}/share/ + XDG_DATA_HOME DEFAULT=@{HOME}/share/ Silly examples of escaped variables, just to show how they work. diff --git a/modules/pam_env/README.xml b/modules/pam_env/README.xml index 21a9b855..8becf870 100644 --- a/modules/pam_env/README.xml +++ b/modules/pam_env/README.xml @@ -1,39 +1,21 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_env.8.xml"> ---> -<!-- -<!ENTITY accessconf SYSTEM "pam_env.conf.5.xml"> ---> -]> - -<article> - - <articleinfo> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_env-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.8.xml" xpointer='xpointer(id("pam_env-name")/*)'/> </title> - - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.8.xml" xpointer='xpointer(id("pam_env-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.8.xml" xpointer='xpointer(id("pam_env-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.conf.5.xml" xpointer='xpointer(id("pam_env.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_env/pam_env.8 b/modules/pam_env/pam_env.8 index 2a3ea165..afef8b1b 100644 --- a/modules/pam_env/pam_env.8 +++ b/modules/pam_env/pam_env.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_env .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 09/13/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ENV" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_ENV" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -50,10 +50,10 @@ pairs on separate lines will be read\&. With the \fIenvfile\fR option an alternate file can be specified\&. And with the \fIreadenv\fR -option this can be completly disabled\&. +option this can be completely disabled\&. .PP Third it will read a user configuration file ($HOME/\&.pam_environment -by default)\&. The default file file can be changed with the +by default)\&. The default file can be changed with the \fIuser_envfile\fR option and it can be turned on and off with the \fIuser_readenv\fR @@ -62,20 +62,20 @@ option\&. Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack\&. .SH "OPTIONS" .PP -\fBconffile=\fR\fB\fI/path/to/pam_env\&.conf\fR\fR +conffile=/path/to/pam_env\&.conf .RS 4 Indicate an alternative pam_env\&.conf style configuration file to override the default\&. This can be useful when different services need different environments\&. .RE .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBenvfile=\fR\fB\fI/path/to/environment\fR\fR +envfile=/path/to/environment .RS 4 Indicate an alternative environment @@ -86,22 +86,24 @@ pairs on separate lines\&. The instruction can be specified for bash compatibility, but will be ignored\&. This can be useful when different services need different environments\&. .RE .PP -\fBreadenv=\fR\fB\fI0|1\fR\fR +readenv=0|1 .RS 4 Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\&. By default this option is on\&. .RE .PP -\fBuser_envfile=\fR\fB\fIfilename\fR\fR +user_envfile=filename .RS 4 Indicate an alternative \&.pam_environment file to override the default\&.The syntax is the same as for -\fI/etc/environment\fR\&. The filename is relative to the user home directory\&. This can be useful when different services need different environments\&. +\fI/etc/security/pam_env\&.conf\fR\&. The filename is relative to the user home directory\&. This can be useful when different services need different environments\&. .RE .PP -\fBuser_readenv=\fR\fB\fI0|1\fR\fR +user_readenv=0|1 .RS 4 -Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is on\&. +Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator\&. +.sp +Due to problematic security this functionality is deprecated since the 1\&.5\&.0 version and will be removed completely at some point in the future\&. .RE .SH "MODULE TYPES PROVIDED" .PP @@ -151,7 +153,7 @@ User specific environment file .PP \fBpam_env.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBenviron\fR(7)\&. .SH "AUTHOR" .PP diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml index d6e20a2e..a720d37e 100644 --- a/modules/pam_env/pam_env.8.xml +++ b/modules/pam_env/pam_env.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_env'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_env"> <refmeta> <refentrytitle>pam_env</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_env-name'> + <refnamediv xml:id="pam_env-name"> <refname>pam_env</refname> <refpurpose> PAM module to set/unset environment variables @@ -20,31 +17,31 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_env-cmdsynopsis"> + <cmdsynopsis xml:id="pam_env-cmdsynopsis" sepchar=" "> <command>pam_env.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conffile=<replaceable>conf-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> envfile=<replaceable>env-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> readenv=<replaceable>0|1</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> user_envfile=<replaceable>env-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> user_readenv=<replaceable>0|1</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_env-description"> + <refsect1 xml:id="pam_env-description"> <title>DESCRIPTION</title> <para> The pam_env PAM module allows the (un)setting of environment @@ -52,22 +49,64 @@ variables as well as <emphasis>PAM_ITEM</emphasis>s such as <emphasis>PAM_RHOST</emphasis>. </para> - <para> + <para condition="with_vendordir_and_with_econf"> + Rules for (un)setting of variables can be defined in an own config + file. The path to this file can be specified with the + <emphasis>conffile</emphasis> option. + If this file does not exist, the default rules are taken from the + config files <filename>/etc/security/pam_env.conf</filename> and + <filename>/etc/security/pam_env.conf.d/*.conf</filename>. + If the file <filename>/etc/security/pam_env.conf</filename> does not + exist, the rules are taken from the files + <filename>%vendordir%/security/pam_env.conf</filename>, + <filename>%vendordir%/security/pam_env.conf.d/*.conf</filename> and + <filename>/etc/security/pam_env.conf.d/*.conf</filename> in that order. + </para> + <para condition="with_vendordir_and_without_econf"> + By default rules for (un)setting of variables are taken from the + config file <filename>/etc/security/pam_env.conf</filename>. + If this file does not exist <filename>%vendordir%/security/pam_env.conf</filename> is used. + An alternate file can be specified with the <emphasis>conffile</emphasis> + option, which overrules all other files. + </para> + <para condition="without_vendordir"> By default rules for (un)setting of variables are taken from the config file <filename>/etc/security/pam_env.conf</filename>. An alternate file can be specified with the <emphasis>conffile</emphasis> option. </para> - <para> + <para condition="with_vendordir_and_with_econf"> + Environment variables can be defined in a file with simple <emphasis>KEY=VAL</emphasis> + pairs on separate lines. The path to this file can be specified with the + <emphasis>envfile</emphasis> option. + If this file has not been defined, the settings are read from the + files <filename>/etc/security/environment</filename> and + <filename>/etc/security/environment.d/*</filename>. + If the file <filename>/etc/environment</filename> does not exist, the + settings are read from the files <filename>%vendordir%/environment</filename>, + <filename>%vendordir%/environment.d/*</filename> and + <filename>/etc/environment.d/*</filename> in that order. + And last but not least, with the <emphasis>readenv</emphasis> option this mechanism can + be completely disabled. + </para> + <para condition="with_vendordir_and_without_econf"> + Second a file (<filename>/etc/environment</filename> by default) with simple + <emphasis>KEY=VAL</emphasis> pairs on separate lines will be read. + If this file does not exist, <filename>%vendordir%/etc/environment</filename> is used. + With the <emphasis>envfile</emphasis> option an alternate file can be specified, + which overrules all other files. + And with the <emphasis>readenv</emphasis> option this can be completely disabled. + </para> + <para condition="without_vendordir"> Second a file (<filename>/etc/environment</filename> by default) with simple <emphasis>KEY=VAL</emphasis> pairs on separate lines will be read. With the <emphasis>envfile</emphasis> option an alternate file can be specified. - And with the <emphasis>readenv</emphasis> option this can be completly disabled. + And with the <emphasis>readenv</emphasis> option this can be completely disabled. </para> <para> Third it will read a user configuration file (<filename>$HOME/.pam_environment</filename> by default). - The default file file can be changed with the + The default file can be changed with the <emphasis>user_envfile</emphasis> option and it can be turned on and off with the <emphasis>user_readenv</emphasis> option. </para> @@ -77,13 +116,13 @@ </para> </refsect1> - <refsect1 id="pam_env-options"> + <refsect1 xml:id="pam_env-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>conffile=<replaceable>/path/to/pam_env.conf</replaceable></option> + conffile=/path/to/pam_env.conf </term> <listitem> <para> @@ -96,7 +135,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -108,7 +147,7 @@ <varlistentry> <term> - <option>envfile=<replaceable>/path/to/environment</replaceable></option> + envfile=/path/to/environment </term> <listitem> <para> @@ -124,7 +163,7 @@ <varlistentry> <term> - <option>readenv=<replaceable>0|1</replaceable></option> + readenv=0|1 </term> <listitem> <para> @@ -137,13 +176,13 @@ <varlistentry> <term> - <option>user_envfile=<replaceable>filename</replaceable></option> + user_envfile=filename </term> <listitem> <para> Indicate an alternative <filename>.pam_environment</filename> file to override the default.The syntax is the same as - for <emphasis>/etc/environment</emphasis>. + for <emphasis>/etc/security/pam_env.conf</emphasis>. The filename is relative to the user home directory. This can be useful when different services need different environments. @@ -153,12 +192,20 @@ <varlistentry> <term> - <option>user_readenv=<replaceable>0|1</replaceable></option> + user_readenv=0|1 </term> <listitem> <para> Turns on or off the reading of the user specific environment - file. 0 is off, 1 is on. By default this option is on. + file. 0 is off, 1 is on. By default this option is off as user + supplied environment variables in the PAM environment could affect + behavior of subsequent modules in the stack without the consent + of the system administrator. + </para> + <para> + Due to problematic security this functionality is deprecated + since the 1.5.0 version and will be removed completely at some + point in the future. </para> </listitem> </varlistentry> @@ -166,7 +213,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_env-types"> + <refsect1 xml:id="pam_env-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>session</option> module @@ -174,7 +221,7 @@ </para> </refsect1> - <refsect1 id="pam_env-return_values"> + <refsect1 xml:id="pam_env-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -212,23 +259,25 @@ </variablelist> </refsect1> - <refsect1 id="pam_env-files"> + <refsect1 xml:id="pam_env-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/pam_env.conf</filename></term> + <term condition="with_vendordir">%vendordir%/security/pam_env.conf</term> + <term>/etc/security/pam_env.conf</term> <listitem> <para>Default configuration file</para> </listitem> </varlistentry> <varlistentry> - <term><filename>/etc/environment</filename></term> + <term condition="with_vendordir">%vendordir%/environment</term> + <term>/etc/environment</term> <listitem> <para>Default environment file</para> </listitem> </varlistentry> <varlistentry> - <term><filename>$HOME/.pam_environment</filename></term> + <term>$HOME/.pam_environment</term> <listitem> <para>User specific environment file</para> </listitem> @@ -236,7 +285,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_env-see_also"> + <refsect1 xml:id="pam_env-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -246,7 +295,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum> @@ -254,10 +303,10 @@ </para> </refsect1> - <refsect1 id="pam_env-authors"> + <refsect1 xml:id="pam_env-authors"> <title>AUTHOR</title> <para> pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index 3846e359..d2b4cb10 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -1,16 +1,19 @@ -/* pam_env module */ - /* + * pam_env module + * * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31 * Inspired by Andrew Morgan <morgan@kernel.org>, who also supplied the * template for this file (via pam_mail) */ #define DEFAULT_ETC_ENVFILE "/etc/environment" +#ifdef VENDORDIR +#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment") +#endif #define DEFAULT_READ_ENVFILE 1 #define DEFAULT_USER_ENVFILE ".pam_environment" -#define DEFAULT_USER_READ_ENVFILE 1 +#define DEFAULT_USER_READ_ENVFILE 0 #include "config.h" @@ -25,23 +28,15 @@ #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */ -#define PAM_SM_SESSION /* But I like to be friendly */ -#define PAM_SM_PASSWORD /* "" */ -#define PAM_SM_ACCOUNT /* "" */ +#ifdef USE_ECONF +#include <libeconf.h> +#endif #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* This little structure makes it easier to keep variables together */ @@ -52,7 +47,12 @@ typedef struct var { char *override; } VAR; -#define BUF_SIZE 1024 +#define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf") +#endif + +#define BUF_SIZE 8192 #define MAX_ENV 8192 #define GOOD_LINE 0 @@ -62,17 +62,19 @@ typedef struct var { #define UNDEFINE_VAR 102 #define ILLEGAL_VAR 103 -static int _assemble_line(FILE *, char *, int); -static int _parse_line(const pam_handle_t *, char *, VAR *); -static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */ -static void _clean_var(VAR *); -static int _expand_arg(pam_handle_t *, char **); -static const char * _pam_get_item_byname(pam_handle_t *, const char *); -static int _define_var(pam_handle_t *, int, VAR *); -static int _undefine_var(pam_handle_t *, int, VAR *); +/* This is a special value used to designate an empty string */ +static char quote='\0'; -/* This is a flag used to designate an empty string */ -static char quote='Z'; +static void free_string_array(char **array) +{ + if (array == NULL) + return; + for (char **entry = array; *entry != NULL; ++entry) { + pam_overwrite_string(*entry); + free(*entry); + } + free(array); +} /* argument parsing */ @@ -86,206 +88,206 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, int ctrl=0; *user_envfile = DEFAULT_USER_ENVFILE; - *envfile = DEFAULT_ETC_ENVFILE; + *envfile = NULL; *readenv = DEFAULT_READ_ENVFILE; *user_readenv = DEFAULT_USER_READ_ENVFILE; - *conffile = DEFAULT_CONF_FILE; + *conffile = NULL; /* step through arguments */ for (; argc-- > 0; ++argv) { + const char *str; /* generic options */ if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"conffile=",9)) { - if ((*argv)[9] == '\0') { + else if ((str = pam_str_skip_prefix(*argv, "conffile=")) != NULL) { + if (str[0] == '\0') { pam_syslog(pamh, LOG_ERR, "conffile= specification missing argument - ignored"); } else { - *conffile = 9+*argv; + *conffile = str; D(("new Configuration File: %s", *conffile)); } - } else if (!strncmp(*argv,"envfile=",8)) { - if ((*argv)[8] == '\0') { + } else if ((str = pam_str_skip_prefix(*argv, "envfile=")) != NULL) { + if (str[0] == '\0') { pam_syslog (pamh, LOG_ERR, "envfile= specification missing argument - ignored"); } else { - *envfile = 8+*argv; + *envfile = str; D(("new Env File: %s", *envfile)); } - } else if (!strncmp(*argv,"user_envfile=",13)) { - if ((*argv)[13] == '\0') { + } else if ((str = pam_str_skip_prefix(*argv, "user_envfile=")) != NULL) { + if (str[0] == '\0') { pam_syslog (pamh, LOG_ERR, "user_envfile= specification missing argument - ignored"); } else { - *user_envfile = 13+*argv; + *user_envfile = str; D(("new User Env File: %s", *user_envfile)); } - } else if (!strncmp(*argv,"readenv=",8)) - *readenv = atoi(8+*argv); - else if (!strncmp(*argv,"user_readenv=",13)) - *user_readenv = atoi(13+*argv); - else + } else if ((str = pam_str_skip_prefix(*argv, "readenv=")) != NULL) { + *readenv = atoi(str); + } else if ((str = pam_str_skip_prefix(*argv, "user_readenv=")) != NULL) { + *user_readenv = atoi(str); + } else pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } + if (*user_readenv) + pam_syslog(pamh, LOG_DEBUG, "deprecated reading of user environment enabled"); + return ctrl; } -static int -_parse_config_file(pam_handle_t *pamh, int ctrl, const char *file) -{ - int retval; - char buffer[BUF_SIZE]; - FILE *conf; - VAR Var, *var=&Var; - - D(("Called.")); - - var->name=NULL; var->defval=NULL; var->override=NULL; - - D(("Config file name is: %s", file)); - - /* - * Lets try to open the config file, parse it and process - * any variables found. - */ +#ifdef USE_ECONF - if ((conf = fopen(file,"r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file); - return PAM_IGNORE; - } - - /* _pam_assemble_line will provide a complete line from the config file, - * with all comments removed and any escaped newlines fixed up - */ - - while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) { - D(("Read line: %s", buffer)); - - if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) { - retval = _check_var(pamh, var); +#define ENVIRONMENT "environment" +#define PAM_ENV "pam_env" - if (DEFINE_VAR == retval) { - retval = _define_var(pamh, ctrl, var); - - } else if (UNDEFINE_VAR == retval) { - retval = _undefine_var(pamh, ctrl, var); - } - } - if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval - && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; - - _clean_var(var); - - } /* while */ - - (void) fclose(conf); - - /* tidy up */ - _clean_var(var); /* We could have got here prematurely, - * this is safe though */ - D(("Exit.")); - return (retval != 0 ? PAM_ABORT : PAM_SUCCESS); +static int +isDirectory(const char *path) { + struct stat statbuf; + if (stat(path, &statbuf) != 0) + return 0; + return S_ISDIR(statbuf.st_mode); } static int -_parse_env_file(pam_handle_t *pamh, int ctrl, const char *file) +econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim, + const char *name, const char *suffix, const char *subpath, + char ***lines) { - int retval=PAM_SUCCESS, i, t; - char buffer[BUF_SIZE], *key, *mark; - FILE *conf; - - D(("Env file name is: %s", file)); - - if ((conf = fopen(file,"r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file); - return PAM_IGNORE; + econf_file *key_file = NULL; + econf_err error; + size_t key_number = 0; + char **keys = NULL; + const char *base_dir = ""; + + if (filename != NULL) { + if (isDirectory(filename)) { + /* Set base directory which can be different from root */ + D(("filename argument is a directory: %s", filename)); + base_dir = filename; + } else { + /* Read only one file */ + error = econf_readFile (&key_file, filename, delim, "#"); + D(("File name is: %s", filename)); + if (error != ECONF_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %s", filename, + econf_errString(error)); + if (error == ECONF_NOFILE) + return PAM_IGNORE; + else + return PAM_ABORT; + } + } } + if (filename == NULL || base_dir[0] != '\0') { + /* Read and merge all setting in e.g. /usr/etc and /etc */ + char *vendor_dir = NULL, *sysconf_dir; + if (subpath != NULL && subpath[0] != '\0') { +#ifdef VENDORDIR + if (asprintf(&vendor_dir, "%s%s/%s/", base_dir, VENDORDIR, subpath) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + return PAM_BUF_ERR; + } +#endif + if (asprintf(&sysconf_dir, "%s%s/%s/", base_dir, SYSCONFDIR, subpath) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + free(vendor_dir); + return PAM_BUF_ERR; + } + } else { +#ifdef VENDORDIR + if (asprintf(&vendor_dir, "%s%s/", base_dir, VENDORDIR) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + return PAM_BUF_ERR; + } +#endif + if (asprintf(&sysconf_dir, "%s%s/", base_dir, SYSCONFDIR) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + free(vendor_dir); + return PAM_BUF_ERR; + } + } - while (_assemble_line(conf, buffer, BUF_SIZE) > 0) { - D(("Read line: %s", buffer)); - key = buffer; - - /* skip leading white space */ - key += strspn(key, " \n\t"); - - /* skip blanks lines and comments */ - if (key[0] == '#') - continue; - - /* skip over "export " if present so we can be compat with - bash type declarations */ - if (strncmp(key, "export ", (size_t) 7) == 0) - key += 7; + D(("Read configuration from directory %s and %s", vendor_dir, sysconf_dir)); + error = econf_readDirs (&key_file, vendor_dir, sysconf_dir, name, suffix, + delim, "#"); + free(vendor_dir); + free(sysconf_dir); + if (error != ECONF_SUCCESS) { + if (error == ECONF_NOFILE) { + pam_syslog(pamh, LOG_ERR, "Configuration file not found: %s%s", name, suffix); + return PAM_IGNORE; + } else { + char *error_filename = NULL; + uint64_t error_line = 0; + + econf_errLocation(&error_filename, &error_line); + pam_syslog(pamh, LOG_ERR, "Unable to read configuration file %s line %ld: %s", + error_filename, + error_line, + econf_errString(error)); + free(error_filename); + return PAM_ABORT; + } + } + } - /* now find the end of value */ - mark = key; - while(mark[0] != '\n' && mark[0] != '#' && mark[0] != '\0') - mark++; - if (mark[0] != '\0') - mark[0] = '\0'; + error = econf_getKeys(key_file, NULL, &key_number, &keys); + if (error != ECONF_SUCCESS && error != ECONF_NOKEY) { + pam_syslog(pamh, LOG_ERR, "Unable to read keys: %s", + econf_errString(error)); + econf_freeFile(key_file); + return PAM_ABORT; + } - /* - * sanity check, the key must be alpha-numeric - */ + *lines = malloc((key_number +1)* sizeof(char**)); + if (*lines == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); + econf_freeFile(key_file); + return PAM_BUF_ERR; + } - for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ ) - if (!isalnum(key[i]) && key[i] != '_') { - pam_syslog(pamh, LOG_ERR, - "non-alphanumeric key '%s' in %s', ignoring", - key, file); - break; - } - /* non-alphanumeric key, ignore this line */ - if (key[i] != '=' && key[i] != '\0') - continue; + (*lines)[key_number] = 0; - /* now we try to be smart about quotes around the value, - but not too smart, we can't get all fancy with escaped - values like bash */ - if (key[i] == '=' && (key[++i] == '\"' || key[i] == '\'')) { - for ( t = i+1 ; key[t] != '\0' ; t++) - if (key[t] != '\"' && key[t] != '\'') - key[i++] = key[t]; - else if (key[t+1] != '\0') - key[i++] = key[t]; - key[i] = '\0'; - } + for (size_t i = 0; i < key_number; i++) { + char *val; - /* if this is a request to delete a variable, check that it's - actually set first, so we don't get a vague error back from - pam_putenv() */ - for (i = 0; key[i] != '=' && key[i] != '\0'; i++); - - if (key[i] == '\0' && !pam_getenv(pamh,key)) - continue; - - /* set the env var, if it fails, we break out of the loop */ - retval = pam_putenv(pamh, key); - if (retval != PAM_SUCCESS) { - D(("error setting env \"%s\"", key)); - break; - } else if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "pam_putenv(\"%s\")", key); + error = econf_getStringValue (key_file, NULL, keys[i], &val); + if (error != ECONF_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s", + keys[i], + econf_errString(error)); + } else { + if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); + econf_freeFile(key_file); + (*lines)[i] = NULL; + free_string_array(*lines); + free (val); + return PAM_BUF_ERR; } + free (val); + } } - (void) fclose(conf); - - /* tidy up */ - D(("Exit.")); - return retval; + econf_free(keys); + econf_free(key_file); + return PAM_SUCCESS; } +#else + /* * This is where we read a line of the PAM config file. The line may be - * preceeded by lines of comments and also extended with "\\\n" + * preceded by lines of comments and also extended with "\\\n" */ - -static int _assemble_line(FILE *f, char *buffer, int buf_len) +static int +_assemble_line(FILE *f, char *buffer, int buf_len) { char *p = buffer; char *s, *os; @@ -310,6 +312,14 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len) return 0; } } + if (p[0] == '\0') { + D(("_assemble_line: corrupted or binary file")); + return -1; + } + if (p[strlen(p)-1] != '\n' && !feof(f)) { + D(("_assemble_line: line too long")); + return -1; + } /* skip leading spaces --- line may be blank */ @@ -365,8 +375,57 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len) return used; } +static int read_file(const pam_handle_t *pamh, const char*filename, char ***lines) +{ + FILE *conf; + char buffer[BUF_SIZE]; + + D(("Parsed file name is: %s", filename)); + + if ((conf = fopen(filename,"r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s", filename); + return PAM_IGNORE; + } + + size_t i = 0; + *lines = malloc((i + 1)* sizeof(char**)); + if (*lines == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + (void) fclose(conf); + return PAM_BUF_ERR; + } + (*lines)[i] = 0; + while (_assemble_line(conf, buffer, BUF_SIZE) > 0) { + char **tmp = NULL; + D(("Read line: %s", buffer)); + tmp = realloc(*lines, (++i + 1) * sizeof(char**)); + if (tmp == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + (void) fclose(conf); + free_string_array(*lines); + pam_overwrite_array(buffer); + return PAM_BUF_ERR; + } + *lines = tmp; + (*lines)[i-1] = strdup(buffer); + if ((*lines)[i-1] == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + (void) fclose(conf); + free_string_array(*lines); + pam_overwrite_array(buffer); + return PAM_BUF_ERR; + } + (*lines)[i] = 0; + } + + (void) fclose(conf); + pam_overwrite_array(buffer); + return PAM_SUCCESS; +} +#endif + static int -_parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) +_parse_line(const pam_handle_t *pamh, const char *buffer, VAR *var) { /* * parse buffer into var, legal syntax is @@ -377,7 +436,8 @@ _parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) */ int length, quoteflg=0; - char *ptr, **valptr, *tmpptr; + const char *ptr, *tmpptr; + char **valptr; D(("Called buffer = <%s>", buffer)); @@ -405,12 +465,12 @@ _parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) while ((length = strspn(ptr, " \t")) > 0) { ptr += length; /* remove leading whitespace */ D((ptr)); - if (strncmp(ptr,"DEFAULT=",8) == 0) { - ptr+=8; + if ((tmpptr = pam_str_skip_prefix(ptr, "DEFAULT=")) != NULL) { + ptr = tmpptr; D(("Default arg found: <%s>", ptr)); valptr=&(var->defval); - } else if (strncmp(ptr, "OVERRIDE=", 9) == 0) { - ptr+=9; + } else if ((tmpptr = pam_str_skip_prefix(ptr, "OVERRIDE=")) != NULL) { + ptr = tmpptr; D(("Override arg found: <%s>", ptr)); valptr=&(var->override); } else { @@ -445,7 +505,8 @@ _parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) } (void)strncpy(*valptr,ptr,length); (*valptr)[length]='\0'; - } else if (quoteflg--) { + } else if (quoteflg) { + quoteflg--; *valptr = "e; /* a quick hack to handle the empty string */ } ptr = tmpptr; /* Start the search where we stopped */ @@ -460,76 +521,57 @@ _parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) return GOOD_LINE; } -static int _check_var(pam_handle_t *pamh, VAR *var) +static const char * +_pam_get_item_byname(pam_handle_t *pamh, const char *name) { /* - * Examine the variable and determine what action to take. - * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take - * or a PAM_* error code if passed back from other routines - * - * if no DEFAULT provided, the empty string is assumed - * if no OVERRIDE provided, the empty string is assumed - * if DEFAULT= and OVERRIDE evaluates to the empty string, - * this variable should be undefined - * if DEFAULT="" and OVERRIDE evaluates to the empty string, - * this variable should be defined with no value - * if OVERRIDE=value and value turns into the empty string, DEFAULT is used - * - * If DEFINE_VAR is to be returned, the correct value to define will - * be pointed to by var->value + * This function just allows me to use names as given in the config + * file and translate them into the appropriate PAM_ITEM macro */ - int retval; + int item; + const void *itemval; D(("Called.")); - - /* - * First thing to do is to expand any arguments, but only - * if they are not the special quote values (cause expand_arg - * changes memory). - */ - - if (var->defval && ("e != var->defval) && - ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { - return retval; - } - if (var->override && ("e != var->override) && - ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { - return retval; + if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) { + item = PAM_USER; + } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { + item = PAM_USER_PROMPT; + } else if (strcmp(name, "PAM_TTY") == 0) { + item = PAM_TTY; + } else if (strcmp(name, "PAM_RUSER") == 0) { + item = PAM_RUSER; + } else if (strcmp(name, "PAM_RHOST") == 0) { + item = PAM_RHOST; + } else { + D(("Unknown PAM_ITEM: <%s>", name)); + pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name); + return NULL; } - /* Now its easy */ - - if (var->override && *(var->override) && "e != var->override) { - /* if there is a non-empty string in var->override, we use it */ - D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); - var->value = var->override; - retval = DEFINE_VAR; - } else { + if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) { + D(("pam_get_item failed")); + return NULL; /* let pam_get_item() log the error */ + } - var->value = var->defval; - if ("e == var->defval) { - /* - * This means that the empty string was given for defval value - * which indicates that a variable should be defined with no value - */ - *var->defval = '\0'; - D(("An empty variable: <%s>", var->name)); - retval = DEFINE_VAR; - } else if (var->defval) { - D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); - retval = DEFINE_VAR; - } else { - D(("UNDEFINE variable <%s>", var->name)); - retval = UNDEFINE_VAR; + if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) { + struct passwd *user_entry; + user_entry = pam_modutil_getpwnam (pamh, itemval); + if (!user_entry) { + pam_syslog(pamh, LOG_ERR, "No such user!?"); + return NULL; } + return (strcmp(name, "SHELL") == 0) ? + user_entry->pw_shell : + user_entry->pw_dir; } D(("Exit.")); - return retval; + return itemval; } -static int _expand_arg(pam_handle_t *pamh, char **value) +static int +_expand_arg(pam_handle_t *pamh, char **value) { const char *orig=*value, *tmpptr=NULL; char *ptr; /* @@ -542,10 +584,8 @@ static int _expand_arg(pam_handle_t *pamh, char **value) char type, tmpval[BUF_SIZE]; /* I know this shouldn't be hard-coded but it's so much easier this way */ - char tmp[MAX_ENV]; - - D(("Remember to initialize tmp!")); - memset(tmp, 0, MAX_ENV); + char tmp[MAX_ENV] = {}; + size_t idx = 0; /* * (possibly non-existent) environment variables can be used as values @@ -563,14 +603,14 @@ static int _expand_arg(pam_handle_t *pamh, char **value) pam_syslog(pamh, LOG_ERR, "Unrecognized escaped character: <%c> - ignoring", *orig); - } else if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ + } else if (idx + 1 < MAX_ENV) { + tmp[idx++] = *orig++; /* Note the increment */ } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - return PAM_BUF_ERR; + goto buf_err; } continue; } @@ -580,8 +620,8 @@ static int _expand_arg(pam_handle_t *pamh, char **value) " <%s> - ignoring", orig)); pam_syslog(pamh, LOG_ERR, "Expandable variables must be wrapped in {}" " <%s> - ignoring", orig); - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ + if (idx + 1 < MAX_ENV) { + tmp[idx++] = *orig++; /* Note the increment */ } continue; } else { @@ -595,7 +635,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Unterminated expandable variable: <%s>", orig-2)); pam_syslog(pamh, LOG_ERR, "Unterminated expandable variable: <%s>", orig-2); - return PAM_ABORT; + goto abort_err; } strncpy(tmpval, orig, sizeof(tmpval)); tmpval[sizeof(tmpval)-1] = '\0'; @@ -621,99 +661,154 @@ static int _expand_arg(pam_handle_t *pamh, char **value) default: D(("Impossible error, type == <%c>", type)); pam_syslog(pamh, LOG_CRIT, "Impossible error, type == <%c>", type); - return PAM_ABORT; + goto abort_err; } /* switch */ if (tmpptr) { - if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) { - strcat(tmp, tmpptr); + size_t len = strlen(tmpptr); + if (idx + len < MAX_ENV) { + strcpy(tmp + idx, tmpptr); + idx += len; } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - return PAM_BUF_ERR; + goto buf_err; } } } /* if ('{' != *orig++) */ } else { /* if ( '$' == *orig || '@' == *orig) */ - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ + if (idx + 1 < MAX_ENV) { + tmp[idx++] = *orig++; /* Note the increment */ } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog(pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - return PAM_BUF_ERR; + goto buf_err; } } } /* for (;*orig;) */ - if (strlen(tmp) > strlen(*value)) { + if (idx > strlen(*value)) { free(*value); - if ((*value = malloc(strlen(tmp) +1)) == NULL) { - D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1)); + if ((*value = malloc(idx + 1)) == NULL) { + D(("Couldn't malloc %d bytes for expanded var", idx + 1)); pam_syslog (pamh, LOG_CRIT, "Couldn't malloc %lu bytes for expanded var", - (unsigned long)strlen(tmp)+1); - return PAM_BUF_ERR; + (unsigned long)idx+1); + goto buf_err; } } strcpy(*value, tmp); - memset(tmp,'\0',sizeof(tmp)); + pam_overwrite_array(tmp); + pam_overwrite_array(tmpval); D(("Exit.")); return PAM_SUCCESS; +buf_err: + pam_overwrite_array(tmp); + pam_overwrite_array(tmpval); + return PAM_BUF_ERR; +abort_err: + pam_overwrite_array(tmp); + pam_overwrite_array(tmpval); + return PAM_ABORT; } -static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) +static int +_check_var(pam_handle_t *pamh, VAR *var) { /* - * This function just allows me to use names as given in the config - * file and translate them into the appropriate PAM_ITEM macro + * Examine the variable and determine what action to take. + * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take + * or a PAM_* error code if passed back from other routines + * + * if no DEFAULT provided, the empty string is assumed + * if no OVERRIDE provided, the empty string is assumed + * if DEFAULT= and OVERRIDE evaluates to the empty string, + * this variable should be undefined + * if DEFAULT="" and OVERRIDE evaluates to the empty string, + * this variable should be defined with no value + * if OVERRIDE=value and value turns into the empty string, DEFAULT is used + * + * If DEFINE_VAR is to be returned, the correct value to define will + * be pointed to by var->value */ - int item; - const void *itemval; + int retval; D(("Called.")); - if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) { - item = PAM_USER; - } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { - item = PAM_USER_PROMPT; - } else if (strcmp(name, "PAM_TTY") == 0) { - item = PAM_TTY; - } else if (strcmp(name, "PAM_RUSER") == 0) { - item = PAM_RUSER; - } else if (strcmp(name, "PAM_RHOST") == 0) { - item = PAM_RHOST; - } else { - D(("Unknown PAM_ITEM: <%s>", name)); - pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name); - return NULL; - } - if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) { - D(("pam_get_item failed")); - return NULL; /* let pam_get_item() log the error */ + /* + * First thing to do is to expand any arguments, but only + * if they are not the special quote values (cause expand_arg + * changes memory). + */ + + if (var->defval && ("e != var->defval) && + ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { + return retval; + } + if (var->override && ("e != var->override) && + ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { + return retval; } - if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) { - struct passwd *user_entry; - user_entry = pam_modutil_getpwnam (pamh, (char *) itemval); - if (!user_entry) { - pam_syslog(pamh, LOG_ERR, "No such user!?"); - return NULL; + /* Now its easy */ + + if (var->override && *(var->override)) { + /* if there is a non-empty string in var->override, we use it */ + D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); + var->value = var->override; + retval = DEFINE_VAR; + } else { + + var->value = var->defval; + if ("e == var->defval) { + /* + * This means that the empty string was given for defval value + * which indicates that a variable should be defined with no value + */ + D(("An empty variable: <%s>", var->name)); + retval = DEFINE_VAR; + } else if (var->defval) { + D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); + retval = DEFINE_VAR; + } else { + D(("UNDEFINE variable <%s>", var->name)); + retval = UNDEFINE_VAR; } - return (strcmp(name, "SHELL") == 0) ? - user_entry->pw_shell : - user_entry->pw_dir; } D(("Exit.")); - return itemval; + return retval; +} + +static void +_clean_var(VAR *var) +{ + if (var->name) { + pam_overwrite_string(var->name); + free(var->name); + } + if (var->defval && ("e != var->defval)) { + pam_overwrite_string(var->defval); + free(var->defval); + } + if (var->override && ("e != var->override)) { + pam_overwrite_string(var->override); + free(var->override); + } + var->name = NULL; + var->value = NULL; /* never has memory specific to it */ + var->defval = NULL; + var->override = NULL; + return; } -static int _define_var(pam_handle_t *pamh, int ctrl, VAR *var) +static int +_define_var(pam_handle_t *pamh, int ctrl, VAR *var) { /* We have a variable to define, this is a simple function */ @@ -735,7 +830,8 @@ static int _define_var(pam_handle_t *pamh, int ctrl, VAR *var) return retval; } -static int _undefine_var(pam_handle_t *pamh, int ctrl, VAR *var) +static int +_undefine_var(pam_handle_t *pamh, int ctrl, VAR *var) { /* We have a variable to undefine, this is a simple function */ @@ -746,25 +842,175 @@ static int _undefine_var(pam_handle_t *pamh, int ctrl, VAR *var) return pam_putenv(pamh, var->name); } -static void _clean_var(VAR *var) +static int +_parse_config_file(pam_handle_t *pamh, int ctrl, const char *file) { - if (var->name) { - free(var->name); - } - if (var->defval && ("e != var->defval)) { - free(var->defval); - } - if (var->override && ("e != var->override)) { - free(var->override); + int retval; + VAR Var, *var=&Var; + char **conf_list = NULL; + + var->name=NULL; var->defval=NULL; var->override=NULL; + + D(("Called.")); + +#ifdef USE_ECONF + /* If "file" is not NULL, only this file will be parsed. */ + retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list); +#else + /* Only one file will be parsed. So, file has to be set. */ + if (file == NULL) /* No filename has been set via argv. */ + file = DEFAULT_CONF_FILE; +#ifdef VENDOR_DEFAULT_CONF_FILE + /* + * Check whether file is available. + * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file. + */ + struct stat stat_buffer; + if (stat(file, &stat_buffer) != 0 && errno == ENOENT) { + file = VENDOR_DEFAULT_CONF_FILE; } - var->name = NULL; - var->value = NULL; /* never has memory specific to it */ - var->defval = NULL; - var->override = NULL; - return; +#endif + retval = read_file(pamh, file, &conf_list); +#endif + + if (retval != PAM_SUCCESS) + return retval; + + for (char **conf = conf_list; *conf != NULL; ++conf) { + if ((retval = _parse_line(pamh, *conf, var)) == GOOD_LINE) { + retval = _check_var(pamh, var); + + if (DEFINE_VAR == retval) { + retval = _define_var(pamh, ctrl, var); + + } else if (UNDEFINE_VAR == retval) { + retval = _undefine_var(pamh, ctrl, var); + } + } + if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval + && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; + + _clean_var(var); + + } /* for */ + + /* tidy up */ + free_string_array(conf_list); + _clean_var(var); /* We could have got here prematurely, + * this is safe though */ + D(("Exit.")); + return (retval != 0 ? PAM_ABORT : PAM_SUCCESS); } +static int +_parse_env_file(pam_handle_t *pamh, int ctrl, const char *file) +{ + int retval=PAM_SUCCESS, i, t; + char *key, *mark; + char **env_list = NULL; + +#ifdef USE_ECONF + retval = econf_read_file(pamh, file, "=", ENVIRONMENT, "", "", &env_list); +#else + /* Only one file will be parsed. So, file has to be set. */ + if (file == NULL) /* No filename has been set via argv. */ + file = DEFAULT_ETC_ENVFILE; +#ifdef VENDOR_DEFAULT_ETC_ENVFILE + /* + * Check whether file is available. + * If it does not exist, fall back to VENDOR_DEFAULT_ETC_ENVFILE; file. + */ + struct stat stat_buffer; + if (stat(file, &stat_buffer) != 0 && errno == ENOENT) { + file = VENDOR_DEFAULT_ETC_ENVFILE; + } +#endif + retval = read_file(pamh, file, &env_list); +#endif + + if (retval != PAM_SUCCESS) + return retval == PAM_IGNORE ? PAM_SUCCESS : retval; + + for (char **env = env_list; *env != NULL; ++env) { + key = *env; + + /* skip leading white space */ + key += strspn(key, " \n\t"); + + /* skip blanks lines and comments */ + if (key[0] == '#') + continue; + + /* skip over "export " if present so we can be compat with + bash type declarations */ + if (strncmp(key, "export ", (size_t) 7) == 0) + key += 7; + /* now find the end of value */ + mark = key; + while(mark[0] != '\n' && mark[0] != '#' && mark[0] != '\0') + mark++; + if (mark[0] != '\0') + mark[0] = '\0'; + + /* + * sanity check, the key must be alphanumeric + */ + + if (key[0] == '=') { + pam_syslog(pamh, LOG_ERR, + "missing key name '%s' in %s', ignoring", + key, file); + continue; + } + + for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ ) + if (!isalnum(key[i]) && key[i] != '_') { + pam_syslog(pamh, LOG_ERR, + "non-alphanumeric key '%s' in %s', ignoring", + key, file); + break; + } + /* non-alphanumeric key, ignore this line */ + if (key[i] != '=' && key[i] != '\0') + continue; + + /* now we try to be smart about quotes around the value, + but not too smart, we can't get all fancy with escaped + values like bash */ + if (key[i] == '=' && (key[++i] == '\"' || key[i] == '\'')) { + for ( t = i+1 ; key[t] != '\0' ; t++) + if (key[t] != '\"' && key[t] != '\'') + key[i++] = key[t]; + else if (key[t+1] != '\0') + key[i++] = key[t]; + key[i] = '\0'; + } + + /* if this is a request to delete a variable, check that it's + actually set first, so we don't get a vague error back from + pam_putenv() */ + for (i = 0; key[i] != '=' && key[i] != '\0'; i++); + + if (key[i] == '\0' && !pam_getenv(pamh,key)) + continue; + + /* set the env var, if it fails, we break out of the loop */ + retval = pam_putenv(pamh, key); + if (retval != PAM_SUCCESS) { + D(("error setting env \"%s\"", key)); + break; + } else if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "pam_putenv(\"%s\")", key); + } + } + + /* tidy up */ + free_string_array(env_list); + D(("Exit.")); + return retval; +} /* --- authentication management functions (only) --- */ diff --git a/modules/pam_env/pam_env.conf b/modules/pam_env/pam_env.conf index 30e9d008..2549e430 100644 --- a/modules/pam_env/pam_env.conf +++ b/modules/pam_env/pam_env.conf @@ -26,7 +26,7 @@ # # Each line starts with the variable name, there are then two possible # options for each variable DEFAULT and OVERRIDE. -# DEFAULT allows and administrator to set the value of the +# DEFAULT allows an administrator to set the value of the # variable to some default value, if none is supplied then the empty # string is assumed. The OVERRIDE option tells pam_env that it should # enter in its value (overriding the default value) if there is one diff --git a/modules/pam_env/pam_env.conf.5 b/modules/pam_env/pam_env.conf.5 index ffa35a13..9d9af676 100644 --- a/modules/pam_env/pam_env.conf.5 +++ b/modules/pam_env/pam_env.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_env.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ENV\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ENV\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -36,7 +36,7 @@ The file specifies the environment variables to be set, unset or modified by \fBpam_env\fR(8)\&. When someone logs in, this file is read and the environment variables are set according\&. .PP -Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\&. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\&. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\&. OVERRIDE is not used, "" is assumed and no override will be done\&. +Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\&. DEFAULT allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\&. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\&. When OVERRIDE is not used, "" is assumed and no override will be done\&. .PP \fIVARIABLE\fR [\fIDEFAULT=[value]\fR] [\fIOVERRIDE=[value]\fR] @@ -99,7 +99,7 @@ Now some simple variables NNTPSERVER DEFAULT=localhost PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\e :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 - XDG_DATA_HOME @{HOME}/share/ + XDG_DATA_HOME DEFAULT=@{HOME}/share/ .fi .if n \{\ @@ -125,7 +125,7 @@ Silly examples of escaped variables, just to show how they work\&. .PP \fBpam_env\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBenviron\fR(7) .SH "AUTHOR" .PP diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml index c47f17d9..38bc5fd6 100644 --- a/modules/pam_env/pam_env.conf.5.xml +++ b/modules/pam_env/pam_env.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_env.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_env.conf"> <refmeta> <refentrytitle>pam_env.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -17,10 +14,18 @@ </refnamediv> - <refsect1 id='pam_env.conf-description'> + <refsect1 xml:id="pam_env.conf-description"> <title>DESCRIPTION</title> - <para> + <para condition="with_vendordir"> + The <filename>%vendordir%/security/pam_env.conf</filename> and + <filename>/etc/security/pam_env.conf</filename> files specify + the environment variables to be set, unset or modified by + <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>. + When someone logs in, these files are read and the environment + variables are set according. + </para> + <para condition="without_vendordir"> The <filename>/etc/security/pam_env.conf</filename> file specifies the environment variables to be set, unset or modified by <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>. @@ -29,11 +34,11 @@ </para> <para> Each line starts with the variable name, there are then two possible - options for each variable DEFAULT and OVERRIDE. DEFAULT allows and + options for each variable DEFAULT and OVERRIDE. DEFAULT allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value - (overriding the default value) if there is one to use. OVERRIDE is + (overriding the default value) if there is one to use. When OVERRIDE is not used, "" is assumed and no override will be done. </para> <para> @@ -61,7 +66,15 @@ at front) can be used to mark this line as a comment line. </para> - <para> + <para condition="with_vendordir"> + The <filename>%vendordir%/environment</filename> and <filename>/etc/environment</filename> files specify + the environment variables to be set. These files must consist of simple + <emphasis>NAME=VALUE</emphasis> pairs on separate lines. + The <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry> + module will read these files after the <filename>pam_env.conf</filename> + file. + </para> + <para condition="without_vendordir"> The <filename>/etc/environment</filename> file specifies the environment variables to be set. The file must consist of simple <emphasis>NAME=VALUE</emphasis> pairs on separate lines. @@ -71,7 +84,7 @@ </para> </refsect1> - <refsect1 id="pam_env.conf-examples"> + <refsect1 xml:id="pam_env.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -103,7 +116,7 @@ NNTPSERVER DEFAULT=localhost PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 - XDG_DATA_HOME @{HOME}/share/ + XDG_DATA_HOME DEFAULT=@{HOME}/share/ </programlisting> <para> @@ -117,17 +130,17 @@ </programlisting> </refsect1> - <refsect1 id="pam_env.conf-see_also"> + <refsect1 xml:id="pam_env.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="pam_env.conf-author"> + <refsect1 xml:id="pam_env.conf-author"> <title>AUTHOR</title> <para> pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. diff --git a/modules/pam_env/tst-pam_env-retval.c b/modules/pam_env/tst-pam_env-retval.c new file mode 100644 index 00000000..23ad10b9 --- /dev/null +++ b/modules/pam_env/tst-pam_env-retval.c @@ -0,0 +1,287 @@ +/* + * Check pam_env return values. + * + * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org> + * Copyright (c) 2022 Stefan Schubert <schubi@suse.de> + */ + +#include "test_assert.h" + +#include <errno.h> +#include <libgen.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/stat.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_env" +#define TEST_NAME "tst-" MODULE_NAME "-retval" +#define TEST_NAME_DIR TEST_NAME ".dir" + +static const char service_file[] = TEST_NAME ".service"; +static const char missing_file[] = TEST_NAME ".missing"; +static const char my_conf[] = TEST_NAME ".conf"; +static const char my_env[] = TEST_NAME ".env"; +#ifdef VENDORDIR +static const char dir_usr_etc_security[] = TEST_NAME_DIR VENDOR_SCONFIGDIR; +static const char usr_env[] = TEST_NAME_DIR VENDORDIR "/environment"; +static const char usr_conf[] = TEST_NAME_DIR VENDOR_SCONFIGDIR "/pam_env.conf"; +#endif + +static struct pam_conv conv; + +#ifdef VENDORDIR +static void +mkdir_p(const char *pathname, mode_t mode) +{ + if (mkdir(pathname, mode) == 0 || errno == EEXIST) + return; + ASSERT_EQ(errno, ENOENT); + + char *buf; + ASSERT_NE(NULL, buf = strdup(pathname)); + mkdir_p(dirname(buf), mode); + free(buf); + + ASSERT_EQ(0, mkdir(pathname, mode)); +} + +static void +rmdir_p(const char *pathname) +{ + if (rmdir(pathname) != 0) + return; + + char *buf; + ASSERT_NE(NULL, buf = strdup(pathname)); + rmdir_p(dirname(buf)); + free(buf); +} +#endif + +static void +setup(void) +{ + FILE *fp; + + ASSERT_NE(NULL, fp = fopen(my_conf, "w")); + ASSERT_LT(0, fprintf(fp, + "EDITOR\tDEFAULT=vim\n" + "PAGER\tDEFAULT=more\n")); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_NE(NULL, fp = fopen(my_env, "w")); + ASSERT_LT(0, fprintf(fp, + "test_value=foo\n" + "test2_value=bar\n")); + ASSERT_EQ(0, fclose(fp)); + +#ifdef VENDORDIR + mkdir_p(dir_usr_etc_security, 0755); + + ASSERT_NE(NULL, fp = fopen(usr_env, "w")); + ASSERT_LT(0, fprintf(fp, + "usr_etc_test=foo\n" + "usr_etc_test2=bar\n")); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_NE(NULL, fp = fopen(usr_conf, "w")); + ASSERT_LT(0, fprintf(fp, + "PAGER DEFAULT=emacs\n" + "MANPAGER DEFAULT=less\n")); + ASSERT_EQ(0, fclose(fp)); +#endif +} + +static void +cleanup(void) +{ + ASSERT_EQ(0, unlink(my_conf)); + ASSERT_EQ(0, unlink(my_env)); +#ifdef VENDORDIR + ASSERT_EQ(0, unlink(usr_env)); + ASSERT_EQ(0, unlink(usr_conf)); + rmdir_p(dir_usr_etc_security); +#endif +} + +static void +check_array(const char **array1, char **array2) +{ + for (const char **a1 = array1; *a1 != NULL; ++a1) { + char **a2; + for (a2 = array2; *a2 != NULL; ++a2) { + if (strcmp(*a1, *a2) == 0) + break; + } + ASSERT_NE(NULL, *a2); + } +} + +static void +check_env(const char **list) +{ + pam_handle_t *pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + + char **env_list = pam_getenvlist(pamh); + ASSERT_NE(NULL, env_list); + + check_array(list, env_list); + + for (char **e = env_list; *e != NULL; ++e) + free(*e); + free(env_list); + + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); +} + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + setup(); + + /* + * When conffile= specifies a missing file, all methods except + * pam_sm_acct_mgmt and pam_sm_chauthtok return PAM_IGNORE. + * The return code of the stack where every module returns PAM_IGNORE + * is PAM_PERM_DENIED. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conffile=%s/%s\n" + "account required %s/.libs/%s.so conffile=%s/%s\n" + "password required %s/.libs/%s.so conffile=%s/%s\n" + "session required %s/.libs/%s.so conffile=%s/%s\n", + cwd, MODULE_NAME, cwd, missing_file, + cwd, MODULE_NAME, cwd, missing_file, + cwd, MODULE_NAME, cwd, missing_file, + cwd, MODULE_NAME, cwd, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * When conffile= specifies a missing file, all methods except + * pam_sm_acct_mgmt and pam_sm_chauthtok return PAM_IGNORE. + * pam_permit is added after pam_env to convert PAM_IGNORE to PAM_SUCCESS. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conffile=%s/%s\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so conffile=%s/%s\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so conffile=%s/%s\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so conffile=%s/%s\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, cwd, missing_file, cwd, + cwd, MODULE_NAME, cwd, missing_file, cwd, + cwd, MODULE_NAME, cwd, missing_file, cwd, + cwd, MODULE_NAME, cwd, missing_file, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * conffile= specifies an existing file, + * envfile= specifies an empty file. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s/%s envfile=%s\n", + cwd, MODULE_NAME, + cwd, my_conf, "/dev/null")); + ASSERT_EQ(0, fclose(fp)); + + const char *env1[] = { "EDITOR=vim", "PAGER=more", NULL }; + check_env(env1); + + /* + * conffile= specifies an empty file, + * envfile= specifies an existing file. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s envfile=%s/%s\n", + cwd, MODULE_NAME, + "/dev/null", cwd, my_env)); + ASSERT_EQ(0, fclose(fp)); + + const char *env2[] = { "test_value=foo", "test2_value=bar", NULL }; + check_env(env2); + +#if defined (USE_ECONF) && defined (VENDORDIR) + + /* envfile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s envfile=%s/%s/\n", + cwd, MODULE_NAME, + "/dev/null", + cwd, TEST_NAME_DIR)); + ASSERT_EQ(0, fclose(fp)); + + const char *env3[] = {"usr_etc_test=foo", "usr_etc_test2=bar", NULL}; + check_env(env3); + + /* conffile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s/%s/ envfile=%s\n", + cwd, MODULE_NAME, + cwd, TEST_NAME_DIR, + "/dev/null")); + ASSERT_EQ(0, fclose(fp)); + + const char *env4[] = {"PAGER=emacs", "MANPAGER=less", NULL}; + check_env(env4); + +#endif + + /* cleanup */ + cleanup(); + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am index 293c00ae..a0582226 100644 --- a/modules/pam_exec/Makefile.am +++ b/modules/pam_exec/Makefile.am @@ -5,16 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec - -man_MANS = pam_exec.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_exec.8 +endif XMLS = README.xml pam_exec.8.xml +dist_check_SCRIPTS = tst-pam_exec +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,12 +32,6 @@ securelib_LTLIBRARIES = pam_exec.la pam_exec_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN - -noinst_DATA = README - -README: pam_exec.8.xml - +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -TESTS = tst-pam_exec diff --git a/modules/pam_exec/Makefile.in b/modules/pam_exec/Makefile.in index 98809774..f738998d 100644 --- a/modules/pam_exec/Makefile.in +++ b/modules/pam_exec/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_exec -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_exec.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec -man_MANS = pam_exec.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_exec.8 XMLS = README.xml pam_exec.8.xml +dist_check_SCRIPTS = tst-pam_exec +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_exec.la pam_exec_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README -TESTS = tst-pam_exec +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_exec/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_exec/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_exec.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_exec.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_exec.log: tst-pam_exec @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_exec.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_exec.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,8 +1152,7 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES - -@ENABLE_REGENERATE_MAN_TRUE@README: pam_exec.8.xml +.PRECIOUS: Makefile @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_exec/README b/modules/pam_exec/README index efdd32dd..39591625 100644 --- a/modules/pam_exec/README +++ b/modules/pam_exec/README @@ -12,7 +12,7 @@ environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types: account, auth, password, open_session and close_session. -Commands called by pam_exec need to be aware of that the user can have controll +Commands called by pam_exec need to be aware of that the user can have control over the environment. OPTIONS @@ -47,6 +47,11 @@ quiet Per default pam_exec.so will echo the exit status of the external command if it fails. Specifying this option will suppress the message. +quiet_log + + Per default pam_exec.so will log the exit status of the external command if + it fails. Specifying this option will suppress the log message. + seteuid Per default pam_exec.so will execute the external command with the real diff --git a/modules/pam_exec/README.xml b/modules/pam_exec/README.xml index 5e76cab3..1928d7f9 100644 --- a/modules/pam_exec/README.xml +++ b/modules/pam_exec/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_exec.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_exec-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8 index f4cff034..bfa49f8e 100644 --- a/modules/pam_exec/pam_exec.8 +++ b/modules/pam_exec/pam_exec.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_exec .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_EXEC" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_EXEC" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_exec \- PAM module which calls an external command .SH "SYNOPSIS" .HP \w'\fBpam_exec\&.so\fR\ 'u -\fBpam_exec\&.so\fR [debug] [expose_authtok] [seteuid] [quiet] [stdout] [log=\fIfile\fR] [type=\fItype\fR] \fIcommand\fR [\fI\&.\&.\&.\fR] +\fBpam_exec\&.so\fR [debug] [expose_authtok] [seteuid] [quiet] [quiet_log] [stdout] [log=\fIfile\fR] [type=\fItype\fR] \fIcommand\fR [\fI\&.\&.\&.\fR] .SH "DESCRIPTION" .PP pam_exec is a PAM module that can be used to run an external command\&. @@ -53,16 +53,16 @@ and and \fBclose_session\fR\&. .PP -Commands called by pam_exec need to be aware of that the user can have controll over the environment\&. +Commands called by pam_exec need to be aware of that the user can have control over the environment\&. .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBexpose_authtok\fR +expose_authtok .RS 4 During authentication the calling command can read the password from \fBstdin\fR(3)\&. Only first @@ -70,18 +70,18 @@ During authentication the calling command can read the password from bytes of a password are provided to the command\&. .RE .PP -\fBlog=\fR\fB\fIfile\fR\fR +log=file .RS 4 The output of the command is appended to file .RE .PP -\fBtype=\fR\fB\fItype\fR\fR +type=type .RS 4 Only run the command if the module type matches the given type\&. .RE .PP -\fBstdout\fR +stdout .RS 4 Per default the output of the executed command is written to /dev/null\&. With this option, the stdout output of the executed command is redirected to the calling application\&. It\*(Aqs in the responsibility of this application what happens with the output\&. The @@ -89,12 +89,17 @@ Per default the output of the executed command is written to option is ignored\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Per default pam_exec\&.so will echo the exit status of the external command if it fails\&. Specifying this option will suppress the message\&. .RE .PP -\fBseteuid\fR +quiet_log +.RS 4 +Per default pam_exec\&.so will log the exit status of the external command if it fails\&. Specifying this option will suppress the log message\&. +.RE +.PP +seteuid .RS 4 Per default pam_exec\&.so will execute the external command with the real user ID of the calling process\&. Specifying this option means the command is run with the effective user ID\&. .RE @@ -113,6 +118,21 @@ PAM_SUCCESS The external command was run successfully\&. .RE .PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. +.RE +.PP PAM_SERVICE_ERR .RS 4 No argument or a wrong number of arguments were given\&. @@ -162,7 +182,7 @@ with effective user ID\&. .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&. diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index d1b00a21..2eedb285 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -1,54 +1,54 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_exec"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_exec"> <refmeta> <refentrytitle>pam_exec</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_exec-name"> + <refnamediv xml:id="pam_exec-name"> <refname>pam_exec</refname> <refpurpose>PAM module which calls an external command</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_exec-cmdsynopsis"> + <cmdsynopsis xml:id="pam_exec-cmdsynopsis" sepchar=" "> <command>pam_exec.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> expose_authtok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> seteuid </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> + quiet_log + </arg> + <arg choice="opt" rep="norepeat"> stdout </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> log=<replaceable>file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> type=<replaceable>type</replaceable> </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> <replaceable>command</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>...</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_exec-description"> + <refsect1 xml:id="pam_exec-description"> <title>DESCRIPTION</title> @@ -75,12 +75,12 @@ <para> Commands called by pam_exec need to be aware of that the user - can have controll over the environment. + can have control over the environment. </para> </refsect1> - <refsect1 id="pam_exec-options"> + <refsect1 xml:id="pam_exec-options"> <title>OPTIONS</title> <para> @@ -88,7 +88,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -99,7 +99,7 @@ <varlistentry> <term> - <option>expose_authtok</option> + expose_authtok </term> <listitem> <para> @@ -114,7 +114,7 @@ <varlistentry> <term> - <option>log=<replaceable>file</replaceable></option> + log=file </term> <listitem> <para> @@ -126,7 +126,7 @@ <varlistentry> <term> - <option>type=<replaceable>type</replaceable></option> + type=type </term> <listitem> <para> @@ -137,7 +137,7 @@ <varlistentry> <term> - <option>stdout</option> + stdout </term> <listitem> <para> @@ -148,7 +148,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -161,7 +161,20 @@ <varlistentry> <term> - <option>seteuid</option> + quiet_log + </term> + <listitem> + <para> + Per default pam_exec.so will log the exit status of the + external command if it fails. + Specifying this option will suppress the log message. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + seteuid </term> <listitem> <para> @@ -178,7 +191,7 @@ </para> </refsect1> - <refsect1 id="pam_exec-types"> + <refsect1 xml:id="pam_exec-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -186,7 +199,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-return_values'> + <refsect1 xml:id="pam_exec-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -201,6 +214,35 @@ </varlistentry> <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>PAM_SERVICE_ERR</term> <listitem> <para> @@ -233,7 +275,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-examples'> + <refsect1 xml:id="pam_exec-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/passwd</filename> to @@ -248,7 +290,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-see_also'> + <refsect1 xml:id="pam_exec-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -258,12 +300,12 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_exec-author'> + <refsect1 xml:id="pam_exec-author"> <title>AUTHOR</title> <para> pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and @@ -271,4 +313,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 52dc6818..9d2145dc 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -48,17 +48,13 @@ #include <sys/wait.h> #include <sys/stat.h> #include <sys/types.h> - - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD +#include <signal.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> #include <security/_pam_macros.h> +#include "pam_inline.h" #define ENV_ITEM(n) { (n), #n } static struct { @@ -98,15 +94,19 @@ call_exec (const char *pam_type, pam_handle_t *pamh, int debug = 0; int call_setuid = 0; int quiet = 0; + int quiet_log = 0; int expose_authtok = 0; int use_stdout = 0; int optargc; const char *logfile = NULL; - const char *authtok = NULL; + char authtok[PAM_MAX_RESP_SIZE] = {}; pid_t pid; int fds[2]; int stdout_fds[2]; FILE *stdout_file = NULL; + int retval; + const char *name; + struct sigaction newsa, oldsa; if (argc < 1) { pam_syslog (pamh, LOG_ERR, @@ -116,6 +116,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, for (optargc = 0; optargc < argc; optargc++) { + const char *str; + if (argv[optargc][0] == '/') /* paths starts with / */ break; @@ -123,23 +125,35 @@ call_exec (const char *pam_type, pam_handle_t *pamh, debug = 1; else if (strcasecmp (argv[optargc], "stdout") == 0) use_stdout = 1; - else if (strncasecmp (argv[optargc], "log=", 4) == 0) - logfile = &argv[optargc][4]; - else if (strncasecmp (argv[optargc], "type=", 5) == 0) + else if ((str = pam_str_skip_icase_prefix (argv[optargc], "log=")) != NULL) + logfile = str; + else if ((str = pam_str_skip_icase_prefix (argv[optargc], "type=")) != NULL) { - if (strcmp (pam_type, &argv[optargc][5]) != 0) + if (strcmp (pam_type, str) != 0) return PAM_IGNORE; } else if (strcasecmp (argv[optargc], "seteuid") == 0) call_setuid = 1; else if (strcasecmp (argv[optargc], "quiet") == 0) quiet = 1; + else if (strcasecmp (argv[optargc], "quiet_log") == 0) + quiet_log = 1; else if (strcasecmp (argv[optargc], "expose_authtok") == 0) expose_authtok = 1; else break; /* Unknown option, assume program to execute. */ } + /* Request user name to be available. */ + + retval = pam_get_user(pamh, &name, NULL); + if (retval != PAM_SUCCESS) + { + if (retval == PAM_CONV_AGAIN) + retval = PAM_INCOMPLETE; + return retval; + } + if (expose_authtok == 1) { if (strcmp (pam_type, "auth") != 0) @@ -151,7 +165,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, else { const void *void_pass; - int retval; retval = pam_get_item (pamh, PAM_AUTHTOK, &void_pass); if (retval != PAM_SUCCESS) @@ -171,6 +184,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (retval != PAM_SUCCESS) { + pam_overwrite_string (resp); _pam_drop (resp); if (retval == PAM_CONV_AGAIN) retval = PAM_INCOMPLETE; @@ -180,15 +194,17 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (resp) { pam_set_item (pamh, PAM_AUTHTOK, resp); - authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + strncpy (authtok, resp, sizeof(authtok) - 1); + pam_overwrite_string (resp); _pam_drop (resp); } } else - authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + strncpy (authtok, void_pass, sizeof(authtok) - 1); if (pipe(fds) != 0) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); return PAM_SYSTEM_ERR; } @@ -199,51 +215,57 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { if (pipe(stdout_fds) != 0) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); return PAM_SYSTEM_ERR; } stdout_file = fdopen(stdout_fds[0], "r"); if (!stdout_file) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not fdopen pipe: %m"); return PAM_SYSTEM_ERR; } } if (optargc >= argc) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "No path given as argument"); return PAM_SERVICE_ERR; } + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_overwrite_array(authtok); + pam_syslog(pamh, LOG_ERR, "failed to reset SIGCHLD handler: %m"); + return PAM_SYSTEM_ERR; + } + pid = fork(); - if (pid == -1) + if (pid == -1) { + pam_overwrite_array(authtok); return PAM_SYSTEM_ERR; + } if (pid > 0) /* parent */ { int status = 0; - pid_t retval; + pid_t rc; if (expose_authtok) /* send the password to the child */ { - if (authtok != NULL) - { /* send the password to the child */ - if (debug) - pam_syslog (pamh, LOG_DEBUG, "send password to child"); - if (write(fds[1], authtok, strlen(authtok)+1) == -1) - pam_syslog (pamh, LOG_ERR, - "sending password to child failed: %m"); - authtok = NULL; - } - else - { - if (write(fds[1], "", 1) == -1) /* blank password */ - pam_syslog (pamh, LOG_ERR, - "sending password to child failed: %m"); - } - close(fds[0]); /* close here to avoid possible SIGPIPE above */ - close(fds[1]); + if (debug) + pam_syslog (pamh, LOG_DEBUG, "send password to child"); + if (write(fds[1], authtok, strlen(authtok)) == -1) + pam_syslog (pamh, LOG_ERR, + "sending password to child failed: %m"); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); } + pam_overwrite_array(authtok); + if (use_stdout) { char buf[4096]; @@ -259,9 +281,10 @@ call_exec (const char *pam_type, pam_handle_t *pamh, fclose(stdout_file); } - while ((retval = waitpid (pid, &status, 0)) == -1 && + while ((rc = waitpid (pid, &status, 0)) == -1 && errno == EINTR); - if (retval == (pid_t)-1) + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ + if (rc == (pid_t)-1) { pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m"); return PAM_SYSTEM_ERR; @@ -270,6 +293,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { if (WIFEXITED(status)) { + if (!quiet_log) pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d", argv[optargc], WEXITSTATUS(status)); if (!quiet) @@ -278,6 +302,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else if (WIFSIGNALED(status)) { + if (!quiet_log) pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s", argv[optargc], WTERMSIG(status), WCOREDUMP(status) ? " (core dumped)" : ""); @@ -288,6 +313,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else { + if (!quiet_log) pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x", argv[optargc], status); if (!quiet) @@ -300,9 +326,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else /* child */ { - char **arggv; + const char **arggv; int i; - char **envlist, **tmp; + char **envlist; int envlen, nitems; char *envstr; enum pam_modutil_redirect_fd redirect_stdin = @@ -310,6 +336,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, enum pam_modutil_redirect_fd redirect_stdout = (use_stdout || logfile) ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_NULL_FD; + pam_overwrite_array(authtok); + /* First, move all the pipes off of stdin, stdout, and stderr, to ensure * that calls to dup2 won't close them. */ @@ -413,7 +441,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, _exit (ENOMEM); for (i = 0; i < (argc - optargc); i++) - arggv[i] = strdup(argv[i+optargc]); + arggv[i] = argv[i+optargc]; arggv[i] = NULL; /* @@ -423,16 +451,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh, envlist = pam_getenvlist(pamh); for (envlen = 0; envlist[envlen] != NULL; ++envlen) /* nothing */ ; - nitems = sizeof(env_items) / sizeof(*env_items); + nitems = PAM_ARRAY_SIZE(env_items); /* + 2 because of PAM_TYPE and NULL entry */ - tmp = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); - if (tmp == NULL) + envlist = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); + if (envlist == NULL) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "realloc environment failed: %m"); _exit (ENOMEM); } - envlist = tmp; for (i = 0; i < nitems; ++i) { const void *item; @@ -441,7 +467,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, continue; if (asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item) < 0) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m"); _exit (ENOMEM); } @@ -451,7 +476,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (asprintf(&envstr, "PAM_TYPE=%s", pam_type) < 0) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m"); _exit (ENOMEM); } @@ -461,10 +485,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (debug) pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]); - execve (arggv[0], arggv, envlist); + DIAG_PUSH_IGNORE_CAST_QUAL; + execve (arggv[0], (char **) arggv, envlist); + DIAG_POP_IGNORE_CAST_QUAL; i = errno; pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m", arggv[0]); - free(envlist); _exit (i); } return PAM_SYSTEM_ERR; /* will never be reached. */ diff --git a/modules/pam_faildelay/Makefile.am b/modules/pam_faildelay/Makefile.am index 9166d582..0ca59c52 100644 --- a/modules/pam_faildelay/Makefile.am +++ b/modules/pam_faildelay/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay +EXTRA_DIST = $(XMLS) -man_MANS = pam_faildelay.8 +if HAVE_DOC +dist_man_MANS = pam_faildelay.8 +endif XMLS = README.xml pam_faildelay.8.xml - -TESTS = tst-pam_faildelay +dist_check_SCRIPTS = tst-pam_faildelay +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,8 +31,10 @@ endif securelib_LTLIBRARIES = pam_faildelay.la pam_faildelay_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_faildelay-retval +tst_pam_faildelay_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_faildelay.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_faildelay/Makefile.in b/modules/pam_faildelay/Makefile.in index 72ef61ed..3f526dfb 100644 --- a/modules/pam_faildelay/Makefile.in +++ b/modules/pam_faildelay/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_faildelay-retval$(EXEEXT) subdir = modules/pam_faildelay -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,10 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_faildelay_retval_SOURCES = tst-pam_faildelay-retval.c +tst_pam_faildelay_retval_OBJECTS = tst-pam_faildelay-retval.$(OBJEXT) +tst_pam_faildelay_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +174,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_faildelay.Plo \ + ./$(DEPDIR)/tst-pam_faildelay-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +196,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_faildelay.c -DIST_SOURCES = pam_faildelay.c +SOURCES = pam_faildelay.c tst-pam_faildelay-retval.c +DIST_SOURCES = pam_faildelay.c tst-pam_faildelay-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +205,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +382,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +405,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +427,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +467,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +485,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +515,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +526,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +580,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +587,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +596,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faildelay -man_MANS = pam_faildelay.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_faildelay.8 XMLS = README.xml pam_faildelay.8.xml -TESTS = tst-pam_faildelay +dist_check_SCRIPTS = tst-pam_faildelay +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_faildelay.la pam_faildelay_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_faildelay_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +635,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_faildelay/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_faildelay/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +653,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +700,38 @@ clean-securelibLTLIBRARIES: pam_faildelay.la: $(pam_faildelay_la_OBJECTS) $(pam_faildelay_la_DEPENDENCIES) $(EXTRA_pam_faildelay_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_faildelay_la_OBJECTS) $(pam_faildelay_la_LIBADD) $(LIBS) +tst-pam_faildelay-retval$(EXEEXT): $(tst_pam_faildelay_retval_OBJECTS) $(tst_pam_faildelay_retval_DEPENDENCIES) $(EXTRA_tst_pam_faildelay_retval_DEPENDENCIES) + @rm -f tst-pam_faildelay-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_faildelay_retval_OBJECTS) $(tst_pam_faildelay_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_faildelay.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_faildelay.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_faildelay-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +745,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +783,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +871,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +948,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +961,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +971,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +989,13 @@ tst-pam_faildelay.log: tst-pam_faildelay --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_faildelay-retval.log: tst-pam_faildelay-retval$(EXEEXT) + @p='tst-pam_faildelay-retval$(EXEEXT)'; \ + b='tst-pam_faildelay-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1011,10 @@ tst-pam_faildelay.log: tst-pam_faildelay @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1045,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1091,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_faildelay.Plo + -rm -f ./$(DEPDIR)/tst-pam_faildelay-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1142,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_faildelay.Plo + -rm -f ./$(DEPDIR)/tst-pam_faildelay-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1166,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1183,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_faildelay.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_faildelay/README.xml b/modules/pam_faildelay/README.xml index 64d4accc..8530a3d0 100644 --- a/modules/pam_faildelay/README.xml +++ b/modules/pam_faildelay/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" -"http://www.docbook.org/xml/4.4/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_faildelay.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faildelay-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_faildelay/pam_faildelay.8 b/modules/pam_faildelay/pam_faildelay.8 index 60818dda..0e798cd3 100644 --- a/modules/pam_faildelay/pam_faildelay.8 +++ b/modules/pam_faildelay/pam_faildelay.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_faildelay .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_FAILDELAY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FAILDELAY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -42,12 +42,12 @@ is given, pam_faildelay will use the value of FAIL_DELAY from /etc/login\&.defs\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to syslog\&. .RE .PP -\fBdelay=\fR\fB\fIN\fR\fR +delay=N .RS 4 Set the delay on failure to N microseconds\&. .RE @@ -87,7 +87,7 @@ auth optional pam_faildelay\&.so delay=10000000 \fBpam_fail_delay\fR(3), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&. diff --git a/modules/pam_faildelay/pam_faildelay.8.xml b/modules/pam_faildelay/pam_faildelay.8.xml index 57107203..49ec46f7 100644 --- a/modules/pam_faildelay/pam_faildelay.8.xml +++ b/modules/pam_faildelay/pam_faildelay.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - -<refentry id="pam_faildelay"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_faildelay"> <refmeta> <refentrytitle>pam_faildelay</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_faildelay-name"> + <refnamediv xml:id="pam_faildelay-name"> <refname>pam_faildelay</refname> <refpurpose>Change the delay on failure per-application</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_faildelay-cmdsynopsis"> + <cmdsynopsis xml:id="pam_faildelay-cmdsynopsis" sepchar=" "> <command>pam_faildelay.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> delay=<replaceable>microseconds</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_faildelay-description"> + <refsect1 xml:id="pam_faildelay-description"> <title>DESCRIPTION</title> @@ -41,13 +38,13 @@ </para> </refsect1> - <refsect1 id="pam_faildelay-options"> + <refsect1 xml:id="pam_faildelay-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -57,7 +54,7 @@ </varlistentry> <varlistentry> <term> - <option>delay=<replaceable>N</replaceable></option> + delay=N </term> <listitem> <para> @@ -68,14 +65,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_faildelay-types"> + <refsect1 xml:id="pam_faildelay-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_faildelay-return_values'> + <refsect1 xml:id="pam_faildelay-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -97,7 +94,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_faildelay-examples'> + <refsect1 xml:id="pam_faildelay-examples"> <title>EXAMPLES</title> <para> The following example will set the delay on failure to @@ -108,7 +105,7 @@ auth optional pam_faildelay.so delay=10000000 </para> </refsect1> - <refsect1 id='pam_faildelay-see_also'> + <refsect1 xml:id="pam_faildelay-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -121,16 +118,16 @@ auth optional pam_faildelay.so delay=10000000 <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_faildelay-author'> + <refsect1 xml:id="pam_faildelay-author"> <title>AUTHOR</title> <para> pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_faildelay/pam_faildelay.c b/modules/pam_faildelay/pam_faildelay.c index 7ea8f837..02c5fafd 100644 --- a/modules/pam_faildelay/pam_faildelay.c +++ b/modules/pam_faildelay/pam_faildelay.c @@ -1,6 +1,6 @@ -/* pam_faildelay module */ - /* + * pam_faildelay module + * * Allows an admin to set the delay on failure per-application. * Provides "auth" interface only. * @@ -70,86 +70,12 @@ #include <string.h> #include <stdlib.h> - -#define PAM_SM_AUTH - #include <security/pam_modules.h> #include <security/pam_ext.h> +#include <security/pam_modutil.h> - -#define BUF_SIZE 8192 #define LOGIN_DEFS "/etc/login.defs" -static char * -search_key (const char *filename) -{ - FILE *fp; - char *buf = NULL; - size_t buflen = 0; - char *retval = NULL; - - fp = fopen (filename, "r"); - if (NULL == fp) - return NULL; - - while (!feof (fp)) - { - char *tmp, *cp; -#if defined(HAVE_GETLINE) - ssize_t n = getline (&buf, &buflen, fp); -#elif defined (HAVE_GETDELIM) - ssize_t n = getdelim (&buf, &buflen, '\n', fp); -#else - ssize_t n; - - if (buf == NULL) - { - buflen = BUF_SIZE; - buf = malloc (buflen); - } - buf[0] = '\0'; - if (fgets (buf, buflen - 1, fp) == NULL) - break; - else if (buf != NULL) - n = strlen (buf); - else - n = 0; -#endif /* HAVE_GETLINE / HAVE_GETDELIM */ - cp = buf; - - if (n < 1) - break; - - tmp = strchr (cp, '#'); /* remove comments */ - if (tmp) - *tmp = '\0'; - while (isspace ((int)*cp)) /* remove spaces and tabs */ - ++cp; - if (*cp == '\0') /* ignore empty lines */ - continue; - - if (cp[strlen (cp) - 1] == '\n') - cp[strlen (cp) - 1] = '\0'; - - tmp = strsep (&cp, " \t="); - if (cp != NULL) - while (isspace ((int)*cp) || *cp == '=') - ++cp; - - if (strcasecmp (tmp, "FAIL_DELAY") == 0) - { - retval = strdup (cp); - break; - } - } - fclose (fp); - - free (buf); - - return retval; -} - - /* --- authentication management functions (only) --- */ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, @@ -171,7 +97,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, if (delay == -1) { char *endptr; - char *val = search_key (LOGIN_DEFS); + char *val = pam_modutil_search_key (pamh, LOGIN_DEFS, "FAIL_DELAY"); const char *val_orig = val; if (val == NULL) diff --git a/modules/pam_faildelay/tst-pam_faildelay-retval.c b/modules/pam_faildelay/tst-pam_faildelay-retval.c new file mode 100644 index 00000000..cbd8f2a8 --- /dev/null +++ b/modules/pam_faildelay/tst-pam_faildelay-retval.c @@ -0,0 +1,88 @@ +/* + * Check pam_faildelay return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_faildelay" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_IGNORE -> PAM_PERM_DENIED */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so delay=1\n" + "account required %s/.libs/%s.so delay=1\n" + "password required %s/.libs/%s.so delay=1\n" + "session required %s/.libs/%s.so delay=1\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_IGNORE -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so delay=1\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so delay=1\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so delay=1\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so delay=1\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_faillock/Makefile.am b/modules/pam_faillock/Makefile.am new file mode 100644 index 00000000..ec61aeb0 --- /dev/null +++ b/modules/pam_faillock/Makefile.am @@ -0,0 +1,57 @@ +# +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2008, 2018, 2020 Red Hat, Inc. +# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = $(XMLS) + +if HAVE_DOC +dist_man_MANS = pam_faillock.8 faillock.8 faillock.conf.5 +endif +XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.5.xml + +dist_check_SCRIPTS = tst-pam_faillock +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) + +securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else +secureconfdir = $(SCONFIGDIR) +endif + +noinst_HEADERS = faillock.h faillock_config.h + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +faillock_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ + +pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module +pam_faillock_la_LIBADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) +if HAVE_VERSIONING + pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +check_PROGRAMS = tst-pam_faillock-retval +tst_pam_faillock_retval_LDADD = $(top_builddir)/libpam/libpam.la + +faillock_LDFLAGS = @EXE_LDFLAGS@ +faillock_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) + +dist_secureconf_DATA = faillock.conf + +securelib_LTLIBRARIES = pam_faillock.la +sbin_PROGRAMS = faillock + +pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c +faillock_SOURCES = main.c faillock.c faillock_config.c + +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_tally2/Makefile.in b/modules/pam_faillock/Makefile.in index 8f144347..e9b62c30 100644 --- a/modules/pam_tally2/Makefile.in +++ b/modules/pam_faillock/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,14 +16,25 @@ # # Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> -# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008, 2018, 2020 Red Hat, Inc. +# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> # VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -87,30 +98,38 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map -sbin_PROGRAMS = pam_tally2$(EXEEXT) -subdir = modules/pam_tally2 -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README +check_PROGRAMS = tst-pam_faillock-retval$(EXEEXT) +sbin_PROGRAMS = faillock$(EXEEXT) +subdir = modules/pam_faillock ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(noinst_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(secureconfdir)" +PROGRAMS = $(sbin_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -138,26 +157,33 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ - "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) am__DEPENDENCIES_1 = -pam_tally2_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ +pam_faillock_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ $(am__DEPENDENCIES_1) -am_pam_tally2_la_OBJECTS = pam_tally2.lo -pam_tally2_la_OBJECTS = $(am_pam_tally2_la_OBJECTS) +am_pam_faillock_la_OBJECTS = pam_faillock.lo faillock.lo \ + faillock_config.lo +pam_faillock_la_OBJECTS = $(am_pam_faillock_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -pam_tally2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(pam_tally2_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(sbin_PROGRAMS) -am_pam_tally2_OBJECTS = pam_tally2_app.$(OBJEXT) -pam_tally2_OBJECTS = $(am_pam_tally2_OBJECTS) -pam_tally2_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ +pam_faillock_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(pam_faillock_la_LDFLAGS) $(LDFLAGS) \ + -o $@ +am_faillock_OBJECTS = faillock-main.$(OBJEXT) \ + faillock-faillock.$(OBJEXT) faillock-faillock_config.$(OBJEXT) +faillock_OBJECTS = $(am_faillock_OBJECTS) +faillock_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ $(am__DEPENDENCIES_1) +faillock_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(faillock_CFLAGS) \ + $(CFLAGS) $(faillock_LDFLAGS) $(LDFLAGS) -o $@ +tst_pam_faillock_retval_SOURCES = tst-pam_faillock-retval.c +tst_pam_faillock_retval_OBJECTS = tst-pam_faillock-retval.$(OBJEXT) +tst_pam_faillock_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -172,7 +198,12 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/faillock-faillock.Po \ + ./$(DEPDIR)/faillock-faillock_config.Po \ + ./$(DEPDIR)/faillock-main.Po ./$(DEPDIR)/faillock.Plo \ + ./$(DEPDIR)/faillock_config.Plo ./$(DEPDIR)/pam_faillock.Plo \ + ./$(DEPDIR)/tst-pam_faillock-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -192,17 +223,21 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(pam_tally2_la_SOURCES) $(pam_tally2_SOURCES) -DIST_SOURCES = $(pam_tally2_la_SOURCES) $(pam_tally2_SOURCES) +SOURCES = $(pam_faillock_la_SOURCES) $(faillock_SOURCES) \ + tst-pam_faillock-retval.c +DIST_SOURCES = $(pam_faillock_la_SOURCES) $(faillock_SOURCES) \ + tst-pam_faillock-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -378,6 +413,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -400,6 +436,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -419,24 +458,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -450,7 +498,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -469,11 +516,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -496,8 +546,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -508,11 +557,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -555,7 +611,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -563,9 +618,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -575,28 +627,37 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2 -man_MANS = pam_tally2.8 -XMLS = README.xml pam_tally2.8.xml -TESTS = tst-pam_tally2 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_faillock.8 faillock.8 faillock.conf.5 +XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.5.xml +dist_check_SCRIPTS = tst-pam_faillock +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -noinst_HEADERS = tallylog.h -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module \ +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +noinst_HEADERS = faillock.h faillock_config.h +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +faillock_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) -pam_tally2_la_LIBADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) -pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) -securelib_LTLIBRARIES = pam_tally2.la -pam_tally2_la_SOURCES = pam_tally2.c -pam_tally2_SOURCES = pam_tally2_app.c -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +pam_faillock_la_LIBADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) +tst_pam_faillock_retval_LDADD = $(top_builddir)/libpam/libpam.la +faillock_LDFLAGS = @EXE_LDFLAGS@ +faillock_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) +dist_secureconf_DATA = faillock.conf +securelib_LTLIBRARIES = pam_faillock.la +pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c +faillock_SOURCES = main.c faillock.c faillock_config.c +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -610,17 +671,16 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_tally2/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_faillock/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu modules/pam_tally2/Makefile -.PRECIOUS: Makefile + $(AUTOMAKE) --gnu modules/pam_faillock/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -632,43 +692,14 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ - } - -uninstall-securelibLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ - done - -clean-securelibLTLIBRARIES: - -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) - @list='$(securelib_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -pam_tally2.la: $(pam_tally2_la_OBJECTS) $(pam_tally2_la_DEPENDENCIES) $(EXTRA_pam_tally2_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_tally2_la_LINK) -rpath $(securelibdir) $(pam_tally2_la_OBJECTS) $(pam_tally2_la_LIBADD) $(LIBS) +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ @@ -719,9 +750,51 @@ clean-sbinPROGRAMS: echo " rm -f" $$list; \ rm -f $$list -pam_tally2$(EXEEXT): $(pam_tally2_OBJECTS) $(pam_tally2_DEPENDENCIES) $(EXTRA_pam_tally2_DEPENDENCIES) - @rm -f pam_tally2$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(pam_tally2_OBJECTS) $(pam_tally2_LDADD) $(LIBS) +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_faillock.la: $(pam_faillock_la_OBJECTS) $(pam_faillock_la_DEPENDENCIES) $(EXTRA_pam_faillock_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_faillock_la_LINK) -rpath $(securelibdir) $(pam_faillock_la_OBJECTS) $(pam_faillock_la_LIBADD) $(LIBS) + +faillock$(EXEEXT): $(faillock_OBJECTS) $(faillock_DEPENDENCIES) $(EXTRA_faillock_DEPENDENCIES) + @rm -f faillock$(EXEEXT) + $(AM_V_CCLD)$(faillock_LINK) $(faillock_OBJECTS) $(faillock_LDADD) $(LIBS) + +tst-pam_faillock-retval$(EXEEXT): $(tst_pam_faillock_retval_OBJECTS) $(tst_pam_faillock_retval_DEPENDENCIES) $(EXTRA_tst_pam_faillock_retval_DEPENDENCIES) + @rm -f tst-pam_faillock-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_faillock_retval_OBJECTS) $(tst_pam_faillock_retval_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -729,22 +802,33 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally2.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally2_app.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock-faillock.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock-faillock_config.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock-main.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock_config.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_faillock.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_faillock-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -753,15 +837,100 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +faillock-main.o: main.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-main.o -MD -MP -MF $(DEPDIR)/faillock-main.Tpo -c -o faillock-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-main.Tpo $(DEPDIR)/faillock-main.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='main.c' object='faillock-main.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-main.o `test -f 'main.c' || echo '$(srcdir)/'`main.c + +faillock-main.obj: main.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-main.obj -MD -MP -MF $(DEPDIR)/faillock-main.Tpo -c -o faillock-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-main.Tpo $(DEPDIR)/faillock-main.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='main.c' object='faillock-main.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-main.obj `if test -f 'main.c'; then $(CYGPATH_W) 'main.c'; else $(CYGPATH_W) '$(srcdir)/main.c'; fi` + +faillock-faillock.o: faillock.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-faillock.o -MD -MP -MF $(DEPDIR)/faillock-faillock.Tpo -c -o faillock-faillock.o `test -f 'faillock.c' || echo '$(srcdir)/'`faillock.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-faillock.Tpo $(DEPDIR)/faillock-faillock.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='faillock.c' object='faillock-faillock.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock.o `test -f 'faillock.c' || echo '$(srcdir)/'`faillock.c + +faillock-faillock.obj: faillock.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-faillock.obj -MD -MP -MF $(DEPDIR)/faillock-faillock.Tpo -c -o faillock-faillock.obj `if test -f 'faillock.c'; then $(CYGPATH_W) 'faillock.c'; else $(CYGPATH_W) '$(srcdir)/faillock.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-faillock.Tpo $(DEPDIR)/faillock-faillock.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='faillock.c' object='faillock-faillock.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock.obj `if test -f 'faillock.c'; then $(CYGPATH_W) 'faillock.c'; else $(CYGPATH_W) '$(srcdir)/faillock.c'; fi` + +faillock-faillock_config.o: faillock_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-faillock_config.o -MD -MP -MF $(DEPDIR)/faillock-faillock_config.Tpo -c -o faillock-faillock_config.o `test -f 'faillock_config.c' || echo '$(srcdir)/'`faillock_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-faillock_config.Tpo $(DEPDIR)/faillock-faillock_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='faillock_config.c' object='faillock-faillock_config.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock_config.o `test -f 'faillock_config.c' || echo '$(srcdir)/'`faillock_config.c + +faillock-faillock_config.obj: faillock_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-faillock_config.obj -MD -MP -MF $(DEPDIR)/faillock-faillock_config.Tpo -c -o faillock-faillock_config.obj `if test -f 'faillock_config.c'; then $(CYGPATH_W) 'faillock_config.c'; else $(CYGPATH_W) '$(srcdir)/faillock_config.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-faillock_config.Tpo $(DEPDIR)/faillock-faillock_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='faillock_config.c' object='faillock-faillock_config.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock_config.obj `if test -f 'faillock_config.c'; then $(CYGPATH_W) 'faillock_config.c'; else $(CYGPATH_W) '$(srcdir)/faillock_config.c'; fi` + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-man8: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -796,11 +965,32 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +install-dist_secureconfDATA: $(dist_secureconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(secureconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ + done + +uninstall-dist_secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -884,7 +1074,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -961,7 +1151,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -974,7 +1164,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -984,7 +1174,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -995,9 +1185,16 @@ recheck: all am__force_recheck=am--force-recheck \ TEST_LOGS="$$log_list"; \ exit $$? -tst-pam_tally2.log: tst-pam_tally2 - @p='tst-pam_tally2'; \ - b='tst-pam_tally2'; \ +tst-pam_faillock.log: tst-pam_faillock + @p='tst-pam_faillock'; \ + b='tst-pam_faillock'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_faillock-retval.log: tst-pam_faillock-retval$(EXEEXT) + @p='tst-pam_faillock-retval$(EXEEXT)'; \ + b='tst-pam_faillock-retval'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1017,7 +1214,10 @@ tst-pam_tally2.log: tst-pam_tally2 @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1048,11 +1248,13 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1092,11 +1294,17 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/faillock-faillock.Po + -rm -f ./$(DEPDIR)/faillock-faillock_config.Po + -rm -f ./$(DEPDIR)/faillock-main.Po + -rm -f ./$(DEPDIR)/faillock.Plo + -rm -f ./$(DEPDIR)/faillock_config.Plo + -rm -f ./$(DEPDIR)/pam_faillock.Plo + -rm -f ./$(DEPDIR)/tst-pam_faillock-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1113,7 +1321,8 @@ info: info-am info-am: -install-data-am: install-man install-securelibLTLIBRARIES +install-data-am: install-dist_secureconfDATA install-man \ + install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1129,7 +1338,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-man5 install-man8 install-pdf: install-pdf-am @@ -1142,7 +1351,13 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/faillock-faillock.Po + -rm -f ./$(DEPDIR)/faillock-faillock_config.Po + -rm -f ./$(DEPDIR)/faillock-main.Po + -rm -f ./$(DEPDIR)/faillock.Plo + -rm -f ./$(DEPDIR)/faillock_config.Plo + -rm -f ./$(DEPDIR)/pam_faillock.Plo + -rm -f ./$(DEPDIR)/tst-pam_faillock-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1159,32 +1374,35 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ - uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ + uninstall-sbinPROGRAMS uninstall-securelibLTLIBRARIES -uninstall-man: uninstall-man8 +uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-data-am install-dist_secureconfDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-sbinPROGRAMS \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ + recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_secureconfDATA uninstall-man uninstall-man5 \ uninstall-man8 uninstall-sbinPROGRAMS \ uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_tally2.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_faillock/README b/modules/pam_faillock/README new file mode 100644 index 00000000..574b37bd --- /dev/null +++ b/modules/pam_faillock/README @@ -0,0 +1,144 @@ +pam_faillock — Module counting authentication failures during a specified +interval + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +This module maintains a list of failed authentication attempts per user during +a specified interval and locks the account in case there were more than deny +consecutive failed authentications. + +Normally, failed attempts to authenticate root will not cause the root account +to become blocked, to prevent denial-of-service: if your users aren't given +shell accounts and root may only login via su or at the machine console (not +telnet/rsh, etc), this is safe. + +OPTIONS + +{preauth|authfail|authsucc} + + This argument must be set accordingly to the position of this module + instance in the PAM stack. + + The preauth argument must be used when the module is called before the + modules which ask for the user credentials such as the password. The module + just examines whether the user should be blocked from accessing the service + in case there were anomalous number of failed consecutive authentication + attempts recently. This call is optional if authsucc is used. + + The authfail argument must be used when the module is called after the + modules which determine the authentication outcome, failed. Unless the user + is already blocked due to previous authentication failures, the module will + record the failure into the appropriate user tally file. + + The authsucc argument must be used when the module is called after the + modules which determine the authentication outcome, succeeded. Unless the + user is already blocked due to previous authentication failures, the module + will then clear the record of the failures in the respective user tally + file. Otherwise it will return authentication error. If this call is not + done, the pam_faillock will not distinguish between consecutive and + non-consecutive failed authentication attempts. The preauth call must be + used in such case. Due to complications in the way the PAM stack can be + configured it is also possible to call pam_faillock as an account module. + In such configuration the module must be also called in the preauth stage. + +conf=/path/to/config-file + + Use another configuration file instead of the default /etc/security/ + faillock.conf. + + Use another configuration file instead of the default which is to use the + file /etc/security/faillock.conf or, if that one is not present, the file + %vendordir%/security/faillock.conf. + +The options for configuring the module behavior are described in the +faillock.conf(5) manual page. The options specified on the module command line +override the values from the configuration file. + +NOTES + +Configuring options on the module command line is not recommend. The /etc/ +security/faillock.conf should be used instead. + +The setup of pam_faillock in the PAM stack is different from the pam_tally2 +module setup. + +Individual files with the failure records are created as owned by the user. +This allows pam_faillock.so module to work correctly when it is called from a +screensaver. + +Note that using the module in preauth without the silent option specified in / +etc/security/faillock.conf or with requisite control field leaks an information +about existence or non-existence of a user account in the system because the +failures are not recorded for the unknown users. The message about the user +account being locked is never displayed for non-existing user accounts allowing +the adversary to infer that a particular account is not existing on a system. + +EXAMPLES + +Here are two possible configuration examples for /etc/pam.d/login. They make +pam_faillock to lock the account after 4 consecutive failed logins during the +default interval of 15 minutes. Root account will be locked as well. The +accounts will be automatically unlocked after 20 minutes. + +In the first example the module is called only in the auth phase and the module +does not print any information about the account being blocked by pam_faillock. +The preauth call can be added to tell users that their logins are blocked by +the module and also to abort the authentication without even asking for +password in such case. + +/etc/security/faillock.conf file example: + +deny=4 +unlock_time=1200 +silent + + +/etc/pam.d/config file example: + +auth required pam_securetty.so +auth required pam_env.so +auth required pam_nologin.so +# optionally call: auth requisite pam_faillock.so preauth +# to display the message about account being locked +auth [success=1 default=bad] pam_unix.so +auth [default=die] pam_faillock.so authfail +auth sufficient pam_faillock.so authsucc +auth required pam_deny.so +account required pam_unix.so +password required pam_unix.so shadow +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_unix.so +session required pam_selinux.so open + + +In the second example the module is called both in the auth and account phases +and the module informs the authenticating user when the account is locked if +silent option is not specified in the faillock.conf. + +auth required pam_securetty.so +auth required pam_env.so +auth required pam_nologin.so +auth required pam_faillock.so preauth +# optionally use requisite above if you do not want to prompt for the password +# on locked accounts +auth sufficient pam_unix.so +auth [default=die] pam_faillock.so authfail +auth required pam_deny.so +account required pam_faillock.so +# if you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures +account required pam_unix.so +password required pam_unix.so shadow +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_unix.so +session required pam_selinux.so open + + +AUTHOR + +pam_faillock was written by Tomas Mraz. + diff --git a/modules/pam_faillock/README.xml b/modules/pam_faillock/README.xml new file mode 100644 index 00000000..a62c917a --- /dev/null +++ b/modules/pam_faillock/README.xml @@ -0,0 +1,31 @@ +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-name")/*)'/> + </title> + + </info> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-description")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-options")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-notes")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-examples")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-author")/*)'/> + </section> + +</article>
\ No newline at end of file diff --git a/modules/pam_faillock/faillock.8 b/modules/pam_faillock/faillock.8 new file mode 100644 index 00000000..5d9c5db8 --- /dev/null +++ b/modules/pam_faillock/faillock.8 @@ -0,0 +1,87 @@ +'\" t +.\" Title: faillock +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "FAILLOCK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +faillock \- Tool for displaying and modifying the authentication failure record files +.SH "SYNOPSIS" +.HP \w'\fBfaillock\fR\ 'u +\fBfaillock\fR [\-\-dir\ \fI/path/to/tally\-directory\fR] [\-\-user\ \fIusername\fR] [\-\-reset] +.SH "DESCRIPTION" +.PP +The +\fIpam_faillock\&.so\fR +module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than +\fIdeny\fR +consecutive failed authentications\&. It stores the failure records into per\-user files in the tally directory\&. +.PP +The +\fBfaillock\fR +command is an application which can be used to examine and modify the contents of the tally files\&. It can display the recent failed authentication attempts of the +\fIusername\fR +or clear the tally files of all or individual +\fIusernames\fR\&. +.SH "OPTIONS" +.PP +\-\-conf /path/to/config\-file +.RS 4 +The file where the configuration is located\&. The default is +/etc/security/faillock\&.conf\&. +.RE +.PP +\-\-dir /path/to/tally\-directory +.RS 4 +The directory where the user files with the failure records are kept\&. +.sp +The priority to set this option is to use the value provided from the command line\&. If this isn\*(Aqt provided, then the value from the configuration file is used\&. Finally, if neither of them has been provided, then +/var/run/faillock +is used\&. +.RE +.PP +\-\-user username +.RS 4 +The user whose failure records should be displayed or cleared\&. +.RE +.PP +\-\-reset +.RS 4 +Instead of displaying the user\*(Aqs failure records, clear them\&. +.RE +.SH "FILES" +.PP +/var/run/faillock/* +.RS 4 +the files logging the authentication failures for users +.RE +.SH "SEE ALSO" +.PP +\fBpam_faillock\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +faillock was written by Tomas Mraz\&. diff --git a/modules/pam_faillock/faillock.8.xml b/modules/pam_faillock/faillock.8.xml new file mode 100644 index 00000000..74440fc8 --- /dev/null +++ b/modules/pam_faillock/faillock.8.xml @@ -0,0 +1,137 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="faillock"> + + <refmeta> + <refentrytitle>faillock</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pam_faillock-name"> + <refname>faillock</refname> + <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis xml:id="faillock-cmdsynopsis" sepchar=" "> + <command>faillock</command> + <arg choice="opt" rep="norepeat"> + --dir <replaceable>/path/to/tally-directory</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + --user <replaceable>username</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + --reset + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 xml:id="faillock-description"> + + <title>DESCRIPTION</title> + + <para> + The <emphasis>pam_faillock.so</emphasis> module maintains a list of + failed authentication attempts per user during a specified interval + and locks the account in case there were more than + <replaceable>deny</replaceable> consecutive failed authentications. + It stores the failure records into per-user files in the tally + directory. + </para> + <para> + The <command>faillock</command> command is an application which + can be used to examine and modify the contents of the + tally files. It can display the recent failed authentication + attempts of the <replaceable>username</replaceable> or clear the tally + files of all or individual <replaceable>usernames</replaceable>. + </para> + </refsect1> + + <refsect1 xml:id="faillock-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + --conf /path/to/config-file + </term> + <listitem> + <para> + The file where the configuration is located. The default is + <filename>/etc/security/faillock.conf</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + --dir /path/to/tally-directory + </term> + <listitem> + <para> + The directory where the user files with the failure records are kept. + </para> + <para> + The priority to set this option is to use the value provided + from the command line. If this isn't provided, then the value + from the configuration file is used. Finally, if neither of + them has been provided, then + <filename>/var/run/faillock</filename> is used. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + --user username + </term> + <listitem> + <para> + The user whose failure records should be displayed or cleared. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + --reset + </term> + <listitem> + <para> + Instead of displaying the user's failure records, clear them. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="faillock-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term>/var/run/faillock/*</term> + <listitem> + <para>the files logging the authentication failures for users</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="faillock-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="faillock-author"> + <title>AUTHOR</title> + <para> + faillock was written by Tomas Mraz. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c new file mode 100644 index 00000000..091f253a --- /dev/null +++ b/modules/pam_faillock/faillock.c @@ -0,0 +1,176 @@ +/* + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010, 2016, 2017 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <errno.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/file.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <security/pam_modutil.h> + +#include "faillock.h" + +#define ignore_return(x) if (1==((int)x)) {;} + +int +open_tally (const char *dir, const char *user, uid_t uid, int create) +{ + char *path; + int flags = O_RDWR; + int fd; + + if (dir == NULL || strstr(user, "../") != NULL) + /* just a defensive programming as the user must be a + * valid user on the system anyway + */ + return -1; + path = malloc(strlen(dir) + strlen(user) + 2); + if (path == NULL) + return -1; + + strcpy(path, dir); + if (*dir && dir[strlen(dir) - 1] != '/') { + strcat(path, "/"); + } + strcat(path, user); + + if (create) { + flags |= O_CREAT; + if (access(dir, F_OK) != 0) { + mkdir(dir, 0755); + } + } + + fd = open(path, flags, 0660); + + free(path); + + if (fd != -1) { + struct stat st; + + while (flock(fd, LOCK_EX) == -1 && errno == EINTR); + if (fstat(fd, &st) == 0) { + if (st.st_uid != uid) { + ignore_return(fchown(fd, uid, -1)); + } + + /* + * If umask is set to 022, as will probably in most systems, then the + * group will not be able to write to the file. So, change the file + * permissions just in case. + * Note: owners of this file are user:root, so if the permissions are + * not changed the root process writing to this file will require + * CAP_DAC_OVERRIDE. + */ + if (!(st.st_mode & S_IWGRP)) { + ignore_return(fchmod(fd, 0660)); + } + } + } + + return fd; +} + +#define CHUNK_SIZE (64 * sizeof(struct tally)) +#define MAX_RECORDS 1024 + +int +read_tally(int fd, struct tally_data *tallies) +{ + void *data = NULL, *newdata; + unsigned int count = 0; + ssize_t chunk = 0; + + do { + newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); + if (newdata == NULL) { + free(data); + return -1; + } + + data = newdata; + + chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); + if (chunk < 0) { + free(data); + return -1; + } + + count += chunk/sizeof(struct tally); + + if (count >= MAX_RECORDS) + break; + } + while (chunk == CHUNK_SIZE); + + tallies->records = data; + tallies->count = count; + + return 0; +} + +int +update_tally(int fd, struct tally_data *tallies) +{ + void *data = tallies->records; + unsigned int count = tallies->count; + ssize_t chunk; + + if (tallies->count > MAX_RECORDS) { + data = tallies->records + (count - MAX_RECORDS); + count = MAX_RECORDS; + } + + if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { + return -1; + } + + chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); + + if (chunk != (ssize_t)(count * sizeof(struct tally))) { + return -1; + } + + if (ftruncate(fd, count * sizeof(struct tally)) == -1) + return -1; + + return 0; +} diff --git a/modules/pam_faillock/faillock.conf b/modules/pam_faillock/faillock.conf new file mode 100644 index 00000000..16d93df7 --- /dev/null +++ b/modules/pam_faillock/faillock.conf @@ -0,0 +1,62 @@ +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +# dir = /var/run/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +# audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +# deny = 3 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is <replaceable>n</replaceable> seconds. +# The default is 900 (15 minutes). +# fail_interval = 900 +# +# The access will be re-enabled after n seconds after the lock out. +# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +# unlock_time = 600 +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +# even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. +# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = <admin_group_name> diff --git a/modules/pam_faillock/faillock.conf.5 b/modules/pam_faillock/faillock.conf.5 new file mode 100644 index 00000000..fd257b08 --- /dev/null +++ b/modules/pam_faillock/faillock.conf.5 @@ -0,0 +1,175 @@ +'\" t +.\" Title: faillock.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "FAILLOCK\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +faillock.conf \- pam_faillock configuration file +.SH "DESCRIPTION" +.PP +\fBfaillock\&.conf\fR +provides a way to configure the default settings for locking the user after multiple failed authentication attempts\&. This file is read by the +\fIpam_faillock\fR +module and is the preferred method over configuring +\fIpam_faillock\fR +directly\&. +.PP +The file has a very simple +\fIname = value\fR +format with possible comments starting with +\fI#\fR +character\&. The whitespace at the beginning of line, end of line, and around the +\fI=\fR +sign is ignored\&. +.SH "OPTIONS" +.PP +dir=/path/to/tally\-directory +.RS 4 +The directory where the user files with the failure records are kept\&. The default is +/var/run/faillock\&. +.sp +Note: These files will disappear after reboot on systems configured with directory +/var/run/faillock +mounted on virtual memory\&. +.RE +.PP +audit +.RS 4 +Will log the user name into the system log if the user is not found\&. +.RE +.PP +silent +.RS 4 +Don\*(Aqt print informative messages to the user\&. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non\-existing users\&. +.RE +.PP +no_log_info +.RS 4 +Don\*(Aqt log informative messages via +\fBsyslog\fR(3)\&. +.RE +.PP +local_users_only +.RS 4 +Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc\&.) users\&. The +\fBfaillock\fR(8) +command will also no longer track user failed authentication attempts\&. Enabling this option will prevent a double\-lockout scenario where a user is locked out locally and in the centralized mechanism\&. +.RE +.PP +nodelay +.RS 4 +Don\*(Aqt enforce a delay after authentication failures\&. +.RE +.PP +deny=n +.RS 4 +Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds +\fIn\fR\&. The default is 3\&. +.RE +.PP +fail_interval=n +.RS 4 +The length of the interval during which the consecutive authentication failures must happen for the user account lock out is +\fIn\fR +seconds\&. The default is 900 (15 minutes)\&. +.RE +.PP +unlock_time=n +.RS 4 +The access will be re\-enabled after +\fIn\fR +seconds after the lock out\&. The value 0 has the same meaning as value +\fInever\fR +\- the access will not be re\-enabled without resetting the faillock entries by the +\fBfaillock\fR(8) +command\&. The default is 600 (10 minutes)\&. +.sp +Note that the default directory that +\fIpam_faillock\fR +uses is usually cleared on system boot so the access will be also re\-enabled after system reboot\&. If that is undesirable a different tally directory must be set with the +\fBdir\fR +option\&. +.sp +Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers\&. +.RE +.PP +even_deny_root +.RS 4 +Root account can become locked as well as regular accounts\&. +.RE +.PP +root_unlock_time=n +.RS 4 +This option implies +\fBeven_deny_root\fR +option\&. Allow access after +\fIn\fR +seconds to root account after the account is locked\&. In case the option is not specified the value is the same as of the +\fBunlock_time\fR +option\&. +.RE +.PP +admin_group=name +.RS 4 +If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options +\fBeven_deny_root\fR +and +\fBroot_unlock_time\fR +will apply to them\&. By default the option is not set\&. +.RE +.SH "EXAMPLES" +.PP +/etc/security/faillock\&.conf file example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +deny=4 +unlock_time=1200 +silent + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/etc/security/faillock\&.conf +.RS 4 +the config file for custom options +.RE +.SH "SEE ALSO" +.PP +\fBfaillock\fR(8), +\fBpam_faillock\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_faillock was written by Tomas Mraz\&. The support for faillock\&.conf was written by Brian Ward\&. diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml new file mode 100644 index 00000000..cc750fbf --- /dev/null +++ b/modules/pam_faillock/faillock.conf.5.xml @@ -0,0 +1,254 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="faillock.conf"> + + <refmeta> + <refentrytitle>faillock.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="faillock.conf-name"> + <refname>faillock.conf</refname> + <refpurpose>pam_faillock configuration file</refpurpose> + </refnamediv> + + <refsect1 xml:id="faillock.conf-description"> + + <title>DESCRIPTION</title> + <para> + <emphasis remap="B">faillock.conf</emphasis> provides a way to configure the + default settings for locking the user after multiple failed authentication attempts. + This file is read by the <emphasis>pam_faillock</emphasis> module and is the + preferred method over configuring <emphasis>pam_faillock</emphasis> directly. + </para> + <para> + The file has a very simple <emphasis>name = value</emphasis> format with possible comments + starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end + of line, and around the <emphasis>=</emphasis> sign is ignored. + </para> + </refsect1> + + <refsect1 xml:id="faillock.conf-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + dir=/path/to/tally-directory + </term> + <listitem> + <para> + The directory where the user files with the failure records are kept. The + default is <filename>/var/run/faillock</filename>. + </para> + <para> + Note: These files will disappear after reboot on systems configured with + directory <filename>/var/run/faillock</filename> mounted on virtual memory. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + audit + </term> + <listitem> + <para> + Will log the user name into the system log if the user is not found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + silent + </term> + <listitem> + <para> + Don't print informative messages to the user. Please note that when + this option is not used there will be difference in the authentication + behavior for users which exist on the system and non-existing users. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + no_log_info + </term> + <listitem> + <para> + Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + local_users_only + </term> + <listitem> + <para> + Only track failed user authentications attempts for local users + in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. + The <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> + command will also no longer track user failed + authentication attempts. Enabling this option will prevent a + double-lockout scenario where a user is locked out locally and + in the centralized mechanism. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + nodelay + </term> + <listitem> + <para> + Don't enforce a delay after authentication failures. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + deny=n + </term> + <listitem> + <para> + Deny access if the number of consecutive authentication failures + for this user during the recent interval exceeds + <replaceable>n</replaceable>. The default is 3. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + fail_interval=n + </term> + <listitem> + <para> + The length of the interval during which the consecutive + authentication failures must happen for the user account + lock out is <replaceable>n</replaceable> seconds. + The default is 900 (15 minutes). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + unlock_time=n + </term> + <listitem> + <para> + The access will be re-enabled after + <replaceable>n</replaceable> seconds after the lock out. + The value 0 has the same meaning as value + <emphasis>never</emphasis> - the access + will not be re-enabled without resetting the faillock + entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command. + The default is 600 (10 minutes). + </para> + <para> + Note that the default directory that <emphasis>pam_faillock</emphasis> + uses is usually cleared on system boot so the access will be also re-enabled + after system reboot. If that is undesirable a different tally directory + must be set with the <option>dir</option> option. + </para> + <para> + Also note that it is usually undesirable to permanently lock + out users as they can become easily a target of denial of service + attack unless the usernames are random and kept secret to potential + attackers. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + even_deny_root + </term> + <listitem> + <para> + Root account can become locked as well as regular accounts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + root_unlock_time=n + </term> + <listitem> + <para> + This option implies <option>even_deny_root</option> option. + Allow access after <replaceable>n</replaceable> seconds + to root account after the account is locked. In case the + option is not specified the value is the same as of the + <option>unlock_time</option> option. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + admin_group=name + </term> + <listitem> + <para> + If a group name is specified with this option, members + of the group will be handled by this module the same as + the root account (the options <option>even_deny_root</option> + and <option>root_unlock_time</option> will apply to them. + By default the option is not set. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="faillock.conf-examples"> + <title>EXAMPLES</title> + <para> + /etc/security/faillock.conf file example: + </para> + <programlisting> +deny=4 +unlock_time=1200 +silent + </programlisting> + </refsect1> + + <refsect1 xml:id="faillock.conf-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term>/etc/security/faillock.conf</term> + <listitem> + <para>the config file for custom options</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="faillock.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="faillock.conf-author"> + <title>AUTHOR</title> + <para> + pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h new file mode 100644 index 00000000..0ea0ffba --- /dev/null +++ b/modules/pam_faillock/faillock.h @@ -0,0 +1,74 @@ +/* + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * faillock.h - authentication failure data file record structure + * + * Each record in the file represents an instance of login failure of + * the user at the recorded time. + */ + + +#ifndef _FAILLOCK_H +#define _FAILLOCK_H + +#include <stdint.h> +#include <sys/types.h> + +#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ +#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ +#define TALLY_STATUS_TTY 0x4 /* the source is tty */ +/* If neither TALLY_FLAG_RHOST nor TALLY_FLAG_TTY are set the source is service. */ + +struct tally { + char source[52]; /* rhost or tty of the login failure */ + /* (not necessarily NULL terminated) */ + uint16_t reserved; /* reserved for future use */ + uint16_t status; /* record status */ + uint64_t time; /* time of the login failure */ +}; +/* 64 bytes per entry */ + +struct tally_data { + struct tally *records; /* array of tallies */ + unsigned int count; /* number of records */ +}; + +#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" + +int open_tally(const char *dir, const char *user, uid_t uid, int create); +int read_tally(int fd, struct tally_data *tallies); +int update_tally(int fd, struct tally_data *tallies); +#endif diff --git a/modules/pam_faillock/faillock_config.c b/modules/pam_faillock/faillock_config.c new file mode 100644 index 00000000..0d14aad1 --- /dev/null +++ b/modules/pam_faillock/faillock_config.c @@ -0,0 +1,266 @@ +/* + * Copyright (c) 2022 Tomas Mraz <tm@t8m.info> + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <ctype.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> + +#include <security/pam_modules.h> + +#include "faillock_config.h" +#include "faillock.h" + +#define FAILLOCK_DEFAULT_CONF SCONFIGDIR "/faillock.conf" +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_FAILLOCK_DEFAULT_CONF VENDOR_SCONFIGDIR "/faillock.conf" +#endif + +static void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3)) +config_log(const pam_handle_t *pamh, int priority, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + if (pamh) { + pam_vsyslog(pamh, priority, fmt, args); + } else { + char *buf = NULL; + + if (vasprintf(&buf, fmt, args) < 0) { + fprintf(stderr, "vasprintf: %m"); + va_end(args); + return; + } + fprintf(stderr, "%s\n", buf); + free(buf); + } + va_end(args); +} + +/* parse a single configuration file */ +int +read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile) +{ + char linebuf[FAILLOCK_CONF_MAX_LINELEN+1]; + const char *fname = (cfgfile != NULL) ? cfgfile : FAILLOCK_DEFAULT_CONF; + FILE *f = fopen(fname, "r"); + +#ifdef VENDOR_FAILLOCK_DEFAULT_CONF + if (f == NULL && errno == ENOENT && cfgfile == NULL) { + /* + * If the default configuration file in /etc does not exist, + * try the vendor configuration file as fallback. + */ + f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r"); + } +#endif /* VENDOR_FAILLOCK_DEFAULT_CONF */ + + if (f == NULL) { + /* ignore non-existent default config file */ + if (errno == ENOENT && cfgfile == NULL) + return PAM_SUCCESS; + return PAM_SERVICE_ERR; + } + + while (fgets(linebuf, sizeof(linebuf), f) != NULL) { + size_t len; + char *ptr; + char *name; + int eq; + + len = strlen(linebuf); + /* len cannot be 0 unless there is a bug in fgets */ + if (len && linebuf[len - 1] != '\n' && !feof(f)) { + (void) fclose(f); + return PAM_SERVICE_ERR; + } + + if ((ptr=strchr(linebuf, '#')) != NULL) { + *ptr = '\0'; + } else { + ptr = linebuf + len; + } + + /* drop terminating whitespace including the \n */ + while (ptr > linebuf) { + if (!isspace(*(ptr-1))) { + *ptr = '\0'; + break; + } + --ptr; + } + + /* skip initial whitespace */ + for (ptr = linebuf; isspace(*ptr); ptr++); + if (*ptr == '\0') + continue; + + /* grab the key name */ + eq = 0; + name = ptr; + while (*ptr != '\0') { + if (isspace(*ptr) || *ptr == '=') { + eq = *ptr == '='; + *ptr = '\0'; + ++ptr; + break; + } + ++ptr; + } + + /* grab the key value */ + while (*ptr != '\0') { + if (*ptr != '=' || eq) { + if (!isspace(*ptr)) { + break; + } + } else { + eq = 1; + } + ++ptr; + } + + /* set the key:value pair on opts */ + set_conf_opt(pamh, opts, name, ptr); + } + + (void)fclose(f); + return PAM_SUCCESS; +} + +void +set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, + const char *value) +{ + if (strcmp(name, "dir") == 0) { + if (value[0] != '/') { + config_log(pamh, LOG_ERR, + "Tally directory is not absolute path (%s); keeping value", + value); + } else { + free(opts->dir); + opts->dir = strdup(value); + if (opts->dir == NULL) { + opts->fatal_error = 1; + config_log(pamh, LOG_CRIT, "Error allocating memory: %m"); + } + } + } + else if (strcmp(name, "deny") == 0) { + if (sscanf(value, "%hu", &opts->deny) != 1) { + config_log(pamh, LOG_ERR, + "Bad number supplied for deny argument"); + } + } + else if (strcmp(name, "fail_interval") == 0) { + unsigned int temp; + if (sscanf(value, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + config_log(pamh, LOG_ERR, + "Bad number supplied for fail_interval argument"); + } else { + opts->fail_interval = temp; + } + } + else if (strcmp(name, "unlock_time") == 0) { + unsigned int temp; + + if (strcmp(value, "never") == 0) { + opts->unlock_time = 0; + } + else if (sscanf(value, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + config_log(pamh, LOG_ERR, + "Bad number supplied for unlock_time argument"); + } + else { + opts->unlock_time = temp; + } + } + else if (strcmp(name, "root_unlock_time") == 0) { + unsigned int temp; + + if (strcmp(value, "never") == 0) { + opts->root_unlock_time = 0; + } + else if (sscanf(value, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + config_log(pamh, LOG_ERR, + "Bad number supplied for root_unlock_time argument"); + } else { + opts->root_unlock_time = temp; + } + } + else if (strcmp(name, "admin_group") == 0) { + free(opts->admin_group); + opts->admin_group = strdup(value); + if (opts->admin_group == NULL) { + opts->fatal_error = 1; + config_log(pamh, LOG_CRIT, "Error allocating memory: %m"); + } + } + else if (strcmp(name, "even_deny_root") == 0) { + opts->flags |= FAILLOCK_FLAG_DENY_ROOT; + } + else if (strcmp(name, "audit") == 0) { + opts->flags |= FAILLOCK_FLAG_AUDIT; + } + else if (strcmp(name, "silent") == 0) { + opts->flags |= FAILLOCK_FLAG_SILENT; + } + else if (strcmp(name, "no_log_info") == 0) { + opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; + } + else if (strcmp(name, "local_users_only") == 0) { + opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY; + } + else if (strcmp(name, "nodelay") == 0) { + opts->flags |= FAILLOCK_FLAG_NO_DELAY; + } + else { + config_log(pamh, LOG_ERR, "Unknown option: %s", name); + } +} + +const char *get_tally_dir(const struct options *opts) +{ + return (opts->dir != NULL) ? opts->dir : FAILLOCK_DEFAULT_TALLYDIR; +} diff --git a/modules/pam_faillock/faillock_config.h b/modules/pam_faillock/faillock_config.h new file mode 100644 index 00000000..04bc699b --- /dev/null +++ b/modules/pam_faillock/faillock_config.h @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2022 Tomas Mraz <tm@t8m.info> + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * faillock_config.h - load configuration options from file + * + */ + +#ifndef _FAILLOCK_CONFIG_H +#define _FAILLOCK_CONFIG_H + +#include <limits.h> +#include <stdint.h> +#include <sys/types.h> + +#include <security/pam_ext.h> + +#define FAILLOCK_FLAG_DENY_ROOT 0x1 +#define FAILLOCK_FLAG_AUDIT 0x2 +#define FAILLOCK_FLAG_SILENT 0x4 +#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 +#define FAILLOCK_FLAG_UNLOCKED 0x10 +#define FAILLOCK_FLAG_LOCAL_ONLY 0x20 +#define FAILLOCK_FLAG_NO_DELAY 0x40 + +#define FAILLOCK_CONF_MAX_LINELEN 1023 +#define MAX_TIME_INTERVAL 604800 /* 7 days */ + +struct options { + unsigned int action; + unsigned int flags; + unsigned short deny; + unsigned int fail_interval; + unsigned int unlock_time; + unsigned int root_unlock_time; + char *dir; + const char *user; + char *admin_group; + int failures; + uint64_t latest_time; + uid_t uid; + int is_admin; + uint64_t now; + int fatal_error; + + unsigned int reset; + const char *progname; + int legacy_output; /* show failure info in pam_tally2 style */ +}; + +int read_config_file(pam_handle_t *pamh, struct options *opts, + const char *cfgfile); +void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, + const char *value); +const char *get_tally_dir(const struct options *opts); + +#endif /* _FAILLOCK_CONFIG_H */ diff --git a/modules/pam_faillock/main.c b/modules/pam_faillock/main.c new file mode 100644 index 00000000..136be834 --- /dev/null +++ b/modules/pam_faillock/main.c @@ -0,0 +1,329 @@ +/* + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <dirent.h> +#include <errno.h> +#include <pwd.h> +#include <time.h> +#include <sys/types.h> +#include <unistd.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> + +#define AUDIT_NO_ID ((unsigned int) -1) +#endif + +#include "pam_inline.h" +#include "faillock.h" +#include "faillock_config.h" + +static int +args_parse(int argc, char **argv, struct options *opts) +{ + int i; + int rv; + const char *dir = NULL; + const char *conf = NULL; + + memset(opts, 0, sizeof(*opts)); + + opts->progname = argv[0]; + + for (i = 1; i < argc; ++i) { + if (strcmp(argv[i], "--conf") == 0) { + ++i; + if (i >= argc || strlen(argv[i]) == 0) { + fprintf(stderr, "%s: No configuration file supplied.\n", + argv[0]); + return -1; + } + conf = argv[i]; + } + else if (strcmp(argv[i], "--dir") == 0) { + ++i; + if (i >= argc || strlen(argv[i]) == 0) { + fprintf(stderr, "%s: No records directory supplied.\n", + argv[0]); + return -1; + } + dir = argv[i]; + } + else if (strcmp(argv[i], "--user") == 0) { + ++i; + if (i >= argc || strlen(argv[i]) == 0) { + fprintf(stderr, "%s: No user name supplied.\n", argv[0]); + return -1; + } + opts->user = argv[i]; + } + else if (strcmp(argv[i], "--reset") == 0) { + opts->reset = 1; + } + else if (!strcmp(argv[i], "--legacy-output")) { + opts->legacy_output = 1; + } + else { + fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); + return -1; + } + } + + if ((rv = read_config_file(NULL, opts, conf)) != PAM_SUCCESS) { + fprintf(stderr, "Configuration file missing or broken"); + return rv; + } + + if (dir != NULL) { + free(opts->dir); + opts->dir = strdup(dir); + if (opts->dir == NULL) { + fprintf(stderr, "Error allocating memory: %m"); + return -1; + } + } + + return 0; +} + +static void +usage(const char *progname) +{ + fprintf(stderr, + _("Usage: %s [--dir /path/to/tally-directory]" + " [--user username] [--reset] [--legacy-output]\n"), progname); + +} + +static int +get_local_time(time_t when, char *timebuf, size_t timebuf_size) +{ + struct tm *tm; + + tm = localtime(&when); + if (tm == NULL) { + return -1; + } + strftime(timebuf, timebuf_size, "%Y-%m-%d %H:%M:%S", tm); + return 0; +} + +static void +print_in_new_format(struct options *opts, const struct tally_data *tallies, const char *user) +{ + uint32_t i; + + printf("%s:\n", user); + printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); + + for (i = 0; i < tallies->count; i++) { + uint16_t status; + char timebuf[80]; + + if (get_local_time(tallies->records[i].time, timebuf, sizeof(timebuf)) != 0) { + fprintf(stderr, "%s: Invalid timestamp in the tally record\n", + opts->progname); + continue; + } + + status = tallies->records[i].status; + + printf("%-19s %-5s %-52.52s %s\n", timebuf, + status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), + tallies->records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); + } +} + +static void +print_in_legacy_format(struct options *opts, const struct tally_data *tallies, const char *user) +{ + uint32_t tally_count; + static uint32_t pr_once; + + if (pr_once == 0) { + printf(_("Login Failures Latest failure From\n")); + pr_once = 1; + } + + printf("%-15.15s ", user); + + tally_count = tallies->count; + + if (tally_count > 0) { + uint32_t i; + char timebuf[80]; + + i = tally_count - 1; + + if (get_local_time(tallies->records[i].time, timebuf, sizeof(timebuf)) != 0) { + fprintf(stderr, "%s: Invalid timestamp in the tally record\n", + opts->progname); + return; + } + + printf("%5u %25s %s\n", + tally_count, timebuf, tallies->records[i].source); + } + else { + printf("%5u\n", tally_count); + } +} + +static int +do_user(struct options *opts, const char *user) +{ + int fd; + int rv; + struct tally_data tallies; + struct passwd *pwd; + const char *dir = get_tally_dir(opts); + + pwd = getpwnam(user); + if (pwd == NULL) { + fprintf(stderr, "%s: Error no such user: %s\n", opts->progname, user); + return 1; + } + + fd = open_tally(dir, user, pwd->pw_uid, 1); + + if (fd == -1) { + if (errno == ENOENT) { + return 0; + } + else { + fprintf(stderr, "%s: Error opening the tally file for %s:", + opts->progname, user); + perror(NULL); + return 3; + } + } + if (opts->reset) { +#ifdef HAVE_LIBAUDIT + int audit_fd; +#endif + + while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); + if (rv == -1) { + fprintf(stderr, "%s: Error clearing the tally file for %s:", + opts->progname, user); + perror(NULL); +#ifdef HAVE_LIBAUDIT + } + if ((audit_fd=audit_open()) >= 0) { + audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, + "faillock-reset", user, + pwd != NULL ? pwd->pw_uid : AUDIT_NO_ID, + NULL, NULL, NULL, rv == 0); + close(audit_fd); + } + if (rv == -1) { +#endif + close(fd); + return 4; + } + } + else { + memset(&tallies, 0, sizeof(tallies)); + if (read_tally(fd, &tallies) == -1) { + fprintf(stderr, "%s: Error reading the tally file for %s:", + opts->progname, user); + perror(NULL); + close(fd); + return 5; + } + + if (opts->legacy_output == 0) { + print_in_new_format(opts, &tallies, user); + } + else { + print_in_legacy_format(opts, &tallies, user); + } + + free(tallies.records); + } + close(fd); + return 0; +} + +static int +do_allusers(struct options *opts) +{ + struct dirent **userlist; + int rv, i; + const char *dir = get_tally_dir(opts); + + rv = scandir(dir, &userlist, NULL, alphasort); + if (rv < 0) { + fprintf(stderr, "%s: Error reading tally directory: %m\n", opts->progname); + return 2; + } + + for (i = 0; i < rv; i++) { + if (userlist[i]->d_name[0] == '.') { + if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') || + userlist[i]->d_name[1] == '\0') + continue; + } + do_user(opts, userlist[i]->d_name); + free(userlist[i]); + } + free(userlist); + + return 0; +} + + +/*-----------------------------------------------------------------------*/ +int +main (int argc, char *argv[]) +{ + struct options opts; + + if (args_parse(argc, argv, &opts)) { + usage(argv[0]); + return 1; + } + + if (opts.user == NULL) { + return do_allusers(&opts); + } + + return do_user(&opts, opts.user); +} diff --git a/modules/pam_faillock/pam_faillock.8 b/modules/pam_faillock/pam_faillock.8 new file mode 100644 index 00000000..b4854ff5 --- /dev/null +++ b/modules/pam_faillock/pam_faillock.8 @@ -0,0 +1,269 @@ +'\" t +.\" Title: pam_faillock +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: [FIXME: source] +.\" Language: English +.\" +.TH "PAM_FAILLOCK" "8" "05/07/2023" "[FIXME: source]" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_faillock \- Module counting authentication failures during a specified interval +.SH "SYNOPSIS" +.HP \w'\fBauth\ \&.\&.\&.\ pam_faillock\&.so\fR\ 'u +\fBauth \&.\&.\&. pam_faillock\&.so\fR {preauth|authfail|authsucc} [conf=\fI/path/to/config\-file\fR] [dir=\fI/path/to/tally\-directory\fR] [even_deny_root] [deny=\fIn\fR] [fail_interval=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [admin_group=\fIname\fR] [audit] [silent] [no_log_info] +.HP \w'\fBaccount\ \&.\&.\&.\ pam_faillock\&.so\fR\ 'u +\fBaccount \&.\&.\&. pam_faillock\&.so\fR [dir=\fI/path/to/tally\-directory\fR] [no_log_info] +.SH "DESCRIPTION" +.PP +This module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than +\fIdeny\fR +consecutive failed authentications\&. +.PP +Normally, failed attempts to authenticate +\fIroot\fR +will +\fBnot\fR +cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via +\fBsu\fR +or at the machine console (not telnet/rsh, etc), this is safe\&. +.SH "OPTIONS" +.PP +{preauth|authfail|authsucc} +.RS 4 +This argument must be set accordingly to the position of this module instance in the PAM stack\&. +.sp +The +\fIpreauth\fR +argument must be used when the module is called before the modules which ask for the user credentials such as the password\&. The module just examines whether the user should be blocked from accessing the service in case there were anomalous number of failed consecutive authentication attempts recently\&. This call is optional if +\fIauthsucc\fR +is used\&. +.sp +The +\fIauthfail\fR +argument must be used when the module is called after the modules which determine the authentication outcome, failed\&. Unless the user is already blocked due to previous authentication failures, the module will record the failure into the appropriate user tally file\&. +.sp +The +\fIauthsucc\fR +argument must be used when the module is called after the modules which determine the authentication outcome, succeeded\&. Unless the user is already blocked due to previous authentication failures, the module will then clear the record of the failures in the respective user tally file\&. Otherwise it will return authentication error\&. If this call is not done, the pam_faillock will not distinguish between consecutive and non\-consecutive failed authentication attempts\&. The +\fIpreauth\fR +call must be used in such case\&. Due to complications in the way the PAM stack can be configured it is also possible to call +\fIpam_faillock\fR +as an account module\&. In such configuration the module must be also called in the +\fIpreauth\fR +stage\&. +.RE +.PP +conf=/path/to/config\-file +.RS 4 +Use another configuration file instead of the default +/etc/security/faillock\&.conf\&. +.RE +.PP +The options for configuring the module behavior are described in the +\fBfaillock.conf\fR(5) +manual page\&. The options specified on the module command line override the values from the configuration file\&. +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +module types are provided\&. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +An invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Everything was successful\&. +.RE +.PP +PAM_IGNORE +.RS 4 +User not present in passwd database\&. +.RE +.SH "NOTES" +.PP +Configuring options on the module command line is not recommend\&. The +/etc/security/faillock\&.conf +should be used instead\&. +.PP +The setup of +\fIpam_faillock\fR +in the PAM stack is different from the +\fIpam_tally2\fR +module setup\&. +.PP +Individual files with the failure records are created as owned by the user\&. This allows +\fBpam_faillock\&.so\fR +module to work correctly when it is called from a screensaver\&. +.PP +Note that using the module in +\fBpreauth\fR +without the +\fBsilent\fR +option specified in +/etc/security/faillock\&.conf +or with +\fIrequisite\fR +control field leaks an information about existence or non\-existence of a user account in the system because the failures are not recorded for the unknown users\&. The message about the user account being locked is never displayed for non\-existing user accounts allowing the adversary to infer that a particular account is not existing on a system\&. +.SH "EXAMPLES" +.PP +Here are two possible configuration examples for +/etc/pam\&.d/login\&. They make +\fIpam_faillock\fR +to lock the account after 4 consecutive failed logins during the default interval of 15 minutes\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. +.PP +In the first example the module is called only in the +\fIauth\fR +phase and the module does not print any information about the account being blocked by +\fIpam_faillock\fR\&. The +\fIpreauth\fR +call can be added to tell users that their logins are blocked by the module and also to abort the authentication without even asking for password in such case\&. +.PP +/etc/security/faillock\&.conf +file example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +deny=4 +unlock_time=1200 +silent + +.fi +.if n \{\ +.RE +.\} +.PP +/etc/pam\&.d/config file example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth required pam_securetty\&.so +auth required pam_env\&.so +auth required pam_nologin\&.so +# optionally call: auth requisite pam_faillock\&.so preauth +# to display the message about account being locked +auth [success=1 default=bad] pam_unix\&.so +auth [default=die] pam_faillock\&.so authfail +auth sufficient pam_faillock\&.so authsucc +auth required pam_deny\&.so +account required pam_unix\&.so +password required pam_unix\&.so shadow +session required pam_selinux\&.so close +session required pam_loginuid\&.so +session required pam_unix\&.so +session required pam_selinux\&.so open + +.fi +.if n \{\ +.RE +.\} +.PP +In the second example the module is called both in the +\fIauth\fR +and +\fIaccount\fR +phases and the module informs the authenticating user when the account is locked if +\fBsilent\fR +option is not specified in the +faillock\&.conf\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth required pam_securetty\&.so +auth required pam_env\&.so +auth required pam_nologin\&.so +auth required pam_faillock\&.so preauth +# optionally use requisite above if you do not want to prompt for the password +# on locked accounts +auth sufficient pam_unix\&.so +auth [default=die] pam_faillock\&.so authfail +auth required pam_deny\&.so +account required pam_faillock\&.so +# if you drop the above call to pam_faillock\&.so the lock will be done also +# on non\-consecutive authentication failures +account required pam_unix\&.so +password required pam_unix\&.so shadow +session required pam_selinux\&.so close +session required pam_loginuid\&.so +session required pam_unix\&.so +session required pam_selinux\&.so open + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/var/run/faillock/* +.RS 4 +the files logging the authentication failures for users +.sp +Note: These files will disappear after reboot on systems configured with directory +/var/run/faillock +mounted on virtual memory\&. For persistent storage use the option +\fIdir=\fR +in file +/etc/security/faillock\&.conf\&. +.RE +.PP +/etc/security/faillock\&.conf +.RS 4 +the config file for pam_faillock options +.RE +.SH "SEE ALSO" +.PP +\fBfaillock\fR(8), +\fBfaillock.conf\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_faillock was written by Tomas Mraz\&. diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml new file mode 100644 index 00000000..ce0ae050 --- /dev/null +++ b/modules/pam_faillock/pam_faillock.8.xml @@ -0,0 +1,380 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_faillock"> + + <refmeta> + <refentrytitle>pam_faillock</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pam_faillock-name"> + <refname>pam_faillock</refname> + <refpurpose>Module counting authentication failures during a specified interval</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis xml:id="pam_faillock-cmdsynopsisauth" sepchar=" "> + <command>auth ... pam_faillock.so</command> + <arg choice="req" rep="norepeat"> + preauth|authfail|authsucc + </arg> + <arg choice="opt" rep="norepeat"> + conf=<replaceable>/path/to/config-file</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + dir=<replaceable>/path/to/tally-directory</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + even_deny_root + </arg> + <arg choice="opt" rep="norepeat"> + deny=<replaceable>n</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + fail_interval=<replaceable>n</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + root_unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + admin_group=<replaceable>name</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + audit + </arg> + <arg choice="opt" rep="norepeat"> + silent + </arg> + <arg choice="opt" rep="norepeat"> + no_log_info + </arg> + </cmdsynopsis> + <cmdsynopsis xml:id="pam_faillock-cmdsynopsisacct" sepchar=" "> + <command>account ... pam_faillock.so</command> + <arg choice="opt" rep="norepeat"> + dir=<replaceable>/path/to/tally-directory</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + no_log_info + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 xml:id="pam_faillock-description"> + + <title>DESCRIPTION</title> + + <para> + This module maintains a list of failed authentication attempts per + user during a specified interval and locks the account in case + there were more than <replaceable>deny</replaceable> consecutive + failed authentications. + </para> + <para> + Normally, failed attempts to authenticate <emphasis>root</emphasis> will + <emphasis remap="B">not</emphasis> cause the root account to become + blocked, to prevent denial-of-service: if your users aren't given + shell accounts and root may only login via <command>su</command> or + at the machine console (not telnet/rsh, etc), this is safe. + </para> + </refsect1> + + <refsect1 xml:id="pam_faillock-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + {preauth|authfail|authsucc} + </term> + <listitem> + <para> + This argument must be set accordingly to the position of this module + instance in the PAM stack. + </para> + <para> + The <emphasis>preauth</emphasis> argument must be used when the module + is called before the modules which ask for the user credentials such + as the password. The module just examines whether the user should + be blocked from accessing the service in case there were anomalous + number of failed consecutive authentication attempts recently. This + call is optional if <emphasis>authsucc</emphasis> is used. + </para> + <para> + The <emphasis>authfail</emphasis> argument must be used when the module + is called after the modules which determine the authentication outcome, + failed. Unless the user is already blocked due to previous authentication + failures, the module will record the failure into the appropriate user + tally file. + </para> + <para> + The <emphasis>authsucc</emphasis> argument must be used when the module + is called after the modules which determine the authentication outcome, + succeeded. Unless the user is already blocked due to previous authentication + failures, the module will then clear the record of the failures in the + respective user tally file. Otherwise it will return authentication error. + If this call is not done, the pam_faillock will not distinguish between + consecutive and non-consecutive failed authentication attempts. The + <emphasis>preauth</emphasis> call must be used in such case. Due to + complications in the way the PAM stack can be configured it is also + possible to call <emphasis>pam_faillock</emphasis> as an account module. + In such configuration the module must be also called in the + <emphasis>preauth</emphasis> stage. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + conf=/path/to/config-file + </term> + <listitem> + <para condition="without_vendordir"> + Use another configuration file instead of the default + <filename>/etc/security/faillock.conf</filename>. + </para> + <para condition="with_vendordir"> + Use another configuration file instead of the default + which is to use the file + <filename>/etc/security/faillock.conf</filename> or, + if that one is not present, the file + <filename>%vendordir%/security/faillock.conf</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The options for configuring the module behavior are described in the + <citerefentry><refentrytitle>faillock.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> manual page. The options specified on the module command + line override the values from the configuration file. + </para> + </refsect1> + + <refsect1 xml:id="pam_faillock-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <option>auth</option> and <option>account</option> module types are + provided. + </para> + </refsect1> + + <refsect1 xml:id="pam_faillock-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + An invalid option was given, the module was not able + to retrieve the user name, no valid counter file + was found, or too many failed logins. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + User not present in passwd database. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pam_faillock-notes"> + <title>NOTES</title> + <para> + Configuring options on the module command line is not recommend. The + <filename>/etc/security/faillock.conf</filename> should be used instead. + </para> + <para> + The setup of <emphasis>pam_faillock</emphasis> in the PAM stack is different + from the <emphasis>pam_tally2</emphasis> module setup. + </para> + <para> + Individual files with the failure records are created as owned by + the user. This allows <emphasis remap="B">pam_faillock.so</emphasis> module + to work correctly when it is called from a screensaver. + </para> + <para> + Note that using the module in <option>preauth</option> without the + <option>silent</option> option specified in <filename>/etc/security/faillock.conf</filename> + or with <emphasis>requisite</emphasis> control field leaks an information about + existence or non-existence of a user account in the system because + the failures are not recorded for the unknown users. The message + about the user account being locked is never displayed for non-existing + user accounts allowing the adversary to infer that a particular account + is not existing on a system. + </para> + </refsect1> + + <refsect1 xml:id="pam_faillock-examples"> + <title>EXAMPLES</title> + <para> + Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>. + They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive + failed logins during the default interval of 15 minutes. Root account will be locked + as well. The accounts will be automatically unlocked after 20 minutes. + </para> + <para> + In the first example the module is called only in the <emphasis>auth</emphasis> + phase and the module does not print any information about the account being blocked + by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can + be added to tell users that their logins are blocked by the module and also to abort + the authentication without even asking for password in such case. + </para> + <para> + <filename>/etc/security/faillock.conf</filename> file example: + </para> + <programlisting> +deny=4 +unlock_time=1200 +silent + </programlisting> + <para> + /etc/pam.d/config file example: + </para> + <programlisting> +auth required pam_securetty.so +auth required pam_env.so +auth required pam_nologin.so +# optionally call: auth requisite pam_faillock.so preauth +# to display the message about account being locked +auth [success=1 default=bad] pam_unix.so +auth [default=die] pam_faillock.so authfail +auth sufficient pam_faillock.so authsucc +auth required pam_deny.so +account required pam_unix.so +password required pam_unix.so shadow +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_unix.so +session required pam_selinux.so open + </programlisting> + <para> + In the second example the module is called both in the <emphasis>auth</emphasis> + and <emphasis>account</emphasis> phases and the module informs the authenticating + user when the account is locked if <option>silent</option> option is not + specified in the <filename>faillock.conf</filename>. + </para> + <programlisting> +auth required pam_securetty.so +auth required pam_env.so +auth required pam_nologin.so +auth required pam_faillock.so preauth +# optionally use requisite above if you do not want to prompt for the password +# on locked accounts +auth sufficient pam_unix.so +auth [default=die] pam_faillock.so authfail +auth required pam_deny.so +account required pam_faillock.so +# if you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures +account required pam_unix.so +password required pam_unix.so shadow +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_unix.so +session required pam_selinux.so open + </programlisting> + </refsect1> + + <refsect1 xml:id="pam_faillock-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term>/var/run/faillock/*</term> + <listitem> + <para>the files logging the authentication failures for users</para> + <para> + Note: These files will disappear after reboot on systems configured with + directory <filename>/var/run/faillock</filename> mounted on virtual memory. + For persistent storage use the option <emphasis>dir=</emphasis> in + file <filename>/etc/security/faillock.conf</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>/etc/security/faillock.conf</term> + <listitem> + <para>the config file for pam_faillock options</para> + </listitem> + </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/faillock.conf</term> + <listitem> + <para> + the config file for pam_faillock options. It will be used if + <filename>/etc/security/faillock.conf</filename> does not exist. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pam_faillock-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>faillock.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pam_faillock-author"> + <title>AUTHOR</title> + <para> + pam_faillock was written by Tomas Mraz. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c new file mode 100644 index 00000000..ca1c7035 --- /dev/null +++ b/modules/pam_faillock/pam_faillock.c @@ -0,0 +1,550 @@ +/* + * Copyright (c) 2010, 2017, 2019 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010, 2017, 2019 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <stdlib.h> +#include <errno.h> +#include <time.h> +#include <pwd.h> +#include <syslog.h> +#include <ctype.h> + +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#include "pam_inline.h" +#include "faillock.h" +#include "faillock_config.h" + +#define FAILLOCK_ACTION_PREAUTH 0 +#define FAILLOCK_ACTION_AUTHSUCC 1 +#define FAILLOCK_ACTION_AUTHFAIL 2 + +static int +args_parse(pam_handle_t *pamh, int argc, const char **argv, + int flags, struct options *opts) +{ + int i; + int config_arg_index = -1; + int rv; + const char *conf = NULL; + + memset(opts, 0, sizeof(*opts)); + + opts->deny = 3; + opts->fail_interval = 900; + opts->unlock_time = 600; + opts->root_unlock_time = MAX_TIME_INTERVAL+1; + + for (i = 0; i < argc; ++i) { + const char *str = pam_str_skip_prefix(argv[i], "conf="); + + if (str != NULL) { + conf = str; + config_arg_index = i; + } + } + + if ((rv = read_config_file(pamh, opts, conf)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, + "Configuration file missing or broken"); + return rv; + } + + for (i = 0; i < argc; ++i) { + if (i == config_arg_index) { + continue; + } + else if (strcmp(argv[i], "preauth") == 0) { + opts->action = FAILLOCK_ACTION_PREAUTH; + } + else if (strcmp(argv[i], "authfail") == 0) { + opts->action = FAILLOCK_ACTION_AUTHFAIL; + } + else if (strcmp(argv[i], "authsucc") == 0) { + opts->action = FAILLOCK_ACTION_AUTHSUCC; + } + else { + char buf[FAILLOCK_CONF_MAX_LINELEN + 1]; + char *val; + + strncpy(buf, argv[i], sizeof(buf) - 1); + buf[sizeof(buf) - 1] = '\0'; + + val = strchr(buf, '='); + if (val != NULL) { + *val = '\0'; + ++val; + } + else { + val = buf + sizeof(buf) - 1; + } + set_conf_opt(pamh, opts, buf, val); + } + } + + if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) + opts->root_unlock_time = opts->unlock_time; + if (flags & PAM_SILENT) + opts->flags |= FAILLOCK_FLAG_SILENT; + + if (opts->fatal_error) + return PAM_BUF_ERR; + return PAM_SUCCESS; +} + +static int +check_local_user (pam_handle_t *pamh, const char *user) +{ + return pam_modutil_check_user_in_passwd(pamh, user, NULL) == PAM_SUCCESS; +} + +static int +get_pam_user(pam_handle_t *pamh, struct options *opts) +{ + const char *user; + int rv; + struct passwd *pwd; + + if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + return rv == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rv; + } + + if (*user == '\0') { + return PAM_IGNORE; + } + + if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { + if (opts->flags & FAILLOCK_FLAG_AUDIT) { + pam_syslog(pamh, LOG_NOTICE, "User unknown: %s", user); + } + else { + pam_syslog(pamh, LOG_NOTICE, "User unknown"); + } + return PAM_IGNORE; + } + opts->user = user; + opts->uid = pwd->pw_uid; + + if (pwd->pw_uid == 0) { + opts->is_admin = 1; + return PAM_SUCCESS; + } + + if (opts->admin_group && *opts->admin_group) { + opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh, + pwd->pw_uid, opts->admin_group); + } + + return PAM_SUCCESS; +} + +static int +check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) +{ + int tfd; + unsigned int i; + uint64_t latest_time; + int failures; + const char *dir = get_tally_dir(opts); + + opts->now = time(NULL); + + tfd = open_tally(dir, opts->user, opts->uid, 0); + + *fd = tfd; + + if (tfd == -1) { + if (errno == EACCES || errno == ENOENT) { + return PAM_SUCCESS; + } + pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); + return PAM_SYSTEM_ERR; + } + + if (read_tally(tfd, tallies) != 0) { + pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); + return PAM_SYSTEM_ERR; + } + + if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + return PAM_SUCCESS; + } + + latest_time = 0; + for (i = 0; i < tallies->count; i++) { + if ((tallies->records[i].status & TALLY_STATUS_VALID) && + tallies->records[i].time > latest_time) + latest_time = tallies->records[i].time; + } + + opts->latest_time = latest_time; + + failures = 0; + for (i = 0; i < tallies->count; i++) { + if ((tallies->records[i].status & TALLY_STATUS_VALID) && + latest_time - tallies->records[i].time < opts->fail_interval) { + ++failures; + } + } + + opts->failures = failures; + + if (opts->deny && failures >= opts->deny) { + if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || + (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { +#ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; + int audit_fd; + const void *rhost = NULL, *tty = NULL; + + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ + if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); + snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, + rhost, NULL, tty, 1); + } +#endif + opts->flags |= FAILLOCK_FLAG_UNLOCKED; + return PAM_SUCCESS; + } + return PAM_AUTH_ERR; + } + return PAM_SUCCESS; +} + +static void +reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) +{ + int rv; + const char *dir = get_tally_dir(opts); + + if (*fd == -1) { + *fd = open_tally(dir, opts->user, opts->uid, 1); + } + else { + while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); + if (rv == -1) { + pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); + } + } +} + +static int +write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) +{ + struct tally *records; + unsigned int i; + int failures; + unsigned int oldest; + uint64_t oldtime; + const void *source = NULL; + const char *dir = get_tally_dir(opts); + + if (*fd == -1) { + *fd = open_tally(dir, opts->user, opts->uid, 1); + } + if (*fd == -1) { + if (errno == EACCES) { + return PAM_SUCCESS; + } + pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); + return PAM_SYSTEM_ERR; + } + + oldtime = 0; + oldest = 0; + failures = 0; + + for (i = 0; i < tallies->count; ++i) { + if (oldtime == 0 || tallies->records[i].time < oldtime) { + oldtime = tallies->records[i].time; + oldest = i; + } + if (opts->flags & FAILLOCK_FLAG_UNLOCKED || + opts->now - tallies->records[i].time >= opts->fail_interval ) { + tallies->records[i].status &= ~TALLY_STATUS_VALID; + } else { + ++failures; + } + } + + if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { + oldest = tallies->count; + + if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { + pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); + return PAM_BUF_ERR; + } + + ++tallies->count; + tallies->records = records; + } + + memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); + + tallies->records[oldest].status = TALLY_STATUS_VALID; + if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { + if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { + if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { + source = ""; + } + } + else { + tallies->records[oldest].status |= TALLY_STATUS_TTY; + } + } + else { + tallies->records[oldest].status |= TALLY_STATUS_RHOST; + } + + strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); + /* source does not have to be null terminated */ + + tallies->records[oldest].time = opts->now; + + ++failures; + + if (opts->deny && failures == opts->deny) { +#ifdef HAVE_LIBAUDIT + char buf[64]; + int audit_fd; + + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ + if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + + snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + + if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, + NULL, NULL, NULL, 1); + } + close(audit_fd); +#endif + if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) && + ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) { + pam_syslog(pamh, LOG_INFO, + "Consecutive login failures for user %s account temporarily locked", + opts->user); + } + } + + if (update_tally(*fd, tallies) == 0) + return PAM_SUCCESS; + + return PAM_SYSTEM_ERR; +} + +static void +faillock_message(pam_handle_t *pamh, struct options *opts) +{ + int64_t left; + + if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { + if (opts->is_admin) { + left = opts->latest_time + opts->root_unlock_time - opts->now; + } + else { + left = opts->latest_time + opts->unlock_time - opts->now; + } + + pam_info(pamh, _("The account is locked due to %u failed logins."), + (unsigned int)opts->failures); + if (left > 0) { + left = (left + 59)/60; /* minutes */ + +#if defined HAVE_DNGETTEXT && defined ENABLE_NLS + pam_info( + pamh, + dngettext(PACKAGE, + "(%d minute left to unlock)", + "(%d minutes left to unlock)", + (int)left), + (int)left); +#else + if (left == 1) + pam_info(pamh, _("(%d minute left to unlock)"), (int)left); + else + /* TRANSLATORS: only used if dngettext is not supported. */ + pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); +#endif + } + } +} + +static void +tally_cleanup(struct tally_data *tallies, int fd) +{ + if (fd != -1) { + close(fd); + } + + free(tallies->records); +} + +static void +opts_cleanup(struct options *opts) +{ + free(opts->dir); + free(opts->admin_group); +} + +/*---------------------------------------------------------------------*/ + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + struct options opts; + int rv, fd = -1; + struct tally_data tallies; + + memset(&tallies, 0, sizeof(tallies)); + + rv = args_parse(pamh, argc, argv, flags, &opts); + if (rv != PAM_SUCCESS) + goto err; + + if (!(opts.flags & FAILLOCK_FLAG_NO_DELAY)) { + pam_fail_delay(pamh, 2000000); /* 2 sec delay on failure */ + } + + if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { + goto err; + } + + if (!(opts.flags & FAILLOCK_FLAG_LOCAL_ONLY) || + check_local_user (pamh, opts.user) != 0) { + switch (opts.action) { + case FAILLOCK_ACTION_PREAUTH: + rv = check_tally(pamh, &opts, &tallies, &fd); + if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { + faillock_message(pamh, &opts); + } + break; + + case FAILLOCK_ACTION_AUTHSUCC: + rv = check_tally(pamh, &opts, &tallies, &fd); + if (rv == PAM_SUCCESS) { + reset_tally(pamh, &opts, &fd); + } + break; + + case FAILLOCK_ACTION_AUTHFAIL: + rv = check_tally(pamh, &opts, &tallies, &fd); + if (rv == PAM_SUCCESS) { + rv = PAM_IGNORE; /* this return value should be ignored */ + write_tally(pamh, &opts, &tallies, &fd); + } + break; + } + } + + tally_cleanup(&tallies, fd); + +err: + opts_cleanup(&opts); + + return rv; +} + +/*---------------------------------------------------------------------*/ + +int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +/*---------------------------------------------------------------------*/ + +int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + struct options opts; + int rv, fd = -1; + struct tally_data tallies; + + memset(&tallies, 0, sizeof(tallies)); + + rv = args_parse(pamh, argc, argv, flags, &opts); + + if (rv != PAM_SUCCESS) + goto err; + + opts.action = FAILLOCK_ACTION_AUTHSUCC; + + if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { + goto err; + } + + if (!(opts.flags & FAILLOCK_FLAG_LOCAL_ONLY) || + check_local_user (pamh, opts.user) != 0) { + check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ + reset_tally(pamh, &opts, &fd); + } + + tally_cleanup(&tallies, fd); + +err: + opts_cleanup(&opts); + + return rv; +} + +/*-----------------------------------------------------------------------*/ diff --git a/modules/pam_faillock/tst-pam_faillock b/modules/pam_faillock/tst-pam_faillock new file mode 100755 index 00000000..ec454c28 --- /dev/null +++ b/modules/pam_faillock/tst-pam_faillock @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/modules/pam_faillock/tst-pam_faillock-retval.c b/modules/pam_faillock/tst-pam_faillock-retval.c new file mode 100644 index 00000000..133026cb --- /dev/null +++ b/modules/pam_faillock/tst-pam_faillock-retval.c @@ -0,0 +1,119 @@ +/* + * Check pam_faillock return values. + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_faillock" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char config_filename[] = TEST_NAME ".conf"; +static const char user_name[] = "root"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + ASSERT_NE(NULL, fp = fopen(config_filename, "w")); + ASSERT_LT(0, fprintf(fp, + "deny = 2\n" + "unlock_time = 5\n" + "root_unlock_time = 5\n")); + ASSERT_EQ(0, fclose(fp)); + + /* root has access */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "auth required %s/.libs/%s.so authsucc even_deny_root dir=%s conf=%s\n" + "account required %s/.libs/%s.so dir=%s\n" + "password required %s/.libs/%s.so dir=%s\n" + "session required %s/.libs/%s.so dir=%s\n", + cwd, + cwd, MODULE_NAME, cwd, config_filename, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd)); + + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + ASSERT_EQ(0, unlink(service_file)); + pamh = NULL; + + /* root tries to login 2 times without success*/ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth requisite %s/.libs/%s.so dir=%s preauth even_deny_root conf=%s\n" + "auth [success=1 default=bad] %s/../pam_debug/.libs/pam_debug.so auth=perm_denied cred=success\n" + "auth [default=die] %s/.libs/%s.so dir=%s authfail even_deny_root conf=%s\n" + "auth sufficient %s/.libs/%s.so dir=%s authsucc even_deny_root conf=%s\n", + cwd, MODULE_NAME, cwd, config_filename, + cwd, + cwd, MODULE_NAME, cwd, config_filename, + cwd, MODULE_NAME, cwd, config_filename)); + + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + pamh = NULL; + ASSERT_EQ(0, unlink(service_file)); + + /* root is locked for 5 sec*/ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth requisite %s/.libs/%s.so dir=%s preauth even_deny_root conf=%s\n" + "auth [success=1 default=bad] %s/../pam_debug/.libs/pam_debug.so auth=success cred=success\n" + "auth [default=die] %s/.libs/%s.so dir=%s authfail even_deny_root conf=%s\n" + "auth sufficient %s/.libs/%s.so dir=%s authsucc even_deny_root conf=%s\n", + cwd, MODULE_NAME, cwd, config_filename, + cwd, + cwd, MODULE_NAME, cwd, config_filename, + cwd, MODULE_NAME, cwd, config_filename)); + + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0)); + + /* waiting at least 5 sec --> login is working again*/ + sleep(6); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + ASSERT_EQ(0, unlink(service_file)); + pamh = NULL; + + ASSERT_EQ(0,unlink(user_name)); + ASSERT_EQ(0,unlink(config_filename)); + + return 0; +} diff --git a/modules/pam_filter/Makefile.am b/modules/pam_filter/Makefile.am index 47e9b491..d43177c8 100644 --- a/modules/pam_filter/Makefile.am +++ b/modules/pam_filter/Makefile.am @@ -7,15 +7,24 @@ SUBDIRS = upperLOWER CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_filter +EXTRA_DIST = $(XMLS) -man_MANS = pam_filter.8 +if HAVE_DOC +dist_man_MANS = pam_filter.8 +endif XMLS = README.xml pam_filter.8.xml +dist_check_SCRIPTS = tst-pam_filter +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,10 +34,8 @@ include_HEADERS=pam_filter.h pam_filter_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_filter.la -TESTS = tst-pam_filter if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_filter.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_filter/Makefile.in b/modules/pam_filter/Makefile.in index 0abf4a56..33a3de48 100644 --- a/modules/pam_filter/Makefile.in +++ b/modules/pam_filter/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -86,24 +96,27 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_filter -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(include_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(include_HEADERS) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -159,7 +172,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_filter.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -196,8 +210,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) HEADERS = $(include_HEADERS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive @@ -206,7 +221,7 @@ am__recursive_targets = \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ - check recheck distdir + check recheck distdir distdir-am am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -381,6 +396,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) TEST_SUITE_LOG = test-suite.log TEST_EXTENSIONS = @EXEEXT@ .test @@ -403,6 +419,9 @@ TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) DIST_SUBDIRS = $(SUBDIRS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -447,24 +466,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -478,7 +506,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -497,11 +524,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -524,8 +554,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -536,11 +565,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -583,7 +619,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -591,9 +626,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -603,6 +635,7 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ @@ -610,18 +643,22 @@ top_srcdir = @top_srcdir@ SUBDIRS = upperLOWER CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_filter -man_MANS = pam_filter.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_filter.8 XMLS = README.xml pam_filter.8.xml +dist_check_SCRIPTS = tst-pam_filter +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) include_HEADERS = pam_filter.h pam_filter_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_filter.la -TESTS = tst-pam_filter -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-recursive .SUFFIXES: @@ -638,14 +675,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_filter/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_filter/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -701,21 +737,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_filter.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_filter.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -729,10 +771,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -767,7 +809,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -923,7 +965,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -1000,7 +1042,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -1013,7 +1055,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1023,7 +1065,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1056,7 +1098,10 @@ tst-pam_filter.log: tst-pam_filter @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1112,6 +1157,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-recursive all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) @@ -1161,7 +1207,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-recursive - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_filter.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1208,7 +1254,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_filter.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1232,10 +1278,10 @@ uninstall-man: uninstall-man8 .MAKE: $(am__recursive_targets) check-am install-am install-strip -.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ - check-TESTS check-am clean clean-generic clean-libtool \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ + am--depfiles check check-TESTS check-am clean clean-generic \ + clean-libtool clean-securelibLTLIBRARIES cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -1250,7 +1296,8 @@ uninstall-man: uninstall-man8 uninstall-am uninstall-includeHEADERS uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_filter.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_filter/README.xml b/modules/pam_filter/README.xml index b76cb743..ab053174 100644 --- a/modules/pam_filter/README.xml +++ b/modules/pam_filter/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_filter.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_filter-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_filter/pam_filter.8 b/modules/pam_filter/pam_filter.8 index e4588f68..c9b2ee7d 100644 --- a/modules/pam_filter/pam_filter.8 +++ b/modules/pam_filter/pam_filter.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_filter .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_FILTER" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FILTER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -48,12 +48,12 @@ that of the user\&. For this reason it cannot usually be killed by the user with .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBnew_term\fR +new_term .RS 4 The default action of the filter is to set the \fIPAM_TTY\fR @@ -62,14 +62,14 @@ item to indicate the terminal that the user is using to connect to the applicati to the filtered pseudo\-terminal\&. .RE .PP -\fBnon_term\fR +non_term .RS 4 don\*(Aqt try to set the \fIPAM_TTY\fR item\&. .RE .PP -\fBrunX\fR +runX .RS 4 In order that the module can invoke a filter it should know when to invoke it\&. This argument is required to tell the filter when to do this\&. .sp @@ -122,7 +122,7 @@ is used to indicate that the filter is run on the second occasion (the phase)\&. .RE .PP -\fBfilter\fR +filter .RS 4 The full pathname of the filter to be run and any command line arguments that the filter might expect\&. .RE @@ -166,7 +166,7 @@ to see how to configure login to transpose upper and lower case letters once the .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_filter/pam_filter.8.xml b/modules/pam_filter/pam_filter.8.xml index 7309c352..0b85e82c 100644 --- a/modules/pam_filter/pam_filter.8.xml +++ b/modules/pam_filter/pam_filter.8.xml @@ -1,45 +1,42 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_filter"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_filter"> <refmeta> <refentrytitle>pam_filter</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_filter-name"> + <refnamediv xml:id="pam_filter-name"> <refname>pam_filter</refname> <refpurpose>PAM filter module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_filter-cmdsynopsis"> + <cmdsynopsis xml:id="pam_filter-cmdsynopsis" sepchar=" "> <command>pam_filter.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> new_term </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> non_term </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> run1|run2 </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> <replaceable>filter</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>...</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_filter-description"> + <refsect1 xml:id="pam_filter-description"> <title>DESCRIPTION</title> @@ -66,7 +63,7 @@ </para> </refsect1> - <refsect1 id="pam_filter-options"> + <refsect1 xml:id="pam_filter-options"> <title>OPTIONS</title> <para> @@ -74,7 +71,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -85,7 +82,7 @@ <varlistentry> <term> - <option>new_term</option> + new_term </term> <listitem> <para> @@ -101,7 +98,7 @@ <varlistentry> <term> - <option>non_term</option> + non_term </term> <listitem> <para> @@ -112,7 +109,7 @@ <varlistentry> <term> - <option>runX</option> + runX </term> <listitem> <para> @@ -174,7 +171,7 @@ <varlistentry> <term> - <option>filter</option> + filter </term> <listitem> <para> @@ -188,7 +185,7 @@ </para> </refsect1> - <refsect1 id="pam_filter-types"> + <refsect1 xml:id="pam_filter-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -196,7 +193,7 @@ </para> </refsect1> - <refsect1 id='pam_filter-return_values'> + <refsect1 xml:id="pam_filter-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -223,7 +220,7 @@ </para> </refsect1> - <refsect1 id='pam_filter-examples'> + <refsect1 xml:id="pam_filter-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -236,7 +233,7 @@ </para> </refsect1> - <refsect1 id='pam_filter-see_also'> + <refsect1 xml:id="pam_filter-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -246,16 +243,16 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_filter-author'> + <refsect1 xml:id="pam_filter-author"> <title>AUTHOR</title> <para> pam_filter was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c index 8ab7981a..6e6def37 100644 --- a/modules/pam_filter/pam_filter.c +++ b/modules/pam_filter/pam_filter.c @@ -1,5 +1,5 @@ /* - * $Id$ + * pam_filter module * * written by Andrew Morgan <morgan@transmeta.com> with much help from * Richard Stevens' UNIX Network Programming book. @@ -25,11 +25,6 @@ #include <signal.h> -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> #include <security/pam_ext.h> #include "pam_filter.h" @@ -114,38 +109,37 @@ static int process_args(pam_handle_t *pamh return -1; } - for (size=i=0; i<argc; ++i) { - size += strlen(argv[i])+1; - } - /* the "ARGS" variable */ -#define ARGS_OFFSET 5 /* strlen('ARGS='); */ #define ARGS_NAME "ARGS=" +#define ARGS_OFFSET (sizeof(ARGS_NAME) - 1) + + size = sizeof(ARGS_NAME); - size += ARGS_OFFSET; + for (i=0; i<argc; ++i) { + size += strlen(argv[i]) + (i != 0); + } - levp[0] = (char *) malloc(size); + levp[0] = malloc(size); if (levp[0] == NULL) { pam_syslog(pamh, LOG_CRIT, "no memory for filter arguments"); - if (levp) { - free(levp); - } + free(levp); return -1; } - strncpy(levp[0],ARGS_NAME,ARGS_OFFSET); - for (i=0,size=ARGS_OFFSET; i<argc; ++i) { + strcpy(levp[0], ARGS_NAME); + size = ARGS_OFFSET; + for (i=0; i<argc; ++i) { + if (i) + levp[0][size++] = ' '; strcpy(levp[0]+size, argv[i]); size += strlen(argv[i]); - levp[0][size++] = ' '; } - levp[0][--size] = '\0'; /* <NUL> terminate */ /* the "SERVICE" variable */ -#define SERVICE_OFFSET 8 /* strlen('SERVICE='); */ #define SERVICE_NAME "SERVICE=" +#define SERVICE_OFFSET (sizeof(SERVICE_NAME) - 1) retval = pam_get_item(pamh, PAM_SERVICE, &tmp); if (retval != PAM_SUCCESS || tmp == NULL) { @@ -168,17 +162,16 @@ static int process_args(pam_handle_t *pamh return -1; } - strncpy(levp[1],SERVICE_NAME,SERVICE_OFFSET); + strcpy(levp[1], SERVICE_NAME); strcpy(levp[1]+SERVICE_OFFSET, tmp); levp[1][size] = '\0'; /* <NUL> terminate */ /* the "USER" variable */ -#define USER_OFFSET 5 /* strlen('USER='); */ #define USER_NAME "USER=" +#define USER_OFFSET (sizeof(USER_NAME) - 1) - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || - user == NULL) { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { user = "<unknown>"; } size = USER_OFFSET+strlen(user); @@ -194,14 +187,14 @@ static int process_args(pam_handle_t *pamh return -1; } - strncpy(levp[2],USER_NAME,USER_OFFSET); + strcpy(levp[2], USER_NAME); strcpy(levp[2]+USER_OFFSET, user); levp[2][size] = '\0'; /* <NUL> terminate */ /* the "USER" variable */ -#define TYPE_OFFSET 5 /* strlen('TYPE='); */ #define TYPE_NAME "TYPE=" +#define TYPE_OFFSET (sizeof(TYPE_NAME) - 1) size = TYPE_OFFSET+strlen(type); @@ -217,7 +210,7 @@ static int process_args(pam_handle_t *pamh return -1; } - strncpy(levp[3],TYPE_NAME,TYPE_OFFSET); + strcpy(levp[3], TYPE_NAME); strcpy(levp[3]+TYPE_OFFSET, type); levp[3][size] = '\0'; /* <NUL> terminate */ @@ -253,7 +246,7 @@ static void free_evp(char *evp[]) static int set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, - const char **evp, const char *filtername) + char * const evp[], const char *filtername) { int status=-1; char* terminal = NULL; @@ -296,7 +289,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, struct termios t_mode = stored_mode; t_mode.c_iflag = 0; /* no input control */ - t_mode.c_oflag &= ~OPOST; /* no ouput post processing */ + t_mode.c_oflag &= ~OPOST; /* no output post processing */ /* no signals, canonical input, echoing, upper/lower output */ #ifdef XCASE @@ -361,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, int t = open("/dev/tty", O_RDWR|O_NOCTTY); #else int t = open("/dev/tty",O_RDWR); - if (t > 0) { + if (t >= 0) { (void) ioctl(t, TIOCNOTTY, NULL); close(t); } @@ -376,7 +369,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, /* grant slave terminal */ if (grantpt (fd[0]) < 0) { - pam_syslog(pamh, LOG_ERR, "Cannot grant acccess to slave terminal"); + pam_syslog(pamh, LOG_ERR, "Cannot grant access to slave terminal"); return PAM_ABORT; } @@ -444,7 +437,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, close(fd[1]); - /* the current process is now aparently working with filtered + /* the current process is now apparently working with filtered stdio/stdout/stderr --- success! */ return PAM_SUCCESS; @@ -632,8 +625,7 @@ static int need_a_filter(pam_handle_t *pamh } if (retval == PAM_SUCCESS && (ctrl & which_run)) { - retval = set_filter(pamh, flags, ctrl - , (const char **)evp, filterfile); + retval = set_filter(pamh, flags, ctrl, evp, filterfile); } if (retval == PAM_SUCCESS diff --git a/modules/pam_filter/upperLOWER/Makefile.am b/modules/pam_filter/upperLOWER/Makefile.am index 41f0a349..f65c462b 100644 --- a/modules/pam_filter/upperLOWER/Makefile.am +++ b/modules/pam_filter/upperLOWER/Makefile.am @@ -8,8 +8,8 @@ securelibfilterdir = $(SECUREDIR)/pam_filter AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(srcdir)/.. @PIE_CFLAGS@ -AM_LDFLAGS = @PIE_LDFLAGS@ + -I$(srcdir)/.. @EXE_CFLAGS@ $(WARN_CFLAGS) +AM_LDFLAGS = @EXE_LDFLAGS@ LDADD = $(top_builddir)/libpam/libpam.la securelibfilter_PROGRAMS = upperLOWER diff --git a/modules/pam_filter/upperLOWER/Makefile.in b/modules/pam_filter/upperLOWER/Makefile.in index 361ba7da..c25f53e2 100644 --- a/modules/pam_filter/upperLOWER/Makefile.in +++ b/modules/pam_filter/upperLOWER/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -19,7 +19,17 @@ # VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,23 +94,25 @@ build_triplet = @build@ host_triplet = @host@ securelibfilter_PROGRAMS = upperLOWER$(EXEEXT) subdir = modules/pam_filter/upperLOWER -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -129,7 +141,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/upperLOWER.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -175,6 +188,8 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -194,24 +209,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -225,7 +249,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -244,11 +267,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -271,8 +297,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -283,11 +308,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -330,7 +362,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -338,9 +369,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -350,6 +378,7 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ @@ -357,9 +386,9 @@ top_srcdir = @top_srcdir@ CLEANFILES = *~ securelibfilterdir = $(SECUREDIR)/pam_filter AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(srcdir)/.. @PIE_CFLAGS@ + -I$(srcdir)/.. @EXE_CFLAGS@ $(WARN_CFLAGS) -AM_LDFLAGS = @PIE_LDFLAGS@ +AM_LDFLAGS = @EXE_LDFLAGS@ LDADD = $(top_builddir)/libpam/libpam.la all: all-am @@ -377,14 +406,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_filter/upperLOWER/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_filter/upperLOWER/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -455,21 +483,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/upperLOWER.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/upperLOWER.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -536,7 +570,10 @@ cscopelist-am: $(am__tagged_files) distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -610,7 +647,7 @@ clean-am: clean-generic clean-libtool clean-securelibfilterPROGRAMS \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/upperLOWER.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -656,7 +693,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/upperLOWER.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -677,21 +714,24 @@ uninstall-am: uninstall-securelibfilterPROGRAMS .MAKE: install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-securelibfilterPROGRAMS cscopelist-am \ - ctags ctags-am distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-securelibfilterPROGRAMS \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-generic clean-libtool clean-securelibfilterPROGRAMS \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibfilterPROGRAMS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am \ uninstall-securelibfilterPROGRAMS +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/modules/pam_ftp/Makefile.am b/modules/pam_ftp/Makefile.am index bbc0a739..18bb52c4 100644 --- a/modules/pam_ftp/Makefile.am +++ b/modules/pam_ftp/Makefile.am @@ -5,15 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_ftp +EXTRA_DIST = $(XMLS) -man_MANS = pam_ftp.8 +if HAVE_DOC +dist_man_MANS = pam_ftp.8 +endif XMLS = README.xml pam_ftp.8.xml +dist_check_SCRIPTS = tst-pam_ftp +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -22,10 +31,7 @@ endif securelib_LTLIBRARIES = pam_ftp.la pam_ftp_la_LIBADD = $(top_builddir)/libpam/libpam.la -TESTS = tst-pam_ftp - if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_ftp.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_ftp/Makefile.in b/modules/pam_ftp/Makefile.in index d2a5571c..442fb494 100644 --- a/modules/pam_ftp/Makefile.in +++ b/modules/pam_ftp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_ftp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_ftp.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_ftp -man_MANS = pam_ftp.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_ftp.8 XMLS = README.xml pam_ftp.8.xml +dist_check_SCRIPTS = tst-pam_ftp +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_ftp.la pam_ftp_la_LIBADD = $(top_builddir)/libpam/libpam.la -TESTS = tst-pam_ftp -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_ftp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_ftp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_ftp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_ftp.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_ftp.log: tst-pam_ftp @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_ftp.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_ftp.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_ftp.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_ftp/README.xml b/modules/pam_ftp/README.xml index 65de28e3..f4606bee 100644 --- a/modules/pam_ftp/README.xml +++ b/modules/pam_ftp/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_ftp.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_ftp-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_ftp/pam_ftp.8 b/modules/pam_ftp/pam_ftp.8 index 1d5c9b7b..c705ea1b 100644 --- a/modules/pam_ftp/pam_ftp.8 +++ b/modules/pam_ftp/pam_ftp.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_ftp .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_FTP" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FTP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -54,17 +54,17 @@ This module is not safe and easily spoofable\&. .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBignore\fR +ignore .RS 4 Pay no attention to the email address of the user (if supplied)\&. .RE .PP -\fBftp=\fR\fB\fIXXX,YYY,\&.\&.\&.\fR\fR +ftp=XXX,YYY,\&.\&.\&. .RS 4 Instead of \fIftp\fR @@ -119,7 +119,7 @@ auth required pam_listfile\&.so \e .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_ftp/pam_ftp.8.xml b/modules/pam_ftp/pam_ftp.8.xml index 6f11f570..90079d30 100644 --- a/modules/pam_ftp/pam_ftp.8.xml +++ b/modules/pam_ftp/pam_ftp.8.xml @@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_ftp"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_ftp"> <refmeta> <refentrytitle>pam_ftp</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_ftp-name"> + <refnamediv xml:id="pam_ftp-name"> <refname>pam_ftp</refname> <refpurpose>PAM module for anonymous access module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_ftp-cmdsynopsis"> + <cmdsynopsis xml:id="pam_ftp-cmdsynopsis" sepchar=" "> <command>pam_ftp.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore </arg> - <arg choice="opt" rep='repeat'> + <arg choice="opt" rep="repeat"> users=<replaceable>XXX,YYY,</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_ftp-description"> + <refsect1 xml:id="pam_ftp-description"> <title>DESCRIPTION</title> @@ -54,7 +51,7 @@ </para> </refsect1> - <refsect1 id="pam_ftp-options"> + <refsect1 xml:id="pam_ftp-options"> <title>OPTIONS</title> <para> @@ -62,7 +59,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -73,7 +70,7 @@ <varlistentry> <term> - <option>ignore</option> + ignore </term> <listitem> <para> @@ -85,7 +82,7 @@ <varlistentry> <term> - <option>ftp=<replaceable>XXX,YYY,...</replaceable></option> + ftp=XXX,YYY,... </term> <listitem> <para> @@ -105,14 +102,14 @@ </para> </refsect1> - <refsect1 id="pam_ftp-types"> + <refsect1 xml:id="pam_ftp-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_ftp-return_values'> + <refsect1 xml:id="pam_ftp-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -139,7 +136,7 @@ </para> </refsect1> - <refsect1 id='pam_ftp-examples'> + <refsect1 xml:id="pam_ftp-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/ftpd</filename> to @@ -158,7 +155,7 @@ auth required pam_listfile.so \ </para> </refsect1> - <refsect1 id='pam_ftp-see_also'> + <refsect1 xml:id="pam_ftp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -168,16 +165,16 @@ auth required pam_listfile.so \ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_ftp-author'> + <refsect1 xml:id="pam_ftp-author"> <title>AUTHOR</title> <para> pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 1c2f1456..41fb9f48 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -1,10 +1,7 @@ -/* pam_ftp module */ - /* - * $Id$ + * pam_ftp module * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 - * */ #define PLEASE_ENTER_PASSWORD "Password required for %s." @@ -23,18 +20,10 @@ #include <stdarg.h> #include <string.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* argument parsing */ @@ -49,18 +38,18 @@ _pam_parse(pam_handle_t *pamh, int argc, const char **argv, const char **users) /* step through arguments */ for (ctrl=0; argc-- > 0; ++argv) { + const char *str; /* generic options */ if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"users=",6)) { - *users = 6 + *argv; - } else if (!strcmp(*argv,"ignore")) { + else if (!strcmp(*argv,"ignore")) ctrl |= PAM_IGNORE_EMAIL; - } else { + else if ((str = pam_str_skip_prefix(*argv, "users=")) != NULL) + *users = str; + else pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } } return ctrl; @@ -122,7 +111,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *users = NULL; /* - * this module checks if the user name is ftp or annonymous. If + * this module checks if the user name is ftp or anonymous. If * this is the case, it can set the PAM_RUSER to the entered email * address and SUCCEEDS, otherwise it FAILS. */ @@ -130,8 +119,9 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, ctrl = _pam_parse(pamh, argc, argv, &users); retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { - pam_syslog(pamh, LOG_ERR, "no user specified"); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_USER_UNKNOWN; } @@ -143,6 +133,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, retval = pam_set_item(pamh, PAM_USER, (const void *)anon_user); if (retval != PAM_SUCCESS || anon_user == NULL) { pam_syslog(pamh, LOG_ERR, "user resetting failed"); + free(anon_user); + return PAM_USER_UNKNOWN; } free(anon_user); @@ -165,7 +157,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, GUEST_LOGIN_PROMPT); if (retval != PAM_SUCCESS) { - _pam_overwrite (resp); + pam_overwrite_string (resp); _pam_drop (resp); return ((retval == PAM_CONV_AGAIN) ? PAM_INCOMPLETE:PAM_AUTHINFO_UNAVAIL); @@ -185,7 +177,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } - /* we are happy to grant annonymous access to the user */ + /* we are happy to grant anonymous access to the user */ retval = PAM_SUCCESS; } else { @@ -204,7 +196,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } /* clean up */ - _pam_overwrite(resp); + pam_overwrite_string(resp); _pam_drop(resp); /* success or failure */ diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am index 6c1c5213..af8df4eb 100644 --- a/modules/pam_group/Makefile.am +++ b/modules/pam_group/Makefile.am @@ -5,16 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group +EXTRA_DIST = $(XMLS) -man_MANS = group.conf.5 pam_group.8 +if HAVE_DOC +dist_man_MANS = group.conf.5 pam_group.8 +endif XMLS = README.xml group.conf.5.xml pam_group.8.xml +dist_check_SCRIPTS = tst-pam_group +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -23,12 +31,9 @@ endif securelib_LTLIBRARIES = pam_group.la pam_group_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = group.conf - -TESTS = tst-pam_group +dist_secureconf_DATA = group.conf if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_group.8.xml group.conf.5.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_group/Makefile.in b/modules/pam_group/Makefile.in index 412e59ff..66e4ed95 100644 --- a/modules/pam_group/Makefile.in +++ b/modules/pam_group/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,27 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_group -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -158,7 +171,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_group.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,8 +202,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -364,6 +379,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -386,6 +402,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -405,24 +424,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -436,7 +464,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -455,11 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -482,8 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -494,11 +523,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -541,7 +577,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -549,9 +584,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -561,26 +593,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README group.conf $(MANS) $(XMLS) tst-pam_group -man_MANS = group.conf.5 pam_group.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = group.conf.5 pam_group.8 XMLS = README.xml group.conf.5.xml pam_group.8.xml +dist_check_SCRIPTS = tst-pam_group +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_group.la pam_group_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = group.conf -TESTS = tst-pam_group -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +dist_secureconf_DATA = group.conf +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -597,14 +632,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_group/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_group/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -660,21 +694,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_group.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_group.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -688,10 +728,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -726,15 +766,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -769,14 +809,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -790,9 +830,9 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) @@ -878,7 +918,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -955,7 +995,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -968,7 +1008,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -978,7 +1018,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1011,7 +1051,10 @@ tst-pam_group.log: tst-pam_group @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1042,6 +1085,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1090,7 +1134,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_group.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1107,7 +1151,7 @@ info: info-am info-am: -install-data-am: install-man install-secureconfDATA \ +install-data-am: install-dist_secureconfDATA install-man \ install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1137,7 +1181,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_group.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1154,32 +1198,33 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man5 \ - install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-secureconfDATA \ - install-securelibLTLIBRARIES install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dist_secureconfDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am recheck tags tags-am uninstall \ + uninstall-am uninstall-dist_secureconfDATA uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@ENABLE_REGENERATE_MAN_TRUE@README: pam_group.8.xml group.conf.5.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_group/README b/modules/pam_group/README index 9d6d0970..5e2d01e0 100644 --- a/modules/pam_group/README +++ b/modules/pam_group/README @@ -12,6 +12,9 @@ applying for. By default rules for group memberships are taken from config file /etc/security /group.conf. +If /etc/security/group.conf does not exist, %vendordir%/security/group.conf is +used. + This module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the diff --git a/modules/pam_group/README.xml b/modules/pam_group/README.xml index 387d6987..8ccd55d0 100644 --- a/modules/pam_group/README.xml +++ b/modules/pam_group/README.xml @@ -1,34 +1,19 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamgroup SYSTEM "pam_group.8.xml"> ---> -<!-- -<!ENTITY groupconf SYSTEM "group.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_group.8.xml" xpointer='xpointer(id("pam_group-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_group.8.xml" xpointer='xpointer(id("pam_group-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="group.conf.5.xml" xpointer='xpointer(id("group.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5 index 933a22ec..96bb061c 100644 --- a/modules/pam_group/group.conf.5 +++ b/modules/pam_group/group.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: group.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "GROUP\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "GROUP\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -53,6 +53,8 @@ The third field, the \fIusers\fR field, is a logic list of users, or a UNIX group, or a netgroup of users to whom this rule applies\&. Group names are preceded by a \*(Aq%\*(Aq symbol, while netgroup names are preceded by a \*(Aq@\*(Aq symbol\&. .PP +A logic list namely means individual tokens that are optionally prefixed with \*(Aq!\*(Aq (logical not) and separated with \*(Aq&\*(Aq (logical and) and \*(Aq|\*(Aq (logical or)\&. +.PP For these items the simple wildcard \*(Aq*\*(Aq may be used only once\&. With UNIX groups or netgroups no wildcards or logic operators are allowed\&. .PP The @@ -113,7 +115,7 @@ xsh; tty* ;%admin;Al0000\-2400;plugdev .PP \fBpam_group\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml index fc5370f5..8d5b2d4f 100644 --- a/modules/pam_group/group.conf.5.xml +++ b/modules/pam_group/group.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="group.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="group.conf"> <refmeta> <refentrytitle>group.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_group module</refpurpose> </refnamediv> - <refsect1 id='group.conf-description'> + <refsect1 xml:id="group.conf-description"> <title>DESCRIPTION</title> <para> @@ -58,6 +55,12 @@ </para> <para> + A logic list namely means individual tokens that are optionally prefixed + with '!' (logical not) and separated with '&' (logical and) and '|' + (logical or). + </para> + + <para> For these items the simple wildcard '*' may be used only once. With UNIX groups or netgroups no wildcards or logic operators are allowed. @@ -92,7 +95,7 @@ </para> </refsect1> - <refsect1 id="group.conf-examples"> + <refsect1 xml:id="group.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -123,19 +126,19 @@ xsh; tty* ;%admin;Al0000-2400;plugdev </refsect1> - <refsect1 id="group.conf-see_also"> + <refsect1 xml:id="group.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="group.conf-author"> + <refsect1 xml:id="group.conf-author"> <title>AUTHOR</title> <para> pam_group was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8 index 804c921a..1553f207 100644 --- a/modules/pam_group/pam_group.8 +++ b/modules/pam_group/pam_group.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_group .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_GROUP" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_GROUP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -103,7 +103,7 @@ Default configuration file .PP \fBgroup.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml index 2c1c9058..292ee1cb 100644 --- a/modules/pam_group/pam_group.8.xml +++ b/modules/pam_group/pam_group.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_group'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_group"> <refmeta> <refentrytitle>pam_group</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_group-name'> + <refnamediv xml:id="pam_group-name"> <refname>pam_group</refname> <refpurpose> PAM module for group access @@ -20,13 +17,13 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_group-cmdsynopsis"> + <cmdsynopsis xml:id="pam_group-cmdsynopsis" sepchar=" "> <command>pam_group.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_group-description"> + <refsect1 xml:id="pam_group-description"> <title>DESCRIPTION</title> <para> The pam_group PAM module does not authenticate the user, but instead @@ -38,6 +35,10 @@ By default rules for group memberships are taken from config file <filename>/etc/security/group.conf</filename>. </para> + <para condition="with_vendordir"> + If <filename>/etc/security/group.conf</filename> does not exist, + <filename>%vendordir%/security/group.conf</filename> is used. + </para> <para> This module's usefulness relies on the file-systems accessible to the user. The point being that once granted the @@ -60,19 +61,19 @@ </para> </refsect1> - <refsect1 id="pam_group-options"> + <refsect1 xml:id="pam_group-options"> <title>OPTIONS</title> <para>This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_group-types"> + <refsect1 xml:id="pam_group-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id="pam_group-return_values"> + <refsect1 xml:id="pam_group-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -126,11 +127,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_group-files"> + <refsect1 xml:id="pam_group-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/group.conf</filename></term> + <term>/etc/security/group.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -138,7 +139,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_group-see_also"> + <refsect1 xml:id="pam_group-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -148,15 +149,15 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_group-authors"> + <refsect1 xml:id="pam_group-authors"> <title>AUTHORS</title> <para> pam_group was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index 8cd178c0..7d11f590 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -1,6 +1,6 @@ -/* pam_group module */ - /* + * pam_group module + * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/7/6 * Field parsing rewritten by Tomas Mraz <tm@t8m.info> */ @@ -16,6 +16,7 @@ #include <time.h> #include <syslog.h> #include <string.h> +#include <errno.h> #include <grp.h> #include <sys/types.h> @@ -23,6 +24,10 @@ #include <fcntl.h> #include <netdb.h> +#define PAM_GROUP_CONF SCONFIGDIR "/group.conf" +#ifdef VENDOR_SCONFIGDIR +# define VENDOR_PAM_GROUP_CONF VENDOR_SCONFIGDIR "/group.conf" +#endif #define PAM_GROUP_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ @@ -35,19 +40,11 @@ typedef enum { AND, OR } operator; -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* --- static functions for checking whether the user should be let in --- */ @@ -57,7 +54,7 @@ shift_buf(char *mem, int from) char *start = mem; while ((*mem = mem[from]) != '\0') ++mem; - memset(mem, '\0', PAM_GROUP_BUFLEN - (mem - start)); + pam_overwrite_n(mem, PAM_GROUP_BUFLEN - (mem - start)); return mem; } @@ -79,7 +76,8 @@ trim_spaces(char *buf, char *from) #define STATE_EOF 3 /* end of file or error */ static int -read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) +read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, + const char *conf_filename) { char *to; char *src; @@ -98,9 +96,9 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) } *from = 0; *state = STATE_NL; - fd = open(PAM_GROUP_CONF, O_RDONLY); + fd = open(conf_filename, O_RDONLY); if (fd < 0) { - pam_syslog(pamh, LOG_ERR, "error opening %s: %m", PAM_GROUP_CONF); + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", conf_filename); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -115,9 +113,9 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) while (fd != -1 && to - *buf < PAM_GROUP_BUFLEN) { i = pam_modutil_read(fd, to, PAM_GROUP_BUFLEN - (to - *buf)); if (i < 0) { - pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_GROUP_CONF); + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", conf_filename); close(fd); - memset(*buf, 0, PAM_GROUP_BUFLEN); + pam_overwrite_n(*buf, PAM_GROUP_BUFLEN); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -136,7 +134,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) return -1; } - memset(to, '\0', PAM_GROUP_BUFLEN - (to - *buf)); + pam_overwrite_n(to, PAM_GROUP_BUFLEN - (to - *buf)); to = *buf; onspace = 1; /* delete any leading spaces */ @@ -183,6 +181,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) ++src; /* skip it */ break; } + /* fallthrough */ default: *to++ = c; onspace = 0; @@ -297,6 +296,7 @@ logic_field (const pam_handle_t *pamh, const void *me, return FALSE; } next = VAL; + not = FALSE; } at += l; } @@ -580,6 +580,18 @@ static int check_account(pam_handle_t *pamh, const char *service, int retval=PAM_SUCCESS; gid_t *grps; int no_grps; + const char *conf_filename = PAM_GROUP_CONF; + +#ifdef VENDOR_PAM_GROUP_CONF + /* + * Check whether PAM_GROUP_CONF file is available. + * If it does not exist, fall back to VENDOR_PAM_GROUP_CONF file. + */ + struct stat stat_buffer; + if (stat(conf_filename, &stat_buffer) != 0 && errno == ENOENT) { + conf_filename = VENDOR_PAM_GROUP_CONF; + } +#endif /* * first we get the current list of groups - the application @@ -618,7 +630,7 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the service name field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (!buffer || !buffer[0]) { /* empty line .. ? */ continue; @@ -628,7 +640,7 @@ static int check_account(pam_handle_t *pamh, const char *service, if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } @@ -637,10 +649,10 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the terminal name field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } good &= logic_field(pamh,tty, buffer, count, is_same); @@ -648,10 +660,10 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the username field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } /* If buffer starts with @, we are using netgroups */ @@ -670,20 +682,20 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the time field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } good &= logic_field(pamh,&here_and_now, buffer, count, check_time); D(("with time: %s", good ? "passes":"fails" )); - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state == STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: poorly terminated rule #%d", PAM_GROUP_CONF, count); + "%s: poorly terminated rule #%d", conf_filename, count); continue; } @@ -733,7 +745,7 @@ static int check_account(pam_handle_t *pamh, const char *service, } if (grps) { /* tidy up */ - memset(grps, 0, sizeof(gid_t) * blk_size(no_grps)); + pam_overwrite_n(grps, sizeof(gid_t) * blk_size(no_grps)); _pam_drop(grps); no_grps = 0; } @@ -761,9 +773,12 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, unsigned setting; /* only interested in establishing credentials */ + /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. + Some people just pass PAM_SILENT, so cope with it, too. */ setting = flags; - if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { + if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) + && (setting != 0) && (setting != PAM_SILENT)) { D(("ignoring call - not for establishing credentials")); return PAM_SUCCESS; /* don't fail because of this */ } @@ -778,9 +793,8 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_issue/Makefile.am b/modules/pam_issue/Makefile.am index 92917398..1ab2b2ce 100644 --- a/modules/pam_issue/Makefile.am +++ b/modules/pam_issue/Makefile.am @@ -5,27 +5,33 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_issue +EXTRA_DIST = $(XMLS) -man_MANS = pam_issue.8 +if HAVE_DOC +dist_man_MANS = pam_issue.8 +endif XMLS = README.xml pam_issue.8.xml - -TESTS = tst-pam_issue +dist_check_SCRIPTS = tst-pam_issue +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(LOGIND_CFLAGS) $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_issue.la -pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_issue.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_issue/Makefile.in b/modules/pam_issue/Makefile.in index c718cc28..02a3cc16 100644 --- a/modules/pam_issue/Makefile.in +++ b/modules/pam_issue/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_issue -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -136,7 +148,9 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_issue_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_issue_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_issue_la_SOURCES = pam_issue.c pam_issue_la_OBJECTS = pam_issue.lo AM_V_lt = $(am__v_lt_@AM_V@) @@ -157,7 +171,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_issue.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +201,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +378,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +401,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +423,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +463,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +481,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +511,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +522,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +576,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +583,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +592,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_issue -man_MANS = pam_issue.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_issue.8 XMLS = README.xml pam_issue.8.xml -TESTS = tst-pam_issue +dist_check_SCRIPTS = tst-pam_issue +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(LOGIND_CFLAGS) $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_issue.la -pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +630,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_issue/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_issue/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +692,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_issue.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_issue.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +726,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +764,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +852,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +929,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +942,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +952,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +985,10 @@ tst-pam_issue.log: tst-pam_issue @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1019,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1068,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_issue.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1114,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_issue.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1137,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1154,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_issue.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_issue/README.xml b/modules/pam_issue/README.xml index b5b61c3a..36742c77 100644 --- a/modules/pam_issue/README.xml +++ b/modules/pam_issue/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_issue.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_issue-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_issue/pam_issue.8 b/modules/pam_issue/pam_issue.8 index 5d61a643..745cc421 100644 --- a/modules/pam_issue/pam_issue.8 +++ b/modules/pam_issue/pam_issue.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_issue .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ISSUE" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ISSUE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -38,69 +38,69 @@ pam_issue is a PAM module to prepend an issue file to the username prompt\&. It .PP Recognized escapes: .PP -\fB\ed\fR +\ed .RS 4 current day .RE .PP -\fB\el\fR +\el .RS 4 name of this tty .RE .PP -\fB\em\fR +\em .RS 4 machine architecture (uname \-m) .RE .PP -\fB\en\fR +\en .RS 4 machine\*(Aqs network node hostname (uname \-n) .RE .PP -\fB\eo\fR +\eo .RS 4 domain name of this system .RE .PP -\fB\er\fR +\er .RS 4 release number of operating system (uname \-r) .RE .PP -\fB\et\fR +\et .RS 4 current time .RE .PP -\fB\es\fR +\es .RS 4 operating system name (uname \-s) .RE .PP -\fB\eu\fR +\eu .RS 4 number of users currently logged in .RE .PP -\fB\eU\fR +\eU .RS 4 same as \eu except it is suffixed with "user" or "users" (eg\&. "1 user" or "10 users") .RE .PP -\fB\ev\fR +\ev .RS 4 operating system version and build date (uname \-v) .RE .SH "OPTIONS" .PP .PP -\fBnoesc\fR +noesc .RS 4 Turns off escape code parsing\&. .RE .PP -\fBissue=\fR\fB\fIissue\-file\-name\fR\fR +issue=issue\-file\-name .RS 4 The file to output if not using the default\&. .RE @@ -152,7 +152,7 @@ to set the user specific issue at login: .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_issue was written by Ben Collins <bcollins@debian\&.org>\&. diff --git a/modules/pam_issue/pam_issue.8.xml b/modules/pam_issue/pam_issue.8.xml index fb9b7377..02b31f6f 100644 --- a/modules/pam_issue/pam_issue.8.xml +++ b/modules/pam_issue/pam_issue.8.xml @@ -1,110 +1,107 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_issue"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_issue"> <refmeta> <refentrytitle>pam_issue</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_issue-name"> + <refnamediv xml:id="pam_issue-name"> <refname>pam_issue</refname> <refpurpose>PAM module to add issue file to user prompt</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_issue-cmdsynopsis"> + <cmdsynopsis xml:id="pam_issue-cmdsynopsis" sepchar=" "> <command>pam_issue.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noesc </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> issue=<replaceable>issue-file-name</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_issue-description"> + <refsect1 xml:id="pam_issue-description"> <title>DESCRIPTION</title> <para> pam_issue is a PAM module to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file - similar to some common getty's (using \x format). + similar to some common getty's (using \x format). </para> <para> Recognized escapes: </para> <variablelist> <varlistentry> - <term><emphasis remap='B'>\d</emphasis></term> + <term>\d</term> <listitem> <para>current day</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\l</emphasis></term> + <term>\l</term> <listitem> <para>name of this tty</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\m</emphasis></term> + <term>\m</term> <listitem> <para>machine architecture (uname -m)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\n</emphasis></term> + <term>\n</term> <listitem> <para>machine's network node hostname (uname -n)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\o</emphasis></term> + <term>\o</term> <listitem> <para>domain name of this system</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\r</emphasis></term> + <term>\r</term> <listitem> <para>release number of operating system (uname -r)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\t</emphasis></term> + <term>\t</term> <listitem> <para>current time</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\s</emphasis></term> + <term>\s</term> <listitem> <para>operating system name (uname -s)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\u</emphasis></term> + <term>\u</term> <listitem> <para>number of users currently logged in</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\U</emphasis></term> + <term>\U</term> <listitem> <para> - same as \u except it is suffixed with "user" or + same as \u except it is suffixed with "user" or "users" (eg. "1 user" or "10 users") </para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\v</emphasis></term> + <term>\v</term> <listitem> <para>operating system version and build date (uname -v)</para> </listitem> @@ -113,7 +110,7 @@ </refsect1> - <refsect1 id="pam_issue-options"> + <refsect1 xml:id="pam_issue-options"> <title>OPTIONS</title> <para> @@ -121,7 +118,7 @@ <varlistentry> <term> - <option>noesc</option> + noesc </term> <listitem> <para> @@ -132,7 +129,7 @@ <varlistentry> <term> - <option>issue=<replaceable>issue-file-name</replaceable></option> + issue=issue-file-name </term> <listitem> <para> @@ -146,14 +143,14 @@ </para> </refsect1> - <refsect1 id="pam_issue-types"> + <refsect1 xml:id="pam_issue-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_issue-return_values'> + <refsect1 xml:id="pam_issue-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -198,7 +195,7 @@ </para> </refsect1> - <refsect1 id='pam_issue-examples'> + <refsect1 xml:id="pam_issue-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -209,7 +206,7 @@ </para> </refsect1> - <refsect1 id='pam_issue-see_also'> + <refsect1 xml:id="pam_issue-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -219,16 +216,16 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_issue-author'> + <refsect1 xml:id="pam_issue-author"> <title>AUTHOR</title> <para> pam_issue was written by Ben Collins <bcollins@debian.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c index 5fa21c37..c08f90c3 100644 --- a/modules/pam_issue/pam_issue.c +++ b/modules/pam_issue/pam_issue.c @@ -1,4 +1,5 @@ -/* pam_issue module - a simple /etc/issue parser to set PAM_USER_PROMPT +/* + * pam_issue module - a simple /etc/issue parser to set PAM_USER_PROMPT * * Copyright 1999 by Ben Collins <bcollins@debian.org> * @@ -22,111 +23,24 @@ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> -#include <string.h> #include <unistd.h> #include <sys/utsname.h> -#include <utmp.h> #include <time.h> #include <syslog.h> -#define PAM_SM_AUTH +#ifdef USE_LOGIND +#include <systemd/sd-login.h> +#else +#include <utmp.h> +#endif #include <security/_pam_macros.h> #include <security/pam_modules.h> #include <security/pam_ext.h> +#include "pam_inline.h" static int _user_prompt_set = 0; -static int read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt); -static int read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt); - -/* --- authentication management functions (only) --- */ - -int -pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int retval = PAM_SERVICE_ERR; - FILE *fp; - const char *issue_file = NULL; - int parse_esc = 1; - const void *item = NULL; - const char *cur_prompt; - char *issue_prompt = NULL; - - /* If we've already set the prompt, don't set it again */ - if(_user_prompt_set) - return PAM_IGNORE; - - /* We set this here so if we fail below, we wont get further - than this next time around (only one real failure) */ - _user_prompt_set = 1; - - for ( ; argc-- > 0 ; ++argv ) { - if (!strncmp(*argv,"issue=",6)) { - issue_file = 6 + *argv; - D(("set issue_file to: %s", issue_file)); - } else if (!strcmp(*argv,"noesc")) { - parse_esc = 0; - D(("turning off escape parsing by request")); - } else - D(("unknown option passed: %s", *argv)); - } - - if (issue_file == NULL) - issue_file = "/etc/issue"; - - if ((fp = fopen(issue_file, "r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "error opening %s: %m", issue_file); - return PAM_SERVICE_ERR; - } - - if ((retval = pam_get_item(pamh, PAM_USER_PROMPT, &item)) != PAM_SUCCESS) { - fclose(fp); - return retval; - } - - cur_prompt = item; - if (cur_prompt == NULL) - cur_prompt = ""; - - if (parse_esc) - retval = read_issue_quoted(pamh, fp, &issue_prompt); - else - retval = read_issue_raw(pamh, fp, &issue_prompt); - - fclose(fp); - - if (retval != PAM_SUCCESS) - goto out; - - { - size_t size = strlen(issue_prompt) + strlen(cur_prompt) + 1; - char *new_prompt = realloc(issue_prompt, size); - - if (new_prompt == NULL) { - pam_syslog(pamh, LOG_CRIT, "out of memory"); - retval = PAM_BUF_ERR; - goto out; - } - issue_prompt = new_prompt; - } - - strcat(issue_prompt, cur_prompt); - retval = pam_set_item(pamh, PAM_USER_PROMPT, - (const void *) issue_prompt); - out: - _pam_drop(issue_prompt); - return (retval == PAM_SUCCESS) ? PAM_IGNORE : retval; -} - -int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - return PAM_IGNORE; -} - static int read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt) { @@ -161,6 +75,7 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) { int c; size_t size = 1024; + size_t issue_len = 0; char *issue; struct utsname uts; @@ -171,41 +86,42 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) return PAM_BUF_ERR; } - issue[0] = '\0'; (void) uname(&uts); while ((c = getc(fp)) != EOF) { - char buf[1024]; + const char *src = NULL; + size_t len = 0; + char buf[1024] = ""; - buf[0] = '\0'; if (c == '\\') { if ((c = getc(fp)) == EOF) break; switch (c) { case 's': - strncat(buf, uts.sysname, sizeof(buf) - 1); + src = uts.sysname; + len = strnlen(uts.sysname, sizeof(uts.sysname)); break; case 'n': - strncat(buf, uts.nodename, sizeof(buf) - 1); + src = uts.nodename; + len = strnlen(uts.nodename, sizeof(uts.nodename)); break; case 'r': - strncat(buf, uts.release, sizeof(buf) - 1); + src = uts.release; + len = strnlen(uts.release, sizeof(uts.release)); break; case 'v': - strncat(buf, uts.version, sizeof(buf) - 1); + src = uts.version; + len = strnlen(uts.version, sizeof(uts.version)); break; case 'm': - strncat(buf, uts.machine, sizeof(buf) - 1); + src = uts.machine; + len = strnlen(uts.machine, sizeof(uts.machine)); break; case 'o': - { - char domainname[256]; - - if (getdomainname(domainname, sizeof(domainname)) >= 0) { - domainname[sizeof(domainname)-1] = '\0'; - strncat(buf, domainname, sizeof(buf) - 1); - } - } +#ifdef HAVE_GETDOMAINNAME + if (getdomainname(buf, sizeof(buf)) >= 0) + buf[sizeof(buf) - 1] = '\0'; +#endif break; case 'd': case 't': @@ -234,11 +150,13 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) break; case 'l': { - char *ttyn = ttyname(1); + const char *ttyn = ttyname(1); if (ttyn) { - if (!strncmp(ttyn, "/dev/", 5)) - ttyn += 5; - strncat(buf, ttyn, sizeof(buf) - 1); + const char *str = pam_str_skip_prefix(ttyn, "/dev/"); + if (str != NULL) + ttyn = str; + src = ttyn; + len = strlen(ttyn); } } break; @@ -246,6 +164,18 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) case 'U': { unsigned int users = 0; +#ifdef USE_LOGIND + int sessions = sd_get_sessions(NULL); + + if (sessions < 0) { + pam_syslog(pamh, LOG_ERR, "logind error: %s", + strerror(-sessions)); + _pam_drop(issue); + return PAM_SERVICE_ERR; + } else { + users = sessions; + } +#else struct utmp *ut; setutent(); while ((ut = getutent())) { @@ -253,6 +183,7 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) ++users; } endutent(); +#endif if (c == 'U') snprintf (buf, sizeof buf, "%u %s", users, (users == 1) ? "user" : "users"); @@ -267,20 +198,27 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) buf[0] = c; buf[1] = '\0'; } - if ((strlen(issue) + strlen(buf)) + 1 > size) { + if (src == NULL) { + src = buf; + len = strlen(buf); + } + if (issue_len + len + 1 > size) { char *new_issue; - size += strlen(buf) + 1; - new_issue = (char *) realloc (issue, size); + size += len + 1; + new_issue = realloc (issue, size); if (new_issue == NULL) { _pam_drop(issue); return PAM_BUF_ERR; } issue = new_issue; } - strcat(issue, buf); + memcpy(issue + issue_len, src, len); + issue_len += len; } + issue[issue_len] = '\0'; + if (ferror(fp)) { pam_syslog(pamh, LOG_ERR, "read error: %m"); _pam_drop(issue); @@ -291,4 +229,91 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) return PAM_SUCCESS; } -/* end of module definition */ +/* --- authentication management functions (only) --- */ + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int retval = PAM_SERVICE_ERR; + FILE *fp; + const char *issue_file = NULL; + int parse_esc = 1; + const void *item = NULL; + const char *cur_prompt; + char *issue_prompt = NULL; + + /* If we've already set the prompt, don't set it again */ + if(_user_prompt_set) + return PAM_IGNORE; + + /* We set this here so if we fail below, we won't get further + than this next time around (only one real failure) */ + _user_prompt_set = 1; + + for ( ; argc-- > 0 ; ++argv ) { + const char *str; + + if ((str = pam_str_skip_prefix(*argv, "issue=")) != NULL) { + issue_file = str; + D(("set issue_file to: %s", issue_file)); + } else if (!strcmp(*argv,"noesc")) { + parse_esc = 0; + D(("turning off escape parsing by request")); + } else + D(("unknown option passed: %s", *argv)); + } + + if (issue_file == NULL) + issue_file = "/etc/issue"; + + if ((fp = fopen(issue_file, "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", issue_file); + return PAM_SERVICE_ERR; + } + + if ((retval = pam_get_item(pamh, PAM_USER_PROMPT, &item)) != PAM_SUCCESS) { + fclose(fp); + return retval; + } + + cur_prompt = item; + if (cur_prompt == NULL) + cur_prompt = ""; + + if (parse_esc) + retval = read_issue_quoted(pamh, fp, &issue_prompt); + else + retval = read_issue_raw(pamh, fp, &issue_prompt); + + fclose(fp); + + if (retval != PAM_SUCCESS) + goto out; + + { + size_t size = strlen(issue_prompt) + strlen(cur_prompt) + 1; + char *new_prompt = realloc(issue_prompt, size); + + if (new_prompt == NULL) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + retval = PAM_BUF_ERR; + goto out; + } + issue_prompt = new_prompt; + } + + strcat(issue_prompt, cur_prompt); + retval = pam_set_item(pamh, PAM_USER_PROMPT, + (const void *) issue_prompt); + out: + _pam_drop(issue_prompt); + return (retval == PAM_SUCCESS) ? PAM_IGNORE : retval; +} + +int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am index 5e8657c6..e1806a41 100644 --- a/modules/pam_keyinit/Makefile.am +++ b/modules/pam_keyinit/Makefile.am @@ -5,30 +5,33 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit -XMLS = README.xml pam_keyinit.8.xml - -if HAVE_KEY_MANAGEMENT - man_MANS = pam_keyinit.8 - TESTS = tst-pam_keyinit -endif +EXTRA_DIST = $(XMLS) -if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_keyinit.8.xml --include $(top_srcdir)/Make.xml.rules +if HAVE_DOC +dist_man_MANS = pam_keyinit.8 endif +XMLS = README.xml pam_keyinit.8.xml +dist_check_SCRIPTS = tst-pam_keyinit +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_KEY_MANAGEMENT - securelib_LTLIBRARIES = pam_keyinit.la -endif +securelib_LTLIBRARIES = pam_keyinit.la pam_keyinit_la_LIBADD = $(top_builddir)/libpam/libpam.la + +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_keyinit/Makefile.in b/modules/pam_keyinit/Makefile.in index 194ed241..7da83525 100644 --- a/modules/pam_keyinit/Makefile.in +++ b/modules/pam_keyinit/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_keyinit -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,8 +155,6 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -@HAVE_KEY_MANAGEMENT_TRUE@am_pam_keyinit_la_rpath = -rpath \ -@HAVE_KEY_MANAGEMENT_TRUE@ $(securelibdir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -159,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_keyinit.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -364,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -386,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -405,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -436,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -455,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -482,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -494,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -541,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -549,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -561,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_keyinit.8 XMLS = README.xml pam_keyinit.8.xml -@HAVE_KEY_MANAGEMENT_TRUE@man_MANS = pam_keyinit.8 -@HAVE_KEY_MANAGEMENT_TRUE@TESTS = tst-pam_keyinit -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +dist_check_SCRIPTS = tst-pam_keyinit +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) -@HAVE_KEY_MANAGEMENT_TRUE@securelib_LTLIBRARIES = pam_keyinit.la +securelib_LTLIBRARIES = pam_keyinit.la pam_keyinit_la_LIBADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -594,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_keyinit/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_keyinit/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -649,7 +682,7 @@ clean-securelibLTLIBRARIES: } pam_keyinit.la: $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_DEPENDENCIES) $(EXTRA_pam_keyinit_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) $(am_pam_keyinit_la_rpath) $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_keyinit_la_OBJECTS) $(pam_keyinit_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -657,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_keyinit.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_keyinit.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -685,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -723,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -811,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -888,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -901,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -911,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -944,7 +983,10 @@ tst-pam_keyinit.log: tst-pam_keyinit @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -975,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1023,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_keyinit.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1069,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_keyinit.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1092,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1108,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_keyinit.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README index 38344d9a..fa503700 100644 --- a/modules/pam_keyinit/README +++ b/modules/pam_keyinit/README @@ -7,16 +7,18 @@ DESCRIPTION The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring. -The session component of the module checks to see if the process's session -keyring is the user default, and, if it is, creates a new anonymous session -keyring with which to replace it. - -If a new session keyring is created, it will install a link to the user common -keyring in the session keyring so that keys common to the user will be -automatically accessible through it. - -The session keyring of the invoking process will thenceforth be inherited by -all its children unless they override it. +The module checks to see if the process's session keyring is the +user-session-keyring(7), and, if it is, creates a new session-keyring(7) with +which to replace it. If a new session keyring is created, it will install a +link to the user-keyring(7) in the session keyring so that keys common to the +user will be automatically accessible through it. The session keyring of the +invoking process will thenceforth be inherited by all its children unless they +override it. + +In order to allow other PAM modules to attach tokens to the keyring, this +module provides both an auth (limited to pam_setcred(3) and a session +component. The session keyring is created in the module called. Moreover this +module should be included as early as possible in a PAM configuration. This module is intended primarily for use by login processes. Be aware that after the session keyring has been replaced, the old session keyring and the @@ -26,9 +28,6 @@ This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this. -This module should be included as early as possible in a PAM configuration, so -that other PAM modules can attach tokens to the keyring. - The keyutils package is used to manipulate keys more directly. This can be obtained from: diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml index 47659e89..33059c7e 100644 --- a/modules/pam_keyinit/README.xml +++ b/modules/pam_keyinit/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8 index 4dfbffbc..50e4fe66 100644 --- a/modules/pam_keyinit/pam_keyinit.8 +++ b/modules/pam_keyinit/pam_keyinit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_keyinit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_KEYINIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_KEYINIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -36,36 +36,43 @@ pam_keyinit \- Kernel session keyring initialiser module .PP The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. .PP -The session component of the module checks to see if the process\*(Aqs session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. -.PP -If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. -.PP -The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. +The module checks to see if the process\*(Aqs session keyring is the +\fBuser-session-keyring\fR(7), and, if it is, creates a new +\fBsession-keyring\fR(7) +with which to replace it\&. If a new session keyring is created, it will install a link to the +\fBuser-keyring\fR(7) +in the session keyring so that keys common to the user will be automatically accessible through it\&. The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. +.PP +In order to allow other PAM modules to attach tokens to the keyring, this module provides both an +\fIauth\fR +(limited to +\fBpam_setcred\fR(3) +and a +\fIsession\fR +component\&. The session keyring is created in the module called\&. Moreover this module should be included as early as possible in a PAM configuration\&. .PP This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. .PP This module should not, generally, be invoked by programs like \fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. .PP -This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. -.PP The keyutils package is used to manipulate keys more directly\&. This can be obtained from: .PP \m[blue]\fBKeyutils\fR\m[]\&\s-2\u[1]\d\s+2 .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Log debug information with \fBsyslog\fR(3)\&. .RE .PP -\fBforce\fR +force .RS 4 Causes the session keyring of the invoking process to be replaced unconditionally\&. .RE .PP -\fBrevoke\fR +revoke .RS 4 Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. .RE @@ -130,7 +137,8 @@ This will prevent keys from one session leaking into another session for the sam .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\fBkeyctl\fR(1) +\fBpam\fR(7), +\fBkeyctl\fR(1) .SH "AUTHOR" .PP pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&. diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml index bcc50964..0bab0866 100644 --- a/modules/pam_keyinit/pam_keyinit.8.xml +++ b/modules/pam_keyinit/pam_keyinit.8.xml @@ -1,54 +1,65 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_keyinit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_keyinit"> <refmeta> <refentrytitle>pam_keyinit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_keyinit-name"> + <refnamediv xml:id="pam_keyinit-name"> <refname>pam_keyinit</refname> <refpurpose>Kernel session keyring initialiser module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_keyinit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_keyinit-cmdsynopsis" sepchar=" "> <command>pam_keyinit.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> force </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> revoke </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_keyinit-description"> + <refsect1 xml:id="pam_keyinit-description"> <title>DESCRIPTION</title> <para> The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring. </para> <para> - The session component of the module checks to see if the process's - session keyring is the user default, and, if it is, creates a new - anonymous session keyring with which to replace it. - </para> - <para> - If a new session keyring is created, it will install a link to the user - common keyring in the session keyring so that keys common to the user - will be automatically accessible through it. + The module checks to see if the process's session keyring is the + <citerefentry> + <refentrytitle>user-session-keyring</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, + and, if it is, creates a new + <citerefentry> + <refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + with which to replace it. If a new session keyring is created, it will + install a link to the + <citerefentry> + <refentrytitle>user-keyring</refentrytitle><manvolnum>7</manvolnum> + </citerefentry> + in the session keyring so that keys common to the user will be + automatically accessible through it. The session keyring of the invoking + process will thenceforth be inherited by all its children unless they override it. </para> <para> - The session keyring of the invoking process will thenceforth be inherited - by all its children unless they override it. + In order to allow other PAM modules to attach tokens to the keyring, this module + provides both an <emphasis>auth</emphasis> (limited to + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + and a <emphasis>session</emphasis> component. The session keyring is created + in the module called. Moreover this module should be included as early as + possible in a PAM configuration. </para> <para> This module is intended primarily for use by login processes. Be aware @@ -57,32 +68,27 @@ </para> <para> This module should not, generally, be invoked by programs like - <emphasis remap='B'>su</emphasis>, since it is usually desirable for the + <emphasis remap="B">su</emphasis>, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this. </para> <para> - This module should be included as early as possible in a PAM - configuration, so that other PAM modules can attach tokens to the - keyring. - </para> - <para> The keyutils package is used to manipulate keys more directly. This can be obtained from: </para> <para> - <ulink url="http://people.redhat.com/~dhowells/keyutils/"> + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://people.redhat.com/~dhowells/keyutils/"> Keyutils - </ulink> + </link> </para> </refsect1> - <refsect1 id="pam_keyinit-options"> + <refsect1 xml:id="pam_keyinit-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -95,7 +101,7 @@ <varlistentry> <term> - <option>force</option> + force </term> <listitem> <para> @@ -107,7 +113,7 @@ <varlistentry> <term> - <option>revoke</option> + revoke </term> <listitem> <para> @@ -121,14 +127,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_keyinit-types"> + <refsect1 xml:id="pam_keyinit-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_keyinit-return_values'> + <refsect1 xml:id="pam_keyinit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -198,7 +204,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_keyinit-examples'> + <refsect1 xml:id="pam_keyinit-examples"> <title>EXAMPLES</title> <para> Add this line to your login entries to start each login session with its @@ -213,7 +219,7 @@ session required pam_keyinit.so </para> </refsect1> - <refsect1 id='pam_keyinit-see_also'> + <refsect1 xml:id="pam_keyinit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -223,19 +229,19 @@ session required pam_keyinit.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> + </citerefentry>, <citerefentry> <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_keyinit-author'> + <refsect1 xml:id="pam_keyinit-author"> <title>AUTHOR</title> <para> pam_keyinit was written by David Howells, <dhowells@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index b2fa5d95..df9804b9 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -1,4 +1,5 @@ -/* pam_keyinit.c: Initialise the session keyring on login through a PAM module +/* + * pam_keyinit: Initialise the session keyring on login through a PAM module * * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) @@ -20,6 +21,7 @@ #include <security/pam_modutil.h> #include <security/pam_ext.h> #include <sys/syscall.h> +#include <stdatomic.h> #define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */ #define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */ @@ -30,12 +32,12 @@ #define KEYCTL_REVOKE 3 /* revoke a key */ #define KEYCTL_LINK 8 /* link a key into a keyring */ -static int my_session_keyring; -static int session_counter; -static int do_revoke; -static int revoke_as_uid; -static int revoke_as_gid; -static int xdebug = 0; +static _Thread_local int my_session_keyring = 0; +static _Atomic int session_counter = 0; +static _Thread_local int do_revoke = 0; +static _Thread_local uid_t revoke_as_uid; +static _Thread_local gid_t revoke_as_gid; +static _Thread_local int xdebug = 0; static void debug(pam_handle_t *pamh, const char *fmt, ...) __attribute__((format(printf, 2, 3))); @@ -51,24 +53,49 @@ static void debug(pam_handle_t *pamh, const char *fmt, ...) } } -static int error(pam_handle_t *pamh, const char *fmt, ...) +static void error(pam_handle_t *pamh, const char *fmt, ...) __attribute__((format(printf, 2, 3))); -static int error(pam_handle_t *pamh, const char *fmt, ...) +static void error(pam_handle_t *pamh, const char *fmt, ...) { va_list va; va_start(va, fmt); pam_vsyslog(pamh, LOG_ERR, fmt, va); va_end(va); +} + +static int pam_setreuid(uid_t ruid, uid_t euid) +{ +#if defined(SYS_setreuid32) + return syscall(SYS_setreuid32, ruid, euid); +#else + return syscall(SYS_setreuid, ruid, euid); +#endif +} + +static int pam_setregid(gid_t rgid, gid_t egid) +{ +#if defined(SYS_setregid32) + return syscall(SYS_setregid32, rgid, egid); +#else + return syscall(SYS_setregid, rgid, egid); +#endif +} - return PAM_SESSION_ERR; +static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid) +{ +#if defined(SYS_setresuid32) + return syscall(SYS_setresuid32, ruid, euid, suid); +#else + return syscall(SYS_setresuid, ruid, euid, suid); +#endif } /* * initialise the session keyring for this process */ -static int init_keyrings(pam_handle_t *pamh, int force) +static int init_keyrings(pam_handle_t *pamh, int force, int error_ret) { int session, usession, ret; @@ -85,7 +112,7 @@ static int init_keyrings(pam_handle_t *pamh, int force) * installed */ if (errno == ENOSYS) return PAM_SUCCESS; - return PAM_SESSION_ERR; + return error_ret; } usession = syscall(__NR_keyctl, @@ -94,7 +121,7 @@ static int init_keyrings(pam_handle_t *pamh, int force) 0); debug(pamh, "GET SESSION = %d", usession); if (usession < 0) - return PAM_SESSION_ERR; + return error_ret; /* if the user session keyring is our keyring, then we don't * need to do anything if we're not forcing */ @@ -108,7 +135,7 @@ static int init_keyrings(pam_handle_t *pamh, int force) NULL); debug(pamh, "JOIN = %d", ret); if (ret < 0) - return PAM_SESSION_ERR; + return error_ret; my_session_keyring = ret; @@ -118,15 +145,17 @@ static int init_keyrings(pam_handle_t *pamh, int force) KEY_SPEC_USER_KEYRING, KEY_SPEC_SESSION_KEYRING); - return ret < 0 ? PAM_SESSION_ERR : PAM_SUCCESS; + return ret < 0 ? error_ret : PAM_SUCCESS; } /* * revoke the session keyring for this process */ -static void kill_keyrings(pam_handle_t *pamh) +static int kill_keyrings(pam_handle_t *pamh, int error_ret) { - int old_uid, old_gid; + uid_t old_uid; + gid_t old_gid; + int ret = PAM_SUCCESS; /* revoke the session keyring we created earlier */ if (my_session_keyring > 0) { @@ -139,38 +168,45 @@ static void kill_keyrings(pam_handle_t *pamh) /* switch to the real UID and GID so that we have permission to * revoke the key */ - if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) - error(pamh, "Unable to change GID to %d temporarily\n", - revoke_as_gid); + if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0) { + error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid); + return error_ret; + } - if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0) - error(pamh, "Unable to change UID to %d temporarily\n", - revoke_as_uid); + if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0) { + error(pamh, "Unable to change UID to %d temporarily\n", revoke_as_uid); + if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0) + error(pamh, "Unable to change GID back to %d\n", old_gid); + return error_ret; + } - syscall(__NR_keyctl, - KEYCTL_REVOKE, - my_session_keyring); + if (syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring) < 0) { + ret = error_ret; + } - /* return to the orignal UID and GID (probably root) */ - if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) + /* return to the original UID and GID (probably root) */ + if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0) { error(pamh, "Unable to change UID back to %d\n", old_uid); + ret = error_ret; + } - if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) + if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0) { error(pamh, "Unable to change GID back to %d\n", old_gid); + ret = error_ret; + } my_session_keyring = 0; } + return ret; } -/* - * open a PAM session by making sure there's a session keyring - */ -int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error_ret) { struct passwd *pw; const char *username; - int ret, old_uid, uid, old_gid, gid, loop, force = 0; + int ret, loop, force = 0; + uid_t old_uid, uid; + gid_t old_gid, gid; for (loop = 0; loop < argc; loop++) { if (strcmp(argv[loop], "force") == 0) @@ -184,10 +220,6 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, /* don't do anything if already created a keyring (will be called * multiple times if mentioned more than once in a pam script) */ - session_counter++; - - debug(pamh, "OPEN %d", session_counter); - if (my_session_keyring > 0) return PAM_SUCCESS; @@ -198,7 +230,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, pw = pam_modutil_getpwnam(pamh, username); if (!pw) { - error(pamh, "Unable to look up user \"%s\"\n", username); + pam_syslog(pamh, LOG_NOTICE, "Unable to look up user \"%s\"\n", + username); return PAM_USER_UNKNOWN; } @@ -210,31 +243,72 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, /* switch to the real UID and GID so that the keyring ends up owned by * the right user */ - if (gid != old_gid && setregid(gid, -1) < 0) { + if (gid != old_gid && pam_setregid(gid, -1) < 0) { error(pamh, "Unable to change GID to %d temporarily\n", gid); - return PAM_SESSION_ERR; + return error_ret; } - if (uid != old_uid && setreuid(uid, -1) < 0) { + if (uid != old_uid && pam_setreuid(uid, -1) < 0) { error(pamh, "Unable to change UID to %d temporarily\n", uid); - if (setregid(old_gid, -1) < 0) + if (pam_setregid(old_gid, -1) < 0) error(pamh, "Unable to change GID back to %d\n", old_gid); - return PAM_SESSION_ERR; + return error_ret; } - ret = init_keyrings(pamh, force); + ret = init_keyrings(pamh, force, error_ret); - /* return to the orignal UID and GID (probably root) */ - if (uid != old_uid && setreuid(old_uid, -1) < 0) - ret = error(pamh, "Unable to change UID back to %d\n", old_uid); + /* return to the original UID and GID (probably root) */ + if (uid != old_uid && pam_setreuid(old_uid, -1) < 0) { + error(pamh, "Unable to change UID back to %d\n", old_uid); + ret = error_ret; + } - if (gid != old_gid && setregid(old_gid, -1) < 0) - ret = error(pamh, "Unable to change GID back to %d\n", old_gid); + if (gid != old_gid && pam_setregid(old_gid, -1) < 0) { + error(pamh, "Unable to change GID back to %d\n", old_gid); + ret = error_ret; + } return ret; } /* + * Dummy + */ +int pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +/* + * since setcred and open_session are called in different orders, a + * session ring is invoked by the first of these functions called. + */ +int pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + if (flags & PAM_ESTABLISH_CRED) { + debug(pamh, "ESTABLISH_CRED"); + return do_keyinit(pamh, argc, argv, PAM_CRED_ERR); + } + if (flags & PAM_DELETE_CRED && my_session_keyring > 0 && do_revoke) { + debug(pamh, "DELETE_CRED"); + return kill_keyrings(pamh, PAM_CRED_ERR); + } + return PAM_IGNORE; +} + +int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + session_counter++; + + debug(pamh, "OPEN %d", session_counter); + + return do_keyinit(pamh, argc, argv, PAM_SESSION_ERR); +} + +/* * close a PAM session by revoking the session keyring if requested */ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, @@ -245,8 +319,8 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, session_counter--; - if (session_counter == 0 && my_session_keyring > 0 && do_revoke) - kill_keyrings(pamh); + if (session_counter <= 0 && my_session_keyring > 0 && do_revoke) + kill_keyrings(pamh, PAM_SESSION_ERR); return PAM_SUCCESS; } diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index 1c639327..e48038d8 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +EXTRA_DIST = $(XMLS) -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog - -man_MANS = pam_lastlog.8 +if HAVE_DOC +dist_man_MANS = pam_lastlog.8 +endif XMLS = README.xml pam_lastlog.8.xml +dist_check_SCRIPTS = tst-pam_lastlog +TESTS = $(dist_check_SCRIPTS) -TESTS = tst-pam_lastlog +securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else +secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_lastlog.la pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_lastlog.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_lastlog/Makefile.in b/modules/pam_lastlog/Makefile.in index 5eafdf8d..0811a233 100644 --- a/modules/pam_lastlog/Makefile.in +++ b/modules/pam_lastlog/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_lastlog -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_lastlog.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog -man_MANS = pam_lastlog.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_lastlog.8 XMLS = README.xml pam_lastlog.8.xml -TESTS = tst-pam_lastlog -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +dist_check_SCRIPTS = tst-pam_lastlog +TESTS = $(dist_check_SCRIPTS) +securelibdir = $(SECUREDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_lastlog.la pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_lastlog/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_lastlog/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_lastlog.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_lastlog.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_lastlog.log: tst-pam_lastlog @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_lastlog.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_lastlog.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_lastlog.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_lastlog/README b/modules/pam_lastlog/README index 38a3065a..9b0cff9c 100644 --- a/modules/pam_lastlog/README +++ b/modules/pam_lastlog/README @@ -11,9 +11,14 @@ login of the user. In addition, the module maintains the /var/log/lastlog file. Some applications may perform this function themselves. In such cases, this module is not necessary. +The module checks LASTLOG_UID_MAX option in /etc/login.defs and does not update +or display last login records for users with UID higher than its value. If the +option is not present or its value is invalid, no user ID limit is applied. + If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in. The check is not -performed for the root account so the root is never locked out. +performed for the root account so the root is never locked out. It is also not +performed for users with UID higher than the LASTLOG_UID_MAX value. OPTIONS @@ -24,7 +29,7 @@ debug silent Don't inform the user about any previous login, just update the /var/log/ - lastlog file. + lastlog file. This option does not affect display of bad login attempts. never @@ -63,9 +68,15 @@ inactive=<days> number of days after the last login of the user when the user will be locked out by the module. The default value is 90. +unlimited + + If the fsize limit is set, this option can be used to override it, + preventing failures on systems with large UID values that lead lastlog to + become a huge sparse file. + EXAMPLES -Add the following line to /etc/pam.d/login to display the last login time of an +Add the following line to /etc/pam.d/login to display the last login time of a user: session required pam_lastlog.so nowtmp diff --git a/modules/pam_lastlog/README.xml b/modules/pam_lastlog/README.xml index 7fe70339..6b312435 100644 --- a/modules/pam_lastlog/README.xml +++ b/modules/pam_lastlog/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_lastlog.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_lastlog-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8 index 738bd1eb..3c161fff 100644 --- a/modules/pam_lastlog/pam_lastlog.8 +++ b/modules/pam_lastlog/pam_lastlog.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_lastlog .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LASTLOG" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LASTLOG" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_lastlog \- PAM module to display date of last login and perform inactive account lock out .SH "SYNOPSIS" .HP \w'\fBpam_lastlog\&.so\fR\ 'u -\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>] +\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>] [unlimited] .SH "DESCRIPTION" .PP pam_lastlog is a PAM module to display a line of information about the last login of the user\&. In addition, the module maintains the @@ -40,71 +40,86 @@ file\&. .PP Some applications may perform this function themselves\&. In such cases, this module is not necessary\&. .PP -If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in\&. The check is not performed for the root account so the root is never locked out\&. +The module checks +\fBLASTLOG_UID_MAX\fR +option in +/etc/login\&.defs +and does not update or display last login records for users with UID higher than its value\&. If the option is not present or its value is invalid, no user ID limit is applied\&. +.PP +If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in\&. The check is not performed for the root account so the root is never locked out\&. It is also not performed for users with UID higher than the +\fBLASTLOG_UID_MAX\fR +value\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt inform the user about any previous login, just update the /var/log/lastlog -file\&. +file\&. This option does not affect display of bad login attempts\&. .RE .PP -\fBnever\fR +never .RS 4 If the /var/log/lastlog file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\&. .RE .PP -\fBnodate\fR +nodate .RS 4 Don\*(Aqt display the date of the last login\&. .RE .PP -\fBnoterm\fR +noterm .RS 4 Don\*(Aqt display the terminal name on which the last login was attempted\&. .RE .PP -\fBnohost\fR +nohost .RS 4 Don\*(Aqt indicate from which host the last login was attempted\&. .RE .PP -\fBnowtmp\fR +nowtmp .RS 4 Don\*(Aqt update the wtmp entry\&. .RE .PP -\fBnoupdate\fR +noupdate .RS 4 Don\*(Aqt update any file\&. .RE .PP -\fBshowfailed\fR +showfailed .RS 4 Display number of failed login attempts and the date of the last failed attempt from btmp\&. The date is not displayed when \fBnodate\fR is specified\&. .RE .PP -\fBinactive=<days>\fR +inactive=<days> .RS 4 This option is specific for the auth or account phase\&. It specifies the number of days after the last login of the user when the user will be locked out by the module\&. The default value is 90\&. .RE +.PP +unlimited +.RS 4 +If the +\fIfsize\fR +limit is set, this option can be used to override it, preventing failures on systems with large UID values that lead lastlog to become a huge sparse file\&. +.RE .SH "MODULE TYPES PROVIDED" .PP The \fBauth\fR and \fBaccount\fR -module type allows to lock out users which did not login recently enough\&. The +module type allows one to lock out users who did not login recently enough\&. The \fBsession\fR module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files\&. .SH "RETURN VALUES" @@ -138,7 +153,7 @@ There was an error during reading the lastlog file in the auth or account phase .PP Add the following line to /etc/pam\&.d/login -to display the last login time of an user: +to display the last login time of a user: .sp .if n \{\ .RS 4 @@ -171,9 +186,10 @@ Lastlog logging file .RE .SH "SEE ALSO" .PP +\fBlimits.conf\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index 77da9dbc..7c15b93c 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -1,57 +1,57 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_lastlog"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_lastlog"> <refmeta> <refentrytitle>pam_lastlog</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_lastlog-name"> + <refnamediv xml:id="pam_lastlog-name"> <refname>pam_lastlog</refname> <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_lastlog-cmdsynopsis"> + <cmdsynopsis xml:id="pam_lastlog-cmdsynopsis" sepchar=" "> <command>pam_lastlog.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> never </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nodate </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nohost </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noterm </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nowtmp </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noupdate </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> showfailed </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> inactive=<days> </arg> + <arg choice="opt" rep="norepeat"> + unlimited + </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_lastlog-description"> + <refsect1 xml:id="pam_lastlog-description"> <title>DESCRIPTION</title> @@ -65,20 +65,28 @@ cases, this module is not necessary. </para> <para> + The module checks <option>LASTLOG_UID_MAX</option> option in + <filename>/etc/login.defs</filename> and does not update or display + last login records for users with UID higher than its value. + If the option is not present or its value is invalid, no user ID + limit is applied. + </para> + <para> If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in. The check is not performed for the root account so the root is never - locked out. + locked out. It is also not performed for users with UID higher + than the <option>LASTLOG_UID_MAX</option> value. </para> </refsect1> - <refsect1 id="pam_lastlog-options"> + <refsect1 xml:id="pam_lastlog-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -88,18 +96,19 @@ </varlistentry> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> Don't inform the user about any previous login, just update the <filename>/var/log/lastlog</filename> file. + This option does not affect display of bad login attempts. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>never</option> + never </term> <listitem> <para> @@ -112,7 +121,7 @@ </varlistentry> <varlistentry> <term> - <option>nodate</option> + nodate </term> <listitem> <para> @@ -122,7 +131,7 @@ </varlistentry> <varlistentry> <term> - <option>noterm</option> + noterm </term> <listitem> <para> @@ -133,7 +142,7 @@ </varlistentry> <varlistentry> <term> - <option>nohost</option> + nohost </term> <listitem> <para> @@ -144,7 +153,7 @@ </varlistentry> <varlistentry> <term> - <option>nowtmp</option> + nowtmp </term> <listitem> <para> @@ -154,7 +163,7 @@ </varlistentry> <varlistentry> <term> - <option>noupdate</option> + noupdate </term> <listitem> <para> @@ -164,7 +173,7 @@ </varlistentry> <varlistentry> <term> - <option>showfailed</option> + showfailed </term> <listitem> <para> @@ -176,7 +185,7 @@ </varlistentry> <varlistentry> <term> - <option>inactive=<days></option> + inactive=<days> </term> <listitem> <para> @@ -187,21 +196,33 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + unlimited + </term> + <listitem> + <para> + If the <emphasis>fsize</emphasis> limit is set, this option can be + used to override it, preventing failures on systems with large UID + values that lead lastlog to become a huge sparse file. + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_lastlog-types"> + <refsect1 xml:id="pam_lastlog-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module type - allows to lock out users which did not login recently enough. + allows one to lock out users who did not login recently enough. The <option>session</option> module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files. </para> </refsect1> - <refsect1 id='pam_lastlog-return_values'> + <refsect1 xml:id="pam_lastlog-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -258,11 +279,11 @@ </para> </refsect1> - <refsect1 id='pam_lastlog-examples'> + <refsect1 xml:id="pam_lastlog-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to - display the last login time of an user: + display the last login time of a user: </para> <programlisting> session required pam_lastlog.so nowtmp @@ -276,11 +297,11 @@ </programlisting> </refsect1> - <refsect1 id="pam_lastlog-files"> + <refsect1 xml:id="pam_lastlog-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/log/lastlog</filename></term> + <term>/var/log/lastlog</term> <listitem> <para>Lastlog logging file</para> </listitem> @@ -288,22 +309,25 @@ </variablelist> </refsect1> - <refsect1 id='pam_lastlog-see_also'> + <refsect1 xml:id="pam_lastlog-see_also"> <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_lastlog-author'> + <refsect1 xml:id="pam_lastlog-author"> <title>AUTHOR</title> <para> pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. @@ -313,4 +337,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 1a796b99..ec515f56 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -1,6 +1,6 @@ -/* pam_lastlog module */ - /* + * pam_lastlog module + * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 * * This module does the necessary work to display the last login @@ -20,10 +20,13 @@ #endif #include <pwd.h> #include <stdlib.h> +#include <ctype.h> #include <stdarg.h> #include <stdio.h> #include <string.h> #include <sys/types.h> +#include <sys/time.h> +#include <sys/resource.h> #include <syslog.h> #include <unistd.h> @@ -50,42 +53,36 @@ struct lastlog { # define _PATH_BTMP "/var/log/btmp" #endif -/* XXX - time before ignoring lock. Is 1 sec enough? */ -#define LASTLOG_IGNORE_LOCK_TIME 1 +#ifndef PATH_LOGIN_DEFS +# define PATH_LOGIN_DEFS "/etc/login.defs" +#endif #define DEFAULT_HOST "" /* "[no.where]" */ #define DEFAULT_TERM "" /* "tt???" */ #define DEFAULT_INACTIVE_DAYS 90 #define MAX_INACTIVE_DAYS 100000 - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT +#define LOCK_RETRIES 3 /* number of file lock retries */ +#define LOCK_RETRY_DELAY 1 /* seconds to wait between lock attempts */ #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* argument parsing */ -#define LASTLOG_DATE 01 /* display the date of the last login */ -#define LASTLOG_HOST 02 /* display the last host used (if set) */ -#define LASTLOG_LINE 04 /* display the last terminal used */ -#define LASTLOG_NEVER 010 /* display a welcome message for first login */ -#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ -#define LASTLOG_QUIET 040 /* keep quiet about things */ -#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ -#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ -#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ +#define LASTLOG_DATE 01 /* display the date of the last login */ +#define LASTLOG_HOST 02 /* display the last host used (if set) */ +#define LASTLOG_LINE 04 /* display the last terminal used */ +#define LASTLOG_NEVER 010 /* display a welcome message for first login */ +#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ +#define LASTLOG_QUIET 040 /* keep quiet about things */ +#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ +#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ +#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ +#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */ static int _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, @@ -95,13 +92,14 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, *inactive = DEFAULT_INACTIVE_DAYS; - /* does the appliction require quiet? */ + /* does the application require quiet? */ if (flags & PAM_SILENT) { ctrl |= LASTLOG_QUIET; } /* step through arguments */ for (; argc-- > 0; ++argv) { + const char *str; char *ep = NULL; long l; @@ -109,9 +107,9 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, ctrl |= LASTLOG_DEBUG; } else if (!strcmp(*argv,"silent")) { ctrl |= LASTLOG_QUIET; - } else if (!strncmp(*argv,"inactive=", 9)) { - l = strtol(*argv+9, &ep, 10); - if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS) + } else if ((str = pam_str_skip_prefix(*argv, "inactive=")) != NULL) { + l = strtol(str, &ep, 10); + if (ep != str && l > 0 && l < MAX_INACTIVE_DAYS) *inactive = l; else { pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv); @@ -130,11 +128,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) { int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE); - /* does the appliction require quiet? */ - if (flags & PAM_SILENT) { - ctrl |= LASTLOG_QUIET; - } - /* step through arguments */ for (; argc-- > 0; ++argv) { @@ -158,11 +151,19 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE); } else if (!strcmp(*argv,"showfailed")) { ctrl |= LASTLOG_BTMP; + } else if (!strcmp(*argv,"unlimited")) { + ctrl |= LASTLOG_UNLIMITED; } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } + /* does the application require quiet? */ + if (flags & PAM_SILENT) { + ctrl |= LASTLOG_QUIET; + ctrl &= ~LASTLOG_BTMP; + } + D(("ctrl = %o", ctrl)); return ctrl; } @@ -172,6 +173,7 @@ get_tty(pam_handle_t *pamh) { const void *void_terminal_line = NULL; const char *terminal_line; + const char *str; if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS || void_terminal_line == NULL) { @@ -179,14 +181,47 @@ get_tty(pam_handle_t *pamh) } else { terminal_line = void_terminal_line; } - if (!strncmp("/dev/", terminal_line, 5)) { - /* strip leading "/dev/" from tty. */ - terminal_line += 5; - } + + /* strip leading "/dev/" from tty. */ + str = pam_str_skip_prefix(terminal_line, "/dev/"); + if (str != NULL) + terminal_line = str; + D(("terminal = %s", terminal_line)); return terminal_line; } +#define MAX_UID_VALUE 0xFFFFFFFFUL + +static uid_t +get_lastlog_uid_max(pam_handle_t *pamh) +{ + uid_t uid_max = MAX_UID_VALUE; + unsigned long ul; + char *s, *ep; + + s = pam_modutil_search_key(pamh, PATH_LOGIN_DEFS, "LASTLOG_UID_MAX"); + if (s == NULL) + return uid_max; + + ep = s + strlen(s); + while (ep > s && isspace(*(--ep))) { + *ep = '\0'; + } + errno = 0; + ul = strtoul(s, &ep, 10); + if (!(ul >= MAX_UID_VALUE + || (uid_t)ul >= MAX_UID_VALUE + || (errno != 0 && ul == 0) + || s == ep + || *ep != '\0')) { + uid_max = (uid_t)ul; + } + free(s); + + return uid_max; +} + static int last_login_open(pam_handle_t *pamh, int announce, uid_t uid) { @@ -230,6 +265,7 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t { struct flock last_lock; struct lastlog last_login; + int lock_retries = LOCK_RETRIES; int retval = PAM_SUCCESS; char the_time[256]; char *date = NULL; @@ -242,11 +278,19 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t last_lock.l_start = sizeof(last_login) * (off_t) uid; last_lock.l_len = sizeof(last_login); - if (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + while (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + if (0 == --lock_retries) { + /* read lock failed, proceed anyway to avoid possible DoS */ + D(("locking %s failed", _PATH_LASTLOG)); + pam_syslog(pamh, LOG_INFO, + "file %s is locked/read, proceeding anyway", + _PATH_LASTLOG); + break; + } D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - pam_syslog(pamh, LOG_WARNING, - "file %s is locked/read", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); + pam_syslog(pamh, LOG_INFO, + "file %s is locked/read, retrying", _PATH_LASTLOG); + sleep(LOCK_RETRY_DELAY); } if (pam_modutil_read(last_fd, (char *) &last_login, @@ -322,11 +366,11 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t /* cleanup */ cleanup: - memset(&last_login, 0, sizeof(last_login)); - _pam_overwrite(date); - _pam_overwrite(host); + pam_overwrite_object(&last_login); + pam_overwrite_string(date); + pam_overwrite_string(host); _pam_drop(host); - _pam_overwrite(line); + pam_overwrite_string(line); _pam_drop(line); return retval; @@ -336,8 +380,15 @@ static int last_login_write(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, const char *user) { + static struct rlimit no_limit = { + RLIM_INFINITY, + RLIM_INFINITY + }; + struct rlimit old_limit; + int setrlimit_res; struct flock last_lock; struct lastlog last_login; + int lock_retries = LOCK_RETRIES; time_t ll_time; const void *void_remote_host = NULL; const char *remote_host; @@ -384,10 +435,42 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, last_lock.l_start = sizeof(last_login) * (off_t) uid; last_lock.l_len = sizeof(last_login); - if (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + while (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + if (0 == --lock_retries) { + D(("locking %s failed", _PATH_LASTLOG)); + pam_syslog(pamh, LOG_ERR, + "file %s is locked/write", _PATH_LASTLOG); + return PAM_SERVICE_ERR; + } D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - pam_syslog(pamh, LOG_WARNING, "file %s is locked/write", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); + pam_syslog(pamh, LOG_INFO, + "file %s is locked/write, retrying", _PATH_LASTLOG); + sleep(LOCK_RETRY_DELAY); + } + + /* + * Failing to set the 'fsize' limit is not a fatal error. We try to write + * lastlog anyway, under the risk of dying due to a SIGXFSZ. + */ + D(("setting limit for 'fsize'")); + + if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimited */ + setrlimit_res = -1; + } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) { + if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */ + setrlimit_res = -1; + } else { + setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit); + if (setrlimit_res != 0) + pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m"); + } + } else { + setrlimit_res = -1; + if (errno == EINVAL) { + pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m"); + } else { + pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m"); + } } D(("writing to the lastlog file")); @@ -397,6 +480,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, retval = PAM_SERVICE_ERR; } + /* + * Failing to restore the 'fsize' limit is a fatal error. + */ + D(("restoring limit for 'fsize'")); + if (setrlimit_res == 0) { + setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit); + if (setrlimit_res != 0) { + pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m"); + retval = PAM_SERVICE_ERR; + } + } + last_lock.l_type = F_UNLCK; (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ D(("unlocked")); @@ -407,7 +502,7 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, } /* cleanup */ - memset(&last_login, 0, sizeof(last_login)); + pam_overwrite_object(&last_login); return retval; } @@ -418,6 +513,10 @@ last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user, t int retval; int last_fd; + if (uid > get_lastlog_uid_max(pamh)) { + return PAM_SUCCESS; + } + /* obtain the last login date and all the relevant info */ last_fd = last_login_open(pamh, announce, uid); if (last_fd < 0) { @@ -490,12 +589,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt time_t lf_time; lf_time = utuser.ut_tv.tv_sec; - tm = localtime_r (&lf_time, &tm_buf); - strftime (the_time, sizeof (the_time), - /* TRANSLATORS: "strftime options for date of last login" */ - _(" %a %b %e %H:%M:%S %Z %Y"), tm); - - date = the_time; + if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) { + strftime (the_time, sizeof (the_time), + /* TRANSLATORS: "strftime options for date of last login" */ + _(" %a %b %e %H:%M:%S %Z %Y"), tm); + date = the_time; + } } /* we want & have the host? */ @@ -586,9 +685,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, /* which user? */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } @@ -596,13 +694,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, pwd = pam_modutil_getpwnam (pamh, user); if (pwd == NULL) { - pam_syslog(pamh, LOG_ERR, "user unknown"); + pam_syslog(pamh, LOG_NOTICE, "user unknown"); return PAM_USER_UNKNOWN; } uid = pwd->pw_uid; pwd = NULL; /* tidy up */ - if (uid == 0) + if (uid == 0 || uid > get_lastlog_uid_max(pamh)) return PAM_SUCCESS; /* obtain the last login date and all the relevant info */ diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am index 75a49088..3a3b5e01 100644 --- a/modules/pam_limits/Makefile.am +++ b/modules/pam_limits/Makefile.am @@ -5,20 +5,26 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) limits.conf tst-pam_limits +EXTRA_DIST = $(XMLS) -man_MANS = limits.conf.5 pam_limits.8 +if HAVE_DOC +dist_man_MANS = limits.conf.5 pam_limits.8 +endif XMLS = README.xml limits.conf.5.xml pam_limits.8.xml - -TESTS = tst-pam_limits +dist_check_SCRIPTS = tst-pam_limits +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif limits_conf_dir = $(SCONFIGDIR)/limits.d AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DLIMITS_FILE_DIR=\"$(limits_conf_dir)/*.conf\" \ - -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" + -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -27,13 +33,12 @@ endif securelib_LTLIBRARIES = pam_limits.la pam_limits_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = limits.conf +dist_secureconf_DATA = limits.conf + +install-data-local: + mkdir -p $(DESTDIR)$(limits_conf_dir) if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_limits.8.xml limits.conf.5.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -install-data-local: - mkdir -p $(DESTDIR)$(limits_conf_dir) diff --git a/modules/pam_limits/Makefile.in b/modules/pam_limits/Makefile.in index 5dd6c6e7..7b515b83 100644 --- a/modules/pam_limits/Makefile.in +++ b/modules/pam_limits/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,27 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_limits -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -158,7 +171,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_limits.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,8 +202,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -364,6 +379,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -386,6 +402,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -405,24 +424,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -436,7 +464,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -455,11 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -482,8 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -494,11 +523,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -541,7 +577,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -549,9 +584,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -561,28 +593,31 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) limits.conf tst-pam_limits -man_MANS = limits.conf.5 pam_limits.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = limits.conf.5 pam_limits.8 XMLS = README.xml limits.conf.5.xml pam_limits.8.xml -TESTS = tst-pam_limits +dist_check_SCRIPTS = tst-pam_limits +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) limits_conf_dir = $(SCONFIGDIR)/limits.d AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DLIMITS_FILE_DIR=\"$(limits_conf_dir)/*.conf\" \ - -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" + -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_limits.la pam_limits_la_LIBADD = $(top_builddir)/libpam/libpam.la -secureconf_DATA = limits.conf -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +dist_secureconf_DATA = limits.conf +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -599,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_limits/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_limits/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -662,21 +696,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_limits.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_limits.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -690,10 +730,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -728,15 +768,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -771,14 +811,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -792,9 +832,9 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) @@ -880,7 +920,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -957,7 +997,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -970,7 +1010,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -980,7 +1020,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1013,7 +1053,10 @@ tst-pam_limits.log: tst-pam_limits @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1044,6 +1087,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1092,7 +1136,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_limits.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1109,8 +1153,8 @@ info: info-am info-am: -install-data-am: install-data-local install-man install-secureconfDATA \ - install-securelibLTLIBRARIES +install-data-am: install-data-local install-dist_secureconfDATA \ + install-man install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1139,7 +1183,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_limits.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1156,36 +1200,38 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-data-local install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-man5 install-man8 install-pdf install-pdf-am \ - install-ps install-ps-am install-secureconfDATA \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-local install-dist_secureconfDATA \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-html install-html-am install-info install-info-am \ + install-man install-man5 install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES + recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_secureconfDATA uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@ENABLE_REGENERATE_MAN_TRUE@README: pam_limits.8.xml limits.conf.5.xml -@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules install-data-local: mkdir -p $(DESTDIR)$(limits_conf_dir) +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/modules/pam_limits/README b/modules/pam_limits/README index 6ff9203e..dc560eff 100644 --- a/modules/pam_limits/README +++ b/modules/pam_limits/README @@ -15,6 +15,18 @@ concatenated together in the order of parsing. If a config file is explicitly specified with a module option then the files in the above directory are not parsed. +By default limits are taken from the /etc/security/limits.conf config file or, +if that one is not present, the file %vendordir%/security/limits.conf. Then +individual *.conf files from the /etc/security/limits.d/ and %vendordir%/ +security/limits.d directories are read. If /etc/security/limits.d/ +@filename@.conf exists, then %vendordir%/security/limits.d/@filename@.conf will +not be used. All limits.d/*.conf files are sorted by their @filename@.conf in +lexicographic order regardless of which of the directories they reside in. The +effect of the individual files is the same as if all the files were +concatenated together in the order of parsing. If a config file is explicitly +specified with the config option the files in the above directories are not +parsed. + The module must not be called by a multithreaded application. If Linux PAM is compiled with audit support the module will report when it @@ -34,7 +46,9 @@ debug set_all Set the limits for which no value is specified in the configuration file to - the one from the process with the PID 1. + the one from the process with the PID 1. Please note that if the init + process is systemd these limits will not be the kernel default limits and + this option should not be used. utmp_early @@ -54,12 +68,14 @@ These are some example lines which might be specified in /etc/security/ limits.conf. * soft core 0 +root hard core 100000 * hard nofile 512 @student hard nproc 20 @faculty soft nproc 20 @faculty hard nproc 50 ftp hard nproc 0 @student - maxlogins 4 +@student - nonewprivs 1 :123 hard cpu 5000 @500: soft cpu 10000 600:700 hard locks 10 diff --git a/modules/pam_limits/README.xml b/modules/pam_limits/README.xml index 964a5a21..25a463cc 100644 --- a/modules/pam_limits/README.xml +++ b/modules/pam_limits/README.xml @@ -1,39 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamlimits SYSTEM "pam_limits.8.xml"> ---> -<!-- -<!ENTITY limitsconf SYSTEM "limits.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_limits-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_limits.8.xml" xpointer='xpointer(id("pam_limits-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_limits.8.xml" xpointer='xpointer(id("pam_limits-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_limits.8.xml" xpointer='xpointer(id("pam_limits-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="limits.conf.5.xml" xpointer='xpointer(id("limits.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf index be621a7c..6b3865cb 100644 --- a/modules/pam_limits/limits.conf +++ b/modules/pam_limits/limits.conf @@ -1,5 +1,16 @@ # /etc/security/limits.conf # +#This file sets the resource limits for the users logged in via PAM. +#It does not affect resource limits of the system services. +# +#Also note that configuration files in /etc/security/limits.d directory, +#which are read in alphabetical order, override the settings in this +#file in case the domain is the same or more specific. +#That means, for example, that setting a limit for wildcard domain here +#can be overridden with a wildcard setting in a config file in the +#subdirectory, but a user specific setting here can be overridden only +#with a user specific setting in the subdirectory. +# #Each line describes a limit for a user in the form: # #<domain> <type> <item> <value> @@ -11,6 +22,9 @@ # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, # for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, <domain> must be +# the literal username root. # #<type> can have the two values: # - "soft" for enforcing the soft limits @@ -35,16 +49,19 @@ # - msgqueue - max memory used by POSIX message queues (bytes) # - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) # #<domain> <type> <item> <value> # #* soft core 0 +#root hard core 100000 #* hard rss 10000 #@student hard nproc 20 #@faculty soft nproc 20 #@faculty hard nproc 50 #ftp hard nproc 0 +#ftp - chroot /ftp #@student - maxlogins 4 # End of file diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 index 1404553c..c9c41876 100644 --- a/modules/pam_limits/limits.conf.5 +++ b/modules/pam_limits/limits.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: limits.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "LIMITS\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "LIMITS\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -43,11 +43,14 @@ directory\&. .PP The syntax of the lines is as follows: .PP -\fI<domain>\fR\fI<type>\fR\fI<item>\fR\fI<value>\fR +\fI<domain>\fR +\fI<type>\fR +\fI<item>\fR +\fI<value>\fR .PP The fields listed above should be filled as follows: .PP -\fB<domain>\fR +<domain> .RS 4 .sp .RS 4 @@ -142,19 +145,23 @@ a gid specified as \fB%:\fR\fI<gid>\fR applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. .RE +.sp +\fBNOTE:\fR +group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username +\fBroot\fR\&. .RE .PP -\fB<type>\fR +<type> .RS 4 .PP -\fBhard\fR +hard .RS 4 for enforcing \fBhard\fR resource limits\&. These limits are set by the superuser and enforced by the Kernel\&. The user cannot raise his requirement of system resources above such values\&. .RE .PP -\fBsoft\fR +soft .RS 4 for enforcing \fBsoft\fR @@ -165,7 +172,7 @@ limits\&. The values specified with this token can be thought of as values, for normal system usage\&. .RE .PP -\fB\-\fR +\- .RS 4 for enforcing both \fBsoft\fR @@ -177,100 +184,110 @@ Note, if you specify a type of \*(Aq\-\*(Aq but neglect to supply the item and v .RE .RE .PP -\fB<item>\fR +<item> .RS 4 .PP -\fBcore\fR +core .RS 4 limits the core file size (KB) .RE .PP -\fBdata\fR +data .RS 4 maximum data size (KB) .RE .PP -\fBfsize\fR +fsize .RS 4 maximum filesize (KB) .RE .PP -\fBmemlock\fR +memlock .RS 4 maximum locked\-in\-memory address space (KB) .RE .PP -\fBnofile\fR +nofile .RS 4 maximum number of open file descriptors .RE .PP -\fBrss\fR +rss .RS 4 maximum resident set size (KB) (Ignored in Linux 2\&.4\&.30 and higher) .RE .PP -\fBstack\fR +stack .RS 4 maximum stack size (KB) .RE .PP -\fBcpu\fR +cpu .RS 4 maximum CPU time (minutes) .RE .PP -\fBnproc\fR +nproc .RS 4 maximum number of processes .RE .PP -\fBas\fR +as .RS 4 address space limit (KB) .RE .PP -\fBmaxlogins\fR +maxlogins .RS 4 maximum number of logins for this user (this limit does not apply to user with \fIuid=0\fR) .RE .PP -\fBmaxsyslogins\fR +maxsyslogins .RS 4 maximum number of all logins on system; user is not allowed to log\-in if total number of all user logins is greater than specified number (this limit does not apply to user with \fIuid=0\fR) .RE .PP -\fBpriority\fR +nonewprivs +.RS 4 +value of 0 or 1; if set to 1 disables acquiring new privileges by invoking prctl(PR_SET_NO_NEW_PRIVS) +.RE +.PP +priority .RS 4 the priority to run user process with (negative values boost process priority) .RE .PP -\fBlocks\fR +locks .RS 4 maximum locked files (Linux 2\&.4 and higher) .RE .PP -\fBsigpending\fR +sigpending .RS 4 maximum number of pending signals (Linux 2\&.6 and higher) .RE .PP -\fBmsgqueue\fR +msgqueue .RS 4 maximum memory used by POSIX message queues (bytes) (Linux 2\&.6 and higher) .RE .PP -\fBnice\fR +nice .RS 4 maximum nice priority allowed to raise to (Linux 2\&.6\&.12 and higher) values: [\-20,19] .RE .PP -\fBrtprio\fR +rtprio .RS 4 maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) .RE +.PP +\fBchroot\fR +.RS 4 +the directory to chroot the user to +.RE .RE .PP All items support the values @@ -279,9 +296,11 @@ All items support the values or \fIinfinity\fR indicating no limit, except for -\fBpriority\fR -and -\fBnice\fR\&. +\fBpriority\fR, +\fBnice\fR, and +\fBnonewprivs\fR\&. If +\fBnofile\fR +is to be set to one of these values, it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3))\&. .PP If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur\&. If the control value \fIrequired\fR @@ -312,12 +331,14 @@ These are some example lines which might be specified in .\} .nf * soft core 0 +root hard core 100000 * hard nofile 512 @student hard nproc 20 @faculty soft nproc 20 @faculty hard nproc 50 ftp hard nproc 0 @student \- maxlogins 4 +@student \- nonewprivs 1 :123 hard cpu 5000 @500: soft cpu 10000 600:700 hard locks 10 @@ -330,7 +351,7 @@ ftp hard nproc 0 .PP \fBpam_limits\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBgetrlimit\fR(2), \fBgetrlimit\fR(3p) .SH "AUTHOR" diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index 380a1399..d3893350 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="limits.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="limits.conf"> <refmeta> <refentrytitle>limits.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_limits module</refpurpose> </refnamediv> - <refsect1 id='limits.conf-description'> + <refsect1 xml:id="limits.conf-description"> <title>DESCRIPTION</title> <para> The <emphasis>pam_limits.so</emphasis> module applies ulimit limits, @@ -38,7 +35,7 @@ <variablelist> <varlistentry> <term> - <option><domain></option> + <domain> </term> <listitem> <itemizedlist> @@ -49,38 +46,35 @@ </listitem> <listitem> <para> - a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + a groupname, with <emphasis remap="B">@group</emphasis> syntax. This should not be confused with netgroups. </para> </listitem> <listitem> <para> - the wildcard <emphasis remap='B'>*</emphasis>, for default entry. + the wildcard <emphasis remap="B">*</emphasis>, for default entry. </para> </listitem> <listitem> <para> - the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, - can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the - <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical - to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With - a group specified after <emphasis remap='B'>%</emphasis> it limits the total + the wildcard <emphasis remap="B">%</emphasis>, for maxlogins limit only, + can also be used with <emphasis remap="B">%group</emphasis> syntax. If the + <emphasis remap="B">%</emphasis> wildcard is used alone it is identical + to using <emphasis remap="B">*</emphasis> with maxsyslogins limit. With + a group specified after <emphasis remap="B">%</emphasis> it limits the total number of logins of all users that are member of the group. </para> </listitem> <listitem> <para> - an uid range specified as <replaceable><min_uid></replaceable><emphasis - remap='B'>:</emphasis><replaceable><max_uid></replaceable>. If min_uid + an uid range specified as <replaceable><min_uid></replaceable><emphasis remap="B">:</emphasis><replaceable><max_uid></replaceable>. If min_uid is omitted, the match is exact for the max_uid. If max_uid is omitted, all uids greater than or equal min_uid match. </para> </listitem> <listitem> <para> - a gid range specified as <emphasis - remap='B'>@</emphasis><replaceable><min_gid></replaceable><emphasis - remap='B'>:</emphasis><replaceable><max_gid></replaceable>. If min_gid + a gid range specified as <emphasis remap="B">@</emphasis><replaceable><min_gid></replaceable><emphasis remap="B">:</emphasis><replaceable><max_gid></replaceable>. If min_gid is omitted, the match is exact for the max_gid. If max_gid is omitted, all gids greater than or equal min_gid match. For the exact match all groups including the user's supplementary groups are examined. For the range matches only @@ -89,50 +83,54 @@ </listitem> <listitem> <para> - a gid specified as <emphasis - remap='B'>%:</emphasis><replaceable><gid></replaceable> applicable + a gid specified as <emphasis remap="B">%:</emphasis><replaceable><gid></replaceable> applicable to maxlogins limit only. It limits the total number of logins of all users that are member of the group with the specified gid. </para> </listitem> </itemizedlist> + <para> + <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not + applied to the root user. To set a limit for the root user, this field + must contain the literal username <emphasis remap='B'>root</emphasis>. + </para> </listitem> </varlistentry> <varlistentry> <term> - <option><type></option> + <type> </term> <listitem> <variablelist> <varlistentry> - <term><option>hard</option></term> + <term>hard</term> <listitem> <para> - for enforcing <emphasis remap='B'>hard</emphasis> resource limits. + for enforcing <emphasis remap="B">hard</emphasis> resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values. </para> </listitem> </varlistentry> <varlistentry> - <term><option>soft</option></term> + <term>soft</term> <listitem> <para> - for enforcing <emphasis remap='B'>soft</emphasis> resource limits. + for enforcing <emphasis remap="B">soft</emphasis> resource limits. These limits are ones that the user can move up or down within the - permitted range by any pre-existing <emphasis remap='B'>hard</emphasis> + permitted range by any pre-existing <emphasis remap="B">hard</emphasis> limits. The values specified with this token can be thought of as <emphasis>default</emphasis> values, for normal system usage. </para> </listitem> </varlistentry> <varlistentry> - <term><option>-</option></term> + <term>-</term> <listitem> <para> - for enforcing both <emphasis remap='B'>soft</emphasis> and - <emphasis remap='B'>hard</emphasis> resource limits together. + for enforcing both <emphasis remap="B">soft</emphasis> and + <emphasis remap="B">hard</emphasis> resource limits together. </para> <para> Note, if you specify a type of '-' but neglect to supply the @@ -147,79 +145,79 @@ <varlistentry> <term> - <option><item></option> + <item> </term> <listitem> <variablelist> <varlistentry> - <term><option>core</option></term> + <term>core</term> <listitem> <para>limits the core file size (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>data</option></term> + <term>data</term> <listitem> <para>maximum data size (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>fsize</option></term> + <term>fsize</term> <listitem> <para>maximum filesize (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>memlock</option></term> + <term>memlock</term> <listitem> <para>maximum locked-in-memory address space (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>nofile</option></term> + <term>nofile</term> <listitem> <para>maximum number of open file descriptors</para> </listitem> </varlistentry> <varlistentry> - <term><option>rss</option></term> + <term>rss</term> <listitem> <para>maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>stack</option></term> + <term>stack</term> <listitem> <para>maximum stack size (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>cpu</option></term> + <term>cpu</term> <listitem> <para>maximum CPU time (minutes)</para> </listitem> </varlistentry> <varlistentry> - <term><option>nproc</option></term> + <term>nproc</term> <listitem> <para>maximum number of processes</para> </listitem> </varlistentry> <varlistentry> - <term><option>as</option></term> + <term>as</term> <listitem> <para>address space limit (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>maxlogins</option></term> + <term>maxlogins</term> <listitem> <para>maximum number of logins for this user (this limit does not apply to user with <emphasis>uid=0</emphasis>)</para> </listitem> </varlistentry> <varlistentry> - <term><option>maxsyslogins</option></term> + <term>maxsyslogins</term> <listitem> <para>maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is @@ -228,44 +226,57 @@ </listitem> </varlistentry> <varlistentry> - <term><option>priority</option></term> + <term>nonewprivs</term> + <listitem> + <para>value of 0 or 1; if set to 1 disables acquiring new + privileges by invoking prctl(PR_SET_NO_NEW_PRIVS)</para> + </listitem> + </varlistentry> + <varlistentry> + <term>priority</term> <listitem> <para>the priority to run user process with (negative values boost process priority)</para> </listitem> </varlistentry> <varlistentry> - <term><option>locks</option></term> + <term>locks</term> <listitem> <para>maximum locked files (Linux 2.4 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>sigpending</option></term> + <term>sigpending</term> <listitem> <para>maximum number of pending signals (Linux 2.6 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>msgqueue</option></term> + <term>msgqueue</term> <listitem> <para>maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>nice</option></term> + <term>nice</term> <listitem> <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]</para> </listitem> </varlistentry> <varlistentry> - <term><option>rtprio</option></term> + <term>rtprio</term> <listitem> <para>maximum realtime priority allowed for non-privileged processes (Linux 2.6.12 and higher)</para> </listitem> </varlistentry> + <varlistentry> + <term><option>chroot</option></term> + <listitem> + <para>the directory to chroot the user to</para> + </listitem> + </varlistentry> </variablelist> </listitem> </varlistentry> @@ -274,7 +285,10 @@ <para> All items support the values <emphasis>-1</emphasis>, <emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit, - except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>. + except for <emphasis remap="B">priority</emphasis>, <emphasis remap="B">nice</emphasis>, + and <emphasis remap="B">nonewprivs</emphasis>. + If <emphasis remap="B">nofile</emphasis> is to be set to one of these values, + it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)). </para> <para> If a hard limit or soft limit of a resource is set to a valid value, @@ -299,7 +313,7 @@ </para> <para> In the <emphasis>limits</emphasis> configuration file, the - '<emphasis remap='B'>#</emphasis>' character introduces a comment + '<emphasis remap="B">#</emphasis>' character introduces a comment - after which the rest of the line is ignored. </para> <para> @@ -309,7 +323,7 @@ </para> </refsect1> - <refsect1 id="limits.conf-examples"> + <refsect1 xml:id="limits.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -317,33 +331,35 @@ </para> <programlisting> * soft core 0 +root hard core 100000 * hard nofile 512 @student hard nproc 20 @faculty soft nproc 20 @faculty hard nproc 50 ftp hard nproc 0 @student - maxlogins 4 +@student - nonewprivs 1 :123 hard cpu 5000 @500: soft cpu 10000 600:700 hard locks 10 </programlisting> </refsect1> - <refsect1 id="limits.conf-see_also"> + <refsect1 xml:id="limits.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="limits.conf-author"> + <refsect1 xml:id="limits.conf-author"> <title>AUTHOR</title> <para> pam_limits was initially written by Cristian Gafton <gafton@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_limits/pam_limits.8 b/modules/pam_limits/pam_limits.8 index 64044fff..f971b64c 100644 --- a/modules/pam_limits/pam_limits.8 +++ b/modules/pam_limits/pam_limits.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_limits .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LIMITS" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_LIMITS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -49,27 +49,27 @@ The module must not be called by a multithreaded application\&. If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\&. .SH "OPTIONS" .PP -\fBconf=\fR\fB\fI/path/to/limits\&.conf\fR\fR +conf=/path/to/limits\&.conf .RS 4 Indicate an alternative limits\&.conf style configuration file to override the default\&. .RE .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBset_all\fR +set_all .RS 4 -Set the limits for which no value is specified in the configuration file to the one from the process with the PID 1\&. +Set the limits for which no value is specified in the configuration file to the one from the process with the PID 1\&. Please note that if the init process is systemd these limits will not be the kernel default limits and this option should not be used\&. .RE .PP -\fButmp_early\fR +utmp_early .RS 4 Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\&. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\&.conf file\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report exceeded maximum logins count to the audit subsystem\&. .RE @@ -146,7 +146,7 @@ Replace "login" for each service you are using this module\&. .PP \fBlimits.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com> diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml index 663c0e7b..8f026f0a 100644 --- a/modules/pam_limits/pam_limits.8.xml +++ b/modules/pam_limits/pam_limits.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_limits'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_limits"> <refmeta> <refentrytitle>pam_limits</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_limits-name'> + <refnamediv xml:id="pam_limits-name"> <refname>pam_limits</refname> <refpurpose> PAM module to limit resources @@ -20,35 +17,35 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_limits-cmdsynopsis"> + <cmdsynopsis xml:id="pam_limits-cmdsynopsis" sepchar=" "> <command>pam_limits.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conf=<replaceable>/path/to/limits.conf</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> set_all </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> utmp_early </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_limits-description"> + <refsect1 xml:id="pam_limits-description"> <title>DESCRIPTION</title> <para> The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of <emphasis>uid=0</emphasis> are affected by this limits, too. </para> - <para> + <para condition="without_vendordir"> By default limits are taken from the <filename>/etc/security/limits.conf</filename> config file. Then individual *.conf files from the <filename>/etc/security/limits.d/</filename> directory are read. The files are parsed one after another in the order of "C" locale. @@ -57,6 +54,23 @@ If a config file is explicitly specified with a module option then the files in the above directory are not parsed. </para> + <para condition="with_vendordir"> + By default limits are taken from the <filename>/etc/security/limits.conf</filename> + config file or, if that one is not present, the file + <filename>%vendordir%/security/limits.conf</filename>. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/limits.d/</filename> and + <filename>%vendordir%/security/limits.d</filename> directories are read. + If <filename>/etc/security/limits.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/limits.d/@filename@.conf</filename> will not be used. + All <filename>limits.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + The effect of the individual files is the same as if all the files were + concatenated together in the order of parsing. + If a config file is explicitly specified with the <option>config</option> + option the files in the above directories are not parsed. + </para> <para> The module must not be called by a multithreaded application. </para> @@ -67,12 +81,12 @@ </para> </refsect1> - <refsect1 id="pam_limits-options"> + <refsect1 xml:id="pam_limits-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>conf=<replaceable>/path/to/limits.conf</replaceable></option> + conf=/path/to/limits.conf </term> <listitem> <para> @@ -83,7 +97,7 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -93,19 +107,21 @@ </varlistentry> <varlistentry> <term> - <option>set_all</option> + set_all </term> <listitem> <para> Set the limits for which no value is specified in the configuration file to the one from the process with the - PID 1. + PID 1. Please note that if the init process is systemd + these limits will not be the kernel default limits and + this option should not be used. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>utmp_early</option> + utmp_early </term> <listitem> <para> @@ -120,7 +136,7 @@ </varlistentry> <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -131,14 +147,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_limits-types"> + <refsect1 xml:id="pam_limits-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id="pam_limits-return_values"> + <refsect1 xml:id="pam_limits-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -200,19 +216,26 @@ </variablelist> </refsect1> - <refsect1 id="pam_limits-files"> + <refsect1 xml:id="pam_limits-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/limits.conf</filename></term> + <term>/etc/security/limits.conf</term> <listitem> <para>Default configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/limits.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/limits.conf</filename> does not exist.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_limits-examples'> + <refsect1 xml:id="pam_limits-examples"> <title>EXAMPLES</title> <para> For the services you need resources limits (login for example) put a @@ -231,7 +254,7 @@ session required pam_limits.so </para> </refsect1> - <refsect1 id="pam_limits-see_also"> + <refsect1 xml:id="pam_limits-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -241,15 +264,15 @@ session required pam_limits.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_limits-authors"> + <refsect1 xml:id="pam_limits-authors"> <title>AUTHORS</title> <para> pam_limits was initially written by Cristian Gafton <gafton@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index 4bc4ae71..da83b705 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -13,7 +13,7 @@ * See end for Copyright information */ -#if !defined(linux) && !defined(__linux) +#ifndef __linux__ #warning THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! #endif @@ -28,6 +28,7 @@ #include <syslog.h> #include <stdarg.h> #include <signal.h> +#include <sys/prctl.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/resource.h> @@ -46,10 +47,23 @@ #include <libaudit.h> #endif + +#ifndef PR_SET_NO_NEW_PRIVS +# define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */ +#endif + +#ifndef MLOCK_LIMIT +#ifdef __FreeBSD_kernel__ +#define MLOCK_LIMIT RLIM_INFINITY +#else +#define MLOCK_LIMIT (64*1024) +#endif +#endif + /* Module defines */ #define LINE_LENGTH 1024 -#define LIMITS_DEF_USER 0 /* limit was set by an user entry */ +#define LIMITS_DEF_USER 0 /* limit was set by a user entry */ #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ #define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */ #define LIMITS_DEF_ALL 3 /* limit was set by an all entry */ @@ -83,11 +97,14 @@ struct user_limits_struct { /* internal data */ struct pam_limit_s { + int root; /* running as root? */ int login_limit; /* the max logins limit */ int login_limit_def; /* which entry set the login limit */ int flag_numsyslogins; /* whether to limit logins only for a specific user or to count all logins */ int priority; /* the priority to run user process with */ + int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ + char chroot_dir[8092]; /* directory to chroot into */ struct user_limits_struct limits[RLIM_NLIMITS]; const char *conf_file; int utmp_after_pam_call; @@ -98,16 +115,17 @@ struct pam_limit_s { #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 #define LIMIT_PRI RLIM_NLIMITS+3 +#define LIMIT_NONEWPRIVS RLIM_NLIMITS+4 +#define LIMIT_CHROOT RLIM_NLIMITS+5 #define LIMIT_SOFT 1 #define LIMIT_HARD 2 -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* argument parsing */ @@ -117,9 +135,14 @@ struct pam_limit_s { #define PAM_SET_ALL 0x0010 /* Limits from globbed files. */ -#define LIMITS_CONF_GLOB LIMITS_FILE_DIR +#define LIMITS_CONF_GLOB (LIMITS_FILE_DIR "/*.conf") + +#define LIMITS_FILE (SCONFIGDIR "/limits.conf") -#define CONF_FILE (pl->conf_file != NULL)?pl->conf_file:LIMITS_FILE +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_LIMITS_FILE (VENDOR_SCONFIGDIR "/limits.conf") +#define VENDOR_LIMITS_CONF_GLOB (VENDOR_SCONFIGDIR "/limits.d/*.conf") +#endif static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, @@ -129,13 +152,14 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, /* step through arguments */ for (ctrl=0; argc-- > 0; ++argv) { + const char *str; /* generic options */ if (!strcmp(*argv,"debug")) { ctrl |= PAM_DEBUG_ARG; - } else if (!strncmp(*argv,"conf=",5)) { - pl->conf_file = *argv+5; + } else if ((str = pam_str_skip_prefix(*argv, "conf=")) != NULL) { + pl->conf_file = str; } else if (!strcmp(*argv,"utmp_early")) { ctrl |= PAM_UTMP_EARLY; } else if (!strcmp(*argv,"noaudit")) { @@ -271,8 +295,8 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl, } if (!pl->flag_numsyslogins) { char user[sizeof(ut->UT_USER) + 1]; - user[0] = '\0'; - strncat(user, ut->UT_USER, sizeof(ut->UT_USER)); + memcpy(user, ut->UT_USER, sizeof(ut->UT_USER)); + user[sizeof(ut->UT_USER)] = '\0'; if (((pl->login_limit_def == LIMITS_DEF_USER) || (pl->login_limit_def == LIMITS_DEF_GROUP) @@ -384,7 +408,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int FILE *limitsfile; const char *proclimits = "/proc/1/limits"; char line[256]; - char *units, *hard, *soft, *name; + char *hard, *soft, *name; if (!(limitsfile = fopen(proclimits, "r"))) { pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno)); @@ -401,8 +425,8 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int line[pos] = '\0'; } - /* determine formatting boundry of limits report */ - if (!maxlen && strncmp(line, "Limit", 5) == 0) { + /* determine formatting boundary of limits report */ + if (!maxlen && pam_str_skip_prefix(line, "Limit") != NULL) { maxlen = pos; continue; } @@ -410,10 +434,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int if (pos == maxlen) { /* step backwards over "Units" name */ LIMITS_SKIP_WHITESPACE; - LIMITS_MARK_ITEM(units); - } - else { - units = ""; + LIMITS_MARK_ITEM(hard); /* not a typo, units unused */ } /* step backwards over "Hard Limit" value */ @@ -440,15 +461,32 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int pl->limits[i].src_hard = LIMITS_DEF_KERNEL; } fclose(limitsfile); + + /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE + * since larger values can cause problems with fd_set overflow and + * systemd sets itself higher. */ + if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL && + pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) { + pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE; + } } static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) { int i; int retval = PAM_SUCCESS; + static int mlock_limit = 0; D(("called.")); + pl->root = 0; + + if (mlock_limit == 0) { + mlock_limit = sysconf(_SC_PAGESIZE); + if (mlock_limit < MLOCK_LIMIT) + mlock_limit = MLOCK_LIMIT; + } + for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { @@ -464,18 +502,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) } #ifdef __linux__ - if (ctrl & PAM_SET_ALL) { - parse_kernel_limits(pamh, pl, ctrl); + parse_kernel_limits(pamh, pl, ctrl); +#endif - for(i = 0; i < RLIM_NLIMITS; i++) { + for(i = 0; i < RLIM_NLIMITS; i++) { if (pl->limits[i].supported && (pl->limits[i].src_soft == LIMITS_DEF_NONE || pl->limits[i].src_hard == LIMITS_DEF_NONE)) { - pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); +#ifdef __linux__ + pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); +#endif + pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; + pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; + switch(i) { + case RLIMIT_CPU: + case RLIMIT_FSIZE: + case RLIMIT_DATA: + case RLIMIT_RSS: + case RLIMIT_NPROC: +#ifdef RLIMIT_AS + case RLIMIT_AS: +#endif +#ifdef RLIMIT_LOCKS + case RLIMIT_LOCKS: +#endif + pl->limits[i].limit.rlim_cur = RLIM_INFINITY; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + case RLIMIT_MEMLOCK: + pl->limits[i].limit.rlim_cur = mlock_limit; + pl->limits[i].limit.rlim_max = mlock_limit; + break; +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: + pl->limits[i].limit.rlim_cur = 16382; + pl->limits[i].limit.rlim_max = 16382; + break; +#endif +#ifdef RLIMIT_MSGQUEUE + case RLIMIT_MSGQUEUE: + pl->limits[i].limit.rlim_cur = 819200; + pl->limits[i].limit.rlim_max = 819200; + break; +#endif + case RLIMIT_CORE: + pl->limits[i].limit.rlim_cur = 0; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + case RLIMIT_STACK: + pl->limits[i].limit.rlim_cur = 8192*1024; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + case RLIMIT_NOFILE: + pl->limits[i].limit.rlim_cur = 1024; + pl->limits[i].limit.rlim_max = 1024; + break; + default: + pl->limits[i].src_soft = LIMITS_DEF_NONE; + pl->limits[i].src_hard = LIMITS_DEF_NONE; + break; + } } - } } -#endif errno = 0; pl->priority = getpriority (PRIO_PROCESS, 0); @@ -484,6 +572,43 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) pl->login_limit = -2; pl->login_limit_def = LIMITS_DEF_NONE; + pl->chroot_dir[0] = '\0'; + + return retval; +} + +/* + * Read the contents of <pathname> and return it in *valuep + * return 1 if conversion succeeds, result is in *valuep + * return 0 if conversion fails, *valuep is untouched. + */ +static int +value_from_file(const char *pathname, rlim_t *valuep) +{ + char buf[128]; + FILE *fp; + int retval; + + retval = 0; + + if ((fp = fopen(pathname, "r")) != NULL) { + if (fgets(buf, sizeof(buf), fp) != NULL) { + char *endptr; + unsigned long long value; + + errno = 0; + value = strtoull(buf, &endptr, 10); + if (endptr != buf && + (value != ULLONG_MAX || errno == 0) && + (unsigned long long) (rlim_t) value == value) { + *valuep = (rlim_t) value; + retval = 1; + } + } + + fclose(fp); + } + return retval; } @@ -554,6 +679,10 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, pl->flag_numsyslogins = 1; } else if (strcmp(lim_item, "priority") == 0) { limit_item = LIMIT_PRI; + } else if (strcmp(lim_item, "nonewprivs") == 0) { + limit_item = LIMIT_NONEWPRIVS; + } else if (strcmp(lim_item, "chroot") == 0) { + limit_item = LIMIT_CHROOT; } else { pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); return; @@ -565,11 +694,23 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, limit_type=LIMIT_HARD; else if (strcmp(lim_type,"-")==0) limit_type=LIMIT_SOFT | LIMIT_HARD; - else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) { + else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS + && limit_item != LIMIT_NONEWPRIVS) { pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type); return; } - if (limit_item != LIMIT_PRI + if (limit_item == LIMIT_NONEWPRIVS) { + /* just require a bool-style 0 or 1 */ + if (strcmp(lim_value, "0") == 0) { + int_value = 0; + } else if (strcmp(lim_value, "1") == 0) { + int_value = 1; + } else { + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); + } + } else if (limit_item != LIMIT_PRI #ifdef RLIMIT_NICE && limit_item != RLIMIT_NICE #endif @@ -591,9 +732,9 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, pam_syslog(pamh, LOG_DEBUG, "wrong limit value '%s' for limit type '%s'", lim_value, lim_type); - return; + return; } - } else { + } else if (limit_item != LIMIT_CHROOT) { #ifdef __USE_FILE_OFFSET64 rlimit_value = strtoull (lim_value, &endptr, 10); #else @@ -652,11 +793,30 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, rlimit_value = 20 - int_value; break; #endif + case RLIMIT_NOFILE: + /* + * If nofile is to be set to "unlimited", try to set it to + * the value in /proc/sys/fs/nr_open instead. + */ + if (rlimit_value == RLIM_INFINITY) { + if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value)) + pam_syslog(pamh, LOG_WARNING, + "Cannot set \"nofile\" to a sensible value"); + else if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu", + (unsigned long long) rlimit_value); + } + break; } - if ( (limit_item != LIMIT_LOGIN) + if (limit_item == LIMIT_CHROOT) { + strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1); + pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; + } + else if ( (limit_item != LIMIT_LOGIN) && (limit_item != LIMIT_NUMSYSLOGINS) - && (limit_item != LIMIT_PRI) ) { + && (limit_item != LIMIT_PRI) + && (limit_item != LIMIT_NONEWPRIVS) ) { if (limit_type & LIMIT_SOFT) { if (pl->limits[limit_item].src_soft < source) { return; @@ -677,14 +837,16 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, /* recent kernels support negative priority limits (=raise priority) */ if (limit_item == LIMIT_PRI) { - pl->priority = int_value; + pl->priority = int_value; + } else if (limit_item == LIMIT_NONEWPRIVS) { + pl->nonewprivs = int_value; } else { - if (pl->login_limit_def < source) { - return; - } else { - pl->login_limit = int_value; - pl->login_limit_def = source; - } + if (pl->login_limit_def < source) { + return; + } else { + pl->login_limit = int_value; + pl->login_limit_def = source; + } } } return; @@ -740,18 +902,22 @@ parse_uid_range(pam_handle_t *pamh, const char *domain, static int parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, - int ctrl, struct pam_limit_s *pl) + int ctrl, struct pam_limit_s *pl, const int conf_file_set_by_user) { FILE *fil; char buf[LINE_LENGTH]; - /* check for the LIMITS_FILE */ + /* check for the conf_file */ if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE); - fil = fopen(CONF_FILE, "r"); + pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", pl->conf_file); + fil = fopen(pl->conf_file, "r"); if (fil == NULL) { - pam_syslog (pamh, LOG_WARNING, - "cannot read settings from %s: %m", CONF_FILE); + if (errno == ENOENT && !conf_file_set_by_user) + return PAM_SUCCESS; /* file is not there and it has not been set by the conf= argument */ + + pam_syslog(pamh, LOG_WARNING, + "cannot read settings from %s: %s", pl->conf_file, + strerror(errno)); return PAM_SERVICE_ERR; } @@ -806,7 +972,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, if (strcmp(uname, domain) == 0) /* this user have a limit */ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); - else if (domain[0]=='@') { + else if (domain[0]=='@' && !pl->root) { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", @@ -832,7 +998,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); } - } else if (domain[0]=='%') { + } else if (domain[0]=='%' && !pl->root) { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", @@ -866,7 +1032,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, } else { switch(rngtype) { case LIMIT_RANGE_NONE: - if (strcmp(domain, "*") == 0) + if (strcmp(domain, "*") == 0 && !pl->root) process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); break; @@ -965,9 +1131,21 @@ static int setup_limits(pam_handle_t *pamh, if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; res = setrlimit(i, &pl->limits[i].limit); - if (res != 0) - pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", - rlimit2str(i)); + if (res != 0 && (i != RLIMIT_NOFILE + || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) + { + int save_errno = errno; + pam_syslog(pamh, LOG_DEBUG, + "Could not set limit for '%s' to soft=%d, hard=%d:" + " %m; uid=%lu,euid=%lu", rlimit2str(i), + pl->limits[i].limit.rlim_cur, + pl->limits[i].limit.rlim_max, + (unsigned long) getuid(), + (unsigned long) geteuid()); + errno = save_errno; + } + if (res == -1 && errno == EPERM) + continue; status |= res; } @@ -998,36 +1176,151 @@ static int setup_limits(pam_handle_t *pamh, retval |= LOGIN_ERR; } + if (pl->nonewprivs) { + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { + pam_syslog(pamh, LOG_ERR, "Could not set prctl(PR_SET_NO_NEW_PRIVS): %m"); + retval |= LIMIT_ERR; + } + } + + if (!retval && pl->chroot_dir[0]) { + i = chdir(pl->chroot_dir); + if (i == 0) + i = chroot(pl->chroot_dir); + if (i == 0) + i = chdir("/"); + if (i != 0) + retval = LIMIT_ERR; + } return retval; } +/* --- evaluting all files in VENDORDIR/security/limits.d and /etc/security/limits.d --- */ +static const char * +base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (const char * const *) a), + base_name(* (const char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/limits.d/@filename@.conf exists, then + * %vendordir%/security/limits.d/@filename@.conf should not be used. + * - All files in both limits.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char ** +read_limits_dir(pam_handle_t *pamh) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(LIMITS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0; + +#ifdef VENDOR_LIMITS_CONF_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_LIMITS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_ACCESS_CONF_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_LIMITS_CONF_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* now the session stuff */ int pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int retval; - int i; - int glob_rc; + int retval, i; char *user_name; struct passwd *pwd; int ctrl; struct pam_limit_s plstruct; struct pam_limit_s *pl = &plstruct; - glob_t globbuf; - const char *oldlocale; D(("called.")); memset(pl, 0, sizeof(*pl)); - memset(&globbuf, 0, sizeof(globbuf)); ctrl = _pam_parse(pamh, argc, argv, pl); retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); if ( user_name == NULL || retval != PAM_SUCCESS ) { pam_syslog(pamh, LOG_ERR, "open_session - error recovering username"); return PAM_SESSION_ERR; - } + } + + int conf_file_set_by_user = (pl->conf_file != NULL); + if (pl->conf_file == NULL) { + pl->conf_file = LIMITS_FILE; +#ifdef VENDOR_LIMITS_FILE + /* + * Check whether LIMITS_FILE file is available. + * If it does not exist, fall back to VENDOR_LIMITS_FILE file. + */ + struct stat buffer; + if (stat(pl->conf_file, &buffer) != 0 && errno == ENOENT) + pl->conf_file = VENDOR_LIMITS_FILE; +#endif + } pwd = pam_modutil_getpwnam(pamh, user_name); if (!pwd) { @@ -1043,52 +1336,48 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, return PAM_ABORT; } - retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (pwd->pw_uid == 0) + pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, + ctrl, pl, conf_file_set_by_user); if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE)); + D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); return PAM_SUCCESS; } - if (retval != PAM_SUCCESS || pl->conf_file != NULL) - /* skip reading limits.d if config file explicitely specified */ + if (retval != PAM_SUCCESS || conf_file_set_by_user) + /* skip reading limits.d if config file explicitly specified */ goto out; /* Read subsequent *.conf files, if they exist. */ - - /* set the LC_COLLATE so the sorting order doesn't depend - on system locale */ - - oldlocale = setlocale(LC_COLLATE, "C"); - glob_rc = glob(LIMITS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); - - if (oldlocale != NULL) - setlocale (LC_COLLATE, oldlocale); - - if (!glob_rc) { - /* Parse the *.conf files. */ - for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { - pl->conf_file = globbuf.gl_pathv[i]; - retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); - globfree(&globbuf); - return PAM_SUCCESS; - } - if (retval != PAM_SUCCESS) - goto out; + char **filename_list = read_limits_dir(pamh); + if (filename_list != NULL) { + for (i = 0; filename_list[i] != NULL; i++) { + pl->conf_file = filename_list[i]; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl, 0); + if (retval != PAM_SUCCESS) + break; } + for (i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); + } + + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); + return PAM_SUCCESS; } out: - globfree(&globbuf); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ",CONF_FILE); + pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ", pl->conf_file); return retval; } retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl); if (retval & LOGIN_ERR) - pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name); + pam_error(pamh, _("There were too many logins for '%s'."), + pwd->pw_name); if (retval != LIMITED_OK) { return PAM_PERM_DENIED; } diff --git a/modules/pam_listfile/Makefile.am b/modules/pam_listfile/Makefile.am index 7b10af98..c9ba85f6 100644 --- a/modules/pam_listfile/Makefile.am +++ b/modules/pam_listfile/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile +EXTRA_DIST = $(XMLS) -man_MANS = pam_listfile.8 +if HAVE_DOC +dist_man_MANS = pam_listfile.8 +endif XMLS = README.xml pam_listfile.8.xml - -TESTS = tst-pam_listfile +dist_check_SCRIPTS = tst-pam_listfile +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_listfile.la pam_listfile_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_listfile.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_listfile/Makefile.in b/modules/pam_listfile/Makefile.in index 970087f8..ffe0df6a 100644 --- a/modules/pam_listfile/Makefile.in +++ b/modules/pam_listfile/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_listfile -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_listfile.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_listfile -man_MANS = pam_listfile.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_listfile.8 XMLS = README.xml pam_listfile.8.xml -TESTS = tst-pam_listfile +dist_check_SCRIPTS = tst-pam_listfile +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_listfile.la pam_listfile_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_listfile/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_listfile/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_listfile.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_listfile.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_listfile.log: tst-pam_listfile @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_listfile.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_listfile.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_listfile.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_listfile/README.xml b/modules/pam_listfile/README.xml index d851aef3..d0b60107 100644 --- a/modules/pam_listfile/README.xml +++ b/modules/pam_listfile/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_listfile.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_listfile-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8 index f3d54258..a23e6e5a 100644 --- a/modules/pam_listfile/pam_listfile.8 +++ b/modules/pam_listfile/pam_listfile.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_listfile .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LISTFILE" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LISTFILE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -82,27 +82,27 @@ No credentials are awarded by this module\&. .SH "OPTIONS" .PP .PP -\fBitem=[tty|user|rhost|ruser|group|shell]\fR +item=[tty|user|rhost|ruser|group|shell] .RS 4 What is listed in the file and should be checked for\&. .RE .PP -\fBsense=[allow|deny]\fR +sense=[allow|deny] .RS 4 Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\&. .RE .PP -\fBfile=\fR\fB\fI/path/filename\fR\fR +file=/path/filename .RS 4 File containing one item per line\&. The file needs to be a plain file and not world writable\&. .RE .PP -\fBonerr=[succeed|fail]\fR +onerr=[succeed|fail] .RS 4 What to do if something weird happens like being unable to open the file\&. .RE .PP -\fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR +apply=[user|@group] .RS 4 Restrict the user class for which the restriction apply\&. Note that with \fBitem=[user|ruser|group]\fR @@ -111,7 +111,7 @@ this does not make sense, but for it have a meaning\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Do not treat service refusals or missing list files as errors that need to be logged\&. .RE @@ -205,7 +205,7 @@ to the root account\&. .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&. diff --git a/modules/pam_listfile/pam_listfile.8.xml b/modules/pam_listfile/pam_listfile.8.xml index 15f047c2..af747c1b 100644 --- a/modules/pam_listfile/pam_listfile.8.xml +++ b/modules/pam_listfile/pam_listfile.8.xml @@ -1,45 +1,42 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_listfile"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_listfile"> <refmeta> <refentrytitle>pam_listfile</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_listfile-name"> + <refnamediv xml:id="pam_listfile-name"> <refname>pam_listfile</refname> <refpurpose>deny or allow services based on an arbitrary file</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_listfile-cmdsynopsis"> + <cmdsynopsis xml:id="pam_listfile-cmdsynopsis" sepchar=" "> <command>pam_listfile.so</command> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> item=[tty|user|rhost|ruser|group|shell] </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> sense=[allow|deny] </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> file=<replaceable>/path/filename</replaceable> </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> onerr=[succeed|fail] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_listfile-description"> + <refsect1 xml:id="pam_listfile-description"> <title>DESCRIPTION</title> @@ -93,7 +90,7 @@ </para> </refsect1> - <refsect1 id="pam_listfile-options"> + <refsect1 xml:id="pam_listfile-options"> <title>OPTIONS</title> <para> @@ -101,7 +98,7 @@ <varlistentry> <term> - <option>item=[tty|user|rhost|ruser|group|shell]</option> + item=[tty|user|rhost|ruser|group|shell] </term> <listitem> <para> @@ -112,7 +109,7 @@ <varlistentry> <term> - <option>sense=[allow|deny]</option> + sense=[allow|deny] </term> <listitem> <para> @@ -124,7 +121,7 @@ <varlistentry> <term> - <option>file=<replaceable>/path/filename</replaceable></option> + file=/path/filename </term> <listitem> <para> @@ -136,7 +133,7 @@ <varlistentry> <term> - <option>onerr=[succeed|fail]</option> + onerr=[succeed|fail] </term> <listitem> <para> @@ -148,7 +145,7 @@ <varlistentry> <term> - <option>apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]</option> + apply=[user|@group] </term> <listitem> <para> @@ -161,7 +158,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -175,7 +172,7 @@ </para> </refsect1> - <refsect1 id="pam_listfile-types"> + <refsect1 xml:id="pam_listfile-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -183,7 +180,7 @@ </para> </refsect1> - <refsect1 id='pam_listfile-return_values'> + <refsect1 xml:id="pam_listfile-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -235,7 +232,7 @@ </para> </refsect1> - <refsect1 id='pam_listfile-examples'> + <refsect1 xml:id="pam_listfile-examples"> <title>EXAMPLES</title> <para> Classic 'ftpusers' authentication can be implemented with this entry @@ -271,7 +268,7 @@ auth required pam_listfile.so \ </para> </refsect1> - <refsect1 id='pam_listfile-see_also'> + <refsect1 xml:id="pam_listfile-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -281,12 +278,12 @@ auth required pam_listfile.so \ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_listfile-author'> + <refsect1 xml:id="pam_listfile-author"> <title>AUTHOR</title> <para> pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> @@ -294,4 +291,4 @@ auth required pam_listfile.so \ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index 5723598e..937576fd 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -1,4 +1,6 @@ /* + * pam_listfile module + * * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. July 25, 1996. * log refused access error christopher mccrory <chrismcc@netus.com> 1998/7/11 * @@ -22,22 +24,11 @@ #include <assert.h> #endif -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_PASSWORD -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* --- authentication management functions (only) --- */ @@ -62,17 +53,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *citemp; char *ifname=NULL; char aline[256]; - char mybuf[256],myval[256]; + char mybuf[256],myval[256],apply_val[256]; struct stat fileinfo; FILE *inf; - char apply_val[256]; int apply_type; /* Stuff for "extended" items */ struct passwd *userinfo; apply_type=APPLY_TYPE_NULL; - memset(apply_val,0,sizeof(apply_val)); + apply_val[0] = '\0'; for(i=0; i < argc; i++) { { @@ -140,13 +130,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, citem = 0; } else if(!strcmp(mybuf,"apply")) { apply_type=APPLY_TYPE_NONE; - memset(apply_val,'\0',sizeof(apply_val)); if (myval[0]=='@') { apply_type=APPLY_TYPE_GROUP; - strncpy(apply_val,myval+1,sizeof(apply_val)-1); + memcpy(apply_val,myval+1,sizeof(myval)-1); } else { apply_type=APPLY_TYPE_USER; - strncpy(apply_val,myval,sizeof(apply_val)-1); + memcpy(apply_val,myval,sizeof(myval)); } } else { free(ifname); @@ -198,7 +187,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int rval; rval=pam_get_user(pamh,&user_name,NULL); - if((rval==PAM_SUCCESS) && user_name && user_name[0]) { + if(rval==PAM_SUCCESS && user_name[0]) { /* Got it ? Valid ? */ if(apply_type==APPLY_TYPE_USER) { if(strcmp(user_name, apply_val)) { @@ -235,16 +224,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } if((citem == PAM_USER) && !citemp) { retval = pam_get_user(pamh,&citemp,NULL); - if (retval != PAM_SUCCESS || !citemp) { + if (retval != PAM_SUCCESS) { free(ifname); return PAM_SERVICE_ERR; } } if((citem == PAM_TTY) && citemp) { /* Normalize the TTY name. */ - if(strncmp(citemp, "/dev/", 5) == 0) { - citemp += 5; - } + const char *str = pam_str_skip_prefix(citemp, "/dev/"); + if (str != NULL) + citemp = str; } if(!citemp || (strlen(citemp) == 0)) { @@ -264,7 +253,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, gets set to PAM_USER in the extitem switch */ userinfo = pam_modutil_getpwnam(pamh, citemp); if (userinfo == NULL) { - pam_syslog(pamh,LOG_ERR, "getpwnam(%s) failed", + pam_syslog(pamh, LOG_NOTICE, "getpwnam(%s) failed", citemp); free(ifname); return onerr; @@ -323,7 +312,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, #endif while((fgets(aline,sizeof(aline),inf) != NULL) && retval) { - char *a = aline; + const char *a = aline; if(strlen(aline) == 0) continue; @@ -334,8 +323,9 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, if(aline[strlen(aline) - 1] == '\r') aline[strlen(aline) - 1] = '\0'; if(citem == PAM_TTY) { - if(strncmp(a, "/dev/", 5) == 0) - a += 5; + const char *str = pam_str_skip_prefix(a, "/dev/"); + if (str != NULL) + a = str; } if (extitem == EI_GROUP) { retval = !pam_modutil_user_in_group_nam_nam(pamh, diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 64f2ef3f..f5d49dac 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_localuser +EXTRA_DIST = $(XMLS) -TESTS = tst-pam_localuser - -man_MANS = pam_localuser.8 +if HAVE_DOC +dist_man_MANS = pam_localuser.8 +endif XMLS = README.xml pam_localuser.8.xml +dist_check_SCRIPTS = tst-pam_localuser +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,8 +31,10 @@ endif securelib_LTLIBRARIES = pam_localuser.la pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_localuser-retval +tst_pam_localuser_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_localuser.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_localuser/Makefile.in b/modules/pam_localuser/Makefile.in index 72d285c8..57ea3071 100644 --- a/modules/pam_localuser/Makefile.in +++ b/modules/pam_localuser/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_localuser-retval$(EXEEXT) subdir = modules/pam_localuser -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,10 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_localuser_retval_SOURCES = tst-pam_localuser-retval.c +tst_pam_localuser_retval_OBJECTS = tst-pam_localuser-retval.$(OBJEXT) +tst_pam_localuser_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +174,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_localuser.Plo \ + ./$(DEPDIR)/tst-pam_localuser-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +196,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_localuser.c -DIST_SOURCES = pam_localuser.c +SOURCES = pam_localuser.c tst-pam_localuser-retval.c +DIST_SOURCES = pam_localuser.c tst-pam_localuser-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +205,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +382,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +405,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +427,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +467,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +485,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +515,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +526,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +580,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +587,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +596,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_localuser -TESTS = tst-pam_localuser -man_MANS = pam_localuser.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_localuser.8 XMLS = README.xml pam_localuser.8.xml +dist_check_SCRIPTS = tst-pam_localuser +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_localuser.la pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_localuser_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +635,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_localuser/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_localuser/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +653,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +700,38 @@ clean-securelibLTLIBRARIES: pam_localuser.la: $(pam_localuser_la_OBJECTS) $(pam_localuser_la_DEPENDENCIES) $(EXTRA_pam_localuser_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_localuser_la_OBJECTS) $(pam_localuser_la_LIBADD) $(LIBS) +tst-pam_localuser-retval$(EXEEXT): $(tst_pam_localuser_retval_OBJECTS) $(tst_pam_localuser_retval_DEPENDENCIES) $(EXTRA_tst_pam_localuser_retval_DEPENDENCIES) + @rm -f tst-pam_localuser-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_localuser_retval_OBJECTS) $(tst_pam_localuser_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_localuser.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_localuser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_localuser-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +745,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +783,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +871,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +948,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +961,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +971,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +989,13 @@ tst-pam_localuser.log: tst-pam_localuser --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_localuser-retval.log: tst-pam_localuser-retval$(EXEEXT) + @p='tst-pam_localuser-retval$(EXEEXT)'; \ + b='tst-pam_localuser-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1011,10 @@ tst-pam_localuser.log: tst-pam_localuser @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1045,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1091,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_localuser.Plo + -rm -f ./$(DEPDIR)/tst-pam_localuser-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1142,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_localuser.Plo + -rm -f ./$(DEPDIR)/tst-pam_localuser-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1166,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1183,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_localuser.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_localuser/README.xml b/modules/pam_localuser/README.xml index 4ab56d9d..f1b05d1a 100644 --- a/modules/pam_localuser/README.xml +++ b/modules/pam_localuser/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_localuser.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_localuser-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8 index bb83430c..f4f2b29e 100644 --- a/modules/pam_localuser/pam_localuser.8 +++ b/modules/pam_localuser/pam_localuser.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_localuser .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LOCALUSER" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LOCALUSER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -40,12 +40,12 @@ This could also be implemented using pam_listfile\&.so and a very short awk scri .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBfile=\fR\fB\fI/path/passwd\fR\fR +file=/path/passwd .RS 4 Use a file other than /etc/passwd\&. @@ -65,9 +65,24 @@ PAM_SUCCESS The new localuser was set successfully\&. .RE .PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. +.RE +.PP PAM_SERVICE_ERR .RS 4 -No username was given\&. +The user name is not valid or the passwd file is unavailable\&. .RE .PP PAM_PERM_DENIED @@ -102,7 +117,7 @@ Local user account information\&. .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&. diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml index 2a8b2e04..e4b9e075 100644 --- a/modules/pam_localuser/pam_localuser.8.xml +++ b/modules/pam_localuser/pam_localuser.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_localuser"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_localuser"> <refmeta> <refentrytitle>pam_localuser</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_localuser-name"> + <refnamediv xml:id="pam_localuser-name"> <refname>pam_localuser</refname> <refpurpose>require users to be listed in /etc/passwd</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_localuser-cmdsynopsis"> + <cmdsynopsis xml:id="pam_localuser-cmdsynopsis" sepchar=" "> <command>pam_localuser.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> file=<replaceable>/path/passwd</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_localuser-description"> + <refsect1 xml:id="pam_localuser-description"> <title>DESCRIPTION</title> @@ -47,7 +44,7 @@ </refsect1> - <refsect1 id="pam_localuser-options"> + <refsect1 xml:id="pam_localuser-options"> <title>OPTIONS</title> <para> @@ -55,7 +52,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -66,7 +63,7 @@ <varlistentry> <term> - <option>file=<replaceable>/path/passwd</replaceable></option> + file=/path/passwd </term> <listitem> <para> @@ -80,7 +77,7 @@ </para> </refsect1> - <refsect1 id="pam_localuser-types"> + <refsect1 xml:id="pam_localuser-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -88,7 +85,7 @@ </para> </refsect1> - <refsect1 id='pam_localuser-return_values'> + <refsect1 xml:id="pam_localuser-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -103,10 +100,39 @@ </varlistentry> <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>PAM_SERVICE_ERR</term> <listitem> <para> - No username was given. + The user name is not valid or the passwd file is unavailable. </para> </listitem> </varlistentry> @@ -124,7 +150,7 @@ </para> </refsect1> - <refsect1 id='pam_localuser-examples'> + <refsect1 xml:id="pam_localuser-examples"> <title>EXAMPLES</title> <para> Add the following lines to <filename>/etc/pam.d/su</filename> to @@ -136,11 +162,11 @@ account required pam_wheel.so </para> </refsect1> - <refsect1 id="pam_localuser-files"> + <refsect1 xml:id="pam_localuser-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/passwd</filename></term> + <term>/etc/passwd</term> <listitem> <para>Local user account information.</para> </listitem> @@ -148,7 +174,7 @@ account required pam_wheel.so </variablelist> </refsect1> - <refsect1 id='pam_localuser-see_also'> + <refsect1 xml:id="pam_localuser-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -158,16 +184,16 @@ account required pam_wheel.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_localuser-author'> + <refsect1 xml:id="pam_localuser-author"> <title>AUTHOR</title> <para> pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index e32ea6d7..a9f2233c 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -1,5 +1,8 @@ /* + * pam_localuser module + * * Copyright 2001, 2004 Red Hat, Inc. + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,97 +38,65 @@ #include "config.h" -#include <errno.h> -#include <limits.h> +#include <stdio.h> #include <stdlib.h> #include <string.h> #include <syslog.h> -#include <stdio.h> -#include <stdarg.h> -#include <time.h> #include <unistd.h> -#include <sys/stat.h> -#include <sys/types.h> -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT #include <security/pam_modules.h> -#include <security/_pam_macros.h> +#include <security/pam_modutil.h> #include <security/pam_ext.h> - -#define MODULE_NAME "pam_localuser" +#include "pam_inline.h" int -pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { - int i, ret = PAM_SUCCESS; - FILE *fp; + int i; + int rc; int debug = 0; - const char *filename = "/etc/passwd"; - char line[LINE_MAX], name[LINE_MAX]; - const char* user; + const char *file_name = NULL; + const char *user_name = NULL; - /* process arguments */ - for(i = 0; i < argc; i++) { - if(strcmp("debug", argv[i]) == 0) { + /* Process arguments. */ + for (i = 0; i < argc; ++i) { + if (strcmp("debug", argv[i]) == 0) { debug = 1; } } - for(i = 0; i < argc; i++) { - if(strncmp("file=", argv[i], 5) == 0) { - filename = argv[i] + 5; - if(debug) { - pam_syslog (pamh, LOG_DEBUG, - "set filename to \"%s\"", - filename); + for (i = 0; i < argc; ++i) { + const char *str; + + if (strcmp("debug", argv[i]) == 0) { + /* Already processed. */ + continue; + } + if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { + file_name = str; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "set filename to %s", file_name); } + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", + argv[i]); } } - /* open the file */ - fp = fopen(filename, "r"); - if(fp == NULL) { - pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", - filename); - return PAM_SYSTEM_ERR; - } - - if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "user name not specified yet"); - fclose(fp); - return PAM_SYSTEM_ERR; - } - - if ((user == NULL) || (strlen(user) == 0)) { - pam_syslog (pamh, LOG_ERR, "user name not valid"); - fclose(fp); - return PAM_SYSTEM_ERR; - } - - /* scan the file, using fgets() instead of fgetpwent() because i - * don't want to mess with applications which call fgetpwent() */ - ret = PAM_PERM_DENIED; - snprintf(name, sizeof(name), "%s:", user); - i = strlen(name); - while(fgets(line, sizeof(line), fp) != NULL) { - if(debug) { - pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line); - } - if(strncmp(name, line, i) == 0) { - ret = PAM_SUCCESS; - break; - } + /* Obtain the user name. */ + if ((rc = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, rc)); + return rc == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rc; } - /* okay, we're done */ - fclose(fp); - return ret; + return pam_modutil_check_user_in_passwd(pamh, user_name, file_name); } int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } @@ -137,22 +108,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) } int -pam_sm_open_session (pam_handle_t *pamh, int flags, - int argc, const char **argv) +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } int -pam_sm_close_session (pam_handle_t *pamh, int flags, - int argc, const char **argv) +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } int -pam_sm_chauthtok (pam_handle_t *pamh, int flags, - int argc, const char **argv) +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } diff --git a/modules/pam_localuser/tst-pam_localuser-retval.c b/modules/pam_localuser/tst-pam_localuser-retval.c new file mode 100644 index 00000000..5581cecc --- /dev/null +++ b/modules/pam_localuser/tst-pam_localuser-retval.c @@ -0,0 +1,144 @@ +/* + * Check pam_localuser return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_localuser" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char passwd_file[] = TEST_NAME ".passwd"; +static const char missing_file[] = TEST_NAME ".missing"; + +static const char alice_line[] = "alice:x:1001:1001:Alice:/home/alice:"; +static const char bob_line[] = "bob:x:1002:1002:Bob:/home/bob:"; +static const char craig_prefix[] = ":x:1003:1003:"; +static const char craig_suffix[] = "craig:/home/craig:"; + +int +main(void) +{ + static struct pam_conv conv; + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + char name[BUFSIZ]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* default passwd */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n", + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + memset(name, 'x', sizeof(name) - 1); + name[sizeof(name) - 1] = '\0'; + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root:x", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* missing passwd file */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* custom passwd file */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, passwd_file)); + ASSERT_EQ(0, fclose(fp)); + + memcpy(name + (sizeof(name) - sizeof(craig_prefix)), + craig_prefix, sizeof(craig_prefix)); + ASSERT_NE(NULL, fp = fopen(passwd_file, "w")); + ASSERT_LT(0, fprintf(fp, "%s\n%s\n%s%s\n", + alice_line, bob_line, name, craig_suffix)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + memset(name, 'x', sizeof(name) - 1); + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "alice", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "bob", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "alice:x", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "craig", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + ASSERT_EQ(0, unlink(passwd_file)); + + return 0; +} diff --git a/modules/pam_loginuid/Makefile.am b/modules/pam_loginuid/Makefile.am index 1b9e87bb..f7f5fd85 100644 --- a/modules/pam_loginuid/Makefile.am +++ b/modules/pam_loginuid/Makefile.am @@ -5,16 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_loginuid - -man_MANS = pam_loginuid.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_loginuid.8 +endif XMLS = README.xml pam_loginuid.8.xml +dist_check_SCRIPTS = tst-pam_loginuid +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,12 +32,6 @@ securelib_LTLIBRARIES = pam_loginuid.la pam_loginuid_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBAUDIT@ if ENABLE_REGENERATE_MAN - -noinst_DATA = README - -README: pam_loginuid.8.xml - +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -TESTS = tst-pam_loginuid diff --git a/modules/pam_loginuid/Makefile.in b/modules/pam_loginuid/Makefile.in index 41e6e092..fbb16ac9 100644 --- a/modules/pam_loginuid/Makefile.in +++ b/modules/pam_loginuid/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_loginuid -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_loginuid.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_loginuid -man_MANS = pam_loginuid.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_loginuid.8 XMLS = README.xml pam_loginuid.8.xml +dist_check_SCRIPTS = tst-pam_loginuid +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_loginuid.la pam_loginuid_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBAUDIT@ -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README -TESTS = tst-pam_loginuid +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_loginuid/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_loginuid/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_loginuid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_loginuid.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_loginuid.log: tst-pam_loginuid @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_loginuid.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_loginuid.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,8 +1152,7 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES - -@ENABLE_REGENERATE_MAN_TRUE@README: pam_loginuid.8.xml +.PRECIOUS: Makefile @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_loginuid/README.xml b/modules/pam_loginuid/README.xml index 3bcd38ab..f972105f 100644 --- a/modules/pam_loginuid/README.xml +++ b/modules/pam_loginuid/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_loginuid.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_loginuid-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_loginuid/pam_loginuid.8 b/modules/pam_loginuid/pam_loginuid.8 index 8c5949e4..70669a23 100644 --- a/modules/pam_loginuid/pam_loginuid.8 +++ b/modules/pam_loginuid/pam_loginuid.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_loginuid .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LOGINUID" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LOGINUID" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_loginuid \- Record user\*(Aqs login uid to the process attribute The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\&. This is necessary for applications to be correctly audited\&. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\&. There are probably other entry point applications besides these\&. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\&. .SH "OPTIONS" .PP -\fBrequire_auditd\fR +require_auditd .RS 4 This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\&. .RE @@ -85,7 +85,7 @@ session required pam_loginuid\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBauditctl\fR(8), \fBauditd\fR(8) .SH "AUTHOR" diff --git a/modules/pam_loginuid/pam_loginuid.8.xml b/modules/pam_loginuid/pam_loginuid.8.xml index 9513b0e4..1beba983 100644 --- a/modules/pam_loginuid/pam_loginuid.8.xml +++ b/modules/pam_loginuid/pam_loginuid.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_loginuid"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_loginuid"> <refmeta> <refentrytitle>pam_loginuid</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_loginuid-name"> + <refnamediv xml:id="pam_loginuid-name"> <refname>pam_loginuid</refname> <refpurpose>Record user's login uid to the process attribute</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_loginuid-cmdsynopsis"> + <cmdsynopsis xml:id="pam_loginuid-cmdsynopsis" sepchar=" "> <command>pam_loginuid.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> require_auditd </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_loginuid-description"> + <refsect1 xml:id="pam_loginuid-description"> <title>DESCRIPTION</title> @@ -40,12 +37,12 @@ </para> </refsect1> - <refsect1 id="pam_loginuid-options"> + <refsect1 xml:id="pam_loginuid-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>require_auditd</option> + require_auditd </term> <listitem> <para> @@ -57,14 +54,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_loginuid-types"> + <refsect1 xml:id="pam_loginuid-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_loginuid-return_values'> + <refsect1 xml:id="pam_loginuid-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -98,7 +95,7 @@ </para> </refsect1> - <refsect1 id='pam_loginuid-examples'> + <refsect1 xml:id="pam_loginuid-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -111,7 +108,7 @@ session required pam_loginuid.so </programlisting> </refsect1> - <refsect1 id='pam_loginuid-see_also'> + <refsect1 xml:id="pam_loginuid-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -121,7 +118,7 @@ session required pam_loginuid.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum> @@ -132,11 +129,11 @@ session required pam_loginuid.so </para> </refsect1> - <refsect1 id='pam_loginuid-author'> + <refsect1 xml:id="pam_loginuid-author"> <title>AUTHOR</title> <para> pam_loginuid was written by Steve Grubb <sgrubb@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c index 96bfd98e..6f5a6380 100644 --- a/modules/pam_loginuid/pam_loginuid.c +++ b/modules/pam_loginuid/pam_loginuid.c @@ -1,4 +1,6 @@ -/* pam_loginuid.c -- +/* + * pam_loginuid module + * * Copyright 2005 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * @@ -42,7 +44,6 @@ #ifdef HAVE_LIBAUDIT #include <libaudit.h> #include <sys/select.h> -#include <errno.h> #endif /* @@ -64,7 +65,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid) fd = open("/proc/self/uid_map", O_RDONLY); if (fd >= 0) { count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); - if (strncmp(uid_map, host_uid_map, count) != 0) + if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0) rc = PAM_IGNORE; close(fd); } @@ -202,15 +203,14 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED, #endif /* get user name */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) - { - pam_syslog(pamh, LOG_ERR, "error recovering login user-name"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_SESSION_ERR; } /* get user info */ if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) { - pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_NOTICE, "error: login user-name '%s' does not exist", user); return PAM_SESSION_ERR; } diff --git a/modules/pam_mail/Makefile.am b/modules/pam_mail/Makefile.am index 84f3d9ed..1f52bcd1 100644 --- a/modules/pam_mail/Makefile.am +++ b/modules/pam_mail/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mail +EXTRA_DIST = $(XMLS) -man_MANS = pam_mail.8 +if HAVE_DOC +dist_man_MANS = pam_mail.8 +endif XMLS = README.xml pam_mail.8.xml - -TESTS = tst-pam_mail +dist_check_SCRIPTS = tst-pam_mail +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_mail.la pam_mail_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_mail.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_mail/Makefile.in b/modules/pam_mail/Makefile.in index 6db12c31..36df81cd 100644 --- a/modules/pam_mail/Makefile.in +++ b/modules/pam_mail/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_mail -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_mail.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mail -man_MANS = pam_mail.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_mail.8 XMLS = README.xml pam_mail.8.xml -TESTS = tst-pam_mail +dist_check_SCRIPTS = tst-pam_mail +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_mail.la pam_mail_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_mail/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_mail/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_mail.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_mail.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_mail.log: tst-pam_mail @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_mail.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_mail.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_mail.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_mail/README.xml b/modules/pam_mail/README.xml index 4165d857..5dc89a85 100644 --- a/modules/pam_mail/README.xml +++ b/modules/pam_mail/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_mail.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mail-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_mail/pam_mail.8 b/modules/pam_mail/pam_mail.8 index 41e6e443..ae4b890d 100644 --- a/modules/pam_mail/pam_mail.8 +++ b/modules/pam_mail/pam_mail.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_mail .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_MAIL" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_MAIL" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -49,17 +49,17 @@ format\&. .SH "OPTIONS" .PP .PP -\fBclose\fR +close .RS 4 Indicate if the user has any mail also on logout\&. .RE .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBdir=\fR\fB\fImaildir\fR\fR +dir=maildir .RS 4 Look for the user\*(Aqs mail in an alternative location defined by maildir/<login>\&. The default location for mail is @@ -68,12 +68,12 @@ maildir is prefixed by a \*(Aq~\*(Aq, the directory is interpreted as indicating a file in the user\*(Aqs home directory\&. .RE .PP -\fBempty\fR +empty .RS 4 Also print message if user has no mail\&. .RE .PP -\fBhash=\fR\fB\fIcount\fR\fR +hash=count .RS 4 Mail directory hash depth\&. For example, a \fIhashcount\fR @@ -81,26 +81,26 @@ of 2 would make the mail file be /var/spool/mail/u/s/user\&. .RE .PP -\fBnoenv\fR +noenv .RS 4 Do not set the \fBMAIL\fR environment variable\&. .RE .PP -\fBnopen\fR +nopen .RS 4 Don\*(Aqt print any mail information on login\&. This flag is useful to get the \fBMAIL\fR environment variable set, but to not display any information about it\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Only report when there is new mail\&. .RE .PP -\fBstandard\fR +standard .RS 4 Old style "You have\&.\&.\&." format which doesn\*(Aqt show the mail spool being used\&. This also implies "empty"\&. .RE @@ -153,7 +153,7 @@ session optional pam_mail\&.so standard .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_mail/pam_mail.8.xml b/modules/pam_mail/pam_mail.8.xml index 95216b6c..9b4ce36a 100644 --- a/modules/pam_mail/pam_mail.8.xml +++ b/modules/pam_mail/pam_mail.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_mail"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_mail"> <refmeta> <refentrytitle>pam_mail</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_mail-name"> + <refnamediv xml:id="pam_mail-name"> <refname>pam_mail</refname> <refpurpose>Inform about available mail</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_mail-cmdsynopsis"> + <cmdsynopsis xml:id="pam_mail-cmdsynopsis" sepchar=" "> <command>pam_mail.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dir=<replaceable>maildir</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> empty </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> hash=<replaceable>count</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noenv </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nopen </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> standard </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_mail-description"> + <refsect1 xml:id="pam_mail-description"> <title>DESCRIPTION</title> @@ -58,18 +55,18 @@ that has credential or session hooks. It gives a single message indicating the <emphasis>newness</emphasis> of any mail it finds in the user's mail folder. This module also sets the PAM - environment variable, <emphasis remap='B'>MAIL</emphasis>, to the + environment variable, <emphasis remap="B">MAIL</emphasis>, to the user's mail directory. </para> <para> If the mail spool file (be it <filename>/var/mail/$USER</filename> or a pathname given with the <option>dir=</option> parameter) is a directory then pam_mail assumes it is in the - <emphasis remap='I'>Maildir</emphasis> format. + <emphasis remap="I">Maildir</emphasis> format. </para> </refsect1> - <refsect1 id="pam_mail-options"> + <refsect1 xml:id="pam_mail-options"> <title>OPTIONS</title> <para> @@ -77,7 +74,7 @@ <varlistentry> <term> - <option>close</option> + close </term> <listitem> <para> @@ -88,7 +85,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -99,7 +96,7 @@ <varlistentry> <term> - <option>dir=<replaceable>maildir</replaceable></option> + dir=maildir </term> <listitem> <para> @@ -116,7 +113,7 @@ <varlistentry> <term> - <option>empty</option> + empty </term> <listitem> <para> @@ -127,7 +124,7 @@ <varlistentry> <term> - <option>hash=<replaceable>count</replaceable></option> + hash=count </term> <listitem> <para> @@ -141,11 +138,11 @@ <varlistentry> <term> - <option>noenv</option> + noenv </term> <listitem> <para> - Do not set the <emphasis remap='B'>MAIL</emphasis> + Do not set the <emphasis remap="B">MAIL</emphasis> environment variable. </para> </listitem> @@ -153,12 +150,12 @@ <varlistentry> <term> - <option>nopen</option> + nopen </term> <listitem> <para> Don't print any mail information on login. This flag is - useful to get the <emphasis remap='B'>MAIL</emphasis> + useful to get the <emphasis remap="B">MAIL</emphasis> environment variable set, but to not display any information about it. </para> @@ -167,7 +164,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -178,7 +175,7 @@ <varlistentry> <term> - <option>standard</option> + standard </term> <listitem> <para> @@ -193,7 +190,7 @@ </para> </refsect1> - <refsect1 id="pam_mail-types"> + <refsect1 xml:id="pam_mail-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>session</option> and @@ -202,7 +199,7 @@ </para> </refsect1> - <refsect1 id='pam_mail-return_values'> + <refsect1 xml:id="pam_mail-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -244,7 +241,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_mail-examples'> + <refsect1 xml:id="pam_mail-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -255,7 +252,7 @@ session optional pam_mail.so standard </para> </refsect1> - <refsect1 id='pam_mail-see_also'> + <refsect1 xml:id="pam_mail-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -265,16 +262,16 @@ session optional pam_mail.so standard <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_mail-author'> + <refsect1 xml:id="pam_mail-author"> <title>AUTHOR</title> <para> pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index 0022f6d6..2b77e560 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -1,6 +1,6 @@ -/* pam_mail module */ - /* + * pam_mail module + * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 * $HOME additions by David Kinchlea <kinch@kinch.ark.com> 1997/1/7 * mailhash additions by Chris Adams <cadams@ro.com> 1998/7/11 @@ -30,20 +30,11 @@ #define MAIL_ENV_NAME "MAIL" #define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s" -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION -#define PAM_SM_AUTH - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* argument parsing */ @@ -77,6 +68,7 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, /* step through arguments */ for (; argc-- > 0; ++argv) { + const char *str; /* generic options */ @@ -86,8 +78,8 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, ctrl |= PAM_QUIET_MAIL; else if (!strcmp(*argv,"standard")) ctrl |= PAM_STANDARD_MAIL | PAM_EMPTY_TOO; - else if (!strncmp(*argv,"dir=",4)) { - *maildir = 4 + *argv; + else if ((str = pam_str_skip_prefix(*argv, "dir=")) != NULL) { + *maildir = str; if (**maildir != '\0') { D(("new mail directory: %s", *maildir)); ctrl |= PAM_NEW_MAIL_DIR; @@ -95,9 +87,9 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, pam_syslog(pamh, LOG_ERR, "dir= specification missing argument - ignored"); } - } else if (!strncmp(*argv,"hash=",5)) { + } else if ((str = pam_str_skip_prefix(*argv, "hash=")) != NULL) { char *ep = NULL; - *hashcount = strtoul(*argv+5,&ep,10); + *hashcount = strtoul(str,&ep,10); if (!ep) { *hashcount = 0; } @@ -177,7 +169,7 @@ get_folder(pam_handle_t *pamh, int ctrl, hash[2 * i] = '\0'; rc = asprintf(&folder, MAIL_FILE_FORMAT, path, hash, pwd->pw_name); - _pam_overwrite(hash); + pam_overwrite_string(hash); _pam_drop(hash); if (rc < 0) goto get_folder_cleanup; @@ -219,7 +211,7 @@ get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) } i = scandir(dir, &namelist, 0, alphasort); save_errno = errno; - _pam_overwrite(dir); + pam_overwrite_string(dir); _pam_drop(dir); if (i < 0) { type = 0; @@ -240,7 +232,7 @@ get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) } i = scandir(dir, &namelist, 0, alphasort); save_errno = errno; - _pam_overwrite(dir); + pam_overwrite_string(dir); _pam_drop(dir); if (i < 0) { type = 0; @@ -272,7 +264,7 @@ get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) } get_mail_status_cleanup: - memset(&mail_st, 0, sizeof(mail_st)); + pam_overwrite_object(&mail_st); D(("user has %d mail in %s folder", type, folder)); return type; } @@ -294,7 +286,7 @@ report_mail(pam_handle_t *pamh, int ctrl, int type, const char *folder) switch (type) { case HAVE_NO_MAIL: - retval = pam_info (pamh, "%s", _("No mail.")); + retval = pam_info (pamh, "%s", _("You do not have any new mail.")); break; case HAVE_NEW_MAIL: retval = pam_info (pamh, "%s", _("You have new mail.")); @@ -390,14 +382,15 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, ctrl = _pam_parse(pamh, flags, argc, argv, &path_mail, &hashcount); retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { - pam_syslog(pamh, LOG_ERR, "cannot determine username"); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_USER_UNKNOWN; } pwd = pam_modutil_getpwnam (pamh, user); if (pwd == NULL) { - pam_syslog(pamh, LOG_ERR, "user unknown"); + pam_syslog(pamh, LOG_NOTICE, "user unknown"); return PAM_USER_UNKNOWN; } @@ -422,7 +415,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, } D(("setting env: %s", tmp)); retval = pam_putenv(pamh, tmp); - _pam_overwrite(tmp); + pam_overwrite_string(tmp); _pam_drop(tmp); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_CRIT, @@ -464,7 +457,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, (void) pam_putenv(pamh, MAIL_ENV_NAME); do_mail_cleanup: - _pam_overwrite(folder); + pam_overwrite_string(folder); _pam_drop(folder); /* indicate success or failure */ diff --git a/modules/pam_mkhomedir/Makefile.am b/modules/pam_mkhomedir/Makefile.am index eb047212..e0f80a96 100644 --- a/modules/pam_mkhomedir/Makefile.am +++ b/modules/pam_mkhomedir/Makefile.am @@ -6,19 +6,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mkhomedir - -man_MANS = pam_mkhomedir.8 mkhomedir_helper.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_mkhomedir.8 mkhomedir_helper.8 +endif XMLS = README.xml pam_mkhomedir.8.xml mkhomedir_helper.8.xml - -TESTS = tst-pam_mkhomedir +dist_check_SCRIPTS = tst-pam_mkhomedir +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DMKHOMEDIR_HELPER=\"$(sbindir)/mkhomedir_helper\" + -DMKHOMEDIR_HELPER=\"$(sbindir)/mkhomedir_helper\" $(WARN_CFLAGS) securelib_LTLIBRARIES = pam_mkhomedir.la pam_mkhomedir_la_SOURCES = pam_mkhomedir.c @@ -30,10 +35,14 @@ endif sbin_PROGRAMS = mkhomedir_helper mkhomedir_helper_SOURCES = mkhomedir_helper.c +mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +mkhomedir_helper_LDFLAGS = @EXE_LDFLAGS@ mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_mkhomedir-retval +tst_pam_mkhomedir_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_mkhomedir.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_mkhomedir/Makefile.in b/modules/pam_mkhomedir/Makefile.in index 17c646c7..3e5cb170 100644 --- a/modules/pam_mkhomedir/Makefile.in +++ b/modules/pam_mkhomedir/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -22,7 +22,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -87,29 +97,35 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map sbin_PROGRAMS = mkhomedir_helper$(EXEEXT) +check_PROGRAMS = tst-pam_mkhomedir-retval$(EXEEXT) subdir = modules/pam_mkhomedir -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -137,8 +153,6 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ - "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) pam_mkhomedir_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la am_pam_mkhomedir_la_OBJECTS = pam_mkhomedir.lo @@ -151,10 +165,18 @@ pam_mkhomedir_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(pam_mkhomedir_la_LDFLAGS) $(LDFLAGS) \ -o $@ -PROGRAMS = $(sbin_PROGRAMS) -am_mkhomedir_helper_OBJECTS = mkhomedir_helper.$(OBJEXT) +am_mkhomedir_helper_OBJECTS = \ + mkhomedir_helper-mkhomedir_helper.$(OBJEXT) mkhomedir_helper_OBJECTS = $(am_mkhomedir_helper_OBJECTS) mkhomedir_helper_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +mkhomedir_helper_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(mkhomedir_helper_CFLAGS) $(CFLAGS) \ + $(mkhomedir_helper_LDFLAGS) $(LDFLAGS) -o $@ +tst_pam_mkhomedir_retval_SOURCES = tst-pam_mkhomedir-retval.c +tst_pam_mkhomedir_retval_OBJECTS = tst-pam_mkhomedir-retval.$(OBJEXT) +tst_pam_mkhomedir_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -169,7 +191,11 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = \ + ./$(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Po \ + ./$(DEPDIR)/pam_mkhomedir.Plo \ + ./$(DEPDIR)/tst-pam_mkhomedir-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -189,8 +215,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(pam_mkhomedir_la_SOURCES) $(mkhomedir_helper_SOURCES) -DIST_SOURCES = $(pam_mkhomedir_la_SOURCES) $(mkhomedir_helper_SOURCES) +SOURCES = $(pam_mkhomedir_la_SOURCES) $(mkhomedir_helper_SOURCES) \ + tst-pam_mkhomedir-retval.c +DIST_SOURCES = $(pam_mkhomedir_la_SOURCES) $(mkhomedir_helper_SOURCES) \ + tst-pam_mkhomedir-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -198,8 +226,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -374,6 +403,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -396,6 +426,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -415,24 +448,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -446,7 +488,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -465,11 +506,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -492,8 +536,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -504,11 +547,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -551,7 +601,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -559,9 +608,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -571,20 +617,23 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_mkhomedir -man_MANS = pam_mkhomedir.8 mkhomedir_helper.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_mkhomedir.8 mkhomedir_helper.8 XMLS = README.xml pam_mkhomedir.8.xml mkhomedir_helper.8.xml -TESTS = tst-pam_mkhomedir +dist_check_SCRIPTS = tst-pam_mkhomedir +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DMKHOMEDIR_HELPER=\"$(sbindir)/mkhomedir_helper\" + -DMKHOMEDIR_HELPER=\"$(sbindir)/mkhomedir_helper\" $(WARN_CFLAGS) securelib_LTLIBRARIES = pam_mkhomedir.la pam_mkhomedir_la_SOURCES = pam_mkhomedir.c @@ -592,8 +641,11 @@ pam_mkhomedir_la_LIBADD = $(top_builddir)/libpam/libpam.la pam_mkhomedir_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) mkhomedir_helper_SOURCES = mkhomedir_helper.c +mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +mkhomedir_helper_LDFLAGS = @EXE_LDFLAGS@ mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_mkhomedir_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -610,14 +662,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_mkhomedir/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_mkhomedir/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -629,43 +680,14 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ - } - -uninstall-securelibLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ - done - -clean-securelibLTLIBRARIES: - -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) - @list='$(securelib_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -pam_mkhomedir.la: $(pam_mkhomedir_la_OBJECTS) $(pam_mkhomedir_la_DEPENDENCIES) $(EXTRA_pam_mkhomedir_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_mkhomedir_la_LINK) -rpath $(securelibdir) $(pam_mkhomedir_la_OBJECTS) $(pam_mkhomedir_la_LIBADD) $(LIBS) +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ @@ -716,9 +738,51 @@ clean-sbinPROGRAMS: echo " rm -f" $$list; \ rm -f $$list +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_mkhomedir.la: $(pam_mkhomedir_la_OBJECTS) $(pam_mkhomedir_la_DEPENDENCIES) $(EXTRA_pam_mkhomedir_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_mkhomedir_la_LINK) -rpath $(securelibdir) $(pam_mkhomedir_la_OBJECTS) $(pam_mkhomedir_la_LIBADD) $(LIBS) + mkhomedir_helper$(EXEEXT): $(mkhomedir_helper_OBJECTS) $(mkhomedir_helper_DEPENDENCIES) $(EXTRA_mkhomedir_helper_DEPENDENCIES) @rm -f mkhomedir_helper$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(mkhomedir_helper_OBJECTS) $(mkhomedir_helper_LDADD) $(LIBS) + $(AM_V_CCLD)$(mkhomedir_helper_LINK) $(mkhomedir_helper_OBJECTS) $(mkhomedir_helper_LDADD) $(LIBS) + +tst-pam_mkhomedir-retval$(EXEEXT): $(tst_pam_mkhomedir_retval_OBJECTS) $(tst_pam_mkhomedir_retval_DEPENDENCIES) $(EXTRA_tst_pam_mkhomedir_retval_DEPENDENCIES) + @rm -f tst-pam_mkhomedir-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_mkhomedir_retval_OBJECTS) $(tst_pam_mkhomedir_retval_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -726,22 +790,29 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mkhomedir_helper.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_mkhomedir.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_mkhomedir.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_mkhomedir-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -750,15 +821,29 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +mkhomedir_helper-mkhomedir_helper.o: mkhomedir_helper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mkhomedir_helper_CFLAGS) $(CFLAGS) -MT mkhomedir_helper-mkhomedir_helper.o -MD -MP -MF $(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Tpo -c -o mkhomedir_helper-mkhomedir_helper.o `test -f 'mkhomedir_helper.c' || echo '$(srcdir)/'`mkhomedir_helper.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Tpo $(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mkhomedir_helper.c' object='mkhomedir_helper-mkhomedir_helper.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mkhomedir_helper_CFLAGS) $(CFLAGS) -c -o mkhomedir_helper-mkhomedir_helper.o `test -f 'mkhomedir_helper.c' || echo '$(srcdir)/'`mkhomedir_helper.c + +mkhomedir_helper-mkhomedir_helper.obj: mkhomedir_helper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mkhomedir_helper_CFLAGS) $(CFLAGS) -MT mkhomedir_helper-mkhomedir_helper.obj -MD -MP -MF $(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Tpo -c -o mkhomedir_helper-mkhomedir_helper.obj `if test -f 'mkhomedir_helper.c'; then $(CYGPATH_W) 'mkhomedir_helper.c'; else $(CYGPATH_W) '$(srcdir)/mkhomedir_helper.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Tpo $(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mkhomedir_helper.c' object='mkhomedir_helper-mkhomedir_helper.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mkhomedir_helper_CFLAGS) $(CFLAGS) -c -o mkhomedir_helper-mkhomedir_helper.obj `if test -f 'mkhomedir_helper.c'; then $(CYGPATH_W) 'mkhomedir_helper.c'; else $(CYGPATH_W) '$(srcdir)/mkhomedir_helper.c'; fi` + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -793,7 +878,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -881,7 +966,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -958,7 +1043,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -971,7 +1056,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -981,7 +1066,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -999,6 +1084,13 @@ tst-pam_mkhomedir.log: tst-pam_mkhomedir --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_mkhomedir-retval.log: tst-pam_mkhomedir-retval$(EXEEXT) + @p='tst-pam_mkhomedir-retval$(EXEEXT)'; \ + b='tst-pam_mkhomedir-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1014,7 +1106,10 @@ tst-pam_mkhomedir.log: tst-pam_mkhomedir @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1045,11 +1140,13 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1089,11 +1186,13 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Po + -rm -f ./$(DEPDIR)/pam_mkhomedir.Plo + -rm -f ./$(DEPDIR)/tst-pam_mkhomedir-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1139,7 +1238,9 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/mkhomedir_helper-mkhomedir_helper.Po + -rm -f ./$(DEPDIR)/pam_mkhomedir.Plo + -rm -f ./$(DEPDIR)/tst-pam_mkhomedir-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1163,10 +1264,10 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -1181,7 +1282,8 @@ uninstall-man: uninstall-man8 uninstall-man8 uninstall-sbinPROGRAMS \ uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_mkhomedir.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_mkhomedir/README.xml b/modules/pam_mkhomedir/README.xml index 978cbe77..ef998956 100644 --- a/modules/pam_mkhomedir/README.xml +++ b/modules/pam_mkhomedir/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_mkhomedir.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mkhomedir-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8 b/modules/pam_mkhomedir/mkhomedir_helper.8 index de85f2fa..7f5e6160 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.8 +++ b/modules/pam_mkhomedir/mkhomedir_helper.8 @@ -1,13 +1,13 @@ '\" t .\" Title: mkhomedir_helper .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "MKHOMEDIR_HELPER" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "MKHOMEDIR_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ mkhomedir_helper \- Helper binary that creates home directories .SH "SYNOPSIS" .HP \w'\fBmkhomedir_helper\fR\ 'u -\fBmkhomedir_helper\fR {\fIuser\fR} [\fIumask\fR\ [\ \fIpath\-to\-skel\fR\ ]] +\fBmkhomedir_helper\fR {\fIuser\fR} [\fIumask\fR\ [\ \fIpath\-to\-skel\fR\ [\ \fIhome_mode\fR\ ]\ ]] .SH "DESCRIPTION" .PP \fImkhomedir_helper\fR @@ -44,7 +44,10 @@ The default value of is 0022 and the default value of \fIpath\-to\-skel\fR is -\fI/etc/skel\fR\&. +\fI/etc/skel\fR\&. The default value of +\fIhome_mode\fR +is computed from the value of +\fIumask\fR\&. .PP The helper is separated from the module to not require direct access from login SELinux domains to the contents of user home directories\&. The SELinux domain transition happens when the module is executing the \fImkhomedir_helper\fR\&. diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8.xml b/modules/pam_mkhomedir/mkhomedir_helper.8.xml index c834eddd..0f4c4b40 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.8.xml +++ b/modules/pam_mkhomedir/mkhomedir_helper.8.xml @@ -1,36 +1,36 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="mkhomedir_helper"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="mkhomedir_helper"> <refmeta> <refentrytitle>mkhomedir_helper</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="mkhomedir_helper-name"> + <refnamediv xml:id="mkhomedir_helper-name"> <refname>mkhomedir_helper</refname> <refpurpose>Helper binary that creates home directories</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="mkhomedir_helper-cmdsynopsis"> + <cmdsynopsis xml:id="mkhomedir_helper-cmdsynopsis" sepchar=" "> <command>mkhomedir_helper</command> - <arg choice="req"> + <arg choice="req" rep="norepeat"> <replaceable>user</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>umask</replaceable> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>path-to-skel</replaceable> + <arg choice="opt" rep="norepeat"> + <replaceable>home_mode</replaceable> + </arg> </arg> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="mkhomedir_helper-description"> + <refsect1 xml:id="mkhomedir_helper-description"> <title>DESCRIPTION</title> @@ -43,7 +43,9 @@ <para> The default value of <replaceable>umask</replaceable> is 0022 and the default value of <replaceable>path-to-skel</replaceable> is - <emphasis>/etc/skel</emphasis>. + <emphasis>/etc/skel</emphasis>. The default value of + <replaceable>home_mode</replaceable> is computed from the value of + <replaceable>umask</replaceable>. </para> <para> @@ -58,7 +60,7 @@ </para> </refsect1> - <refsect1 id='mkhomedir_helper-see_also'> + <refsect1 xml:id="mkhomedir_helper-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -67,7 +69,7 @@ </para> </refsect1> - <refsect1 id='mkhomedir_helper-author'> + <refsect1 xml:id="mkhomedir_helper-author"> <title>AUTHOR</title> <para> Written by Tomas Mraz based on the code originally in @@ -75,4 +77,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c index 9e204c16..643d5d01 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.c +++ b/modules/pam_mkhomedir/mkhomedir_helper.c @@ -27,6 +27,7 @@ #include <security/pam_modutil.h> static unsigned long u_mask = 0022; +static unsigned long home_mode = 0; static char skeldir[BUFSIZ] = "/etc/skel"; /* Do the actual work of creating a home dir */ @@ -38,6 +39,7 @@ create_homedir(const struct passwd *pwd, DIR *d; struct dirent *dent; int retval = PAM_SESSION_ERR; + struct stat stat_buf; /* Create the new directory */ if (mkdir(dest, 0700) && errno != EEXIST) @@ -53,6 +55,12 @@ create_homedir(const struct passwd *pwd, goto go_out; } + /* Various things such as an autofs mount with browsing disabled + * can cause the directory to appear only on stat. The intent is + * to minimize network traversal when a file explorer tries to + * traverse large chunks of a directory tree. So stat first.*/ + stat(source, &stat_buf); + /* Scan the directory */ d = opendir(source); if (d == NULL) @@ -183,8 +191,7 @@ create_homedir(const struct passwd *pwd, else pointed[pointedlen] = 0; #else - char pointed[PATH_MAX]; - memset(pointed, 0, sizeof(pointed)); + char pointed[PATH_MAX] = {}; pointedlen = readlink(newsource, pointed, sizeof(pointed) - 1); #endif @@ -232,6 +239,8 @@ create_homedir(const struct passwd *pwd, { pam_syslog(NULL, LOG_DEBUG, "unable to open or stat src file %s: %m", newsource); + if (srcfd >= 0) + close(srcfd); closedir(d); #ifndef PATH_MAX @@ -258,7 +267,7 @@ create_homedir(const struct passwd *pwd, } /* Set the proper ownership and permissions for the module. We make - the file a+w and then mask it with the set mask. This preseves + the file a+w and then mask it with the set mask. This preserves execute bits */ if (fchmod(destfd, (st.st_mode | 0222) & (~u_mask)) != 0 || fchown(destfd, pwd->pw_uid, pwd->pw_gid) != 0) @@ -332,6 +341,24 @@ create_homedir(const struct passwd *pwd, } static int +create_homedir_helper(const struct passwd *_pwd, + const char *_skeldir, const char *_homedir) +{ + int retval = PAM_SESSION_ERR; + + retval = create_homedir(_pwd, _skeldir, _homedir); + + if (chmod(_homedir, home_mode) != 0) + { + pam_syslog(NULL, LOG_DEBUG, + "unable to change perms on home directory %s: %m", _homedir); + return PAM_PERM_DENIED; + } + + return retval; +} + +static int make_parent_dirs(char *dir, int make) { int rc = PAM_SUCCESS; @@ -364,20 +391,20 @@ main(int argc, char *argv[]) { struct passwd *pwd; struct stat st; + char *eptr; if (argc < 2) { - fprintf(stderr, "Usage: %s <username> [<umask> [<skeldir>]]\n", argv[0]); + fprintf(stderr, "Usage: %s <username> [<umask> [<skeldir> [<home_mode>]]]\n", argv[0]); return PAM_SESSION_ERR; } pwd = getpwnam(argv[1]); if (pwd == NULL) { pam_syslog(NULL, LOG_ERR, "User unknown."); - return PAM_CRED_INSUFFICIENT; + return PAM_USER_UNKNOWN; } if (argc >= 3) { - char *eptr; errno = 0; u_mask = strtoul(argv[2], &eptr, 0); if (errno != 0 || *eptr != '\0') { @@ -394,6 +421,18 @@ main(int argc, char *argv[]) strcpy(skeldir, argv[3]); } + if (argc >= 5) { + errno = 0; + home_mode = strtoul(argv[4], &eptr, 0); + if (errno != 0 || *eptr != '\0') { + pam_syslog(NULL, LOG_ERR, "Bogus home_mode value %s", argv[4]); + return PAM_SESSION_ERR; + } + } + + if (home_mode == 0) + home_mode = 0777 & ~u_mask; + /* Stat the home directory, if something exists then we assume it is correct and return a success */ if (stat(pwd->pw_dir, &st) == 0) @@ -402,5 +441,5 @@ main(int argc, char *argv[]) if (make_parent_dirs(pwd->pw_dir, 0) != PAM_SUCCESS) return PAM_PERM_DENIED; - return create_homedir(pwd, skeldir, pwd->pw_dir); + return create_homedir_helper(pwd, skeldir, pwd->pw_dir); } diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8 b/modules/pam_mkhomedir/pam_mkhomedir.8 index 3efcad50..6962971e 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.8 +++ b/modules/pam_mkhomedir/pam_mkhomedir.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_mkhomedir .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_MKHOMEDIR" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_MKHOMEDIR" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_mkhomedir \- PAM module to create users home directory .SH "SYNOPSIS" .HP \w'\fBpam_mkhomedir\&.so\fR\ 'u -\fBpam_mkhomedir\&.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] +\fBpam_mkhomedir\&.so\fR [silent] [debug] [umask=\fImode\fR] [skel=\fIskeldir\fR] .SH "DESCRIPTION" .PP The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins\&. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories\&. The skeleton directory (usually @@ -40,18 +40,29 @@ The pam_mkhomedir PAM module will create a users home directory if it does not e The new users home directory will not be removed after logout of the user\&. .SH "OPTIONS" .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages\&. .RE .PP -\fBumask=\fR\fB\fImask\fR\fR +debug .RS 4 -The user file\-creation mask is set to -\fImask\fR\&. The default value of mask is 0022\&. +Turns on debugging via +\fBsyslog\fR(3)\&. .RE .PP -\fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR +umask=mask +.RS 4 +The file mode creation mask is set to +\fImask\fR\&. The default value of mask is 0022\&. If this option is not specified, then the permissions of created user home directory is set to the value of +\fBHOME_MODE\fR +configuration item from +/etc/login\&.defs\&. If there is no such configuration item then the value is computed from the value of +\fBUMASK\fR +in the same file\&. If there is no such configuration option either the default value of 0755 is used for the mode\&. +.RE +.PP +skel=/path/to/skel/directory .RS 4 Indicate an alternative skel @@ -70,11 +81,6 @@ PAM_BUF_ERR Memory buffer error\&. .RE .PP -PAM_CRED_INSUFFICIENT -.RS 4 -Insufficient credentials to access authentication data\&. -.RE -.PP PAM_PERM_DENIED .RS 4 Not enough permissions to create the new directory or read the skel directory\&. @@ -123,7 +129,7 @@ A sample /etc/pam\&.d/login file: .SH "SEE ALSO" .PP \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHOR" .PP pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&. diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8.xml b/modules/pam_mkhomedir/pam_mkhomedir.8.xml index c980ce1d..25f5497a 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.8.xml +++ b/modules/pam_mkhomedir/pam_mkhomedir.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_mkhomedir'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_mkhomedir"> <refmeta> <refentrytitle>pam_mkhomedir</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_mkhomedir-name'> + <refnamediv xml:id="pam_mkhomedir-name"> <refname>pam_mkhomedir</refname> <refpurpose> PAM module to create users home directory @@ -20,22 +17,25 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_mkhomedir-cmdsynopsis"> + <cmdsynopsis xml:id="pam_mkhomedir-cmdsynopsis" sepchar=" "> <command>pam_mkhomedir.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> + debug + </arg> + <arg choice="opt" rep="norepeat"> umask=<replaceable>mode</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> skel=<replaceable>skeldir</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_mkhomedir-description"> + <refsect1 xml:id="pam_mkhomedir-description"> <title>DESCRIPTION</title> <para> The pam_mkhomedir PAM module will create a users home directory @@ -52,13 +52,13 @@ </para> </refsect1> - <refsect1 id="pam_mkhomedir-options"> + <refsect1 xml:id="pam_mkhomedir-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -69,20 +69,41 @@ <varlistentry> <term> - <option>umask=<replaceable>mask</replaceable></option> + debug </term> <listitem> <para> - The user file-creation mask is set to - <replaceable>mask</replaceable>. The default value of mask is - 0022. + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>skel=<replaceable>/path/to/skel/directory</replaceable></option> + umask=mask + </term> + <listitem> + <para> + The file mode creation mask is set to + <replaceable>mask</replaceable>. The default value of mask + is 0022. If this option is not specified, then the permissions + of created user home directory is set to the value of + <option>HOME_MODE</option> configuration item from + <filename>/etc/login.defs</filename>. If there is no such + configuration item then the value is computed from the + value of <option>UMASK</option> in the same file. If + there is no such configuration option either the default + value of 0755 is used for the mode. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + skel=/path/to/skel/directory </term> <listitem> <para> @@ -95,14 +116,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_mkhomedir-types"> + <refsect1 xml:id="pam_mkhomedir-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id="pam_mkhomedir-return_values"> + <refsect1 xml:id="pam_mkhomedir-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -114,14 +135,6 @@ </listitem> </varlistentry> <varlistentry> - <term>PAM_CRED_INSUFFICIENT</term> - <listitem> - <para> - Insufficient credentials to access authentication data. - </para> - </listitem> - </varlistentry> - <varlistentry> <term>PAM_PERM_DENIED</term> <listitem> <para> @@ -149,11 +162,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_mkhomedir-files"> + <refsect1 xml:id="pam_mkhomedir-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/skel</filename></term> + <term>/etc/skel</term> <listitem> <para>Default skel directory</para> </listitem> @@ -161,7 +174,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_mkhomedir-examples'> + <refsect1 xml:id="pam_mkhomedir-examples"> <title>EXAMPLES</title> <para> A sample /etc/pam.d/login file: @@ -182,22 +195,22 @@ </refsect1> - <refsect1 id="pam_mkhomedir-see_also"> + <refsect1 xml:id="pam_mkhomedir-see_also"> <title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_mkhomedir-author"> + <refsect1 xml:id="pam_mkhomedir-author"> <title>AUTHOR</title> <para> pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c index 84c922f7..6ddcd5a8 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/modules/pam_mkhomedir/pam_mkhomedir.c @@ -44,24 +44,21 @@ #include <syslog.h> #include <signal.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_cc_compat.h" +#include "pam_inline.h" + /* argument parsing */ #define MKHOMEDIR_DEBUG 020 /* be verbose about things */ #define MKHOMEDIR_QUIET 040 /* keep quiet about things */ +#define LOGIN_DEFS "/etc/login.defs" +#define UMASK_DEFAULT "0022" + struct options_t { int ctrl; const char *umask; @@ -74,30 +71,43 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv, options_t *opt) { opt->ctrl = 0; - opt->umask = "0022"; + opt->umask = NULL; opt->skeldir = "/etc/skel"; - /* does the appliction require quiet? */ + /* does the application require quiet? */ if ((flags & PAM_SILENT) == PAM_SILENT) opt->ctrl |= MKHOMEDIR_QUIET; /* step through arguments */ for (; argc-- > 0; ++argv) { + const char *str; + if (!strcmp(*argv, "silent")) { opt->ctrl |= MKHOMEDIR_QUIET; } else if (!strcmp(*argv, "debug")) { opt->ctrl |= MKHOMEDIR_DEBUG; - } else if (!strncmp(*argv,"umask=",6)) { - opt->umask = *argv+6; - } else if (!strncmp(*argv,"skel=",5)) { - opt->skeldir = *argv+5; + } else if ((str = pam_str_skip_prefix(*argv, "umask=")) != NULL) { + opt->umask = str; + } else if ((str = pam_str_skip_prefix(*argv, "skel=")) != NULL) { + opt->skeldir = str; } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } } +static char* +_pam_conv_str_umask_to_homemode(const char *umask) +{ + unsigned int m = 0; + char tmp[5]; + + m = 0777 & ~strtoul(umask, NULL, 8); + (void) snprintf(tmp, sizeof(tmp), "0%o", m); + return strdup(tmp); +} + /* Do the actual work of creating a home dir */ static int create_homedir (pam_handle_t *pamh, options_t *opt, @@ -105,6 +115,8 @@ create_homedir (pam_handle_t *pamh, options_t *opt, { int retval, child; struct sigaction newsa, oldsa; + char *login_umask = NULL; + char *login_homemode = NULL; /* Mention what is happening, if the notification fails that is OK */ if (!(opt->ctrl & MKHOMEDIR_QUIET)) @@ -113,6 +125,25 @@ create_homedir (pam_handle_t *pamh, options_t *opt, D(("called.")); + if (opt->ctrl & MKHOMEDIR_DEBUG) { + pam_syslog(pamh, LOG_DEBUG, "Executing mkhomedir_helper."); + } + + /* fetch UMASK from /etc/login.defs if not in argv */ + if (opt->umask == NULL) { + login_umask = pam_modutil_search_key(pamh, LOGIN_DEFS, "UMASK"); + login_homemode = pam_modutil_search_key(pamh, LOGIN_DEFS, "HOME_MODE"); + if (login_homemode == NULL) { + if (login_umask != NULL) { + login_homemode = _pam_conv_str_umask_to_homemode(login_umask); + } else { + login_homemode = _pam_conv_str_umask_to_homemode(UMASK_DEFAULT); + } + } + } else { + login_homemode = _pam_conv_str_umask_to_homemode(opt->umask); + } + /* * This code arranges that the demise of the child does not cause * the application to receive a signal it is not expecting - which @@ -122,15 +153,11 @@ create_homedir (pam_handle_t *pamh, options_t *opt, newsa.sa_handler = SIG_DFL; sigaction(SIGCHLD, &newsa, &oldsa); - if (opt->ctrl & MKHOMEDIR_DEBUG) { - pam_syslog(pamh, LOG_DEBUG, "Executing mkhomedir_helper."); - } - /* fork */ child = fork(); if (child == 0) { static char *envp[] = { NULL }; - const char *args[] = { NULL, NULL, NULL, NULL, NULL }; + const char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD, PAM_MODUTIL_PIPE_FD, @@ -140,10 +167,13 @@ create_homedir (pam_handle_t *pamh, options_t *opt, /* exec the mkhomedir helper */ args[0] = MKHOMEDIR_HELPER; args[1] = user; - args[2] = opt->umask; + args[2] = opt->umask ? opt->umask : UMASK_DEFAULT; args[3] = opt->skeldir; + args[4] = login_homemode; - execve(MKHOMEDIR_HELPER, (char *const *) args, envp); + DIAG_PUSH_IGNORE_CAST_QUAL; + execve(MKHOMEDIR_HELPER, (char **)args, envp); + DIAG_POP_IGNORE_CAST_QUAL; /* should not get here: exit with error */ D(("helper binary is not available")); @@ -177,6 +207,9 @@ create_homedir (pam_handle_t *pamh, options_t *opt, dir); } + free(login_umask); + free(login_homemode); + D(("returning %d", retval)); return retval; } @@ -210,7 +243,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, { pam_syslog(pamh, LOG_NOTICE, "User unknown."); D(("couldn't identify user %s", user)); - return PAM_CRED_INSUFFICIENT; + return PAM_USER_UNKNOWN; } /* Stat the home directory, if something exists then we assume it is diff --git a/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c b/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c new file mode 100644 index 00000000..451d2e56 --- /dev/null +++ b/modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c @@ -0,0 +1,110 @@ +/* + * Check pam_mkhomedir return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <fcntl.h> +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <pwd.h> +#include <sys/stat.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_mkhomedir" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_empty[] = ""; +static const char user_missing[] = ":"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + struct passwd *pw; + struct stat st; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_empty, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_missing, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so debug\n" + "account required %s/.libs/%s.so debug\n" + "password required %s/.libs/%s.so debug\n" + "session required %s/.libs/%s.so debug\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + if ((pw = getpwuid(geteuid())) != NULL && + pw->pw_dir != NULL && + stat(pw->pw_dir, &st) == 0 && + (st.st_mode & S_IFMT) == S_IFDIR) { + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + } + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_motd/Makefile.am b/modules/pam_motd/Makefile.am index bd499c54..fc8f26c4 100644 --- a/modules/pam_motd/Makefile.am +++ b/modules/pam_motd/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_motd +EXTRA_DIST = $(XMLS) -man_MANS = pam_motd.8 +if HAVE_DOC +dist_man_MANS = pam_motd.8 +endif XMLS = README.xml pam_motd.8.xml - -TESTS = tst-pam_motd +dist_check_SCRIPTS = tst-pam_motd +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_motd.la pam_motd_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_motd.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_motd/Makefile.in b/modules/pam_motd/Makefile.in index 05504cc9..4116d988 100644 --- a/modules/pam_motd/Makefile.in +++ b/modules/pam_motd/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_motd -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_motd.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_motd -man_MANS = pam_motd.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_motd.8 XMLS = README.xml pam_motd.8.xml -TESTS = tst-pam_motd +dist_check_SCRIPTS = tst-pam_motd +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_motd.la pam_motd_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_motd/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_motd/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_motd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_motd.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_motd.log: tst-pam_motd @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_motd.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_motd.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_motd.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_motd/README b/modules/pam_motd/README index c16938c1..375ec809 100644 --- a/modules/pam_motd/README +++ b/modules/pam_motd/README @@ -5,23 +5,60 @@ pam_motd — Display the motd file DESCRIPTION pam_motd is a PAM module that can be used to display arbitrary motd (message of -the day) files after a successful login. By default the /etc/motd file is -shown. The message size is limited to 64KB. +the day) files after a successful login. By default, pam_motd shows files in +the following locations: + +/etc/motd +/run/motd +/usr/lib/motd +/etc/motd.d/ +/run/motd.d/ +/usr/lib/motd.d/ + +Each message size is limited to 64KB. + +If /etc/motd does not exist, then /run/motd is shown. If /run/motd does not +exist, then /usr/lib/motd is shown. + +Similar overriding behavior applies to the directories. Files in /etc/motd.d/ +override files with the same name in /run/motd.d/ and /usr/lib/motd.d/. Files +in /run/motd.d/ override files with the same name in /usr/lib/motd.d/. + +Files in the directories listed above are displayed in lexicographic order by +name. Moreover, the files are filtered by reading them with the credentials of +the target user authenticating on the system. + +To silence a message, a symbolic link with target /dev/null may be placed in / +etc/motd.d with the same filename as the message to be silenced. Example: +Creating a symbolic link as follows silences /usr/lib/motd.d/my_motd. + +ln -s /dev/null /etc/motd.d/my_motd + +The MOTD_SHOWN=pam environment variable is set after showing the motd files, +even when all of them were silenced using symbolic links. OPTIONS motd=/path/filename - The /path/filename file is displayed as message of the day. + The /path/filename file is displayed as message of the day. Multiple paths + to try can be specified as a colon-separated list. By default this option + is set to /etc/motd:/run/motd:/usr/lib/motd. motd_dir=/path/dirname.d The /path/dirname.d directory is scanned and each file contained inside of - it is displayed. + it is displayed. Multiple directories to scan can be specified as a + colon-separated list. By default this option is set to /etc/motd.d:/run/ + motd.d:/usr/lib/motd.d. + +noupdate + + Don't run the scripts in /etc/update-motd.d to refresh the motd file. -When no options are given, the default is to display both /etc/motd and the -contents of /etc/motd.d. Specifying either option (or both) will disable this -default behavior. +When no options are given, the default behavior applies for both options. +Specifying either option (or both) will disable the default behavior for both +options. EXAMPLES diff --git a/modules/pam_motd/README.xml b/modules/pam_motd/README.xml index 779e4d17..9e8edadf 100644 --- a/modules/pam_motd/README.xml +++ b/modules/pam_motd/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_motd.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_motd-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_motd/pam_motd.8 b/modules/pam_motd/pam_motd.8 index 21c2ed76..6a6ab4e7 100644 --- a/modules/pam_motd/pam_motd.8 +++ b/modules/pam_motd/pam_motd.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_motd .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2018 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_MOTD" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_MOTD" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,32 +31,92 @@ pam_motd \- Display the motd file .SH "SYNOPSIS" .HP \w'\fBpam_motd\&.so\fR\ 'u -\fBpam_motd\&.so\fR [motd=\fI/path/filename\fR] +\fBpam_motd\&.so\fR [motd=\fI/path/filename\fR] [motd_dir=\fI/path/dirname\&.d\fR] .SH "DESCRIPTION" .PP -pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a successful login\&. By default the +pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a successful login\&. By default, pam_motd shows files in the following locations: +.PP +.RS 4 +/etc/motd +.RE +.RS 4 +/run/motd +.RE +.RS 4 +/usr/lib/motd +.RE +.RS 4 +/etc/motd\&.d/ +.RE +.RS 4 +/run/motd\&.d/ +.RE +.RS 4 +/usr/lib/motd\&.d/ +.RE +.PP +Each message size is limited to 64KB\&. +.PP +If /etc/motd -file is shown\&. The message size is limited to 64KB\&. +does not exist, then +/run/motd +is shown\&. If +/run/motd +does not exist, then +/usr/lib/motd +is shown\&. +.PP +Similar overriding behavior applies to the directories\&. Files in +/etc/motd\&.d/ +override files with the same name in +/run/motd\&.d/ +and +/usr/lib/motd\&.d/\&. Files in +/run/motd\&.d/ +override files with the same name in +/usr/lib/motd\&.d/\&. +.PP +Files in the directories listed above are displayed in lexicographic order by name\&. Moreover, the files are filtered by reading them with the credentials of the target user authenticating on the system\&. +.PP +To silence a message, a symbolic link with target +/dev/null +may be placed in +/etc/motd\&.d +with the same filename as the message to be silenced\&. Example: Creating a symbolic link as follows silences +/usr/lib/motd\&.d/my_motd\&. +.PP +\fBln \-s /dev/null /etc/motd\&.d/my_motd\fR +.PP +The +\fBMOTD_SHOWN=pam\fR +environment variable is set after showing the motd files, even when all of them were silenced using symbolic links\&. .SH "OPTIONS" .PP -\fBmotd=\fR\fB\fI/path/filename\fR\fR +motd=/path/filename .RS 4 The /path/filename -file is displayed as message of the day\&. +file is displayed as message of the day\&. Multiple paths to try can be specified as a colon\-separated list\&. By default this option is set to +/etc/motd:/run/motd:/usr/lib/motd\&. .RE .PP -\fBmotd_dir=\fR\fB\fI/path/dirname\&.d\fR\fR +motd_dir=/path/dirname\&.d .RS 4 The /path/dirname\&.d -directory is scanned and each file contained inside of it is displayed\&. +directory is scanned and each file contained inside of it is displayed\&. Multiple directories to scan can be specified as a colon\-separated list\&. By default this option is set to +/etc/motd\&.d:/run/motd\&.d:/usr/lib/motd\&.d\&. .RE .PP -When no options are given, the default is to display both -/etc/motd -and the contents of -/etc/motd\&.d\&. Specifying either option (or both) will disable this default behavior\&. +\fBnoupdate\fR +.RS 4 +Don\*(Aqt run the scripts in +/etc/update\-motd\&.d +to refresh the motd file\&. +.RE +.PP +When no options are given, the default behavior applies for both options\&. Specifying either option (or both) will disable the default behavior for both options\&. .SH "MODULE TYPES PROVIDED" .PP Only the @@ -64,9 +124,19 @@ Only the module type is provided\&. .SH "RETURN VALUES" .PP +PAM_ABORT +.RS 4 +Not all relevant data or options could be obtained\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP PAM_IGNORE .RS 4 -This is the only return value of this module\&. +This is the default return value of this module\&. .RE .SH "EXAMPLES" .PP @@ -122,7 +192,7 @@ session optional pam_motd\&.so motd=/elsewhere/motd motd_dir=/elsewhere/motd\& \fBmotd\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_motd was written by Ben Collins <bcollins@debian\&.org>\&. diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml index 906c4ed0..8369779a 100644 --- a/modules/pam_motd/pam_motd.8.xml +++ b/modules/pam_motd/pam_motd.8.xml @@ -1,99 +1,174 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_motd"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_motd"> <refmeta> <refentrytitle>pam_motd</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_motd-name"> + <refnamediv xml:id="pam_motd-name"> <refname>pam_motd</refname> <refpurpose>Display the motd file</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_motd-cmdsynopsis"> + <cmdsynopsis xml:id="pam_motd-cmdsynopsis" sepchar=" "> <command>pam_motd.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> motd=<replaceable>/path/filename</replaceable> </arg> + <arg choice="opt" rep="norepeat"> + motd_dir=<replaceable>/path/dirname.d</replaceable> + </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_motd-description"> + <refsect1 xml:id="pam_motd-description"> <title>DESCRIPTION</title> <para> pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a successful - login. By default the <filename>/etc/motd</filename> file is - shown. The message size is limited to 64KB. + login. By default, pam_motd shows files in the + following locations: + </para> + <para> + <simplelist type="vert"> + <member><filename>/etc/motd</filename></member> + <member><filename>/run/motd</filename></member> + <member><filename>/usr/lib/motd</filename></member> + <member><filename>/etc/motd.d/</filename></member> + <member><filename>/run/motd.d/</filename></member> + <member><filename>/usr/lib/motd.d/</filename></member> + </simplelist> + </para> + <para> + Each message size is limited to 64KB. + </para> + <para> + If <filename>/etc/motd</filename> does not exist, + then <filename>/run/motd</filename> is shown. If + <filename>/run/motd</filename> does not exist, then + <filename>/usr/lib/motd</filename> is shown. + </para> + <para> + Similar overriding behavior applies to the directories. + Files in <filename>/etc/motd.d/</filename> override files + with the same name in <filename>/run/motd.d/</filename> and + <filename>/usr/lib/motd.d/</filename>. Files in <filename>/run/motd.d/</filename> + override files with the same name in <filename>/usr/lib/motd.d/</filename>. + </para> + <para> + Files in the directories listed above are displayed in lexicographic + order by name. Moreover, the files are filtered by reading them with the + credentials of the target user authenticating on the system. + </para> + <para> + To silence a message, + a symbolic link with target <filename>/dev/null</filename> + may be placed in <filename>/etc/motd.d</filename> with + the same filename as the message to be silenced. Example: + Creating a symbolic link as follows silences <filename>/usr/lib/motd.d/my_motd</filename>. + </para> + <para> + <command>ln -s /dev/null /etc/motd.d/my_motd</command> + </para> + <para> + The <emphasis remap="B">MOTD_SHOWN=pam</emphasis> environment variable + is set after showing the motd files, even when all of them were silenced + using symbolic links. </para> - </refsect1> - <refsect1 id="pam_motd-options"> + <refsect1 xml:id="pam_motd-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>motd=<replaceable>/path/filename</replaceable></option> + motd=/path/filename </term> <listitem> <para> - The <filename>/path/filename</filename> file is displayed - as message of the day. + The <filename>/path/filename</filename> file is displayed + as message of the day. Multiple paths to try can be + specified as a colon-separated list. By default this option + is set to <filename>/etc/motd:/run/motd:/usr/lib/motd</filename>. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>motd_dir=<replaceable>/path/dirname.d</replaceable></option> + motd_dir=/path/dirname.d </term> <listitem> <para> The <filename>/path/dirname.d</filename> directory is scanned - and each file contained inside of it is displayed. + and each file contained inside of it is displayed. Multiple + directories to scan can be specified as a colon-separated list. + By default this option is set to <filename>/etc/motd.d:/run/motd.d:/usr/lib/motd.d</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>noupdate</option> + </term> + <listitem> + <para> + Don't run the scripts in <filename>/etc/update-motd.d</filename> + to refresh the motd file. </para> </listitem> </varlistentry> </variablelist> <para> - When no options are given, the default is to display both - <filename>/etc/motd</filename> and the contents of - <filename>/etc/motd.d</filename>. Specifying either option (or both) - will disable this default behavior. + When no options are given, the default behavior applies for both + options. Specifying either option (or both) will disable the + default behavior for both options. </para> </refsect1> - <refsect1 id="pam_motd-types"> + <refsect1 xml:id="pam_motd-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_motd-return_values'> + <refsect1 xml:id="pam_motd-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Not all relevant data or options could be obtained. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> <term>PAM_IGNORE</term> <listitem> <para> - This is the only return value of this module. + This is the default return value of this module. </para> </listitem> </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_motd-examples'> + <refsect1 xml:id="pam_motd-examples"> <title>EXAMPLES</title> <para> The suggested usage for <filename>/etc/pam.d/login</filename> is: @@ -116,7 +191,7 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d </para> </refsect1> - <refsect1 id='pam_motd-see_also'> + <refsect1 xml:id="pam_motd-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -129,12 +204,12 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_motd-author'> + <refsect1 xml:id="pam_motd-author"> <title>AUTHOR</title> <para> pam_motd was written by Ben Collins <bcollins@debian.org>. @@ -145,4 +220,4 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c index cc828d7e..8472dd64 100644 --- a/modules/pam_motd/pam_motd.c +++ b/modules/pam_motd/pam_motd.c @@ -1,13 +1,8 @@ -/* pam_motd module */ - /* - * Modified for pam_motd by Ben Collins <bcollins@debian.org> - * - * Based off of: - * $Id$ + * pam_motd module * + * Modified for pam_motd by Ben Collins <bcollins@debian.org> * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 - * */ #include "config.h" @@ -22,22 +17,16 @@ #include <sys/stat.h> #include <pwd.h> #include <syslog.h> +#include <errno.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION -#define DEFAULT_MOTD "/etc/motd" -#define DEFAULT_MOTD_D "/etc/motd.d" - #include <security/pam_modules.h> #include <security/pam_modutil.h> +#include "pam_inline.h" + +#define DEFAULT_MOTD "/etc/motd:/run/motd:/usr/lib/motd" +#define DEFAULT_MOTD_D "/etc/motd.d:/run/motd.d:/usr/lib/motd.d" /* --- session management functions (only) --- */ @@ -48,8 +37,8 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, return PAM_IGNORE; } -static char default_motd[] = DEFAULT_MOTD; -static char default_motd_dir[] = DEFAULT_MOTD_D; +static const char default_motd[] = DEFAULT_MOTD; +static const char default_motd_dir[] = DEFAULT_MOTD_D; static void try_to_display_fd(pam_handle_t *pamh, int fd) { @@ -75,43 +64,346 @@ static void try_to_display_fd(pam_handle_t *pamh, int fd) _pam_drop(mtmp); } -static void try_to_display_directory(pam_handle_t *pamh, const char *dirname) +/* + * Split a DELIM-separated string ARG into an array. + * Outputs a newly allocated array of strings OUT_ARG_SPLIT + * and the number of strings OUT_NUM_STRS. + * Returns 0 in case of error, 1 in case of success. + */ +static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim, + char ***out_arg_split, unsigned int *out_num_strs) { - DIR *dirp; + char *arg_extracted = NULL; + const char *arg_ptr = arg; + char **arg_split = NULL; + char delim_str[2]; + unsigned int i = 0; + unsigned int num_strs = 0; + int retval = 0; + + delim_str[0] = delim; + delim_str[1] = '\0'; + + if (arg == NULL) { + goto out; + } + + while (arg_ptr != NULL) { + num_strs++; + arg_ptr = strchr(arg_ptr + sizeof(const char), delim); + } + + arg_split = calloc(num_strs, sizeof(*arg_split)); + if (arg_split == NULL) { + pam_syslog(pamh, LOG_CRIT, "failed to allocate string array"); + goto out; + } + + arg_extracted = strtok_r(arg, delim_str, &arg); + while (arg_extracted != NULL && i < num_strs) { + arg_split[i++] = arg_extracted; + arg_extracted = strtok_r(NULL, delim_str, &arg); + } + + retval = 1; + + out: + *out_num_strs = num_strs; + *out_arg_split = arg_split; + + return retval; +} + +/* Join A_STR and B_STR, inserting a "/" between them if one is not already trailing + * in A_STR or beginning B_STR. A pointer to a newly allocated string holding the + * joined string is returned in STRP_OUT. + * Returns -1 in case of error, or the number of bytes in the joined string in + * case of success. */ +static int join_dir_strings(char **strp_out, const char *a_str, const char *b_str) +{ + int has_sep = 0; + int retval = -1; + char *join_strp = NULL; + + if (strp_out == NULL || a_str == NULL || b_str == NULL) { + goto out; + } + if (strlen(a_str) == 0) { + goto out; + } - dirp = opendir(dirname); + has_sep = (a_str[strlen(a_str) - 1] == '/') || (b_str[0] == '/'); - if (dirp != NULL) { - struct dirent *entry; + retval = asprintf(&join_strp, "%s%s%s", a_str, + (has_sep == 1) ? "" : "/", b_str); - while ((entry = readdir(dirp))) { - int fd = openat(dirfd(dirp), entry->d_name, O_RDONLY); + if (retval < 0) { + goto out; + } + + *strp_out = join_strp; + + out: + return retval; +} + +static int compare_strings(const void *a, const void *b) +{ + const char *a_str = *(const char * const *)a; + const char *b_str = *(const char * const *)b; + + if (a_str == NULL && b_str == NULL) { + return 0; + } + else if (a_str == NULL) { + return -1; + } + else if (b_str == NULL) { + return 1; + } + else { + return strcmp(a_str, b_str); + } +} + +static void try_to_display_directories_with_overrides(pam_handle_t *pamh, + char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing) +{ + struct dirent ***dirscans = NULL; + unsigned int *dirscans_sizes = NULL; + unsigned int dirscans_size_total = 0; + char **dirnames_all = NULL; + unsigned int i; + int i_dirnames = 0; + + if (pamh == NULL || motd_dir_path_split == NULL) { + goto out; + } + if (num_motd_dirs < 1) { + goto out; + } + + if ((dirscans = calloc(num_motd_dirs, sizeof(*dirscans))) == NULL) { + pam_syslog(pamh, LOG_CRIT, "failed to allocate dirent arrays"); + goto out; + } + if ((dirscans_sizes = calloc(num_motd_dirs, sizeof(*dirscans_sizes))) == NULL) { + pam_syslog(pamh, LOG_CRIT, "failed to allocate dirent array sizes"); + goto out; + } + + for (i = 0; i < num_motd_dirs; i++) { + int rv; + rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL); + if (rv < 0) { + if (errno != ENOENT || report_missing) { + pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m", + motd_dir_path_split[i]); + } + } else { + dirscans_sizes[i] = rv; + } + dirscans_size_total += dirscans_sizes[i]; + } + + if (dirscans_size_total == 0) + goto out; + + /* filter out unwanted names, directories, and complement data with lstat() */ + for (i = 0; i < num_motd_dirs; i++) { + struct dirent **d = dirscans[i]; + for (unsigned int j = 0; j < dirscans_sizes[i]; j++) { + int rc; + char *fullpath; + struct stat s; + + switch(d[j]->d_type) { /* the filetype determines how to proceed */ + case DT_REG: /* regular files and */ + case DT_LNK: /* symlinks */ + continue; /* are good. */ + case DT_UNKNOWN: /* for file systems that do not provide */ + /* a filetype, we use lstat() */ + if (join_dir_strings(&fullpath, motd_dir_path_split[i], + d[j]->d_name) <= 0) + break; + rc = lstat(fullpath, &s); + _pam_drop(fullpath); /* free the memory alloc'ed by join_dir_strings */ + if (rc != 0) /* if the lstat() somehow failed */ + break; + + if (S_ISREG(s.st_mode) || /* regular files and */ + S_ISLNK(s.st_mode)) continue; /* symlinks are good */ + break; + case DT_DIR: /* We don't want directories */ + default: /* nor anything else */ + break; + } + _pam_drop(d[j]); /* free memory */ + d[j] = NULL; /* indicate this one was dropped */ + dirscans_size_total--; + } + } + + /* Allocate space for all file names found in the directories, including duplicates. */ + if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) { + pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array"); + goto out; + } + + for (i = 0; i < num_motd_dirs; i++) { + unsigned int j; + + for (j = 0; j < dirscans_sizes[i]; j++) { + if (NULL != dirscans[i][j]) { + dirnames_all[i_dirnames] = dirscans[i][j]->d_name; + i_dirnames++; + } + } + } + + qsort(dirnames_all, dirscans_size_total, + sizeof(const char *), compare_strings); + + for (i = 0; i < dirscans_size_total; i++) { + unsigned int j; + + if (dirnames_all[i] == NULL) { + continue; + } + + /* Skip duplicate file names. */ + if (i > 0 && strcmp(dirnames_all[i], dirnames_all[i - 1]) == 0) { + continue; + } + + for (j = 0; j < num_motd_dirs; j++) { + char *abs_path = NULL; + int fd; + + if (join_dir_strings(&abs_path, motd_dir_path_split[j], + dirnames_all[i]) < 0 || abs_path == NULL) { + continue; + } + + fd = open(abs_path, O_RDONLY, 0); + _pam_drop(abs_path); if (fd >= 0) { try_to_display_fd(pamh, fd); close(fd); + + /* We displayed a file, skip to the next file name. */ + break; } } + } + + out: + _pam_drop(dirnames_all); + if (dirscans_sizes != NULL) { + for (i = 0; i < num_motd_dirs; i++) { + unsigned int j; + + for (j = 0; j < dirscans_sizes[i]; j++) + _pam_drop(dirscans[i][j]); + _pam_drop(dirscans[i]); + } + _pam_drop(dirscans_sizes); + } + _pam_drop(dirscans); +} + +static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs) +{ + struct passwd *pw; + const char *username; + int retval; + + retval = pam_get_user(pamh, &username, NULL); + + if (retval == PAM_SUCCESS) { + pw = pam_modutil_getpwnam (pamh, username); + } else { + return PAM_SESSION_ERR; + } + + if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) { + return PAM_SESSION_ERR; + } + + return PAM_SUCCESS; +} + +static int try_to_display(pam_handle_t *pamh, char **motd_path_split, + unsigned int num_motd_paths, + char **motd_dir_path_split, + unsigned int num_motd_dir_paths, int report_missing) +{ + PAM_MODUTIL_DEF_PRIVS(privs); + + if (drop_privileges(pamh, &privs) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Unable to drop privileges"); + return PAM_SESSION_ERR; + } + + if (motd_path_split != NULL) { + unsigned int i; + + for (i = 0; i < num_motd_paths; i++) { + int fd = open(motd_path_split[i], O_RDONLY, 0); + + if (fd >= 0) { + try_to_display_fd(pamh, fd); + close(fd); + + /* We found and displayed a file, + * move onto next filename. + */ + break; + } + } + } - closedir(dirp); + if (motd_dir_path_split != NULL) { + try_to_display_directories_with_overrides(pamh, + motd_dir_path_split, + num_motd_dir_paths, + report_missing); } + + if (pam_modutil_regain_priv(pamh, &privs)) { + pam_syslog(pamh, LOG_ERR, "Unable to regain privileges"); + return PAM_SESSION_ERR; + } + + return PAM_SUCCESS; } int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval = PAM_IGNORE; + int do_update = 1; const char *motd_path = NULL; + char *motd_path_copy = NULL; + unsigned int num_motd_paths = 0; + char **motd_path_split = NULL; const char *motd_dir_path = NULL; + char *motd_dir_path_copy = NULL; + unsigned int num_motd_dir_paths = 0; + char **motd_dir_path_split = NULL; + int report_missing; + struct stat st; if (flags & PAM_SILENT) { return retval; } for (; argc-- > 0; ++argv) { - if (!strncmp(*argv,"motd=",5)) { + const char *str; + if ((str = pam_str_skip_prefix(*argv, "motd=")) != NULL) { - motd_path = 5 + *argv; + motd_path = str; if (*motd_path != '\0') { D(("set motd path: %s", motd_path)); } else { @@ -120,9 +412,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, "motd= specification missing argument - ignored"); } } - else if (!strncmp(*argv,"motd_dir=",9)) { + else if ((str = pam_str_skip_prefix(*argv, "motd_dir=")) != NULL) { - motd_dir_path = 9 + *argv; + motd_dir_path = str; if (*motd_dir_path != '\0') { D(("set motd.d path: %s", motd_dir_path)); } else { @@ -131,6 +423,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, "motd_dir= specification missing argument - ignored"); } } + else if (!strcmp(*argv,"noupdate")) { + do_update = 0; + } else pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -138,21 +433,62 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, if (motd_path == NULL && motd_dir_path == NULL) { motd_path = default_motd; motd_dir_path = default_motd_dir; + report_missing = 0; + } else { + report_missing = 1; + } + + /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic. + This will be displayed only when calling pam_motd with + motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd + display both this file and /etc/motd. */ + if (do_update && (stat("/etc/update-motd.d", &st) == 0) + && S_ISDIR(st.st_mode)) + { + mode_t old_mask = umask(0022); + if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")) + rename("/run/motd.dynamic.new", "/run/motd.dynamic"); + umask(old_mask); } if (motd_path != NULL) { - int fd = open(motd_path, O_RDONLY, 0); + motd_path_copy = strdup(motd_path); + } - if (fd >= 0) { - try_to_display_fd(pamh, fd); - close(fd); + if (motd_path_copy != NULL) { + if (pam_split_string(pamh, motd_path_copy, ':', + &motd_path_split, &num_motd_paths) == 0) { + goto out; } } - if (motd_dir_path != NULL) - try_to_display_directory(pamh, motd_dir_path); + if (motd_dir_path != NULL) { + motd_dir_path_copy = strdup(motd_dir_path); + } - return retval; + if (motd_dir_path_copy != NULL) { + if (pam_split_string(pamh, motd_dir_path_copy, ':', + &motd_dir_path_split, &num_motd_dir_paths) == 0) { + goto out; + } + } + + retval = try_to_display(pamh, motd_path_split, num_motd_paths, + motd_dir_path_split, num_motd_dir_paths, + report_missing); + + out: + _pam_drop(motd_path_copy); + _pam_drop(motd_path_split); + _pam_drop(motd_dir_path_copy); + _pam_drop(motd_dir_path_split); + + if (retval == PAM_SUCCESS) { + retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); + return retval == PAM_SUCCESS ? PAM_IGNORE : retval; + } else { + return retval; + } } /* end of module definition */ diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index ebb00f36..507beea7 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -4,26 +4,28 @@ # CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MAN5) $(MAN8) README +MAINTAINERCLEANFILES = $(MANS) README -MAN5 = namespace.conf.5 -MAN8 = pam_namespace.8 +EXTRA_DIST = $(XMLS) -EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace - -if HAVE_UNSHARE - TESTS = tst-pam_namespace - man_MANS = $(MAN5) $(MAN8) +if HAVE_DOC +dist_man_MANS = namespace.conf.5 pam_namespace.8 pam_namespace_helper.8 endif - -XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml +dist_check_SCRIPTS = tst-pam_namespace +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -31,21 +33,20 @@ endif noinst_HEADERS = md5.h pam_namespace.h argv_parse.h -if HAVE_UNSHARE - securelib_LTLIBRARIES = pam_namespace.la - pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c - pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c +pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ - secureconf_DATA = namespace.conf - secureconf_SCRIPTS = namespace.init +dist_secureconf_DATA = namespace.conf +dist_secureconf_SCRIPTS = namespace.init +service_DATA = pam_namespace.service install-data-local: mkdir -p $(DESTDIR)$(namespaceddir) -endif +sbin_SCRIPTS = pam_namespace_helper if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_namespace.8.xml namespace.conf.5.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in index 9f0c2d9c..8fc29dc1 100644 --- a/modules/pam_namespace/Makefile.in +++ b/modules/pam_namespace/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -23,7 +23,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -88,27 +98,30 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_namespace -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(dist_secureconf_SCRIPTS) $(am__dist_noinst_DATA_DIST) \ + $(dist_secureconf_DATA) $(noinst_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = +CONFIG_CLEAN_FILES = pam_namespace_helper pam_namespace.service CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ @@ -138,21 +151,18 @@ am__uninstall_files_from_dir = { \ $(am__cd) "$$dir" && rm -f $$files; }; \ } am__installdirs = "$(DESTDIR)$(securelibdir)" \ - "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(man5dir)" \ - "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(servicedir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -@HAVE_UNSHARE_TRUE@pam_namespace_la_DEPENDENCIES = \ -@HAVE_UNSHARE_TRUE@ $(top_builddir)/libpam/libpam.la -am__pam_namespace_la_SOURCES_DIST = pam_namespace.c md5.c argv_parse.c -@HAVE_UNSHARE_TRUE@am_pam_namespace_la_OBJECTS = pam_namespace.lo \ -@HAVE_UNSHARE_TRUE@ md5.lo argv_parse.lo +pam_namespace_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am_pam_namespace_la_OBJECTS = pam_namespace.lo md5.lo argv_parse.lo pam_namespace_la_OBJECTS = $(am_pam_namespace_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -@HAVE_UNSHARE_TRUE@am_pam_namespace_la_rpath = -rpath $(securelibdir) -SCRIPTS = $(secureconf_SCRIPTS) +SCRIPTS = $(dist_secureconf_SCRIPTS) $(sbin_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -167,7 +177,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/argv_parse.Plo ./$(DEPDIR)/md5.Plo \ + ./$(DEPDIR)/pam_namespace.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,7 +200,7 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(pam_namespace_la_SOURCES) -DIST_SOURCES = $(am__pam_namespace_la_SOURCES_DIST) +DIST_SOURCES = $(pam_namespace_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -197,8 +209,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) $(service_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -374,6 +387,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -396,6 +410,11 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(srcdir)/pam_namespace.service.in \ + $(srcdir)/pam_namespace_helper.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -415,24 +434,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -446,7 +474,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -465,11 +492,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -492,8 +522,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -504,11 +533,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -551,7 +587,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -559,9 +594,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -571,32 +603,36 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MAN5) $(MAN8) README -MAN5 = namespace.conf.5 -MAN8 = pam_namespace.8 -EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace -@HAVE_UNSHARE_TRUE@TESTS = tst-pam_namespace -@HAVE_UNSHARE_TRUE@man_MANS = $(MAN5) $(MAN8) -XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml +MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = namespace.conf.5 pam_namespace.8 pam_namespace_helper.8 +XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper.8.xml +dist_check_SCRIPTS = tst-pam_namespace +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d +servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) noinst_HEADERS = md5.h pam_namespace.h argv_parse.h -@HAVE_UNSHARE_TRUE@securelib_LTLIBRARIES = pam_namespace.la -@HAVE_UNSHARE_TRUE@pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c -@HAVE_UNSHARE_TRUE@pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -@HAVE_UNSHARE_TRUE@secureconf_DATA = namespace.conf -@HAVE_UNSHARE_TRUE@secureconf_SCRIPTS = namespace.init -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +securelib_LTLIBRARIES = pam_namespace.la +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c +pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ +dist_secureconf_DATA = namespace.conf +dist_secureconf_SCRIPTS = namespace.init +service_DATA = pam_namespace.service +sbin_SCRIPTS = pam_namespace_helper +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -613,14 +649,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_namespace/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_namespace/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -631,6 +666,10 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +pam_namespace_helper: $(top_builddir)/config.status $(srcdir)/pam_namespace_helper.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pam_namespace.service: $(top_builddir)/config.status $(srcdir)/pam_namespace.service.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @@ -668,10 +707,10 @@ clean-securelibLTLIBRARIES: } pam_namespace.la: $(pam_namespace_la_OBJECTS) $(pam_namespace_la_DEPENDENCIES) $(EXTRA_pam_namespace_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) $(am_pam_namespace_la_rpath) $(pam_namespace_la_OBJECTS) $(pam_namespace_la_LIBADD) $(LIBS) -install-secureconfSCRIPTS: $(secureconf_SCRIPTS) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_namespace_la_OBJECTS) $(pam_namespace_la_LIBADD) $(LIBS) +install-dist_secureconfSCRIPTS: $(dist_secureconf_SCRIPTS) @$(NORMAL_INSTALL) - @list='$(secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -698,12 +737,47 @@ install-secureconfSCRIPTS: $(secureconf_SCRIPTS) } \ ; done -uninstall-secureconfSCRIPTS: +uninstall-dist_secureconfSCRIPTS: @$(NORMAL_UNINSTALL) - @list='$(secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || exit 0; \ + @list='$(dist_secureconf_SCRIPTS)'; test -n "$(secureconfdir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) +install-sbinSCRIPTS: $(sbin_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -711,23 +785,29 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_parse.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_namespace.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/argv_parse.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_namespace.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -741,10 +821,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -779,15 +859,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -822,14 +902,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -843,11 +923,32 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) +install-serviceDATA: $(service_DATA) + @$(NORMAL_INSTALL) + @list='$(service_DATA)'; test -n "$(servicedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(servicedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(servicedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(servicedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(servicedir)" || exit $$?; \ + done + +uninstall-serviceDATA: + @$(NORMAL_UNINSTALL) + @list='$(service_DATA)'; test -n "$(servicedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(servicedir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -931,7 +1032,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -1008,7 +1109,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -1021,7 +1122,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1031,7 +1132,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1064,7 +1165,10 @@ tst-pam_namespace.log: tst-pam_namespace @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1095,11 +1199,12 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" "$(DESTDIR)$(servicedir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1137,14 +1242,15 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) -@HAVE_UNSHARE_FALSE@install-data-local: clean: clean-am clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/argv_parse.Plo + -rm -f ./$(DEPDIR)/md5.Plo + -rm -f ./$(DEPDIR)/pam_namespace.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1161,14 +1267,15 @@ info: info-am info-am: -install-data-am: install-data-local install-man install-secureconfDATA \ - install-secureconfSCRIPTS install-securelibLTLIBRARIES +install-data-am: install-data-local install-dist_secureconfDATA \ + install-dist_secureconfSCRIPTS install-man \ + install-securelibLTLIBRARIES install-serviceDATA install-dvi: install-dvi-am install-dvi-am: -install-exec-am: +install-exec-am: install-sbinSCRIPTS install-html: install-html-am @@ -1191,7 +1298,9 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/argv_parse.Plo + -rm -f ./$(DEPDIR)/md5.Plo + -rm -f ./$(DEPDIR)/pam_namespace.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1208,36 +1317,41 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ - uninstall-secureconfSCRIPTS uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-dist_secureconfDATA \ + uninstall-dist_secureconfSCRIPTS uninstall-man \ + uninstall-sbinSCRIPTS uninstall-securelibLTLIBRARIES \ + uninstall-serviceDATA uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-data-local install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-man5 install-man8 install-pdf install-pdf-am \ - install-ps install-ps-am install-secureconfDATA \ - install-secureconfSCRIPTS install-securelibLTLIBRARIES \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am recheck tags tags-am uninstall \ - uninstall-am uninstall-man uninstall-man5 uninstall-man8 \ - uninstall-secureconfDATA uninstall-secureconfSCRIPTS \ - uninstall-securelibLTLIBRARIES - - -@HAVE_UNSHARE_TRUE@install-data-local: -@HAVE_UNSHARE_TRUE@ mkdir -p $(DESTDIR)$(namespaceddir) -@ENABLE_REGENERATE_MAN_TRUE@README: pam_namespace.8.xml namespace.conf.5.xml +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-local install-dist_secureconfDATA \ + install-dist_secureconfSCRIPTS install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man5 \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinSCRIPTS install-securelibLTLIBRARIES \ + install-serviceDATA install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am recheck tags tags-am \ + uninstall uninstall-am uninstall-dist_secureconfDATA \ + uninstall-dist_secureconfSCRIPTS uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-sbinSCRIPTS \ + uninstall-securelibLTLIBRARIES uninstall-serviceDATA + +.PRECIOUS: Makefile + + +install-data-local: + mkdir -p $(DESTDIR)$(namespaceddir) @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README index 6c580d6a..c5a6ec4d 100644 --- a/modules/pam_namespace/README +++ b/modules/pam_namespace/README @@ -14,6 +14,9 @@ polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments. +If /etc/security/namespace.init does not exist, %vendordir%/security/ +namespace.init is the alternative to be used for it. + The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate @@ -117,6 +120,16 @@ The /etc/security/namespace.conf file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. +The /etc/security/namespace.conf file ( or %vendordir%/security/namespace.conf +if it does not exist) specifies which directories are polyinstantiated, how +they are polyinstantiated, how instance directories would be named, and any +users for whom polyinstantiation would not be performed. Then individual *.conf +files from the /etc/security/namespace.d/ and %vendordir%/security/namespace.d +directories are taken too. If /etc/security/namespace.d/@filename@.conf exists, +then %vendordir%/security/namespace.d/@filename@.conf will not be used. All +namespace.d/*.conf files are sorted by their @filename@.conf in lexicographic +order regardless of which of the directories they reside in. + When someone logs in, the file namespace.conf is scanned. Comments are marked by # characters. Each non comment line represents one polyinstantiated directory. The fields are separated by spaces but can be quoted by " characters @@ -169,7 +182,10 @@ contain the user name and will be shared among all users. mntopts=value - value of this flag is passed to the mount call when the tmpfs mount is done. It allows for example the specification of the maximum size of -the tmpfs instance that is created by the mount call. See mount(8) for details. +the tmpfs instance that is created by the mount call. In addition to options +specified in the tmpfs(5) manual the nosuid, noexec, and nodev flags can be +used to respectively disable setuid bit effect, disable running executables, +and disable devices to be interpreted on the mounted tmpfs filesystem. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000. The requirement that the instance diff --git a/modules/pam_namespace/README.xml b/modules/pam_namespace/README.xml index 4ef99c9f..f94cb065 100644 --- a/modules/pam_namespace/README.xml +++ b/modules/pam_namespace/README.xml @@ -1,44 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamns SYSTEM "pam_namespace.8.xml"> ---> -<!-- -<!ENTITY nsconf SYSTEM "namespace.conf.5.xml"> ---> -]> - -<article> - - <articleinfo> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index dc95ab14..07ad9a02 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -18,20 +18,22 @@ * */ -#include <string.h> #include "md5.h" +#include <string.h> + +#include "pam_inline.h" #define MD5Name(x) x -#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) -#define byteReverse(buf, len) /* Nothing */ -#else -static void byteReverse(unsigned char *buf, unsigned longs); +#ifdef WORDS_BIGENDIAN +typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned; + +static void byteReverse(uint8_aligned *buf, unsigned longs); /* * Note: this code is harmless on little-endian machines. */ -static void byteReverse(unsigned char *buf, unsigned longs) +static void byteReverse(uint8_aligned *buf, unsigned longs) { uint32 t; do { @@ -41,6 +43,8 @@ static void byteReverse(unsigned char *buf, unsigned longs) buf += 4; } while (--longs); } +#else +#define byteReverse(buf, len) /* Nothing */ #endif /* @@ -49,10 +53,10 @@ static void byteReverse(unsigned char *buf, unsigned longs) */ void MD5Name(MD5Init)(struct MD5Context *ctx) { - ctx->buf[0] = 0x67452301U; - ctx->buf[1] = 0xefcdab89U; - ctx->buf[2] = 0x98badcfeU; - ctx->buf[3] = 0x10325476U; + ctx->buf.i[0] = 0x67452301U; + ctx->buf.i[1] = 0xefcdab89U; + ctx->buf.i[2] = 0x98badcfeU; + ctx->buf.i[3] = 0x10325476U; ctx->bits[0] = 0; ctx->bits[1] = 0; @@ -78,7 +82,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign /* Handle any leading odd-sized chunks */ if (t) { - unsigned char *p = (unsigned char *) ctx->in + t; + unsigned char *p = ctx->in.c + t; t = 64 - t; if (len < t) { @@ -86,24 +90,24 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign return; } memcpy(p, buf, t); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += t; len -= t; } /* Process data in 64-byte chunks */ while (len >= 64) { - memcpy(ctx->in, buf, 64); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + memcpy(ctx->in.c, buf, 64); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += 64; len -= 64; } /* Handle any remaining bytes of data. */ - memcpy(ctx->in, buf, len); + memcpy(ctx->in.c, buf, len); } /* @@ -120,7 +124,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) /* Set the first char of padding to 0x80. This is safe since there is always at least one byte free */ - p = ctx->in + count; + p = ctx->in.c + count; *p++ = 0x80; /* Bytes of padding needed to make 64 bytes */ @@ -130,24 +134,24 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) if (count < 8) { /* Two lots of padding: Pad the first block to 64 bytes */ memset(p, 0, count); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse(ctx->in.c, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); /* Now fill the next block with 56 bytes */ - memset(ctx->in, 0, 56); + memset(ctx->in.c, 0, 56); } else { /* Pad block to 56 bytes */ memset(p, 0, count - 8); } - byteReverse(ctx->in, 14); + byteReverse(ctx->in.c, 14); /* Append length in bits and transform */ - memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); + memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32)); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); - memcpy(digest, ctx->buf, 16); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + byteReverse(ctx->buf.c, 4); + memcpy(digest, ctx->buf.c, 16); + pam_overwrite_object(ctx); /* In case it's sensitive */ } /* The four core functions - F1 is optimized somewhat */ diff --git a/modules/pam_namespace/md5.h b/modules/pam_namespace/md5.h index 73f85833..501aab4b 100644 --- a/modules/pam_namespace/md5.h +++ b/modules/pam_namespace/md5.h @@ -2,12 +2,20 @@ #ifndef MD5_H #define MD5_H +#include "pam_cc_compat.h" + typedef unsigned int uint32; struct MD5Context { - uint32 buf[4]; + union { + uint32 i[4]; + unsigned char c[16] PAM_ATTRIBUTE_ALIGNED(4); + } buf; uint32 bits[2]; - unsigned char in[64]; + union { + uint32 i[16]; + unsigned char c[64] PAM_ATTRIBUTE_ALIGNED(4); + } in; }; #define MD5_DIGEST_LENGTH 16 diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf index b611a0f2..75ec6193 100644 --- a/modules/pam_namespace/namespace.conf +++ b/modules/pam_namespace/namespace.conf @@ -21,7 +21,10 @@ # is explicitly called with an argument to ignore the mode of the # instance parent. System administrators should use this argument with # caution, as it will reduce security and isolation achieved by -# polyinstantiation. +# polyinstantiation. The parent directories (except $HOME) are created +# at boot by pam_namespace_helper, but in a live system, system +# administrators should create the parent directories before enabling +# them here. # #/tmp /tmp-inst/ level root,adm #/var/tmp /var/tmp/tmp-inst/ level root,adm diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 index be3458f8..e4e8cfdd 100644 --- a/modules/pam_namespace/namespace.conf.5 +++ b/modules/pam_namespace/namespace.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: namespace.conf .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "NAMESPACE\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "NAMESPACE\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -53,7 +53,10 @@ characters also escape sequences \fI\et\fR are recognized\&. The fields are as follows: .PP -\fIpolydir\fR\fIinstance_prefix\fR\fImethod\fR\fIlist_of_uids\fR +\fIpolydir\fR +\fIinstance_prefix\fR +\fImethod\fR +\fIlist_of_uids\fR .PP The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. The special string @@ -98,9 +101,13 @@ characters\&. \- the instance directories for "context" and "level" methods will not contain the user name and will be shared among all users\&. .PP \fImntopts\fR=\fIvalue\fR -\- value of this flag is passed to the mount call when the tmpfs mount is done\&. It allows for example the specification of the maximum size of the tmpfs instance that is created by the mount call\&. See -\fBmount\fR(8) -for details\&. +\- value of this flag is passed to the mount call when the tmpfs mount is done\&. It allows for example the specification of the maximum size of the tmpfs instance that is created by the mount call\&. In addition to options specified in the +\fBtmpfs\fR(5) +manual the +\fInosuid\fR, +\fInoexec\fR, and +\fInodev\fR +flags can be used to respectively disable setuid bit effect, disable running executables, and disable devices to be interpreted on the mounted tmpfs filesystem\&. .PP The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000\&. The requirement that the instance parent be of mode 0000 can be overridden with the command line option \fIignore_instance_parent_mode\fR @@ -155,7 +162,7 @@ This module also depends on pam_selinux\&.so setting the context\&. .PP \fBpam_namespace\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHORS" .PP The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index c7698cb4..dcf69732 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="namespace.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="namespace.conf"> <refmeta> <refentrytitle>namespace.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -16,7 +13,7 @@ </refnamediv> - <refsect1 id='namespace.conf-description'> + <refsect1 xml:id="namespace.conf-description"> <title>DESCRIPTION</title> <para> @@ -30,13 +27,29 @@ directory path and the instance directory path as its arguments. </para> - <para> + <para condition="without_vendordir"> The <filename>/etc/security/namespace.conf</filename> file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. </para> + <para condition="with_vendordir"> + The <filename>/etc/security/namespace.conf</filename> file + ( or <filename>%vendordir%/security/namespace.conf</filename> if it does + not exist) specifies which directories are polyinstantiated, how they are + polyinstantiated, how instance directories would be named, and any users + for whom polyinstantiation would not be performed. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/namespace.d/</filename> and + <filename>%vendordir%/security/namespace.d</filename> directories are taken too. + If <filename>/etc/security/namespace.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/namespace.d/@filename@.conf</filename> will not be used. + All <filename>namespace.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + </para> + <para> When someone logs in, the file <filename>namespace.conf</filename> is scanned. Comments are marked by <emphasis>#</emphasis> characters. @@ -122,9 +135,14 @@ <para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable> - value of this flag is passed to the mount call when the tmpfs mount is done. It allows for example the specification of the maximum size of the - tmpfs instance that is created by the mount call. See <citerefentry> - <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> for details. + tmpfs instance that is created by the mount call. In addition to + options specified in the <citerefentry> + <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> manual the <emphasis>nosuid</emphasis>, + <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags + can be used to respectively disable setuid bit effect, disable running + executables, and disable devices to be interpreted on the mounted + tmpfs filesystem. </para> <para> @@ -154,7 +172,7 @@ </refsect1> - <refsect1 id="namespace.conf-examples"> + <refsect1 xml:id="namespace.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -199,20 +217,20 @@ </refsect1> - <refsect1 id="namespace.conf-see_also"> + <refsect1 xml:id="namespace.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="namespace.conf-author"> + <refsect1 xml:id="namespace.conf-author"> <title>AUTHORS</title> <para> The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. More features added by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init index 67d4aa2d..d9053a13 100755 --- a/modules/pam_namespace/namespace.init +++ b/modules/pam_namespace/namespace.init @@ -16,7 +16,7 @@ if [ "$3" = 1 ]; then cp -rT /etc/skel "$homedir" chown -R "$user":"$gid" "$homedir" mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs) - mode=$(printf "%o" $((0777 & ~$mask))) + mode=$(printf "%o" $((0777 & ~mask))) chmod ${mode:-700} "$homedir" [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" fi diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 index 630f1a92..d69f9fd6 100644 --- a/modules/pam_namespace/pam_namespace.8 +++ b/modules/pam_namespace/pam_namespace.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NAMESPACE" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_NAMESPACE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -41,57 +41,57 @@ exists, it is used to initialize the instance directory after it is set up and m The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is logged using syslog .RE .PP -\fBunmnt_remnt\fR +unmnt_remnt .RS 4 For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context .RE .PP -\fBunmnt_only\fR +unmnt_only .RS 4 For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories .RE .PP -\fBrequire_selinux\fR +require_selinux .RS 4 If selinux is not enabled, return failure .RE .PP -\fBgen_hash\fR +gen_hash .RS 4 Instead of using the security context string for the instance name, generate and use its md5 hash\&. .RE .PP -\fBignore_config_error\fR +ignore_config_error .RS 4 If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&. .RE .PP -\fBignore_instance_parent_mode\fR +ignore_instance_parent_mode .RS 4 Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. .RE .PP -\fBunmount_on_close\fR +unmount_on_close .RS 4 Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&. .RE .PP -\fBuse_current_context\fR +use_current_context .RS 4 Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. .RE .PP -\fBuse_default_context\fR +use_default_context .RS 4 Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. .RE .PP -\fBmount_private\fR +mount_private .RS 4 This option can be used on systems where the / mount point or its submounts are made shared (for example with a \fBmount \-\-make\-rshared /\fR @@ -142,43 +142,13 @@ For the <service>s you need polyinstantiation (login for example) put the follow .PP session required pam_namespace\&.so [arguments] .PP -To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default: -.PP -/usr/sbin/gdm\-safe\-restart -.PP -This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\&. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\&. Please use the initialization script -/etc/security/namespace\&.init -to ensure that the X server and its clients can appropriately access the communication socket X0\&. Please refer to the sample instructions provided in the comment section of the instance initialization script -/etc/security/namespace\&.init\&. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: -.PP -.if n \{\ -.RS 4 -.\} -.nf - 1\&. Disable the use of font server by commenting out "FontPath" - line in /etc/X11/xorg\&.conf\&. If you do want to use the font server - then you will have to augment the instance initialization - script to appropriately provide /tmp/\&.font\-unix from the - polyinstantiated /tmp\&. - 2\&. Ensure that the gdm service is setup to use pam_namespace, - as described above, by modifying /etc/pam\&.d/gdm\&. - 3\&. Ensure that the display manager is configured to restart X server - with each new session\&. This default setup can be verified by - making sure that /usr/share/gdm/defaults\&.conf contains - "AlwaysRestartServer=true", and it is not overridden by - /etc/gdm/custom\&.conf\&. - -.fi -.if n \{\ -.RE -.\} -.sp +To use polyinstantiation with graphical display manager gdm, please refer to gdm\*(Aqs documentation\&. .SH "SEE ALSO" .PP \fBnamespace.conf\fR(5), \fBpam.d\fR(5), \fBmount\fR(8), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index f0f80d33..954093d9 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_namespace'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace"> <refmeta> <refentrytitle>pam_namespace</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_namespace-name'> + <refnamediv xml:id="pam_namespace-name"> <refname>pam_namespace</refname> <refpurpose> PAM module for configuring namespace for a session @@ -20,46 +17,46 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_namespace-cmdsynopsis"> + <cmdsynopsis xml:id="pam_namespace-cmdsynopsis" sepchar=" "> <command>pam_namespace.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmnt_remnt </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmnt_only </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> require_selinux </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> gen_hash </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore_config_error </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore_instance_parent_mode </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmount_on_close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_current_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_default_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> mount_private </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_namespace-description"> + <refsect1 xml:id="pam_namespace-description"> <title>DESCRIPTION</title> <para> The pam_namespace PAM module sets up a private namespace for a session @@ -74,6 +71,12 @@ and the user name as its arguments. </para> + <para condition="with_vendordir"> + If <filename>/etc/security/namespace.init</filename> does not exist, + <filename>%vendordir%/security/namespace.init</filename> is the + alternative to be used for it. + </para> + <para> The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent @@ -88,13 +91,13 @@ </refsect1> - <refsect1 id="pam_namespace-options"> + <refsect1 xml:id="pam_namespace-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -105,7 +108,7 @@ <varlistentry> <term> - <option>unmnt_remnt</option> + unmnt_remnt </term> <listitem> <para> @@ -125,7 +128,7 @@ <varlistentry> <term> - <option>unmnt_only</option> + unmnt_only </term> <listitem> <para> @@ -140,7 +143,7 @@ <varlistentry> <term> - <option>require_selinux</option> + require_selinux </term> <listitem> <para> @@ -151,7 +154,7 @@ <varlistentry> <term> - <option>gen_hash</option> + gen_hash </term> <listitem> <para> @@ -164,7 +167,7 @@ <varlistentry> <term> - <option>ignore_config_error</option> + ignore_config_error </term> <listitem> <para> @@ -180,7 +183,7 @@ <varlistentry> <term> - <option>ignore_instance_parent_mode</option> + ignore_instance_parent_mode </term> <listitem> <para> @@ -195,7 +198,7 @@ <varlistentry> <term> - <option>unmount_on_close</option> + unmount_on_close </term> <listitem> <para> @@ -212,7 +215,7 @@ <varlistentry> <term> - <option>use_current_context</option> + use_current_context </term> <listitem> <para> @@ -226,7 +229,7 @@ <varlistentry> <term> - <option>use_default_context</option> + use_default_context </term> <listitem> <para> @@ -240,7 +243,7 @@ <varlistentry> <term> - <option>mount_private</option> + mount_private </term> <listitem> <para> @@ -265,7 +268,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_namespace-types"> + <refsect1 xml:id="pam_namespace-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. @@ -273,7 +276,7 @@ </para> </refsect1> - <refsect1 id="pam_namespace-return_values"> + <refsect1 xml:id="pam_namespace-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -303,33 +306,57 @@ </variablelist> </refsect1> - <refsect1 id="pam_namespace-files"> + <refsect1 xml:id="pam_namespace-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/namespace.conf</filename></term> + <term>/etc/security/namespace.conf</term> <listitem> <para>Main configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/namespace.conf</filename> does not exist.</para> + </listitem> + </varlistentry> + <varlistentry> - <term><filename>/etc/security/namespace.d</filename></term> + <term>/etc/security/namespace.d</term> <listitem> <para>Directory for additional configuration files</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.d</term> + <listitem> + <para>Directory for additional vendor specific configuration files.</para> + </listitem> + </varlistentry> + <varlistentry> - <term><filename>/etc/security/namespace.init</filename></term> + <term>/etc/security/namespace.init</term> <listitem> <para>Init script for instance directories</para> </listitem> </varlistentry> + + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.init</term> + <listitem> + <para>Vendor init script for instance directories if + /etc/security/namespace.init does not exist. + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_namespace-examples"> + <refsect1 xml:id="pam_namespace-examples"> <title>EXAMPLES</title> <para> @@ -343,50 +370,13 @@ </para> <para> - To use polyinstantiation with graphical display manager gdm, insert the - following line, before exit 0, in /etc/gdm/PostSession/Default: - </para> - - <para> - /usr/sbin/gdm-safe-restart - </para> - - <para> - This allows gdm to restart after each session and appropriately adjust - namespaces of display manager and the X server. If polyinstantiation - of /tmp is desired along with the graphical environment, then additional - configuration changes are needed to address the interaction of X server - and font server namespaces with their use of /tmp to create - communication sockets. Please use the initialization script - <filename>/etc/security/namespace.init</filename> to ensure that - the X server and its clients can appropriately access the - communication socket X0. Please refer to the sample instructions - provided in the comment section of the instance initialization script - <filename>/etc/security/namespace.init</filename>. In addition, - perform the following changes to use graphical environment with - polyinstantiation of /tmp: - </para> - - <para> - <literallayout> - 1. Disable the use of font server by commenting out "FontPath" - line in /etc/X11/xorg.conf. If you do want to use the font server - then you will have to augment the instance initialization - script to appropriately provide /tmp/.font-unix from the - polyinstantiated /tmp. - 2. Ensure that the gdm service is setup to use pam_namespace, - as described above, by modifying /etc/pam.d/gdm. - 3. Ensure that the display manager is configured to restart X server - with each new session. This default setup can be verified by - making sure that /usr/share/gdm/defaults.conf contains - "AlwaysRestartServer=true", and it is not overridden by - /etc/gdm/custom.conf. - </literallayout> + To use polyinstantiation with graphical display manager gdm, please refer + to gdm's documentation. </para> </refsect1> - <refsect1 id="pam_namespace-see_also"> + <refsect1 xml:id="pam_namespace-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -399,12 +389,12 @@ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_namespace-authors"> + <refsect1 xml:id="pam_namespace-authors"> <title>AUTHORS</title> <para> The namespace setup scheme was designed by Stephen Smalley, Janak Desai @@ -415,4 +405,4 @@ <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index f541f891..ef856443 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -34,9 +34,99 @@ #define _ATFILE_SOURCE +#include "pam_cc_compat.h" +#include "pam_inline.h" #include "pam_namespace.h" #include "argv_parse.h" +/* --- evaluting all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */ +static const char *base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (char * const *) a), + base_name(* (char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/namespace.d/@filename@.conf exists, then + * %vendordir%/security/namespace.d/@filename@.conf should not be used. + * - All files in both namespace.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char **read_namespace_dir(struct instance_data *idata) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0; + +#ifdef VENDOR_NAMESPACE_D_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_NAMESPACE_D_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_NAMESPACE_D_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* * Adds an entry for a polyinstantiated directory to the linked list of * polyinstantiated directories. It is called from process_line() while @@ -230,6 +320,73 @@ static int parse_iscript_params(char *params, struct polydir_s *poly) return 0; } +struct mntflag { + const char *name; + size_t len; + unsigned long flag; +}; + +#define LITERAL_AND_LEN(x) x, sizeof(x) - 1 + +static const struct mntflag mntflags[] = { + { LITERAL_AND_LEN("noexec"), MS_NOEXEC }, + { LITERAL_AND_LEN("nosuid"), MS_NOSUID }, + { LITERAL_AND_LEN("nodev"), MS_NODEV } + }; + +static int filter_mntopts(const char *opts, char **filtered, + unsigned long *mountflags) +{ + size_t origlen = strlen(opts); + const char *end; + char *dest; + + dest = *filtered = NULL; + *mountflags = 0; + + if (origlen == 0) + return 0; + + do { + size_t len; + unsigned int i; + + end = strchr(opts, ','); + if (end == NULL) { + len = strlen(opts); + } else { + len = end - opts; + } + + for (i = 0; i < PAM_ARRAY_SIZE(mntflags); i++) { + if (mntflags[i].len != len) + continue; + if (memcmp(mntflags[i].name, opts, len) == 0) { + *mountflags |= mntflags[i].flag; + opts = end; + break; + } + } + + if (opts != end) { + if (dest != NULL) { + *dest = ','; + ++dest; + } else { + dest = *filtered = calloc(1, origlen + 1); + if (dest == NULL) + return -1; + } + memcpy(dest, opts, len); + dest += len; + } + + opts = end + 1; + } while (end != NULL); + + return 0; +} + static int parse_method(char *method, struct polydir_s *poly, struct instance_data *idata) { @@ -289,7 +446,8 @@ static int parse_method(char *method, struct polydir_s *poly, break; } free(poly->mount_opts); /* if duplicate mntopts specified */ - if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) { + poly->mount_opts = NULL; + if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) { pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); return -1; } @@ -554,8 +712,6 @@ static int parse_config_file(struct instance_data *idata) char *line; int retval; size_t len = 0; - glob_t globbuf; - const char *oldlocale; size_t n; /* @@ -594,13 +750,16 @@ static int parse_config_file(struct instance_data *idata) * process_line to process each line. */ - memset(&globbuf, '\0', sizeof(globbuf)); - oldlocale = setlocale(LC_COLLATE, "C"); - glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf); - if (oldlocale != NULL) - setlocale(LC_COLLATE, oldlocale); - confname = PAM_NAMESPACE_CONFIG; +#ifdef VENDOR_PAM_NAMESPACE_CONFIG + /* Check whether PAM_NAMESPACE_CONFIG file is available. + * If it does not exist, fall back to VENDOR_PAM_NAMESPACE_CONFIG file. */ + struct stat buffer; + if (stat(confname, &buffer) != 0 && errno == ENOENT) { + confname = VENDOR_PAM_NAMESPACE_CONFIG; + } +#endif + char **filename_list = read_namespace_dir(idata); n = 0; for (;;) { if (idata->flags & PAMNS_DEBUG) @@ -610,7 +769,6 @@ static int parse_config_file(struct instance_data *idata) if (fil == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s", confname); - globfree(&globbuf); free(rhome); free(home); return PAM_SERVICE_ERR; @@ -628,7 +786,6 @@ static int parse_config_file(struct instance_data *idata) "Error processing conf file %s line %s", confname, line); fclose(fil); free(line); - globfree(&globbuf); free(rhome); free(home); return PAM_SERVICE_ERR; @@ -637,14 +794,18 @@ static int parse_config_file(struct instance_data *idata) fclose(fil); free(line); - if (n >= globbuf.gl_pathc) + if (filename_list == NULL || filename_list[n] == NULL) break; - confname = globbuf.gl_pathv[n]; - n++; + confname = filename_list[n++]; + } + + if (filename_list != NULL) { + for (size_t i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); } - globfree(&globbuf); free(rhome); free(home); @@ -670,7 +831,7 @@ static int parse_config_file(struct instance_data *idata) /* - * This funtion returns true if a given uid is present in the polyinstantiated + * This function returns true if a given uid is present in the polyinstantiated * directory's list of override uids. If the uid is one of the override * uids for the polyinstantiated directory, polyinstantiation is not * performed for that user for that directory. @@ -727,11 +888,11 @@ static char *md5hash(const char *instname, struct instance_data *idata) #ifdef WITH_SELINUX static int form_context(const struct polydir_s *polyptr, - security_context_t *i_context, security_context_t *origcon, + char **i_context, char **origcon, struct instance_data *idata) { int rc = PAM_SUCCESS; - security_context_t scon = NULL; + char *scon = NULL; security_class_t tclass; /* @@ -774,6 +935,12 @@ static int form_context(const struct polydir_s *polyptr, if (polyptr->method == CONTEXT) { tclass = string_to_security_class("dir"); + if (tclass == 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting dir security class"); + freecon(scon); + return PAM_SESSION_ERR; + } if (security_compute_member(scon, *origcon, tclass, i_context) < 0) { @@ -810,7 +977,7 @@ static int form_context(const struct polydir_s *polyptr, goto fail; } if (context_range_set(fcontext, context_range_get(scontext)) != 0) { - pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context"); + pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Component of context"); goto fail; } *i_context=strdup(context_str(fcontext)); @@ -840,7 +1007,7 @@ static int form_context(const struct polydir_s *polyptr, */ #ifdef WITH_SELINUX static int poly_name(const struct polydir_s *polyptr, char **i_name, - security_context_t *i_context, security_context_t *origcon, + char **i_context, char **origcon, struct instance_data *idata) #else static int poly_name(const struct polydir_s *polyptr, char **i_name, @@ -851,7 +1018,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, char *hash = NULL; enum polymethod pm; #ifdef WITH_SELINUX - security_context_t rawcon = NULL; + char *rawcon = NULL; #endif *i_name = NULL; @@ -1027,7 +1194,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int dfd = AT_FDCWD; int dfd_next; int save_errno; - int flags = O_RDONLY; + int flags = O_RDONLY | O_DIRECTORY; int rv = -1; struct stat st; @@ -1081,22 +1248,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, rv = openat(dfd, dir, flags); } - if (rv != -1) { - if (fstat(rv, &st) != 0) { - save_errno = errno; - close(rv); - rv = -1; - errno = save_errno; - goto error; - } - if (!S_ISDIR(st.st_mode)) { - close(rv); - errno = ENOTDIR; - rv = -1; - goto error; - } - } - if (flags & O_NOFOLLOW) { /* we are inside user-owned dir - protect */ if (protect_mount(rv, p, idata) == -1) { @@ -1174,16 +1325,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, struct instance_data *idata, int newdir) { pid_t rc, pid; - struct sigaction newsa, oldsa; int status; const char *init_script = NAMESPACE_INIT_SCRIPT; - memset(&newsa, '\0', sizeof(newsa)); - newsa.sa_handler = SIG_DFL; - if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { - pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); - return PAM_SESSION_ERR; +#ifdef VENDOR_NAMESPACE_INIT_SCRIPT + /* Check whether NAMESPACE_INIT_SCRIPT file is available. + * If it does not exist, fall back to VENDOR_NAMESPACE_INIT_SCRIPT file. */ + struct stat buffer; + if (stat(init_script, &buffer) != 0 && errno == ENOENT) { + init_script = VENDOR_NAMESPACE_INIT_SCRIPT; } +#endif if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script) init_script = polyptr->init_script; @@ -1193,9 +1345,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Namespace init script not executable"); - rc = PAM_SESSION_ERR; - goto out; + return PAM_SESSION_ERR; } else { + struct sigaction newsa, oldsa; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler"); + return PAM_SESSION_ERR; + } + pid = fork(); if (pid == 0) { static char *envp[] = { NULL }; @@ -1233,13 +1393,13 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, rc = PAM_SESSION_ERR; goto out; } + rc = PAM_SUCCESS; +out: + (void) sigaction(SIGCHLD, &oldsa, NULL); + return rc; } } - rc = PAM_SUCCESS; -out: - (void) sigaction(SIGCHLD, &oldsa, NULL); - - return rc; + return PAM_SUCCESS; } static int create_polydir(struct polydir_s *polyptr, @@ -1248,7 +1408,8 @@ static int create_polydir(struct polydir_s *polyptr, mode_t mode; int rc; #ifdef WITH_SELINUX - security_context_t dircon, oldcon = NULL; + char *dircon_raw, *oldcon_raw = NULL; + struct selabel_handle *label_handle; #endif const char *dir = polyptr->dir; uid_t uid; @@ -1261,21 +1422,28 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { - getfscreatecon(&oldcon); - rc = matchpathcon(dir, S_IFDIR, &dircon); - if (rc) { - pam_syslog(idata->pamh, LOG_NOTICE, - "Unable to get default context for directory %s, check your policy: %m", dir); - } else { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "Polydir %s context: %s", dir, (char *)dircon); - if (setfscreatecon(dircon) != 0) + getfscreatecon_raw(&oldcon_raw); + + label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_handle) { + pam_syslog(idata->pamh, LOG_NOTICE, + "Unable to initialize SELinux labeling handle: %m"); + } else { + rc = selabel_lookup_raw(label_handle, &dircon_raw, dir, S_IFDIR); + if (rc) { pam_syslog(idata->pamh, LOG_NOTICE, - "Error setting context for directory %s: %m", dir); - freecon(dircon); - } - matchpathcon_fini(); + "Unable to get default context for directory %s, check your policy: %m", dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir %s context: %s", dir, dircon_raw); + if (setfscreatecon_raw(dircon_raw) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error setting context for directory %s: %m", dir); + freecon(dircon_raw); + } + selabel_close(label_handle); + } } #endif @@ -1288,10 +1456,10 @@ static int create_polydir(struct polydir_s *polyptr, #ifdef WITH_SELINUX if (idata->flags & PAMNS_SELINUX_ENABLED) { - if (setfscreatecon(oldcon) != 0) + if (setfscreatecon_raw(oldcon_raw) != 0) pam_syslog(idata->pamh, LOG_NOTICE, "Error resetting fs create context: %m"); - freecon(oldcon); + freecon(oldcon_raw); } #endif @@ -1343,7 +1511,7 @@ static int create_polydir(struct polydir_s *polyptr, */ #ifdef WITH_SELINUX static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, - security_context_t icontext, security_context_t ocontext, + const char *icontext, const char *ocontext, struct instance_data *idata) #else static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, @@ -1418,6 +1586,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * if (fstat(fd, &newstatbuf) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", ipath); + close(fd); rmdir(ipath); return PAM_SESSION_ERR; } @@ -1460,7 +1629,7 @@ static int ns_setup(struct polydir_s *polyptr, char *instname = NULL; struct stat statbuf; #ifdef WITH_SELINUX - security_context_t instcontext = NULL, origcontext = NULL; + char *instcontext = NULL, *origcontext = NULL; #endif if (idata->flags & PAMNS_DEBUG) @@ -1484,7 +1653,7 @@ static int ns_setup(struct polydir_s *polyptr, } if (polyptr->method == TMPFS) { - if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) { + if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", polyptr->dir); return PAM_SESSION_ERR; @@ -1895,7 +2064,7 @@ static int orig_namespace(struct instance_data *idata) */ static int ctxt_based_inst_needed(void) { - security_context_t scon = NULL; + char *scon = NULL; int rc = 0; rc = getexeccon(&scon); @@ -1941,7 +2110,7 @@ static int root_shared(void) break; if (i == 6) { - if (strncmp(tok, "shared:", 7) == 0) + if (pam_str_skip_prefix(tok, "shared:") != NULL) /* there might be more / mounts, the last one counts */ rv = 1; else @@ -2109,7 +2278,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, { int i, retval; struct instance_data idata; - void *polyptr; + const void *polyptr; /* init instance data */ idata.flags = 0; @@ -2149,7 +2318,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); if (idata.flags & PAMNS_DEBUG) - pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - successful"); return PAM_SUCCESS; } @@ -2157,12 +2326,14 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, if (retval != PAM_SUCCESS) return retval; - retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr); + retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, &polyptr); if (retval != PAM_SUCCESS || polyptr == NULL) /* nothing to reset */ return PAM_SUCCESS; - idata.polydirs_ptr = polyptr; + DIAG_PUSH_IGNORE_CAST_QUAL; + idata.polydirs_ptr = (void *)polyptr; + DIAG_POP_IGNORE_CAST_QUAL; if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d", diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 47ebcc33..a991b4c4 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -30,7 +30,7 @@ * DEALINGS IN THE SOFTWARE. */ -#if !(defined(linux)) +#ifndef __linux__ #error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! #endif @@ -68,6 +68,7 @@ #include <selinux/selinux.h> #include <selinux/get_context_list.h> #include <selinux/context.h> +#include <selinux/label.h> #endif #ifndef CLONE_NEWNS @@ -89,15 +90,17 @@ /* * Module defines */ -#ifndef SECURECONF_DIR -#define SECURECONF_DIR "/etc/security/" +#define PAM_NAMESPACE_CONFIG (SCONFIGDIR "/namespace.conf") +#define NAMESPACE_INIT_SCRIPT (SCONFIGDIR "/namespace.init") +#define NAMESPACE_D_DIR (SCONFIGDIR "/namespace.d/") +#define NAMESPACE_D_GLOB (SCONFIGDIR "/namespace.d/*.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_NAMESPACE_INIT_SCRIPT (VENDOR_SCONFIGDIR "/namespace.init") +#define VENDOR_PAM_NAMESPACE_CONFIG (VENDOR_SCONFIGDIR "/namespace.conf") +#define VENDOR_NAMESPACE_D_DIR (VENDOR_SCONFIGDIR "/namespace.d/") +#define VENDOR_NAMESPACE_D_GLOB (VENDOR_SCONFIGDIR "/namespace.d/*.conf") #endif -#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf") -#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init") -#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/") -#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf") - /* module flags */ #define PAMNS_DEBUG 0x00000100 /* Running in debug mode */ #define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */ @@ -138,12 +141,12 @@ enum polymethod { /* * Depending on the application using this namespace module, we - * may need to unmount priviously bind mounted instance directory. + * may need to unmount previously bind mounted instance directory. * Applications such as login and sshd, that establish a new * session unmount of instance directory is not needed. For applications * such as su and newrole, that switch the identity, this module * has to unmount previous instance directory first and re-mount - * based on the new indentity. For other trusted applications that + * based on the new identity. For other trusted applications that * just want to undo polyinstantiation, only unmount of previous * instance directory is needed. */ @@ -166,6 +169,7 @@ struct polydir_s { unsigned int flags; /* polydir flags */ char *init_script; /* path to init script */ char *mount_opts; /* mount options for tmpfs mount */ + unsigned long mount_flags; /* mount flags for tmpfs mount */ uid_t owner; /* user which should own the polydir */ gid_t group; /* group which should own the polydir */ mode_t mode; /* mode of the polydir */ diff --git a/modules/pam_namespace/pam_namespace.service.in b/modules/pam_namespace/pam_namespace.service.in new file mode 100644 index 00000000..e2311917 --- /dev/null +++ b/modules/pam_namespace/pam_namespace.service.in @@ -0,0 +1,11 @@ +[Unit] +After=local-fs.target +Before=multi-user.target shutdown.target +Conflicts=shutdown.target +DefaultDependencies=no +Description=Make sure parent directories configured in @SCONFIGDIR@/namespace.conf for polyinstantiation exist +Documentation=man:pam_namespace(8) + +[Service] +ExecStart=@sbindir@/pam_namespace_helper +Type=oneshot diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8 new file mode 100644 index 00000000..317cddc8 --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.8 @@ -0,0 +1,49 @@ +'\" t +.\" Title: pam_namespace_helper +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PAM_NAMESPACE_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_namespace_helper \- Helper binary that creates home directories +.SH "SYNOPSIS" +.HP \w'\fBpam_namespace_helper\fR\ 'u +\fBpam_namespace_helper\fR +.SH "DESCRIPTION" +.PP +\fIpam_namespace_helper\fR +is a helper program for the +\fIpam_namespace\fR +module that sets up a private namespace for a session with polyinstantiated directories\&. The helper ensures that the namespace mount points exist before they are started to be used for the polyinstantiated directories\&. Mount points for home directories (lines with $HOME) are not created\&. +.PP +\fIpam_namespace_helper\fR +should be run by systemd at system startup\&. It should also be run by the administrator after defining the polyinstantiated directories but before enabling them\&. +.SH "SEE ALSO" +.PP +\fBpam_namespace\fR(8) +.SH "AUTHOR" +.PP +Written by Topi Miettinen\&. diff --git a/modules/pam_namespace/pam_namespace_helper.8.xml b/modules/pam_namespace/pam_namespace_helper.8.xml new file mode 100644 index 00000000..002c254a --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.8.xml @@ -0,0 +1,59 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace_helper"> + + <refmeta> + <refentrytitle>pam_namespace_helper</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pam_namespace_helper-name"> + <refname>pam_namespace_helper</refname> + <refpurpose>Helper binary that creates home directories</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis xml:id="pam_namespace_helper-cmdsynopsis" sepchar=" "> + <command>pam_namespace_helper</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 xml:id="pam_namespace_helper-description"> + + <title>DESCRIPTION</title> + + <para> + <emphasis>pam_namespace_helper</emphasis> is a helper program + for the <emphasis>pam_namespace</emphasis> module that sets up a + private namespace for a session with polyinstantiated + directories. The helper ensures that the namespace mount points + exist before they are started to be used for the + polyinstantiated directories. Mount points for home directories + (lines with $HOME) are not created. + </para> + + <para> + <emphasis>pam_namespace_helper</emphasis> should be run by + systemd at system startup. It should also be run by the + administrator after defining the polyinstantiated directories + but before enabling them. + </para> + </refsect1> + + <refsect1 xml:id="pam_namespace_helper-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pam_namespace_helper-author"> + <title>AUTHOR</title> + <para> + Written by Topi Miettinen. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/pam_namespace_helper.in b/modules/pam_namespace/pam_namespace_helper.in new file mode 100644 index 00000000..b9c361fb --- /dev/null +++ b/modules/pam_namespace/pam_namespace_helper.in @@ -0,0 +1,15 @@ +#!/bin/sh + +CONF=@SCONFIGDIR@/namespace.conf + +# Match logic of process_line(), except lines with $HOME are ignored +# skip the leading white space, rip off the comments, ignore empty lines +sed -e 's/^[ ]*//g' -e 's/#.*//g' -e '/.*\$HOME.*/d' -e '/^$/d' < $CONF | \ + while read polydir instance_prefix method uids; do + if [ ! -e "$instance_prefix" ]; then + echo "mkdir $instance_prefix" + mkdir --parents --mode=0 -Z "$instance_prefix" + fi + done + +exit 0 diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am index a4ed9ff3..4343b61c 100644 --- a/modules/pam_nologin/Makefile.am +++ b/modules/pam_nologin/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin +EXTRA_DIST = $(XMLS) -TESTS = tst-pam_nologin - -man_MANS = pam_nologin.8 +if HAVE_DOC +dist_man_MANS = pam_nologin.8 +endif XMLS = README.xml pam_nologin.8.xml +dist_check_SCRIPTS = tst-pam_nologin +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,8 +31,10 @@ endif securelib_LTLIBRARIES = pam_nologin.la pam_nologin_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_nologin-retval +tst_pam_nologin_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_nologin.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_nologin/Makefile.in b/modules/pam_nologin/Makefile.in index 00efb9f4..ebfa09b3 100644 --- a/modules/pam_nologin/Makefile.in +++ b/modules/pam_nologin/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_nologin-retval$(EXEEXT) subdir = modules/pam_nologin -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,10 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_nologin_retval_SOURCES = tst-pam_nologin-retval.c +tst_pam_nologin_retval_OBJECTS = tst-pam_nologin-retval.$(OBJEXT) +tst_pam_nologin_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +174,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_nologin.Plo \ + ./$(DEPDIR)/tst-pam_nologin-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +196,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_nologin.c -DIST_SOURCES = pam_nologin.c +SOURCES = pam_nologin.c tst-pam_nologin-retval.c +DIST_SOURCES = pam_nologin.c tst-pam_nologin-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +205,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +382,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +405,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +427,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +467,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +485,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +515,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +526,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +580,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +587,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +596,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_nologin -TESTS = tst-pam_nologin -man_MANS = pam_nologin.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_nologin.8 XMLS = README.xml pam_nologin.8.xml +dist_check_SCRIPTS = tst-pam_nologin +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_nologin.la pam_nologin_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_nologin_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +635,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_nologin/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_nologin/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +653,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +700,38 @@ clean-securelibLTLIBRARIES: pam_nologin.la: $(pam_nologin_la_OBJECTS) $(pam_nologin_la_DEPENDENCIES) $(EXTRA_pam_nologin_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_nologin_la_OBJECTS) $(pam_nologin_la_LIBADD) $(LIBS) +tst-pam_nologin-retval$(EXEEXT): $(tst_pam_nologin_retval_OBJECTS) $(tst_pam_nologin_retval_DEPENDENCIES) $(EXTRA_tst_pam_nologin_retval_DEPENDENCIES) + @rm -f tst-pam_nologin-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_nologin_retval_OBJECTS) $(tst_pam_nologin_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_nologin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_nologin.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_nologin-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +745,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +783,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +871,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +948,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +961,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +971,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +989,13 @@ tst-pam_nologin.log: tst-pam_nologin --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_nologin-retval.log: tst-pam_nologin-retval$(EXEEXT) + @p='tst-pam_nologin-retval$(EXEEXT)'; \ + b='tst-pam_nologin-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1011,10 @@ tst-pam_nologin.log: tst-pam_nologin @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1045,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1091,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_nologin.Plo + -rm -f ./$(DEPDIR)/tst-pam_nologin-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1142,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_nologin.Plo + -rm -f ./$(DEPDIR)/tst-pam_nologin-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1166,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1183,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_nologin.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_nologin/README.xml b/modules/pam_nologin/README.xml index bc0808e7..5a993324 100644 --- a/modules/pam_nologin/README.xml +++ b/modules/pam_nologin/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_nologin.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_nologin-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-note"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-note")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8 index d65cd85c..c5df1b70 100644 --- a/modules/pam_nologin/pam_nologin.8 +++ b/modules/pam_nologin/pam_nologin.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_nologin .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NOLOGIN" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_NOLOGIN" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -41,7 +41,7 @@ or exists\&. The contents of the file are displayed to the user\&. The pam_nologin module has no effect on the root user\*(Aqs ability to log in\&. .SH "OPTIONS" .PP -\fBfile=\fR\fB\fI/path/nologin\fR\fR +file=/path/nologin .RS 4 Use this file instead the default /var/run/nologin @@ -49,7 +49,7 @@ or /etc/nologin\&. .RE .PP -\fBsuccessok\fR +successok .RS 4 Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\&. .RE @@ -58,7 +58,7 @@ Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\&. The \fBauth\fR and -\fBacct\fR +\fBaccount\fR module types are provided\&. .SH "RETURN VALUES" .PP @@ -124,7 +124,7 @@ modules would lead to a successful login because the nologin module \fBnologin\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&. diff --git a/modules/pam_nologin/pam_nologin.8.xml b/modules/pam_nologin/pam_nologin.8.xml index e4f63707..1cc721a4 100644 --- a/modules/pam_nologin/pam_nologin.8.xml +++ b/modules/pam_nologin/pam_nologin.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_nologin"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_nologin"> <refmeta> <refentrytitle>pam_nologin</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_nologin-name"> + <refnamediv xml:id="pam_nologin-name"> <refname>pam_nologin</refname> <refpurpose>Prevent non-root users from login</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_nologin-cmdsynopsis"> + <cmdsynopsis xml:id="pam_nologin-cmdsynopsis" sepchar=" "> <command>pam_nologin.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> file=<replaceable>/path/nologin</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> successok </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_nologin-description"> + <refsect1 xml:id="pam_nologin-description"> <title>DESCRIPTION</title> @@ -40,13 +37,13 @@ </para> </refsect1> - <refsect1 id="pam_nologin-options"> + <refsect1 xml:id="pam_nologin-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>file=<replaceable>/path/nologin</replaceable></option> + file=/path/nologin </term> <listitem> <para> @@ -58,7 +55,7 @@ </varlistentry> <varlistentry> <term> - <option>successok</option> + successok </term> <listitem> <para> @@ -69,15 +66,15 @@ </variablelist> </refsect1> - <refsect1 id="pam_nologin-types"> + <refsect1 xml:id="pam_nologin-types"> <title>MODULE TYPES PROVIDED</title> <para> - The <option>auth</option> and <option>acct</option> module + The <option>auth</option> and <option>account</option> module types are provided. </para> </refsect1> - <refsect1 id='pam_nologin-return_values'> + <refsect1 xml:id="pam_nologin-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -123,7 +120,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_nologin-examples'> + <refsect1 xml:id="pam_nologin-examples"> <title>EXAMPLES</title> <para> The suggested usage for <filename>/etc/pam.d/login</filename> is: @@ -132,7 +129,7 @@ auth required pam_nologin.so </programlisting> </para> </refsect1> - <refsect1 id='pam_nologin-note'> + <refsect1 xml:id="pam_nologin-note"> <title>NOTES</title> <para> In order to make this module effective, all login methods should be @@ -147,7 +144,7 @@ auth required pam_nologin.so </para> </refsect1> - <refsect1 id='pam_nologin-see_also'> + <refsect1 xml:id="pam_nologin-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -160,16 +157,16 @@ auth required pam_nologin.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_nologin-author'> + <refsect1 xml:id="pam_nologin-author"> <title>AUTHOR</title> <para> pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index 56897670..d7f83e0c 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -1,10 +1,7 @@ -/* pam_nologin module */ - /* - * $Id$ + * pam_nologin module * * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 - * */ #include "config.h" @@ -19,19 +16,10 @@ #include <pwd.h> #include <security/_pam_macros.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" #define DEFAULT_NOLOGIN_PATH "/var/run/nologin" #define COMPAT_NOLOGIN_PATH "/etc/nologin" @@ -54,10 +42,12 @@ parse_args(pam_handle_t *pamh, int argc, const char **argv, struct opt_s *opts) opts->retval_when_nofile = PAM_IGNORE; for (i=0; i<argc; ++i) { + const char *str; + if (!strcmp("successok", argv[i])) { opts->retval_when_nofile = PAM_SUCCESS; - } else if (!strncmp("file=", argv[i], 5)) { - opts->nologin_file = argv[i] + 5; + } else if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { + opts->nologin_file = str; } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]); } @@ -74,8 +64,8 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) int retval = opts->retval_when_nofile; int fd = -1; - if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { - pam_syslog(pamh, LOG_ERR, "cannot determine username"); + if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } @@ -89,7 +79,6 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) if (fd >= 0) { - char *mtmp=NULL; int msg_style = PAM_TEXT_INFO; struct passwd *user_pwd; struct stat st; @@ -109,22 +98,26 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) goto clean_up_fd; } - mtmp = malloc(st.st_size+1); - if (!mtmp) { - pam_syslog(pamh, LOG_CRIT, "out of memory"); - retval = PAM_BUF_ERR; - goto clean_up_fd; + /* Don't print anything if the message is empty, will only + disturb the output with empty lines */ + if (st.st_size > 0) { + char *mtmp = malloc(st.st_size+1); + if (!mtmp) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + retval = PAM_BUF_ERR; + goto clean_up_fd; + } + + if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) { + mtmp[st.st_size] = '\0'; + (void) pam_prompt (pamh, msg_style, NULL, "%s", mtmp); + } + else + retval = PAM_SYSTEM_ERR; + + free(mtmp); } - if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) { - mtmp[st.st_size] = '\0'; - (void) pam_prompt (pamh, msg_style, NULL, "%s", mtmp); - } - else - retval = PAM_SYSTEM_ERR; - - free(mtmp); - clean_up_fd: close(fd); diff --git a/modules/pam_nologin/tst-pam_nologin-retval.c b/modules/pam_nologin/tst-pam_nologin-retval.c new file mode 100644 index 00000000..0046eec3 --- /dev/null +++ b/modules/pam_nologin/tst-pam_nologin-retval.c @@ -0,0 +1,226 @@ +/* + * Check pam_nologin return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <pwd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_nologin" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char missing_file[] = TEST_NAME ".missing"; +static const char empty_file[] = "/dev/null"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + struct passwd *pw; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_IGNORE -> PAM_PERM_DENIED */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_IGNORE -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so file=%s\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so file=%s\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so file=%s\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, missing_file, cwd, + cwd, MODULE_NAME, missing_file, cwd, + cwd, MODULE_NAME, missing_file, cwd, + cwd, MODULE_NAME, missing_file, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* successok -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so successok file=%s\n" + "account required %s/.libs/%s.so successok file=%s\n" + "password required %s/.libs/%s.so successok file=%s\n" + "session required %s/.libs/%s.so successok file=%s\n", + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* uid == 0 */ + if ((pw = getpwuid(0)) != NULL) { + /* successok -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so successok file=%s\n" + "account required %s/.libs/%s.so successok file=%s\n" + "password required %s/.libs/%s.so successok file=%s\n" + "session required %s/.libs/%s.so successok file=%s\n", + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_SYSTEM_ERR */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, ".", + cwd, MODULE_NAME, ".", + cwd, MODULE_NAME, ".", + cwd, MODULE_NAME, ".")); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SYSTEM_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SYSTEM_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + } + + /* uid != 0 */ + if (geteuid() != 0 && (pw = getpwuid(geteuid())) != NULL) { + /* PAM_AUTH_ERR */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_AUTH_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + } + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_permit/Makefile.am b/modules/pam_permit/Makefile.am index dcc75ebb..e9a05156 100644 --- a/modules/pam_permit/Makefile.am +++ b/modules/pam_permit/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_permit +EXTRA_DIST = $(XMLS) -man_MANS = pam_permit.8 +if HAVE_DOC +dist_man_MANS = pam_permit.8 +endif XMLS = README.xml pam_permit.8.xml - -TESTS = tst-pam_permit +dist_check_SCRIPTS = tst-pam_permit +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,8 +31,10 @@ endif securelib_LTLIBRARIES = pam_permit.la pam_permit_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_permit-retval +tst_pam_permit_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_permit.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_permit/Makefile.in b/modules/pam_permit/Makefile.in index 117f0a9a..47e8fac8 100644 --- a/modules/pam_permit/Makefile.in +++ b/modules/pam_permit/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_permit-retval$(EXEEXT) subdir = modules/pam_permit -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_permit_retval_SOURCES = tst-pam_permit-retval.c +tst_pam_permit_retval_OBJECTS = tst-pam_permit-retval.$(OBJEXT) +tst_pam_permit_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +173,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_permit.Plo \ + ./$(DEPDIR)/tst-pam_permit-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +195,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_permit.c -DIST_SOURCES = pam_permit.c +SOURCES = pam_permit.c tst-pam_permit-retval.c +DIST_SOURCES = pam_permit.c tst-pam_permit-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +204,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +381,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +404,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +426,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +466,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +525,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +579,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +586,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +595,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_permit -man_MANS = pam_permit.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_permit.8 XMLS = README.xml pam_permit.8.xml -TESTS = tst-pam_permit +dist_check_SCRIPTS = tst-pam_permit +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_permit.la pam_permit_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_permit_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_permit/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_permit/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +652,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +699,38 @@ clean-securelibLTLIBRARIES: pam_permit.la: $(pam_permit_la_OBJECTS) $(pam_permit_la_DEPENDENCIES) $(EXTRA_pam_permit_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_permit_la_OBJECTS) $(pam_permit_la_LIBADD) $(LIBS) +tst-pam_permit-retval$(EXEEXT): $(tst_pam_permit_retval_OBJECTS) $(tst_pam_permit_retval_DEPENDENCIES) $(EXTRA_tst_pam_permit_retval_DEPENDENCIES) + @rm -f tst-pam_permit-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_permit_retval_OBJECTS) $(tst_pam_permit_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_permit.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_permit.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_permit-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +744,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +782,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +870,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +960,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +970,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +988,13 @@ tst-pam_permit.log: tst-pam_permit --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_permit-retval.log: tst-pam_permit-retval$(EXEEXT) + @p='tst-pam_permit-retval$(EXEEXT)'; \ + b='tst-pam_permit-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1010,10 @@ tst-pam_permit.log: tst-pam_permit @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1044,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1090,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_permit.Plo + -rm -f ./$(DEPDIR)/tst-pam_permit-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1141,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_permit.Plo + -rm -f ./$(DEPDIR)/tst-pam_permit-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1165,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1182,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_permit.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_permit/README.xml b/modules/pam_permit/README.xml index acb38b51..c08425f8 100644 --- a/modules/pam_permit/README.xml +++ b/modules/pam_permit/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_permit.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_permit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_permit/pam_permit.8 b/modules/pam_permit/pam_permit.8 index 021c7590..5432b750 100644 --- a/modules/pam_permit/pam_permit.8 +++ b/modules/pam_permit/pam_permit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_permit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_PERMIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_PERMIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -78,7 +78,7 @@ account required pam_permit\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&. diff --git a/modules/pam_permit/pam_permit.8.xml b/modules/pam_permit/pam_permit.8.xml index 6bb49658..9e6c7d02 100644 --- a/modules/pam_permit/pam_permit.8.xml +++ b/modules/pam_permit/pam_permit.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_permit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_permit"> <refmeta> <refentrytitle>pam_permit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_permit-name"> + <refnamediv xml:id="pam_permit-name"> <refname>pam_permit</refname> <refpurpose>The promiscuous module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_permit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_permit-cmdsynopsis" sepchar=" "> <command>pam_permit.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_permit-description"> + <refsect1 xml:id="pam_permit-description"> <title>DESCRIPTION</title> @@ -41,13 +38,13 @@ </para> </refsect1> - <refsect1 id="pam_permit-options"> + <refsect1 xml:id="pam_permit-options"> <title>OPTIONS</title> <para> This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_permit-types"> + <refsect1 xml:id="pam_permit-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option>, <option>account</option>, @@ -56,7 +53,7 @@ </para> </refsect1> - <refsect1 id='pam_permit-return_values'> + <refsect1 xml:id="pam_permit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -70,7 +67,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_permit-examples'> + <refsect1 xml:id="pam_permit-examples"> <title>EXAMPLES</title> <para> Add this line to your other login entries to disable account @@ -81,7 +78,7 @@ account required pam_permit.so </para> </refsect1> - <refsect1 id='pam_permit-see_also'> + <refsect1 xml:id="pam_permit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -91,16 +88,16 @@ account required pam_permit.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_permit-author'> + <refsect1 xml:id="pam_permit-author"> <title>AUTHOR</title> <para> pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_permit/pam_permit.c b/modules/pam_permit/pam_permit.c index c773087a..4f973686 100644 --- a/modules/pam_permit/pam_permit.c +++ b/modules/pam_permit/pam_permit.c @@ -1,33 +1,17 @@ -/* pam_permit module */ - /* - * $Id$ + * pam_permit module * * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * */ #include "config.h" - -#define DEFAULT_USER "nobody" - #include <stdio.h> -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> #include <security/_pam_macros.h> +#define DEFAULT_USER "nobody" + /* --- authentication management functions --- */ int @@ -45,7 +29,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } - if (user == NULL || *user == '\0') { + if (*user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) diff --git a/modules/pam_permit/tst-pam_permit-retval.c b/modules/pam_permit/tst-pam_permit-retval.c new file mode 100644 index 00000000..33a789fe --- /dev/null +++ b/modules/pam_permit/tst-pam_permit-retval.c @@ -0,0 +1,58 @@ +/* + * Check pam_permit return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_permit" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am index 4bb4d6df..6cd5ffd3 100644 --- a/modules/pam_pwhistory/Makefile.am +++ b/modules/pam_pwhistory/Makefile.am @@ -1,35 +1,55 @@ # # Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2013 Red Hat, Inc. # CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory +EXTRA_DIST = $(XMLS) -TESTS = tst-pam_pwhistory - -man_MANS = pam_pwhistory.8 - -XMLS = README.xml pam_pwhistory.8.xml +if HAVE_DOC +dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5 +endif +XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \ + pwhistory.conf.5.xml +dist_check_SCRIPTS = tst-pam_pwhistory +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" + +pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING - AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -noinst_HEADERS = opasswd.h +noinst_HEADERS = opasswd.h pwhistory_config.h + +dist_secureconf_DATA = pwhistory.conf securelib_LTLIBRARIES = pam_pwhistory.la -pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ -pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c +pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) +pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ +pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c + +sbin_PROGRAMS = pwhistory_helper +pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@ +pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c +pwhistory_helper_LDFLAGS = @EXE_LDFLAGS@ +pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ + +check_PROGRAMS = tst-pam_pwhistory-retval +tst_pam_pwhistory_retval_LDADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_pwhistory.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_pwhistory/Makefile.in b/modules/pam_pwhistory/Makefile.in index d2e9849a..dcb969ac 100644 --- a/modules/pam_pwhistory/Makefile.in +++ b/modules/pam_pwhistory/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,12 +16,24 @@ # # Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2013 Red Hat, Inc. # + VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,29 +97,38 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +sbin_PROGRAMS = pwhistory_helper$(EXEEXT) +check_PROGRAMS = tst-pam_pwhistory-retval$(EXEEXT) subdir = modules/pam_pwhistory -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(noinst_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(secureconfdir)" +PROGRAMS = $(sbin_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -135,15 +156,33 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) pam_pwhistory_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la -am_pam_pwhistory_la_OBJECTS = pam_pwhistory.lo opasswd.lo +am_pam_pwhistory_la_OBJECTS = pam_pwhistory_la-pam_pwhistory.lo \ + pam_pwhistory_la-opasswd.lo \ + pam_pwhistory_la-pwhistory_config.lo pam_pwhistory_la_OBJECTS = $(am_pam_pwhistory_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +pam_pwhistory_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(pam_pwhistory_la_CFLAGS) $(CFLAGS) \ + $(pam_pwhistory_la_LDFLAGS) $(LDFLAGS) -o $@ +am_pwhistory_helper_OBJECTS = \ + pwhistory_helper-pwhistory_helper.$(OBJEXT) \ + pwhistory_helper-opasswd.$(OBJEXT) +pwhistory_helper_OBJECTS = $(am_pwhistory_helper_OBJECTS) +pwhistory_helper_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pwhistory_helper_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(pwhistory_helper_CFLAGS) $(CFLAGS) \ + $(pwhistory_helper_LDFLAGS) $(LDFLAGS) -o $@ +tst_pam_pwhistory_retval_SOURCES = tst-pam_pwhistory-retval.c +tst_pam_pwhistory_retval_OBJECTS = tst-pam_pwhistory-retval.$(OBJEXT) +tst_pam_pwhistory_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -158,7 +197,13 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo \ + ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo \ + ./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo \ + ./$(DEPDIR)/pwhistory_helper-opasswd.Po \ + ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po \ + ./$(DEPDIR)/tst-pam_pwhistory-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -178,17 +223,21 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(pam_pwhistory_la_SOURCES) -DIST_SOURCES = $(pam_pwhistory_la_SOURCES) +SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES) \ + tst-pam_pwhistory-retval.c +DIST_SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES) \ + tst-pam_pwhistory-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -364,6 +413,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -386,6 +436,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -405,24 +458,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -436,7 +498,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -455,11 +516,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -482,8 +546,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -494,11 +557,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -541,7 +611,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -549,9 +618,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -561,25 +627,40 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory -TESTS = tst-pam_pwhistory -man_MANS = pam_pwhistory.8 -XMLS = README.xml pam_pwhistory.8.xml +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5 +XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \ + pwhistory.conf.5.xml + +dist_check_SCRIPTS = tst-pam_pwhistory +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) -noinst_HEADERS = opasswd.h +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" + +pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module \ + $(am__append_1) +noinst_HEADERS = opasswd.h pwhistory_config.h +dist_secureconf_DATA = pwhistory.conf securelib_LTLIBRARIES = pam_pwhistory.la -pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ -pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) +pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ +pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c +pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@ +pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c +pwhistory_helper_LDFLAGS = @EXE_LDFLAGS@ +pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ +tst_pam_pwhistory_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -596,14 +677,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_pwhistory/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_pwhistory/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -615,6 +695,64 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -651,7 +789,15 @@ clean-securelibLTLIBRARIES: } pam_pwhistory.la: $(pam_pwhistory_la_OBJECTS) $(pam_pwhistory_la_DEPENDENCIES) $(EXTRA_pam_pwhistory_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_pwhistory_la_OBJECTS) $(pam_pwhistory_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(pam_pwhistory_la_LINK) -rpath $(securelibdir) $(pam_pwhistory_la_OBJECTS) $(pam_pwhistory_la_LIBADD) $(LIBS) + +pwhistory_helper$(EXEEXT): $(pwhistory_helper_OBJECTS) $(pwhistory_helper_DEPENDENCIES) $(EXTRA_pwhistory_helper_DEPENDENCIES) + @rm -f pwhistory_helper$(EXEEXT) + $(AM_V_CCLD)$(pwhistory_helper_LINK) $(pwhistory_helper_OBJECTS) $(pwhistory_helper_LDADD) $(LIBS) + +tst-pam_pwhistory-retval$(EXEEXT): $(tst_pam_pwhistory_retval_OBJECTS) $(tst_pam_pwhistory_retval_DEPENDENCIES) $(EXTRA_tst_pam_pwhistory_retval_DEPENDENCIES) + @rm -f tst-pam_pwhistory-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_pwhistory_retval_OBJECTS) $(tst_pam_pwhistory_retval_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -659,22 +805,32 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/opasswd.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhistory_helper-opasswd.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_pwhistory-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,15 +839,107 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +pam_pwhistory_la-pam_pwhistory.lo: pam_pwhistory.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -MT pam_pwhistory_la-pam_pwhistory.lo -MD -MP -MF $(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Tpo -c -o pam_pwhistory_la-pam_pwhistory.lo `test -f 'pam_pwhistory.c' || echo '$(srcdir)/'`pam_pwhistory.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Tpo $(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pam_pwhistory.c' object='pam_pwhistory_la-pam_pwhistory.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-pam_pwhistory.lo `test -f 'pam_pwhistory.c' || echo '$(srcdir)/'`pam_pwhistory.c + +pam_pwhistory_la-opasswd.lo: opasswd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -MT pam_pwhistory_la-opasswd.lo -MD -MP -MF $(DEPDIR)/pam_pwhistory_la-opasswd.Tpo -c -o pam_pwhistory_la-opasswd.lo `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_pwhistory_la-opasswd.Tpo $(DEPDIR)/pam_pwhistory_la-opasswd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='opasswd.c' object='pam_pwhistory_la-opasswd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-opasswd.lo `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c + +pam_pwhistory_la-pwhistory_config.lo: pwhistory_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -MT pam_pwhistory_la-pwhistory_config.lo -MD -MP -MF $(DEPDIR)/pam_pwhistory_la-pwhistory_config.Tpo -c -o pam_pwhistory_la-pwhistory_config.lo `test -f 'pwhistory_config.c' || echo '$(srcdir)/'`pwhistory_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_pwhistory_la-pwhistory_config.Tpo $(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pwhistory_config.c' object='pam_pwhistory_la-pwhistory_config.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-pwhistory_config.lo `test -f 'pwhistory_config.c' || echo '$(srcdir)/'`pwhistory_config.c + +pwhistory_helper-pwhistory_helper.o: pwhistory_helper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-pwhistory_helper.o -MD -MP -MF $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo -c -o pwhistory_helper-pwhistory_helper.o `test -f 'pwhistory_helper.c' || echo '$(srcdir)/'`pwhistory_helper.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo $(DEPDIR)/pwhistory_helper-pwhistory_helper.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pwhistory_helper.c' object='pwhistory_helper-pwhistory_helper.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-pwhistory_helper.o `test -f 'pwhistory_helper.c' || echo '$(srcdir)/'`pwhistory_helper.c + +pwhistory_helper-pwhistory_helper.obj: pwhistory_helper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-pwhistory_helper.obj -MD -MP -MF $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo -c -o pwhistory_helper-pwhistory_helper.obj `if test -f 'pwhistory_helper.c'; then $(CYGPATH_W) 'pwhistory_helper.c'; else $(CYGPATH_W) '$(srcdir)/pwhistory_helper.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo $(DEPDIR)/pwhistory_helper-pwhistory_helper.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pwhistory_helper.c' object='pwhistory_helper-pwhistory_helper.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-pwhistory_helper.obj `if test -f 'pwhistory_helper.c'; then $(CYGPATH_W) 'pwhistory_helper.c'; else $(CYGPATH_W) '$(srcdir)/pwhistory_helper.c'; fi` + +pwhistory_helper-opasswd.o: opasswd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-opasswd.o -MD -MP -MF $(DEPDIR)/pwhistory_helper-opasswd.Tpo -c -o pwhistory_helper-opasswd.o `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-opasswd.Tpo $(DEPDIR)/pwhistory_helper-opasswd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='opasswd.c' object='pwhistory_helper-opasswd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-opasswd.o `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c + +pwhistory_helper-opasswd.obj: opasswd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-opasswd.obj -MD -MP -MF $(DEPDIR)/pwhistory_helper-opasswd.Tpo -c -o pwhistory_helper-opasswd.obj `if test -f 'opasswd.c'; then $(CYGPATH_W) 'opasswd.c'; else $(CYGPATH_W) '$(srcdir)/opasswd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-opasswd.Tpo $(DEPDIR)/pwhistory_helper-opasswd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='opasswd.c' object='pwhistory_helper-opasswd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -c -o pwhistory_helper-opasswd.obj `if test -f 'opasswd.c'; then $(CYGPATH_W) 'opasswd.c'; else $(CYGPATH_W) '$(srcdir)/opasswd.c'; fi` + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man5: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -726,11 +974,32 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +install-dist_secureconfDATA: $(dist_secureconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(secureconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ + done + +uninstall-dist_secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -814,7 +1083,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -891,7 +1160,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -904,7 +1173,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -914,7 +1183,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -932,6 +1201,13 @@ tst-pam_pwhistory.log: tst-pam_pwhistory --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_pwhistory-retval.log: tst-pam_pwhistory-retval$(EXEEXT) + @p='tst-pam_pwhistory-retval$(EXEEXT)'; \ + b='tst-pam_pwhistory-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -947,7 +1223,10 @@ tst-pam_pwhistory.log: tst-pam_pwhistory @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -978,11 +1257,13 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1022,11 +1303,16 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo + -rm -f ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo + -rm -f ./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo + -rm -f ./$(DEPDIR)/pwhistory_helper-opasswd.Po + -rm -f ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po + -rm -f ./$(DEPDIR)/tst-pam_pwhistory-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1043,13 +1329,14 @@ info: info-am info-am: -install-data-am: install-man install-securelibLTLIBRARIES +install-data-am: install-dist_secureconfDATA install-man \ + install-securelibLTLIBRARIES install-dvi: install-dvi-am install-dvi-am: -install-exec-am: +install-exec-am: install-sbinPROGRAMS install-html: install-html-am @@ -1059,7 +1346,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-man5 install-man8 install-pdf: install-pdf-am @@ -1072,7 +1359,12 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo + -rm -f ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo + -rm -f ./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo + -rm -f ./$(DEPDIR)/pwhistory_helper-opasswd.Po + -rm -f ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po + -rm -f ./$(DEPDIR)/tst-pam_pwhistory-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1089,29 +1381,35 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ + uninstall-sbinPROGRAMS uninstall-securelibLTLIBRARIES -uninstall-man: uninstall-man8 +uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dist_secureconfDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-sbinPROGRAMS \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man8 uninstall-securelibLTLIBRARIES + recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_secureconfDATA uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@ENABLE_REGENERATE_MAN_TRUE@README: pam_pwhistory.8.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_pwhistory/README b/modules/pam_pwhistory/README index 1634249b..b4868767 100644 --- a/modules/pam_pwhistory/README +++ b/modules/pam_pwhistory/README @@ -23,7 +23,7 @@ use_authtok When password changing enforce the module to use the new password provided by a previously stacked password module (this is used in the example of the - stacking of the pam_cracklib module documented below). + stacking of the pam_passwdqc module documented below). enforce_for_root @@ -31,9 +31,9 @@ enforce_for_root remember=N - The last N passwords for each user are saved in /etc/security/opasswd. The - default is 10. Value of 0 makes the module to keep the existing contents of - the opasswd file unchanged. + The last N passwords for each user are saved. The default is 10. Value of 0 + makes the module to keep the existing contents of the opasswd file + unchanged. retry=N @@ -43,6 +43,20 @@ authtok_type=STRING See pam_get_authtok(3) for more details. +file=/path/filename + + Store password history in file /path/filename rather than the default + location. The default location is /etc/security/opasswd. + +conf=/path/to/config-file + + Use another configuration file instead of the default /etc/security/ + pwhistory.conf. + +The options for configuring the module behavior are described in the +pwhistory.conf(5) manual page. The options specified on the module command line +override the values from the configuration file. + EXAMPLES An example password section would be: @@ -52,10 +66,10 @@ password required pam_pwhistory.so password required pam_unix.so use_authtok -In combination with pam_cracklib: +In combination with pam_passwdqc: #%PAM-1.0 -password required pam_cracklib.so retry=3 +password required pam_passwdqc.so config=/etc/passwdqc.conf password required pam_pwhistory.so use_authtok password required pam_unix.so use_authtok diff --git a/modules/pam_pwhistory/README.xml b/modules/pam_pwhistory/README.xml index f048e321..194edbc7 100644 --- a/modules/pam_pwhistory/README.xml +++ b/modules/pam_pwhistory/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_pwhistory.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_pwhistory-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c index e6cf3469..859b3da4 100644 --- a/modules/pam_pwhistory/opasswd.c +++ b/modules/pam_pwhistory/opasswd.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de> + * Copyright (c) 2013 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -38,25 +39,36 @@ #endif #include <pwd.h> +#include <shadow.h> #include <time.h> #include <ctype.h> #include <errno.h> #include <fcntl.h> +#include <limits.h> #include <stdio.h> #include <unistd.h> #include <string.h> #include <stdlib.h> #include <syslog.h> +#ifdef HELPER_COMPILE +#include <stdarg.h> +#endif #include <sys/stat.h> -#if defined (HAVE_XCRYPT_H) -#include <xcrypt.h> -#elif defined (HAVE_CRYPT_H) +#ifdef HAVE_CRYPT_H #include <crypt.h> #endif +#ifdef HELPER_COMPILE +#define pam_modutil_getpwnam(h,n) getpwnam(n) +#define pam_modutil_getspnam(h,n) getspnam(n) +#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__) +#else +#include <security/pam_modutil.h> #include <security/pam_ext.h> +#endif #include <security/pam_modules.h> +#include "pam_inline.h" #include "opasswd.h" @@ -64,8 +76,7 @@ #define RANDOM_DEVICE "/dev/urandom" #endif -#define OLD_PASSWORDS_FILE "/etc/security/opasswd" -#define TMP_PASSWORDS_FILE OLD_PASSWORDS_FILE".tmpXXXXXX" +#define DEFAULT_OLD_PASSWORDS_FILE SCONFIGDIR "/opasswd" #define DEFAULT_BUFLEN 4096 @@ -76,6 +87,20 @@ typedef struct { char *old_passwords; } opwd; +#ifdef HELPER_COMPILE +PAM_FORMAT((printf, 2, 3)) +void +helper_log_err(int err, const char *format, ...) +{ + va_list args; + + va_start(args, format); + openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); + vsyslog(err, format, args); + va_end(args); + closelog(); +} +#endif static int parse_entry (char *line, opwd *data) @@ -105,6 +130,7 @@ compare_password(const char *newpass, const char *oldpass) char *outval; #ifdef HAVE_CRYPT_R struct crypt_data output; + int retval; output.initialized = 0; @@ -113,13 +139,14 @@ compare_password(const char *newpass, const char *oldpass) outval = crypt (newpass, oldpass); #endif - return outval != NULL && strcmp(outval, oldpass) == 0; + retval = outval != NULL && strcmp(outval, oldpass) == 0; + pam_overwrite_string(outval); + return retval; } /* Check, if the new password is already in the opasswd file. */ -int -check_old_pass (pam_handle_t *pamh, const char *user, - const char *newpass, int debug) +PAMH_ARG_DECL(int +check_old_pass, const char *user, const char *newpass, const char *filename, int debug) { int retval = PAM_SUCCESS; FILE *oldpf; @@ -128,10 +155,18 @@ check_old_pass (pam_handle_t *pamh, const char *user, opwd entry; int found = 0; - if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) +#ifndef HELPER_COMPILE + if (SELINUX_ENABLED) + return PAM_PWHISTORY_RUN_HELPER; +#endif + + const char *opasswd_file = + (filename != NULL ? filename : DEFAULT_OLD_PASSWORDS_FILE); + + if ((oldpf = fopen (opasswd_file, "r")) == NULL) { if (errno != ENOENT) - pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", opasswd_file); return PAM_SUCCESS; } @@ -207,17 +242,15 @@ check_old_pass (pam_handle_t *pamh, const char *user, } while (oldpass != NULL); } - if (buf) - free (buf); + pam_overwrite_n(buf, buflen); + free (buf); return retval; } -int -save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, - const char *oldpass, int howmany, int debug UNUSED) +PAMH_ARG_DECL(int +save_old_pass, const char *user, int howmany, const char *filename, int debug UNUSED) { - char opasswd_tmp[] = TMP_PASSWORDS_FILE; struct stat opasswd_stat; FILE *oldpf, *newpf; int newpf_fd; @@ -226,31 +259,63 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, char *buf = NULL; size_t buflen = 0; int found = 0; + struct passwd *pwd; + const char *oldpass; + + /* Define opasswd file and temp file for opasswd */ + const char *opasswd_file = + (filename != NULL ? filename : DEFAULT_OLD_PASSWORDS_FILE); + char opasswd_tmp[PATH_MAX]; + + if ((size_t) snprintf (opasswd_tmp, sizeof (opasswd_tmp), "%s.tmpXXXXXX", + opasswd_file) >= sizeof (opasswd_tmp)) + return PAM_BUF_ERR; + + pwd = pam_modutil_getpwnam (pamh, user); + if (pwd == NULL) + return PAM_USER_UNKNOWN; if (howmany <= 0) return PAM_SUCCESS; +#ifndef HELPER_COMPILE + if (SELINUX_ENABLED) + return PAM_PWHISTORY_RUN_HELPER; +#endif + + if ((strcmp(pwd->pw_passwd, "x") == 0) || + ((pwd->pw_passwd[0] == '#') && + (pwd->pw_passwd[1] == '#') && + (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) + { + struct spwd *spw = pam_modutil_getspnam (pamh, user); + + if (spw == NULL) + return PAM_USER_UNKNOWN; + oldpass = spw->sp_pwdp; + } + else + oldpass = pwd->pw_passwd; + if (oldpass == NULL || *oldpass == '\0') return PAM_SUCCESS; - if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) + if ((oldpf = fopen (opasswd_file, "r")) == NULL) { if (errno == ENOENT) { - pam_syslog (pamh, LOG_NOTICE, "Creating %s", - OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_NOTICE, "Creating %s", opasswd_file); do_create = 1; } else { - pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", - OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", opasswd_file); return PAM_AUTHTOK_ERR; } } else if (fstat (fileno (oldpf), &opasswd_stat) < 0) { - pam_syslog (pamh, LOG_ERR, "Cannot stat %s: %m", OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_ERR, "Cannot stat %s: %m", opasswd_file); fclose (oldpf); return PAM_AUTHTOK_ERR; } @@ -260,7 +325,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, if (newpf_fd == -1) { pam_syslog (pamh, LOG_ERR, "Cannot create %s temp file: %m", - OLD_PASSWORDS_FILE); + opasswd_file); if (oldpf) fclose (oldpf); return PAM_AUTHTOK_ERR; @@ -269,23 +334,19 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, { if (fchmod (newpf_fd, S_IRUSR|S_IWUSR) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set permissions of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set permissions of %s temp file: %m", opasswd_file); if (fchown (newpf_fd, 0, 0) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set owner/group of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set owner/group of %s temp file: %m", opasswd_file); } else { if (fchmod (newpf_fd, opasswd_stat.st_mode) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set permissions of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set permissions of %s temp file: %m", opasswd_file); if (fchown (newpf_fd, opasswd_stat.st_uid, opasswd_stat.st_gid) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set owner/group of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set owner/group of %s temp file: %m", opasswd_file); } newpf = fdopen (newpf_fd, "w+"); if (newpf == NULL) @@ -326,6 +387,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, n = strlen (buf); #endif /* HAVE_GETLINE / HAVE_GETDELIM */ + if (n < 1) + break; + cp = buf; save = strdup (buf); /* Copy to write the original data back. */ if (save == NULL) @@ -336,9 +400,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, goto error_opasswd; } - if (n < 1) - break; - tmp = strchr (cp, '#'); /* remove comments */ if (tmp) *tmp = '\0'; @@ -452,7 +513,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, { char *out; - if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0) + if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0) { retval = PAM_AUTHTOK_ERR; if (oldpf) @@ -462,6 +523,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, } if (fputs (out, newpf) < 0) { + pam_overwrite_string(out); free (out); retval = PAM_AUTHTOK_ERR; if (oldpf) @@ -469,6 +531,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, fclose (newpf); goto error_opasswd; } + pam_overwrite_string(out); free (out); } @@ -498,14 +561,23 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, goto error_opasswd; } - unlink (OLD_PASSWORDS_FILE".old"); - if (link (OLD_PASSWORDS_FILE, OLD_PASSWORDS_FILE".old") != 0 && + char opasswd_backup[PATH_MAX]; + if ((size_t) snprintf (opasswd_backup, sizeof (opasswd_backup), "%s.old", + opasswd_file) >= sizeof (opasswd_backup)) + { + retval = PAM_BUF_ERR; + goto error_opasswd; + } + + unlink (opasswd_backup); + if (link (opasswd_file, opasswd_backup) != 0 && errno != ENOENT) pam_syslog (pamh, LOG_ERR, "Cannot create backup file of %s: %m", - OLD_PASSWORDS_FILE); - rename (opasswd_tmp, OLD_PASSWORDS_FILE); + opasswd_file); + rename (opasswd_tmp, opasswd_file); error_opasswd: unlink (opasswd_tmp); + pam_overwrite_n(buf, buflen); free (buf); return retval; diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h index db3e6568..19a4062c 100644 --- a/modules/pam_pwhistory/opasswd.h +++ b/modules/pam_pwhistory/opasswd.h @@ -1,5 +1,6 @@ /* * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de> + * Copyright (c) 2013 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -36,10 +37,30 @@ #ifndef __OPASSWD_H__ #define __OPASSWD_H__ -extern int check_old_pass (pam_handle_t *pamh, const char *user, - const char *newpass, int debug); -extern int save_old_pass (pam_handle_t *pamh, const char *user, - uid_t uid, const char *oldpass, - int howmany, int debug); +#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT + +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#define SELINUX_ENABLED (is_selinux_enabled()>0) +#else +#define SELINUX_ENABLED 0 +#endif + +#ifdef HELPER_COMPILE +#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__) +#else +#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__) +#endif + +#ifdef HELPER_COMPILE +void +helper_log_err(int err, const char *format, ...); +#endif + +PAMH_ARG_DECL(int check_old_pass, const char *user, const char *newpass, + const char *filename, int debug); + +PAMH_ARG_DECL(int save_old_pass, const char *user, int howmany, + const char *filename, int debug); #endif /* __OPASSWD_H__ */ diff --git a/modules/pam_pwhistory/pam_pwhistory.8 b/modules/pam_pwhistory/pam_pwhistory.8 index 45899be3..e430bcd1 100644 --- a/modules/pam_pwhistory/pam_pwhistory.8 +++ b/modules/pam_pwhistory/pam_pwhistory.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_pwhistory .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_PWHISTORY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_PWHISTORY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_pwhistory \- PAM module to remember last passwords .SH "SYNOPSIS" .HP \w'\fBpam_pwhistory\&.so\fR\ 'u -\fBpam_pwhistory\&.so\fR [debug] [use_authtok] [enforce_for_root] [remember=\fIN\fR] [retry=\fIN\fR] [authtok_type=\fISTRING\fR] +\fBpam_pwhistory\&.so\fR [debug] [use_authtok] [enforce_for_root] [remember=\fIN\fR] [retry=\fIN\fR] [authtok_type=\fISTRING\fR] [file=\fI/path/filename\fR] [conf=\fI/path/to/config\-file\fR] .SH "DESCRIPTION" .PP This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently\&. @@ -39,32 +39,31 @@ This module saves the last passwords for each user in order to force password ch This module does not work together with kerberos\&. In general, it does not make much sense to use this module in conjunction with NIS or LDAP, since the old passwords are stored on the local machine and are not available on another machine for password history checking\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBuse_authtok\fR +use_authtok .RS 4 When password changing enforce the module to use the new password provided by a previously stacked \fBpassword\fR module (this is used in the example of the stacking of the -\fBpam_cracklib\fR +\fBpam_passwdqc\fR module documented below)\&. .RE .PP -\fBenforce_for_root\fR +enforce_for_root .RS 4 If this option is set, the check is enforced for root, too\&. .RE .PP -\fBremember=\fR\fB\fIN\fR\fR +remember=N .RS 4 The last \fIN\fR -passwords for each user are saved in -/etc/security/opasswd\&. The default is +passwords for each user are saved\&. The default is \fI10\fR\&. Value of \fI0\fR makes the module to keep the existing contents of the @@ -72,7 +71,7 @@ opasswd file unchanged\&. .RE .PP -\fBretry=\fR\fB\fIN\fR\fR +retry=N .RS 4 Prompt user at most \fIN\fR @@ -80,12 +79,30 @@ times before returning with error\&. The default is \fI1\fR\&. .RE .PP -\fBauthtok_type=\fR\fB\fISTRING\fR\fR +authtok_type=STRING .RS 4 See \fBpam_get_authtok\fR(3) for more details\&. .RE +.PP +file=/path/filename +.RS 4 +Store password history in file +/path/filename +rather than the default location\&. The default location is +/etc/security/opasswd\&. +.RE +.PP +conf=/path/to/config\-file +.RS 4 +Use another configuration file instead of the default +/etc/security/pwhistory\&.conf\&. +.RE +.PP +The options for configuring the module behavior are described in the +\fBpwhistory.conf\fR(5) +manual page\&. The options specified on the module command line override the values from the configuration file\&. .SH "MODULE TYPES PROVIDED" .PP Only the @@ -130,14 +147,14 @@ password required pam_unix\&.so use_authtok .\} .PP In combination with -\fBpam_cracklib\fR: +\fBpam_passwdqc\fR: .sp .if n \{\ .RS 4 .\} .nf #%PAM\-1\&.0 -password required pam_cracklib\&.so retry=3 +password required pam_passwdqc\&.so config=/etc/passwdqc\&.conf password required pam_pwhistory\&.so use_authtok password required pam_unix\&.so use_authtok @@ -150,13 +167,20 @@ password required pam_unix\&.so use_authtok .PP /etc/security/opasswd .RS 4 -File with password history +Default file with password history +.RE +.PP +/etc/security/pwhistory\&.conf +.RS 4 +Config file for pam_pwhistory options .RE .SH "SEE ALSO" .PP +\fBpwhistory.conf\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\fBpam_get_authtok\fR(3) +\fBpam\fR(7) +\fBpam_get_authtok\fR(3) .SH "AUTHOR" .PP pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk\&.de> diff --git a/modules/pam_pwhistory/pam_pwhistory.8.xml b/modules/pam_pwhistory/pam_pwhistory.8.xml index 9e1056b2..a5185fcb 100644 --- a/modules/pam_pwhistory/pam_pwhistory.8.xml +++ b/modules/pam_pwhistory/pam_pwhistory.8.xml @@ -1,46 +1,49 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_pwhistory"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_pwhistory"> <refmeta> <refentrytitle>pam_pwhistory</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_pwhistory-name"> + <refnamediv xml:id="pam_pwhistory-name"> <refname>pam_pwhistory</refname> <refpurpose>PAM module to remember last passwords</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_pwhistory-cmdsynopsis"> + <cmdsynopsis xml:id="pam_pwhistory-cmdsynopsis" sepchar=" "> <command>pam_pwhistory.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_authtok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> enforce_for_root </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> remember=<replaceable>N</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> retry=<replaceable>N</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> authtok_type=<replaceable>STRING</replaceable> </arg> + <arg choice="opt" rep="norepeat"> + file=<replaceable>/path/filename</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + conf=<replaceable>/path/to/config-file</replaceable> + </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_pwhistory-description"> + <refsect1 xml:id="pam_pwhistory-description"> <title>DESCRIPTION</title> @@ -58,12 +61,12 @@ </para> </refsect1> - <refsect1 id="pam_pwhistory-options"> + <refsect1 xml:id="pam_pwhistory-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -76,20 +79,20 @@ </varlistentry> <varlistentry> <term> - <option>use_authtok</option> + use_authtok </term> <listitem> <para> When password changing enforce the module to use the new password provided by a previously stacked <option>password</option> module (this is used in the example of the stacking of the - <command>pam_cracklib</command> module documented below). + <command>pam_passwdqc</command> module documented below). </para> </listitem> </varlistentry> <varlistentry> <term> - <option>enforce_for_root</option> + enforce_for_root </term> <listitem> <para> @@ -99,12 +102,12 @@ </varlistentry> <varlistentry> <term> - <option>remember=<replaceable>N</replaceable></option> + remember=N </term> <listitem> <para> The last <replaceable>N</replaceable> passwords for each - user are saved in <filename>/etc/security/opasswd</filename>. + user are saved. The default is <emphasis>10</emphasis>. Value of <emphasis>0</emphasis> makes the module to keep the existing contents of the <filename>opasswd</filename> file unchanged. @@ -113,7 +116,7 @@ </varlistentry> <varlistentry> <term> - <option>retry=<replaceable>N</replaceable></option> + retry=N </term> <listitem> <para> @@ -126,7 +129,7 @@ <varlistentry> <term> - <option>authtok_type=<replaceable>STRING</replaceable></option> + authtok_type=STRING </term> <listitem> <para> @@ -137,17 +140,49 @@ </listitem> </varlistentry> + <varlistentry> + <term> + file=/path/filename + </term> + <listitem> + <para> + Store password history in file <filename>/path/filename</filename> + rather than the default location. The default location is + <filename>/etc/security/opasswd</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + conf=/path/to/config-file + </term> + <listitem> + <para> + Use another configuration file instead of the default + <filename>/etc/security/pwhistory.conf</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The options for configuring the module behavior are described in the + <citerefentry><refentrytitle>pwhistory.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manual page. The options + specified on the module command line override the values from the + configuration file. + </para> </refsect1> - <refsect1 id="pam_pwhistory-types"> + <refsect1 xml:id="pam_pwhistory-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>password</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_pwhistory-return_values'> + <refsect1 xml:id="pam_pwhistory-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -186,7 +221,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_pwhistory-examples'> + <refsect1 xml:id="pam_pwhistory-examples"> <title>EXAMPLES</title> <para> An example password section would be: @@ -197,39 +232,57 @@ password required pam_unix.so use_authtok </programlisting> </para> <para> - In combination with <command>pam_cracklib</command>: + In combination with <command>pam_passwdqc</command>: <programlisting> #%PAM-1.0 -password required pam_cracklib.so retry=3 +password required pam_passwdqc.so config=/etc/passwdqc.conf password required pam_pwhistory.so use_authtok password required pam_unix.so use_authtok </programlisting> </para> </refsect1> - <refsect1 id="pam_pwhistory-files"> + <refsect1 xml:id="pam_pwhistory-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/opasswd</filename></term> + <term>/etc/security/opasswd</term> <listitem> - <para>File with password history</para> + <para>Default file with password history</para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/etc/security/pwhistory.conf</filename></term> + <listitem> + <para>Config file for pam_pwhistory options</para> + </listitem> + </varlistentry> + <varlistentry condition="with_vendordir"> + <term><filename>%vendordir%/security/pwhistory.conf</filename></term> + <listitem> + <para> + Config file for pam_pwhistory options. It will be used if + <filename>/etc/security/pwhistory.conf</filename> does not exist. + </para> </listitem> </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_pwhistory-see_also'> + <refsect1 xml:id="pam_pwhistory-see_also"> <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> <citerefentry> <refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum> @@ -237,11 +290,11 @@ password required pam_unix.so use_authtok </para> </refsect1> - <refsect1 id='pam_pwhistory-author'> + <refsect1 xml:id="pam_pwhistory-author"> <title>AUTHOR</title> <para> pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 3efb0ca5..5a7fb811 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -1,6 +1,9 @@ /* + * pam_pwhistory module + * * Copyright (c) 2008, 2012 Thorsten Kukuk * Author: Thorsten Kukuk <kukuk@thkukuk.de> + * Copyright (c) 2013 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -38,18 +41,20 @@ #include <config.h> #endif -#define PAM_SM_PASSWORD - #include <pwd.h> #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> -#include <shadow.h> #include <syslog.h> #include <sys/types.h> #include <sys/stat.h> +#include <sys/time.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <signal.h> +#include <fcntl.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> @@ -57,21 +62,16 @@ #include <security/_pam_macros.h> #include "opasswd.h" +#include "pam_inline.h" +#include "pwhistory_config.h" -#define DEFAULT_BUFLEN 2048 - -struct options_t { - int debug; - int enforce_for_root; - int remember; - int tries; -}; -typedef struct options_t options_t; static void parse_option (pam_handle_t *pamh, const char *argv, options_t *options) { + const char *str; + if (strcasecmp (argv, "try_first_pass") == 0) /* ignore */; else if (strcasecmp (argv, "use_first_pass") == 0) @@ -80,36 +80,220 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) /* ignore, handled by pam_get_authtok */; else if (strcasecmp (argv, "debug") == 0) options->debug = 1; - else if (strncasecmp (argv, "remember=", 9) == 0) + else if ((str = pam_str_skip_icase_prefix(argv, "remember=")) != NULL) { - options->remember = strtol(&argv[9], NULL, 10); + options->remember = strtol(str, NULL, 10); if (options->remember < 0) options->remember = 0; if (options->remember > 400) options->remember = 400; } - else if (strncasecmp (argv, "retry=", 6) == 0) + else if ((str = pam_str_skip_icase_prefix(argv, "retry=")) != NULL) { - options->tries = strtol(&argv[6], NULL, 10); + options->tries = strtol(str, NULL, 10); if (options->tries < 0) options->tries = 1; } else if (strcasecmp (argv, "enforce_for_root") == 0) options->enforce_for_root = 1; - else if (strncasecmp (argv, "authtok_type=", 13) == 0) + else if (pam_str_skip_icase_prefix(argv, "authtok_type=") != NULL) { /* ignore, for pam_get_authtok */; } + else if ((str = pam_str_skip_icase_prefix(argv, "file=")) != NULL) + { + if (*str != '/') + { + pam_syslog (pamh, LOG_ERR, + "pam_pwhistory: file path should be absolute: %s", argv); + } + else + options->filename = str; + } else pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); } +static int +run_save_helper(pam_handle_t *pamh, const char *user, + int howmany, const char *filename, int debug) +{ + int retval, child; + struct sigaction newsa, oldsa; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + sigaction(SIGCHLD, &newsa, &oldsa); -/* This module saves the current crypted password in /etc/security/opasswd + child = fork(); + if (child == 0) + { + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL }; + + if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD, + PAM_MODUTIL_PIPE_FD, + PAM_MODUTIL_PIPE_FD) < 0) + { + _exit(PAM_SYSTEM_ERR); + } + + /* exec binary helper */ + DIAG_PUSH_IGNORE_CAST_QUAL; + args[0] = (char *)PWHISTORY_HELPER; + args[1] = (char *)"save"; + args[2] = (char *)user; + args[3] = (char *)filename; + DIAG_POP_IGNORE_CAST_QUAL; + if (asprintf(&args[4], "%d", howmany) < 0 || + asprintf(&args[5], "%d", debug) < 0) + { + pam_syslog(pamh, LOG_ERR, "asprintf: %m"); + _exit(PAM_SYSTEM_ERR); + } + + execve(args[0], args, envp); + + pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %s: %m", args[0]); + + _exit(PAM_SYSTEM_ERR); + } + else if (child > 0) + { + /* wait for child */ + int rc = 0; + while ((rc = waitpid (child, &retval, 0)) == -1 && + errno == EINTR); + if (rc < 0) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper save: waitpid: %m"); + retval = PAM_SYSTEM_ERR; + } + else if (!WIFEXITED(retval)) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval); + retval = PAM_SYSTEM_ERR; + } + else + { + retval = WEXITSTATUS(retval); + } + } + else + { + pam_syslog(pamh, LOG_ERR, "fork failed: %m"); + retval = PAM_SYSTEM_ERR; + } + + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ + + return retval; +} + +static int +run_check_helper(pam_handle_t *pamh, const char *user, + const char *newpass, const char *filename, int debug) +{ + int retval, child, fds[2]; + struct sigaction newsa, oldsa; + + /* create a pipe for the password */ + if (pipe(fds) != 0) + return PAM_SYSTEM_ERR; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + sigaction(SIGCHLD, &newsa, &oldsa); + + child = fork(); + if (child == 0) + { + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; + + /* reopen stdin as pipe */ + if (dup2(fds[0], STDIN_FILENO) != STDIN_FILENO) + { + pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", "stdin"); + _exit(PAM_SYSTEM_ERR); + } + + if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_IGNORE_FD, + PAM_MODUTIL_PIPE_FD, + PAM_MODUTIL_PIPE_FD) < 0) + { + _exit(PAM_SYSTEM_ERR); + } + + /* exec binary helper */ + DIAG_PUSH_IGNORE_CAST_QUAL; + args[0] = (char *)PWHISTORY_HELPER; + args[1] = (char *)"check"; + args[2] = (char *)user; + args[3] = (char *)filename; + DIAG_POP_IGNORE_CAST_QUAL; + if (asprintf(&args[4], "%d", debug) < 0) + { + pam_syslog(pamh, LOG_ERR, "asprintf: %m"); + _exit(PAM_SYSTEM_ERR); + } + + execve(args[0], args, envp); + + pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %s: %m", args[0]); + + _exit(PAM_SYSTEM_ERR); + } + else if (child > 0) + { + /* wait for child */ + int rc = 0; + if (newpass == NULL) + newpass = ""; + + /* send the password to the child */ + if (write(fds[1], newpass, strlen(newpass)+1) == -1) + { + pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_SYSTEM_ERR; + } + newpass = NULL; + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); + while ((rc = waitpid (child, &retval, 0)) == -1 && + errno == EINTR); + if (rc < 0) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper check: waitpid: %m"); + retval = PAM_SYSTEM_ERR; + } + else if (!WIFEXITED(retval)) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval); + retval = PAM_SYSTEM_ERR; + } + else + { + retval = WEXITSTATUS(retval); + } + } + else + { + pam_syslog(pamh, LOG_ERR, "fork failed: %m"); + close(fds[0]); + close(fds[1]); + retval = PAM_SYSTEM_ERR; + } + + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ + + return retval; +} + +/* This module saves the current hashed password in /etc/security/opasswd and then compares the new password with all entries in this file. */ int pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) { - struct passwd *pwd; const char *newpass; const char *user; int retval, tries; @@ -121,6 +305,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) options.remember = 10; options.tries = 1; + parse_config_file(pamh, argc, argv, &options); + /* Parse parameters for module */ for ( ; argc-- > 0; argv++) parse_option (pamh, *argv, &options); @@ -128,7 +314,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (options.debug) pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered"); - if (options.remember == 0) return PAM_IGNORE; @@ -136,15 +321,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (retval != PAM_SUCCESS) return retval; - if (user == NULL || strlen (user) == 0) - { - if (options.debug) - pam_syslog (pamh, LOG_DEBUG, - "User is not known to system"); - - return PAM_USER_UNKNOWN; - } - if (flags & PAM_PRELIM_CHECK) { if (options.debug) @@ -154,31 +330,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SUCCESS; } - pwd = pam_modutil_getpwnam (pamh, user); - if (pwd == NULL) - return PAM_USER_UNKNOWN; + retval = save_old_pass (pamh, user, options.remember, options.filename, options.debug); - if ((strcmp(pwd->pw_passwd, "x") == 0) || - ((pwd->pw_passwd[0] == '#') && - (pwd->pw_passwd[1] == '#') && - (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) - { - struct spwd *spw = pam_modutil_getspnam (pamh, user); - if (spw == NULL) - return PAM_USER_UNKNOWN; + if (retval == PAM_PWHISTORY_RUN_HELPER) + retval = run_save_helper(pamh, user, options.remember, options.filename, options.debug); - retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, - options.remember, options.debug); - if (retval != PAM_SUCCESS) - return retval; - } - else - { - retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd, - options.remember, options.debug); - if (retval != PAM_SUCCESS) - return retval; - } + if (retval != PAM_SUCCESS) + return retval; newpass = NULL; tries = 0; @@ -207,8 +365,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (options.debug) pam_syslog (pamh, LOG_DEBUG, "check against old password file"); - if (check_old_pass (pamh, user, newpass, - options.debug) != PAM_SUCCESS) + retval = check_old_pass (pamh, user, newpass, options.filename, options.debug); + if (retval == PAM_PWHISTORY_RUN_HELPER) + retval = run_check_helper(pamh, user, newpass, options.filename, options.debug); + + if (retval != PAM_SUCCESS) { if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) diff --git a/modules/pam_pwhistory/pwhistory.conf b/modules/pam_pwhistory/pwhistory.conf new file mode 100644 index 00000000..070b7197 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory.conf @@ -0,0 +1,21 @@ +# Configuration for remembering the last passwords used by a user. +# +# Enable the debugging logs. +# Enabled if option is present. +# debug +# +# root account's passwords are also remembered. +# Enabled if option is present. +# enforce_for_root +# +# Number of passwords to remember. +# The default is 10. +# remember = 10 +# +# Number of times to prompt for the password. +# The default is 1. +# retry = 1 +# +# The directory where the last passwords are kept. +# The default is /etc/security/opasswd. +# file = /etc/security/opasswd diff --git a/modules/pam_pwhistory/pwhistory.conf.5 b/modules/pam_pwhistory/pwhistory.conf.5 new file mode 100644 index 00000000..ae57798f --- /dev/null +++ b/modules/pam_pwhistory/pwhistory.conf.5 @@ -0,0 +1,118 @@ +'\" t +.\" Title: pwhistory.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PWHISTORY\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pwhistory.conf \- pam_pwhistory configuration file +.SH "DESCRIPTION" +.PP +\fBpwhistory\&.conf\fR +provides a way to configure the default settings for saving the last passwords for each user\&. This file is read by the +\fIpam_pwhistory\fR +module and is the preferred method over configuring +\fIpam_pwhistory\fR +directly\&. +.PP +The file has a very simple +\fIname = value\fR +format with possible comments starting with +\fI#\fR +character\&. The whitespace at the beginning of line, end of line, and around the +\fI=\fR +sign is ignored\&. +.SH "OPTIONS" +.PP +debug +.RS 4 +Turns on debugging via +\fBsyslog\fR(3)\&. +.RE +.PP +enforce_for_root +.RS 4 +If this option is set, the check is enforced for root, too\&. +.RE +.PP +remember=N +.RS 4 +The last +\fIN\fR +passwords for each user are saved\&. The default is +\fI10\fR\&. Value of +\fI0\fR +makes the module to keep the existing contents of the +opasswd +file unchanged\&. +.RE +.PP +retry=N +.RS 4 +Prompt user at most +\fIN\fR +times before returning with error\&. The default is 1\&. +.RE +.PP +file=/path/filename +.RS 4 +Store password history in file +\fI/path/filename\fR +rather than the default location\&. The default location is +/etc/security/opasswd\&. +.RE +.SH "EXAMPLES" +.PP +/etc/security/pwhistory\&.conf file example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +debug +remember=5 +file=/tmp/opasswd + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/etc/security/pwhistory\&.conf +.RS 4 +the config file for custom options +.RE +.SH "SEE ALSO" +.PP +\fBpwhistory\fR(8), +\fBpam_pwhistory\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_pwhistory was written by Thorsten Kukuk\&. The support for pwhistory\&.conf was written by Iker Pedrosa\&. diff --git a/modules/pam_pwhistory/pwhistory.conf.5.xml b/modules/pam_pwhistory/pwhistory.conf.5.xml new file mode 100644 index 00000000..2a2dfd3a --- /dev/null +++ b/modules/pam_pwhistory/pwhistory.conf.5.xml @@ -0,0 +1,152 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pwhistory.conf"> + + <refmeta> + <refentrytitle>pwhistory.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pwhistory.conf-name"> + <refname>pwhistory.conf</refname> + <refpurpose>pam_pwhistory configuration file</refpurpose> + </refnamediv> + + <refsect1 xml:id="pwhistory.conf-description"> + + <title>DESCRIPTION</title> + <para> + <emphasis remap="B">pwhistory.conf</emphasis> provides a way to configure the + default settings for saving the last passwords for each user. + This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the + preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly. + </para> + <para> + The file has a very simple <emphasis>name = value</emphasis> format with possible comments + starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end + of line, and around the <emphasis>=</emphasis> sign is ignored. + </para> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + debug + </term> + <listitem> + <para> + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + enforce_for_root + </term> + <listitem> + <para> + If this option is set, the check is enforced for root, too. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + remember=N + </term> + <listitem> + <para> + The last <replaceable>N</replaceable> passwords for each + user are saved. + The default is <emphasis>10</emphasis>. Value of + <emphasis>0</emphasis> makes the module to keep the existing + contents of the <filename>opasswd</filename> file unchanged. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + retry=N + </term> + <listitem> + <para> + Prompt user at most <replaceable>N</replaceable> times + before returning with error. The default is 1. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + file=/path/filename + </term> + <listitem> + <para> + Store password history in file + <replaceable>/path/filename</replaceable> rather than the default + location. The default location is + <filename>/etc/security/opasswd</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-examples"> + <title>EXAMPLES</title> + <para> + /etc/security/pwhistory.conf file example: + </para> + <programlisting> +debug +remember=5 +file=/tmp/opasswd + </programlisting> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term>/etc/security/pwhistory.conf</term> + <listitem> + <para>the config file for custom options</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-author"> + <title>AUTHOR</title> + <para> + pam_pwhistory was written by Thorsten Kukuk. The support for + pwhistory.conf was written by Iker Pedrosa. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/pwhistory_config.c b/modules/pam_pwhistory/pwhistory_config.c new file mode 100644 index 00000000..692cf80e --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_config.c @@ -0,0 +1,131 @@ +/* + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <sys/stat.h> + +#include <security/pam_modutil.h> + +#include "pam_inline.h" +#include "pwhistory_config.h" + +#define PWHISTORY_DEFAULT_CONF SCONFIGDIR "/pwhistory.conf" + +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PWHISTORY_DEFAULT_CONF (VENDOR_SCONFIGDIR "/pwhistory.conf") +#endif + +void +parse_config_file(pam_handle_t *pamh, int argc, const char **argv, + struct options_t *options) +{ + const char *fname = NULL; + int i; + char *val; + + for (i = 0; i < argc; ++i) { + const char *str = pam_str_skip_prefix(argv[i], "conf="); + + if (str != NULL) { + fname = str; + } + } + + if (fname == NULL) { + fname = PWHISTORY_DEFAULT_CONF; + +#ifdef VENDOR_PWHISTORY_DEFAULT_CONF + /* + * Check whether PWHISTORY_DEFAULT_CONF file is available. + * If it does not exist, fall back to VENDOR_PWHISTORY_DEFAULT_CONF file. + */ + struct stat buffer; + if (stat(fname, &buffer) != 0 && errno == ENOENT) { + fname = VENDOR_PWHISTORY_DEFAULT_CONF; + } +#endif + } + + val = pam_modutil_search_key (pamh, fname, "debug"); + if (val != NULL) { + options->debug = 1; + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "enforce_for_root"); + if (val != NULL) { + options->enforce_for_root = 1; + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "remember"); + if (val != NULL) { + unsigned int temp; + if (sscanf(val, "%u", &temp) != 1) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for remember argument"); + } else { + options->remember = temp; + } + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "retry"); + if (val != NULL) { + unsigned int temp; + if (sscanf(val, "%u", &temp) != 1) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for retry argument"); + } else { + options->tries = temp; + } + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "file"); + if (val != NULL) { + if (*val != '/') { + pam_syslog (pamh, LOG_ERR, + "File path should be absolute: %s", val); + } else { + options->filename = val; + } + } +} diff --git a/modules/pam_pwhistory/pwhistory_config.h b/modules/pam_pwhistory/pwhistory_config.h new file mode 100644 index 00000000..e2b3bc83 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_config.h @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _PWHISTORY_CONFIG_H +#define _PWHISTORY_CONFIG_H + +#include <security/pam_ext.h> + +struct options_t { + int debug; + int enforce_for_root; + int remember; + int tries; + const char *filename; +}; +typedef struct options_t options_t; + +void +parse_config_file(pam_handle_t *pamh, int argc, const char **argv, + struct options_t *options); + +#endif /* _PWHISTORY_CONFIG_H */ diff --git a/modules/pam_pwhistory/pwhistory_helper.8 b/modules/pam_pwhistory/pwhistory_helper.8 new file mode 100644 index 00000000..0b837d32 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_helper.8 @@ -0,0 +1,54 @@ +'\" t +.\" Title: pwhistory_helper +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PWHISTORY_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pwhistory_helper \- Helper binary that transfers password hashes from passwd or shadow to opasswd +.SH "SYNOPSIS" +.HP \w'\fBpwhistory_helper\fR\ 'u +\fBpwhistory_helper\fR [\&.\&.\&.] +.SH "DESCRIPTION" +.PP +\fIpwhistory_helper\fR +is a helper program for the +\fIpam_pwhistory\fR +module that transfers password hashes from passwd or shadow file to the opasswd file and checks a password supplied by user against the existing hashes in the opasswd file\&. +.PP +The purpose of the helper is to enable tighter confinement of login and password changing services\&. The helper is thus called only when SELinux is enabled on the system\&. +.PP +The interface of the helper \- command line options, and input/output data format are internal to the +\fIpam_pwhistory\fR +module and it should not be called directly from applications\&. +.SH "SEE ALSO" +.PP +\fBpam_pwhistory\fR(8) +.SH "AUTHOR" +.PP +Written by Tomas Mraz based on the code originally in +\fIpam_pwhistory and pam_unix\fR +modules\&. diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml new file mode 100644 index 00000000..8370a485 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_helper.8.xml @@ -0,0 +1,65 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pwhistory_helper"> + + <refmeta> + <refentrytitle>pwhistory_helper</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pwhistory_helper-name"> + <refname>pwhistory_helper</refname> + <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis xml:id="pwhistory_helper-cmdsynopsis" sepchar=" "> + <command>pwhistory_helper</command> + <arg choice="opt" rep="norepeat"> + ... + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 xml:id="pwhistory_helper-description"> + + <title>DESCRIPTION</title> + + <para> + <emphasis>pwhistory_helper</emphasis> is a helper program for the + <emphasis>pam_pwhistory</emphasis> module that transfers password hashes + from passwd or shadow file to the opasswd file and checks a password + supplied by user against the existing hashes in the opasswd file. + </para> + + <para> + The purpose of the helper is to enable tighter confinement of + login and password changing services. The helper is thus called only + when SELinux is enabled on the system. + </para> + + <para> + The interface of the helper - command line options, and input/output + data format are internal to the <emphasis>pam_pwhistory</emphasis> + module and it should not be called directly from applications. + </para> + </refsect1> + + <refsect1 xml:id="pwhistory_helper-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pwhistory_helper-author"> + <title>AUTHOR</title> + <para> + Written by Tomas Mraz based on the code originally in + <emphasis>pam_pwhistory and pam_unix</emphasis> modules. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c new file mode 100644 index 00000000..469d95fa --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_helper.c @@ -0,0 +1,121 @@ +/* + * Copyright (c) 2013 Red Hat, Inc. + * Author: Tomas Mraz <tmraz@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <errno.h> +#include <unistd.h> +#include <signal.h> +#include <security/_pam_types.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include "opasswd.h" +#include "pam_inline.h" + + +static int +check_history(const char *user, const char *filename, const char *debug) +{ + char pass[PAM_MAX_RESP_SIZE + 1]; + char *passwords[] = { pass }; + int npass; + int dbg = atoi(debug); /* no need to be too fancy here */ + int retval; + + /* read the password from stdin (a pipe from the pam_pwhistory module) */ + npass = pam_read_passwords(STDIN_FILENO, 1, passwords); + + if (npass != 1) + { /* is it a valid password? */ + helper_log_err(LOG_DEBUG, "no password supplied"); + return PAM_AUTHTOK_ERR; + } + + retval = check_old_pass(user, pass, filename, dbg); + + pam_overwrite_array(pass); /* clear memory of the password */ + + return retval; +} + +static int +save_history(const char *user, const char *filename, const char *howmany, const char *debug) +{ + int num = atoi(howmany); + int dbg = atoi(debug); /* no need to be too fancy here */ + int retval; + + retval = save_old_pass(user, num, filename, dbg); + + return retval; +} + +int +main(int argc, char *argv[]) +{ + const char *option; + const char *user; + const char *filename; + + /* + * we establish that this program is running with non-tty stdin. + * this is to discourage casual use. + */ + + if (isatty(STDIN_FILENO) || argc < 5) + { + fprintf(stderr, + "This binary is not designed for running in this way.\n"); + return PAM_SYSTEM_ERR; + } + + option = argv[1]; + user = argv[2]; + filename = argv[3]; + + if (strcmp(option, "check") == 0 && argc == 5) + return check_history(user, filename, argv[4]); + else if (strcmp(option, "save") == 0 && argc == 6) + return save_history(user, filename, argv[4], argv[5]); + + fprintf(stderr, "This binary is not designed for running in this way.\n"); + + return PAM_SYSTEM_ERR; +} diff --git a/modules/pam_pwhistory/tst-pam_pwhistory-retval.c b/modules/pam_pwhistory/tst-pam_pwhistory-retval.c new file mode 100644 index 00000000..9c9a62b4 --- /dev/null +++ b/modules/pam_pwhistory/tst-pam_pwhistory-retval.c @@ -0,0 +1,60 @@ +/* + * Check pam_pwhistory return values. + * + * Copyright (c) 2023 Stefan Schubert <schubi@suse.de> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_pwhistory" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* cleanup */ + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am index 7e043833..cb7dbe53 100644 --- a/modules/pam_rhosts/Makefile.am +++ b/modules/pam_rhosts/Makefile.am @@ -5,18 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts - -TESTS = tst-pam_rhosts - -man_MANS = pam_rhosts.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_rhosts.8 +endif XMLS = README.xml pam_rhosts.8.xml +dist_check_SCRIPTS = tst-pam_rhosts +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -26,7 +32,6 @@ securelib_LTLIBRARIES = pam_rhosts.la pam_rhosts_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_rhosts.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_rhosts/Makefile.in b/modules/pam_rhosts/Makefile.in index 0c9e9fea..f67159cd 100644 --- a/modules/pam_rhosts/Makefile.in +++ b/modules/pam_rhosts/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_rhosts -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_rhosts.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts -TESTS = tst-pam_rhosts -man_MANS = pam_rhosts.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_rhosts.8 XMLS = README.xml pam_rhosts.8.xml +dist_check_SCRIPTS = tst-pam_rhosts +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_rhosts.la pam_rhosts_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_rhosts/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_rhosts/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rhosts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rhosts.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_rhosts.log: tst-pam_rhosts @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_rhosts.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_rhosts.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_rhosts.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_rhosts/README.xml b/modules/pam_rhosts/README.xml index 5d3307e7..2345dffd 100644 --- a/modules/pam_rhosts/README.xml +++ b/modules/pam_rhosts/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_rhosts.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rhosts-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8 index c52a5d85..327ad22e 100644 --- a/modules/pam_rhosts/pam_rhosts.8 +++ b/modules/pam_rhosts/pam_rhosts.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_rhosts .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_RHOSTS" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_RHOSTS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -54,17 +54,17 @@ connecting from the remote host (internally specified by the item \fBpam_authenticate()\fR\&. The module is not capable of independently probing the network connection for such information\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages\&. .RE .PP -\fBsuperuser=\fR\fB\fIaccount\fR\fR +superuser=account .RS 4 Handle \fIaccount\fR @@ -122,7 +122,7 @@ auth required pam_unix\&.so \fBrhosts\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de> diff --git a/modules/pam_rhosts/pam_rhosts.8.xml b/modules/pam_rhosts/pam_rhosts.8.xml index eb96371d..41d541c7 100644 --- a/modules/pam_rhosts/pam_rhosts.8.xml +++ b/modules/pam_rhosts/pam_rhosts.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_rhosts"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_rhosts"> <refmeta> <refentrytitle>pam_rhosts</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_rhosts-name"> + <refnamediv xml:id="pam_rhosts-name"> <refname>pam_rhosts</refname> <refpurpose>The rhosts PAM module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_rhosts-cmdsynopsis"> + <cmdsynopsis xml:id="pam_rhosts-cmdsynopsis" sepchar=" "> <command>pam_rhosts.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_rhosts-description"> + <refsect1 xml:id="pam_rhosts-description"> <title>DESCRIPTION</title> @@ -53,12 +50,12 @@ </para> </refsect1> - <refsect1 id="pam_rhosts-options"> + <refsect1 xml:id="pam_rhosts-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -68,7 +65,7 @@ </varlistentry> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -78,7 +75,7 @@ </varlistentry> <varlistentry> <term> - <option>superuser=<replaceable>account</replaceable></option> + superuser=account </term> <listitem> <para> @@ -89,14 +86,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_rhosts-types"> + <refsect1 xml:id="pam_rhosts-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_rhosts-return_values'> + <refsect1 xml:id="pam_rhosts-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -120,7 +117,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_rhosts-examples'> + <refsect1 xml:id="pam_rhosts-examples"> <title>EXAMPLES</title> <para> To grant a remote user access by <filename>/etc/hosts.equiv</filename> @@ -137,7 +134,7 @@ auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_rhosts-see_also'> + <refsect1 xml:id="pam_rhosts-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -156,16 +153,16 @@ auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_rhosts-author'> + <refsect1 xml:id="pam_rhosts-author"> <title>AUTHOR</title> <para> pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c index ed98d630..a1b394d9 100644 --- a/modules/pam_rhosts/pam_rhosts.c +++ b/modules/pam_rhosts/pam_rhosts.c @@ -1,4 +1,6 @@ /* + * pam_rhosts module + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -35,13 +37,13 @@ #include <pwd.h> #include <netdb.h> #include <string.h> +#include <stdlib.h> #include <syslog.h> -#define PAM_SM_AUTH /* only defines this management group */ - #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -58,12 +60,14 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, opt_silent = flags & PAM_SILENT; while (argc-- > 0) { + const char *str; + if (strcmp(*argv, "debug") == 0) opt_debug = 1; else if (strcmp (*argv, "silent") == 0 || strcmp(*argv, "suppress") == 0) opt_silent = 1; - else if (strncmp(*argv, "superuser=", sizeof("superuser=")-1) == 0) - opt_superuser = *argv+sizeof("superuser=")-1; + else if ((str = pam_str_skip_prefix(*argv, "superuser=")) != NULL) + opt_superuser = str; else pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", *argv); @@ -86,11 +90,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, retval = pam_get_user(pamh, &luser, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "could not determine name of local user"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine local user name: %s", + pam_strerror(pamh, retval)); return retval; } - if (rhost == NULL || ruser == NULL || luser == NULL) + if (rhost == NULL || ruser == NULL) return PAM_AUTH_ERR; if (opt_superuser && strcmp(opt_superuser, luser) == 0) diff --git a/modules/pam_rootok/Makefile.am b/modules/pam_rootok/Makefile.am index f8f292eb..c5b838f6 100644 --- a/modules/pam_rootok/Makefile.am +++ b/modules/pam_rootok/Makefile.am @@ -5,20 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rootok +EXTRA_DIST = $(XMLS) -man_MANS = pam_rootok.8 +if HAVE_DOC +dist_man_MANS = pam_rootok.8 +endif XMLS = README.xml pam_rootok.8.xml - -TESTS = tst-pam_rootok +dist_check_SCRIPTS = tst-pam_rootok +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) - -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -if HAVE_LIBSELINUX -AM_CFLAGS += -DWITH_SELINUX endif + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -27,8 +31,10 @@ endif securelib_LTLIBRARIES = pam_rootok.la pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ +check_PROGRAMS = tst-pam_rootok-retval +tst_pam_rootok_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_rootok.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_rootok/Makefile.in b/modules/pam_rootok/Makefile.in index b3103b6d..64b6de13 100644 --- a/modules/pam_rootok/Makefile.in +++ b/modules/pam_rootok/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -83,27 +93,29 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_LIBSELINUX_TRUE@am__append_1 = -DWITH_SELINUX -@HAVE_VERSIONING_TRUE@am__append_2 = -Wl,--version-script=$(srcdir)/../modules.map +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_rootok-retval$(EXEEXT) subdir = modules/pam_rootok -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -144,6 +156,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_rootok_retval_SOURCES = tst-pam_rootok-retval.c +tst_pam_rootok_retval_OBJECTS = tst-pam_rootok-retval.$(OBJEXT) +tst_pam_rootok_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -158,7 +173,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_rootok.Plo \ + ./$(DEPDIR)/tst-pam_rootok-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -178,8 +195,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_rootok.c -DIST_SOURCES = pam_rootok.c +SOURCES = pam_rootok.c tst-pam_rootok-retval.c +DIST_SOURCES = pam_rootok.c tst-pam_rootok-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -187,8 +204,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -363,6 +381,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -385,6 +404,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -404,24 +426,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -435,7 +466,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -454,11 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -481,8 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -493,11 +525,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -540,7 +579,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -548,9 +586,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -560,24 +595,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rootok -man_MANS = pam_rootok.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_rootok.8 XMLS = README.xml pam_rootok.8.xml -TESTS = tst-pam_rootok +dist_check_SCRIPTS = tst-pam_rootok +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include \ - -I$(top_srcdir)/libpamc/include $(am__append_1) -AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_2) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_rootok.la pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_rootok_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -594,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_rootok/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_rootok/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -613,6 +652,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -651,27 +699,38 @@ clean-securelibLTLIBRARIES: pam_rootok.la: $(pam_rootok_la_OBJECTS) $(pam_rootok_la_DEPENDENCIES) $(EXTRA_pam_rootok_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_rootok_la_OBJECTS) $(pam_rootok_la_LIBADD) $(LIBS) +tst-pam_rootok-retval$(EXEEXT): $(tst_pam_rootok_retval_OBJECTS) $(tst_pam_rootok_retval_DEPENDENCIES) $(EXTRA_tst_pam_rootok_retval_DEPENDENCIES) + @rm -f tst-pam_rootok-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_rootok_retval_OBJECTS) $(tst_pam_rootok_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rootok.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_rootok.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_rootok-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -685,10 +744,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -723,7 +782,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -811,7 +870,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -888,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -901,7 +960,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -911,7 +970,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -929,6 +988,13 @@ tst-pam_rootok.log: tst-pam_rootok --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_rootok-retval.log: tst-pam_rootok-retval$(EXEEXT) + @p='tst-pam_rootok-retval$(EXEEXT)'; \ + b='tst-pam_rootok-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -944,7 +1010,10 @@ tst-pam_rootok.log: tst-pam_rootok @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -975,6 +1044,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1019,11 +1090,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_rootok.Plo + -rm -f ./$(DEPDIR)/tst-pam_rootok-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1069,7 +1141,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_rootok.Plo + -rm -f ./$(DEPDIR)/tst-pam_rootok-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1092,15 +1165,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1108,7 +1182,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_rootok.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_rootok/README.xml b/modules/pam_rootok/README.xml index 6fb58cd0..58f77967 100644 --- a/modules/pam_rootok/README.xml +++ b/modules/pam_rootok/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_rootok.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rootok-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8 index d5f04e36..984cadd6 100644 --- a/modules/pam_rootok/pam_rootok.8 +++ b/modules/pam_rootok/pam_rootok.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_rootok .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ROOTOK" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ROOTOK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -44,7 +44,7 @@ of the user but run with the authority of an enhanced effective\-UID\&. It is th that is checked\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE @@ -52,7 +52,7 @@ Print debug information\&. .PP The \fBauth\fR, -\fBacct\fR +\fBaccount\fR and \fBpassword\fR module types are provided\&. @@ -71,7 +71,8 @@ PAM_AUTH_ERR The \fIUID\fR is -\fBnot\fR\fI0\fR\&. +\fBnot\fR +\fI0\fR\&. .RE .SH "EXAMPLES" .PP @@ -99,7 +100,7 @@ auth required pam_unix\&.so \fBsu\fR(1), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&. diff --git a/modules/pam_rootok/pam_rootok.8.xml b/modules/pam_rootok/pam_rootok.8.xml index 6f44b845..f30ad37f 100644 --- a/modules/pam_rootok/pam_rootok.8.xml +++ b/modules/pam_rootok/pam_rootok.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_rootok"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_rootok"> <refmeta> <refentrytitle>pam_rootok</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_rootok-name"> + <refnamediv xml:id="pam_rootok-name"> <refname>pam_rootok</refname> <refpurpose>Gain only root access</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_rootok-cmdsynopsis"> + <cmdsynopsis xml:id="pam_rootok-cmdsynopsis" sepchar=" "> <command>pam_rootok.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_rootok-description"> + <refsect1 xml:id="pam_rootok-description"> <title>DESCRIPTION</title> @@ -38,12 +35,12 @@ </para> </refsect1> - <refsect1 id="pam_rootok-options"> + <refsect1 xml:id="pam_rootok-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -54,15 +51,15 @@ </variablelist> </refsect1> - <refsect1 id="pam_rootok-types"> + <refsect1 xml:id="pam_rootok-types"> <title>MODULE TYPES PROVIDED</title> <para> - The <option>auth</option>, <option>acct</option> and + The <option>auth</option>, <option>account</option> and <option>password</option> module types are provided. </para> </refsect1> - <refsect1 id='pam_rootok-return_values'> + <refsect1 xml:id="pam_rootok-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -77,7 +74,7 @@ <term>PAM_AUTH_ERR</term> <listitem> <para> - The <emphasis>UID</emphasis> is <emphasis remap='B'>not</emphasis> + The <emphasis>UID</emphasis> is <emphasis remap="B">not</emphasis> <emphasis>0</emphasis>. </para> </listitem> @@ -85,7 +82,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_rootok-examples'> + <refsect1 xml:id="pam_rootok-examples"> <title>EXAMPLES</title> <para> In the case of the <citerefentry> @@ -103,7 +100,7 @@ auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_rootok-see_also'> + <refsect1 xml:id="pam_rootok-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -116,16 +113,16 @@ auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_rootok-author'> + <refsect1 xml:id="pam_rootok-author"> <title>AUTHOR</title> <para> pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index 17baabe4..9bc15abf 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -1,7 +1,5 @@ -/* pam_rootok module */ - /* - * $Id$ + * pam_rootok module * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 */ @@ -14,15 +12,6 @@ #include <stdarg.h> #include <string.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - #include <security/pam_modules.h> #include <security/pam_ext.h> @@ -61,28 +50,34 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) #ifdef WITH_SELINUX static int -log_callback (int type, const char *fmt, ...) +PAM_FORMAT((printf, 2, 3)) +log_callback (int type UNUSED, const char *fmt, ...) { - int audit_fd; va_list ap; - va_start(ap, fmt); #ifdef HAVE_LIBAUDIT - audit_fd = audit_open(); + int audit_fd = audit_open(); if (audit_fd >= 0) { char *buf; + int ret; - if (vasprintf (&buf, fmt, ap) < 0) + va_start(ap, fmt); + ret = vasprintf (&buf, fmt, ap); + va_end(ap); + if (ret < 0) { return 0; + } audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0); audit_close(audit_fd); free(buf); + va_end(ap); return 0; } #endif + va_start(ap, fmt); vsyslog (LOG_USER | LOG_INFO, fmt, ap); va_end(ap); return 0; @@ -92,7 +87,7 @@ static int selinux_check_root (void) { int status = -1; - security_context_t user_context; + char *user_context_raw; union selinux_callback old_callback; if (is_selinux_enabled() < 1) @@ -101,15 +96,15 @@ selinux_check_root (void) old_callback = selinux_get_callback(SELINUX_CB_LOG); /* setup callbacks */ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); - if ((status = getprevcon(&user_context)) < 0) { + if ((status = getprevcon_raw(&user_context_raw)) < 0) { selinux_set_callback(SELINUX_CB_LOG, old_callback); return status; } - status = selinux_check_access(user_context, user_context, "passwd", "rootok", NULL); + status = selinux_check_access(user_context_raw, user_context_raw, "passwd", "rootok", NULL); selinux_set_callback(SELINUX_CB_LOG, old_callback); - freecon(user_context); + freecon(user_context_raw); return status; } #endif diff --git a/modules/pam_rootok/tst-pam_rootok-retval.c b/modules/pam_rootok/tst-pam_rootok-retval.c new file mode 100644 index 00000000..b1797013 --- /dev/null +++ b/modules/pam_rootok/tst-pam_rootok-retval.c @@ -0,0 +1,72 @@ +/* + * Check pam_rootok return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_rootok" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + if (getuid() == 0) { + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_chauthtok(pamh, 0)); + } else { + ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_AUTH_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_AUTH_ERR, pam_chauthtok(pamh, 0)); + } + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index 30cc879a..c695d413 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_securetty +EXTRA_DIST = $(XMLS) -TESTS = tst-pam_securetty - -man_MANS = pam_securetty.8 +if HAVE_DOC +dist_man_MANS = pam_securetty.8 +endif XMLS = README.xml pam_securetty.8.xml +dist_check_SCRIPTS = tst-pam_securetty +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_securetty.la pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_securetty.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_securetty/Makefile.in b/modules/pam_securetty/Makefile.in index ee1c94cb..f207cf98 100644 --- a/modules/pam_securetty/Makefile.in +++ b/modules/pam_securetty/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_securetty -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_securetty.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_securetty -TESTS = tst-pam_securetty -man_MANS = pam_securetty.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_securetty.8 XMLS = README.xml pam_securetty.8.xml +dist_check_SCRIPTS = tst-pam_securetty +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_securetty.la pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_securetty/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_securetty/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_securetty.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_securetty.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_securetty.log: tst-pam_securetty @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_securetty.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_securetty.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_securetty.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_securetty/README b/modules/pam_securetty/README index 14518411..86dbe348 100644 --- a/modules/pam_securetty/README +++ b/modules/pam_securetty/README @@ -5,11 +5,12 @@ pam_securetty — Limit root login to special devices DESCRIPTION pam_securetty is a PAM module that allows root logins only if the user is -logging in on a "secure" tty, as defined by the listing in /etc/securetty. -pam_securetty also checks to make sure that /etc/securetty is a plain file and -not world writable. It will also allow root logins on the tty specified with -console= switch on the kernel command line and on ttys from the /sys/class/tty/ -console/active. +logging in on a "secure" tty, as defined by the listing in the securetty file. +pam_securetty checks at first, if /etc/securetty exists. If not and it was +built with vendordir support, it will use %vendordir%/securetty. pam_securetty +also checks that the securetty files are plain files and not world writable. It +will also allow root logins on the tty specified with console= switch on the +kernel command line and on ttys from the /sys/class/tty/console/active. This module has no effect on non-root users and requires that the application fills in the PAM_TTY item correctly. @@ -27,7 +28,7 @@ noconsole Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also - specified in the /etc/securetty file. + specified in the securetty file. EXAMPLES diff --git a/modules/pam_securetty/README.xml b/modules/pam_securetty/README.xml index a8c098a0..70176d75 100644 --- a/modules/pam_securetty/README.xml +++ b/modules/pam_securetty/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_securetty.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_securetty-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8 index 95747fea..95804fb2 100644 --- a/modules/pam_securetty/pam_securetty.8 +++ b/modules/pam_securetty/pam_securetty.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_securetty .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SECURETTY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SECURETTY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -34,10 +34,14 @@ pam_securetty \- Limit root login to special devices \fBpam_securetty\&.so\fR [debug] .SH "DESCRIPTION" .PP -pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in -/etc/securetty\&. pam_securetty also checks to make sure that +pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in the +securetty +file\&. pam_securetty checks at first, if /etc/securetty -is a plain file and not world writable\&. It will also allow root logins on the tty specified with +exists\&. If not and it was built with vendordir support, it will use +/securetty\&. pam_securetty also checks that the +securetty +files are plain files and not world writable\&. It will also allow root logins on the tty specified with \fBconsole=\fR switch on the kernel command line and on ttys from the /sys/class/tty/console/active\&. @@ -53,15 +57,15 @@ authentication method before any authentication methods\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBnoconsole\fR +noconsole .RS 4 Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the -/etc/securetty +securetty file\&. .RE .SH "MODULE TYPES PROVIDED" @@ -79,19 +83,30 @@ The user is allowed to continue authentication\&. Either the user is not root, o PAM_AUTH_ERR .RS 4 Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the -/etc/securetty +securetty file is world writable or not a normal file\&. .RE .PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP PAM_INCOMPLETE .RS 4 -An application error occurred\&. pam_securetty was not able to get information it required from the application that called it\&. +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. .RE .PP PAM_SERVICE_ERR .RS 4 -An error occurred while the module was determining the user\*(Aqs name or tty, or the module could not open -/etc/securetty\&. +An error occurred while the module was determining the user\*(Aqs name or tty, or the module could not open the +securetty +file\&. .RE .PP PAM_USER_UNKNOWN @@ -119,7 +134,7 @@ auth required pam_unix\&.so \fBsecuretty\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&. diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml index 48215f5f..fcf0e881 100644 --- a/modules/pam_securetty/pam_securetty.8.xml +++ b/modules/pam_securetty/pam_securetty.8.xml @@ -1,62 +1,62 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_securetty"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_securetty"> <refmeta> <refentrytitle>pam_securetty</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_securetty-name"> + <refnamediv xml:id="pam_securetty-name"> <refname>pam_securetty</refname> <refpurpose>Limit root login to special devices</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_securetty-cmdsynopsis"> + <cmdsynopsis xml:id="pam_securetty-cmdsynopsis" sepchar=" "> <command>pam_securetty.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_securetty-description"> + <refsect1 xml:id="pam_securetty-description"> <title>DESCRIPTION</title> <para> pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing - in <filename>/etc/securetty</filename>. pam_securetty also checks - to make sure that <filename>/etc/securetty</filename> is a plain - file and not world writable. It will also allow root logins on + in the <filename>securetty</filename> file. pam_securetty checks at + first, if <filename>/etc/securetty</filename> exists. If not and + it was built with vendordir support, it will use + <filename>%vendordir%/securetty</filename>. pam_securetty also + checks that the <filename>securetty</filename> files are plain + files and not world writable. It will also allow root logins on the tty specified with <option>console=</option> switch on the kernel command line and on ttys from the <filename>/sys/class/tty/console/active</filename>. </para> <para> This module has no effect on non-root users and requires that the - application fills in the <emphasis remap='B'>PAM_TTY</emphasis> + application fills in the <emphasis remap="B">PAM_TTY</emphasis> item correctly. </para> <para> For canonical usage, should be listed as a - <emphasis remap='B'>required</emphasis> authentication method - before any <emphasis remap='B'>sufficient</emphasis> + <emphasis remap="B">required</emphasis> authentication method + before any <emphasis remap="B">sufficient</emphasis> authentication methods. </para> </refsect1> - <refsect1 id="pam_securetty-options"> + <refsect1 xml:id="pam_securetty-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -66,28 +66,28 @@ </varlistentry> <varlistentry> <term> - <option>noconsole</option> + noconsole </term> <listitem> <para> Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the - <filename>/etc/securetty</filename> file. + <filename>securetty</filename> file. </para> </listitem> </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_securetty-types"> + <refsect1 xml:id="pam_securetty-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_securetty-return_values'> + <refsect1 xml:id="pam_securetty-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -106,18 +106,34 @@ <para> Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the - <filename>/etc/securetty</filename> file is world writable or + <filename>securetty</filename> file is world writable or not a normal file. </para> </listitem> </varlistentry> <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + <varlistentry> <term>PAM_INCOMPLETE</term> <listitem> <para> - An application error occurred. pam_securetty was not able - to get information it required from the application that - called it. + The conversation method supplied by the application + returned PAM_CONV_AGAIN. </para> </listitem> </varlistentry> @@ -127,7 +143,7 @@ <para> An error occurred while the module was determining the user's name or tty, or the module could not open - <filename>/etc/securetty</filename>. + the <filename>securetty</filename> file. </para> </listitem> </varlistentry> @@ -145,7 +161,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_securetty-examples'> + <refsect1 xml:id="pam_securetty-examples"> <title>EXAMPLES</title> <para> <programlisting> @@ -155,7 +171,7 @@ auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_securetty-see_also'> + <refsect1 xml:id="pam_securetty-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -168,16 +184,16 @@ auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_securetty-author'> + <refsect1 xml:id="pam_securetty-author"> <title>AUTHOR</title> <para> pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index cb1da252..47a5cd9f 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -1,11 +1,6 @@ -/* pam_securetty module */ - -#define SECURETTY_FILE "/etc/securetty" -#define TTY_PREFIX "/dev/" -#define CMDLINE_FILE "/proc/cmdline" -#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" - /* + * pam_securetty module + * * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. * July 25, 1996. * This code shamelessly ripped from the pam_rootok module. @@ -25,24 +20,24 @@ #include <string.h> #include <ctype.h> #include <limits.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT +#include <errno.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" #define PAM_DEBUG_ARG 0x0001 #define PAM_NOCONSOLE_ARG 0x0002 +#define SECURETTY_FILE "/etc/securetty" +#ifdef VENDORDIR +#define SECURETTY2_FILE VENDORDIR"/securetty" +#endif +#define TTY_PREFIX "/dev/" +#define CMDLINE_FILE "/proc/cmdline" +#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) { @@ -70,8 +65,10 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, const char *function_name) { int retval = PAM_AUTH_ERR; + const char *securettyfile; const char *username; const char *uttyname; + const char *str; const void *void_uttyname; char ttyfileline[256]; char ptname[256]; @@ -86,9 +83,10 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } retval = pam_get_user(pamh, &username, NULL); - if (retval != PAM_SUCCESS || username == NULL) { - pam_syslog(pamh, LOG_WARNING, "cannot determine username"); - return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); + return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE : retval); } user_pwd = pam_modutil_getpwnam(pamh, username); @@ -106,15 +104,33 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { - uttyname += sizeof(TTY_PREFIX)-1; - } + if ((str = pam_str_skip_prefix(uttyname, TTY_PREFIX)) != NULL) + uttyname = str; if (stat(SECURETTY_FILE, &ttyfileinfo)) { - pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +#ifdef VENDORDIR + if (errno == ENOENT) { + if (stat(SECURETTY2_FILE, &ttyfileinfo)) { + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh, LOG_DEBUG, + "Couldn't open %s: %m", SECURETTY2_FILE); + return PAM_SUCCESS; /* for compatibility with old securetty handling, + this needs to succeed. But we still log the + error. */ + } + securettyfile = SECURETTY2_FILE; + } else { +#endif + if (ctrl & PAM_DEBUG_ARG) + pam_syslog(pamh, LOG_DEBUG, "Couldn't open %s: %m", SECURETTY_FILE); return PAM_SUCCESS; /* for compatibility with old securetty handling, this needs to succeed. But we still log the error. */ +#ifdef VENDORDIR + } +#endif + } else { + securettyfile = SECURETTY_FILE; } if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { @@ -122,13 +138,13 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, normal file, return error */ pam_syslog(pamh, LOG_ERR, "%s is either world writable or not a normal file", - SECURETTY_FILE); + securettyfile); return PAM_AUTH_ERR; } - ttyfile = fopen(SECURETTY_FILE,"r"); + ttyfile = fopen(securettyfile,"r"); if (ttyfile == NULL) { /* Check that we opened it successfully */ - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", securettyfile); return PAM_SERVICE_ERR; } @@ -163,18 +179,17 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, fclose(cmdlinefile); for (; p; p = strstr(p+1, "console=")) { - char *e; + const char *e; /* Test whether this is a beginning of a word? */ if (p > line && p[-1] != ' ') continue; /* Is this our console? */ - if (strncmp(p + 8, uttyname, strlen(uttyname))) + if ((e = pam_str_skip_prefix_len(p + 8, uttyname, strlen(uttyname))) == NULL) continue; /* Is there any garbage after the TTY name? */ - e = p + 8 + strlen(uttyname); if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { retval = 0; break; diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 28c60d84..fbb6de6d 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -5,21 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ - tst-pam_selinux +EXTRA_DIST = $(XMLS) pam_selinux_check.8 -if HAVE_LIBSELINUX - TESTS = tst-pam_selinux - man_MANS = pam_selinux.8 +if HAVE_DOC +dist_man_MANS = pam_selinux.8 endif - XMLS = README.xml pam_selinux.8.xml +dist_check_SCRIPTS = tst-pam_selinux +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(top_srcdir)/libpam_misc/include + -I$(top_srcdir)/libpam_misc/include $(WARN_CFLAGS) pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ @@ -27,14 +30,12 @@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_LIBSELINUX - securelib_LTLIBRARIES = pam_selinux.la - noinst_PROGRAMS = pam_selinux_check - pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ - $(top_builddir)/libpam_misc/libpam_misc.la -endif +securelib_LTLIBRARIES = pam_selinux.la +noinst_PROGRAMS = pam_selinux_check +pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_selinux.8 -README: pam_selinux.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_selinux/Makefile.in b/modules/pam_selinux/Makefile.in index 6c39eefd..cad48d6c 100644 --- a/modules/pam_selinux/Makefile.in +++ b/modules/pam_selinux/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,30 +95,33 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map -@HAVE_LIBSELINUX_TRUE@noinst_PROGRAMS = pam_selinux_check$(EXEEXT) +noinst_PROGRAMS = pam_selinux_check$(EXEEXT) subdir = modules/pam_selinux -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +PROGRAMS = $(noinst_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -149,13 +162,10 @@ pam_selinux_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(pam_selinux_la_LDFLAGS) $(LDFLAGS) -o \ $@ -@HAVE_LIBSELINUX_TRUE@am_pam_selinux_la_rpath = -rpath $(securelibdir) -PROGRAMS = $(noinst_PROGRAMS) pam_selinux_check_SOURCES = pam_selinux_check.c pam_selinux_check_OBJECTS = pam_selinux_check.$(OBJEXT) -@HAVE_LIBSELINUX_TRUE@pam_selinux_check_DEPENDENCIES = \ -@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam/libpam.la \ -@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la +pam_selinux_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -170,7 +180,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_selinux.Plo \ + ./$(DEPDIR)/pam_selinux_check.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -199,8 +211,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -375,6 +388,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -397,6 +411,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -416,24 +433,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -447,7 +473,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -466,11 +491,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -493,8 +521,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -505,11 +532,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -552,7 +586,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -560,9 +593,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -572,31 +602,32 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ - tst-pam_selinux - -@HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_selinux -@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8 +EXTRA_DIST = $(XMLS) pam_selinux_check.8 +@HAVE_DOC_TRUE@dist_man_MANS = pam_selinux.8 XMLS = README.xml pam_selinux.8.xml +dist_check_SCRIPTS = tst-pam_selinux +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(top_srcdir)/libpam_misc/include + -I$(top_srcdir)/libpam_misc/include $(WARN_CFLAGS) pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ -@HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_selinux.la -@HAVE_LIBSELINUX_TRUE@pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ -@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la +securelib_LTLIBRARIES = pam_selinux.la +pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_selinux.8 +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -613,14 +644,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_selinux/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -632,6 +662,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -668,16 +707,7 @@ clean-securelibLTLIBRARIES: } pam_selinux.la: $(pam_selinux_la_OBJECTS) $(pam_selinux_la_DEPENDENCIES) $(EXTRA_pam_selinux_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_selinux_la_LINK) $(am_pam_selinux_la_rpath) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list + $(AM_V_CCLD)$(pam_selinux_la_LINK) -rpath $(securelibdir) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) pam_selinux_check$(EXEEXT): $(pam_selinux_check_OBJECTS) $(pam_selinux_check_DEPENDENCIES) $(EXTRA_pam_selinux_check_DEPENDENCIES) @rm -f pam_selinux_check$(EXEEXT) @@ -689,22 +719,28 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux_check.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux_check.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -718,10 +754,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -756,7 +792,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -844,7 +880,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -921,7 +957,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -934,7 +970,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -944,7 +980,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -977,7 +1013,10 @@ tst-pam_selinux.log: tst-pam_selinux @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1008,9 +1047,10 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) installdirs: for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ @@ -1056,7 +1096,8 @@ clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_selinux.Plo + -rm -f ./$(DEPDIR)/pam_selinux_check.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1102,7 +1143,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_selinux.Plo + -rm -f ./$(DEPDIR)/pam_selinux_check.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1125,10 +1167,10 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-noinstPROGRAMS \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-noinstPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -1142,7 +1184,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_selinux.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_selinux/README.xml b/modules/pam_selinux/README.xml index 7e1baf55..dc1b5697 100644 --- a/modules/pam_selinux/README.xml +++ b/modules/pam_selinux/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_selinux.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_selinux-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 index 5822cc13..12fe0159 100644 --- a/modules/pam_selinux/pam_selinux.8 +++ b/modules/pam_selinux/pam_selinux.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_selinux .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 09/13/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SELINUX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SELINUX" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -51,43 +51,43 @@ should be placed before them\&. When such a placement is not feasible, could be used to temporary restore original security contexts\&. .SH "OPTIONS" .PP -\fBopen\fR +open .RS 4 Only execute the open_session part of the module\&. .RE .PP -\fBclose\fR +close .RS 4 Only execute the close_session part of the module\&. .RE .PP -\fBrestore\fR +restore .RS 4 In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&. .RE .PP -\fBnottys\fR +nottys .RS 4 Do not setup security context of the controlling terminal\&. .RE .PP -\fBdebug\fR +debug .RS 4 Turn on debug messages via \fBsyslog\fR(3)\&. .RE .PP -\fBverbose\fR +verbose .RS 4 Attempt to inform the user when security context is set\&. .RE .PP -\fBselect_context\fR +select_context .RS 4 Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&. .RE .PP -\fBenv_params\fR +env_params .RS 4 Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are \fISELINUX_ROLE_REQUESTED\fR, @@ -95,7 +95,7 @@ Attempt to obtain a custom security context role from PAM environment\&. If MLS \fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&. .RE .PP -\fBuse_current_range\fR +use_current_range .RS 4 Use the sensitivity level of the current process for the user context instead of the default level\&. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment\&. .RE @@ -144,7 +144,7 @@ session optional pam_selinux\&.so \fBexecve\fR(2), \fBtty\fR(4), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBselinux\fR(8) .SH "AUTHOR" .PP diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 28d465f5..7ec5dafb 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_selinux"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_selinux"> <refmeta> <refentrytitle>pam_selinux</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_selinux-name"> + <refnamediv xml:id="pam_selinux-name"> <refname>pam_selinux</refname> <refpurpose>PAM module to set the default security context</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_selinux-cmdsynopsis"> + <cmdsynopsis xml:id="pam_selinux-cmdsynopsis" sepchar=" "> <command>pam_selinux.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> open </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> restore </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nottys </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> verbose </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> select_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> env_params </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_current_range </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_selinux-description"> + <refsect1 xml:id="pam_selinux-description"> <title>DESCRIPTION</title> <para> pam_selinux is a PAM module that sets up the default SELinux security @@ -79,12 +76,12 @@ </para> </refsect1> - <refsect1 id="pam_selinux-options"> + <refsect1 xml:id="pam_selinux-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>open</option> + open </term> <listitem> <para> @@ -94,7 +91,7 @@ </varlistentry> <varlistentry> <term> - <option>close</option> + close </term> <listitem> <para> @@ -104,7 +101,7 @@ </varlistentry> <varlistentry> <term> - <option>restore</option> + restore </term> <listitem> <para> @@ -117,7 +114,7 @@ </varlistentry> <varlistentry> <term> - <option>nottys</option> + nottys </term> <listitem> <para> @@ -127,7 +124,7 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -140,7 +137,7 @@ </varlistentry> <varlistentry> <term> - <option>verbose</option> + verbose </term> <listitem> <para> @@ -150,7 +147,7 @@ </varlistentry> <varlistentry> <term> - <option>select_context</option> + select_context </term> <listitem> <para> @@ -161,7 +158,7 @@ </varlistentry> <varlistentry> <term> - <option>env_params</option> + env_params </term> <listitem> <para> @@ -178,7 +175,7 @@ </varlistentry> <varlistentry> <term> - <option>use_current_range</option> + use_current_range </term> <listitem> <para> @@ -191,14 +188,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_selinux-types"> + <refsect1 xml:id="pam_selinux-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_selinux-return_values'> + <refsect1 xml:id="pam_selinux-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -236,7 +233,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_selinux-examples'> + <refsect1 xml:id="pam_selinux-examples"> <title>EXAMPLES</title> <programlisting> auth required pam_unix.so @@ -245,7 +242,7 @@ session optional pam_selinux.so </programlisting> </refsect1> - <refsect1 id='pam_selinux-see_also'> + <refsect1 xml:id="pam_selinux-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -258,7 +255,7 @@ session optional pam_selinux.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> @@ -266,11 +263,11 @@ session optional pam_selinux.so </para> </refsect1> - <refsect1 id='pam_selinux-author'> + <refsect1 xml:id="pam_selinux-author"> <title>AUTHOR</title> <para> pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 348cdd40..e52e0fc4 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -36,7 +36,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" @@ -53,81 +52,80 @@ #include <fcntl.h> #include <syslog.h> -#define PAM_SM_AUTH -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" #include <selinux/selinux.h> #include <selinux/get_context_list.h> -#include <selinux/flask.h> -#include <selinux/av_permissions.h> -#include <selinux/selinux.h> #include <selinux/context.h> #include <selinux/get_default_type.h> #ifdef HAVE_LIBAUDIT #include <libaudit.h> #include <sys/select.h> -#include <errno.h> #endif /* Send audit message */ -static - -int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, - security_context_t selected_context) +static void +send_audit_message(const pam_handle_t *pamh, int success, const char *default_context, + const char *selected_context) { - int rc=0; #ifdef HAVE_LIBAUDIT char *msg = NULL; int audit_fd = audit_open(); - security_context_t default_raw=NULL; - security_context_t selected_raw=NULL; + char *default_raw = NULL; + char *selected_raw = NULL; const void *tty = NULL, *rhost = NULL; - rc = -1; if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || - errno == EAFNOSUPPORT) - return 0; /* No audit support in kernel */ - pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); - return rc; + errno == EAFNOSUPPORT) { + goto fallback; /* No audit support in kernel */ + } + pam_syslog(pamh, LOG_ERR, "Error connecting to audit system: %m"); + goto fallback; } (void)pam_get_item(pamh, PAM_TTY, &tty); (void)pam_get_item(pamh, PAM_RHOST, &rhost); if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { - pam_syslog(pamh, LOG_ERR, "Error translating default context."); + pam_syslog(pamh, LOG_ERR, "Error translating default context '%s'.", default_context); default_raw = NULL; } if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { - pam_syslog(pamh, LOG_ERR, "Error translating selected context."); + pam_syslog(pamh, LOG_ERR, "Error translating selected context '%s'.", selected_context); selected_raw = NULL; } if (asprintf(&msg, "pam: default-context=%s selected-context=%s", default_raw ? default_raw : (default_context ? default_context : "?"), selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { + msg = NULL; /* asprintf leaves msg in undefined state on failure */ pam_syslog(pamh, LOG_ERR, "Error allocating memory."); - goto out; + goto fallback; } if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, msg, rhost, NULL, tty, success) <= 0) { - pam_syslog(pamh, LOG_ERR, "Error sending audit message."); - goto out; + pam_syslog(pamh, LOG_ERR, "Error sending audit message: %m"); + goto fallback; } - rc = 0; - out: + goto cleanup; + + fallback: +#endif /* HAVE_LIBAUDIT */ + pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", + default_context, selected_context, success); + +#ifdef HAVE_LIBAUDIT + cleanup: free(msg); freecon(default_raw); freecon(selected_raw); - close(audit_fd); -#else - pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); -#endif - return rc; + if (audit_fd >= 0) + close(audit_fd); +#endif /* HAVE_LIBAUDIT */ } + static int send_text (pam_handle_t *pamh, const char *text, int debug) { @@ -161,53 +159,17 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, return rc; } -static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) -{ - struct av_decision avd; - int retval; - security_class_t class; - access_vector_t bit; - context_t src_context; - context_t dst_context; - - class = string_to_security_class("context"); - if (!class) { - pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m"); - return 0; - } - - bit = string_to_av_perm(class, "contains"); - if (!bit) { - pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m"); - return 0; - } - - src_context = context_new (src); - dst_context = context_new (dst); - context_range_set(dst_context, context_range_get(src_context)); - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); - - retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd); - context_free(src_context); - context_free(dst_context); - if (retval || ((bit & avd.allowed) != bit)) - return 0; - - return 1; -} - -static security_context_t -config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug) +static char * +config_context (pam_handle_t *pamh, const char *defaultcon, int use_current_range, int debug) { - security_context_t newcon=NULL; + char *newcon = NULL; context_t new_context; int mls_enabled = is_selinux_mls_enabled(); char *response=NULL; char *type=NULL; char resp_val = 0; - pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), defaultcon); + pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("The default security context is %s."), defaultcon); while (1) { if (query_response(pamh, @@ -227,7 +189,8 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (query_response(pamh, _("role:"), context_role_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (get_default_type(response, &type)) { - pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); + pam_prompt(pamh, PAM_ERROR_MSG, NULL, + _("There is no default type for role %s."), response); _pam_drop(response); continue; } else { @@ -243,7 +206,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (mls_enabled) { if (use_current_range) { - security_context_t mycon = NULL; + char *mycon = NULL; context_t my_context; if (getcon(&mycon) != 0) @@ -277,22 +240,23 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre goto fail_set; context_free(new_context); - /* we have to check that this user is allowed to go into the - range they have specified ... role is tied to an seuser, so that'll - be checked at setexeccon time */ - if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { + /* we have to check that this user is allowed to go into the + range they have specified ... role is tied to an seuser, so that'll + be checked at setexeccon time */ + if (mls_enabled && + selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); send_audit_message(pamh, 0, defaultcon, newcon); free(newcon); - goto fail_range; + goto fail_range; } return newcon; } else { send_audit_message(pamh, 0, defaultcon, context_str(new_context)); - send_text(pamh,_("Not a valid security context"),debug); + send_text(pamh,_("This is not a valid security context."),debug); } context_free(new_context); /* next time around allocates another */ } @@ -311,10 +275,10 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre return NULL; } -static security_context_t -context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_params, int use_current_range, int debug) +static char * +context_from_env (pam_handle_t *pamh, const char *defaultcon, int env_params, int use_current_range, int debug) { - security_context_t newcon = NULL; + char *newcon = NULL; context_t new_context; context_t my_context = NULL; int mls_enabled = is_selinux_mls_enabled(); @@ -348,7 +312,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par } if (use_current_range) { - security_context_t mycon = NULL; + char *mycon = NULL; if (getcon(&mycon) != 0) goto fail_set; @@ -388,7 +352,8 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par /* we have to check that this user is allowed to go into the range they have specified ... role is tied to an seuser, so that'll be checked at setexeccon time */ - if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { + if (mls_enabled && + selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); goto fail_set; @@ -410,11 +375,11 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par #define DATANAME "pam_selinux_context" typedef struct { - security_context_t exec_context; - security_context_t prev_exec_context; - security_context_t default_user_context; - security_context_t tty_context; - security_context_t prev_tty_context; + char *exec_context; + char *prev_exec_context; + char *default_user_context; + char *tty_context; + char *prev_tty_context; char *tty_path; } module_data_t; @@ -428,7 +393,6 @@ free_module_data(module_data_t *data) freecon(data->prev_exec_context); if (data->exec_context != data->default_user_context) freecon(data->exec_context); - memset(data, 0, sizeof(*data)); free(data); } @@ -455,7 +419,7 @@ get_item(const pam_handle_t *pamh, int item_type) } static int -set_exec_context(const pam_handle_t *pamh, security_context_t context) +set_exec_context(const pam_handle_t *pamh, const char *context) { if (setexeccon(context) == 0) return 0; @@ -465,7 +429,7 @@ set_exec_context(const pam_handle_t *pamh, security_context_t context) } static int -set_file_context(const pam_handle_t *pamh, security_context_t context, +set_file_context(const pam_handle_t *pamh, const char *context, const char *file) { if (!file) @@ -489,7 +453,7 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data, #endif char *seuser = NULL; char *level = NULL; - security_context_t *contextlist = NULL; + char **contextlist = NULL; int num_contexts = 0; const struct passwd *pwd; @@ -541,7 +505,7 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data, if (!data->exec_context) { pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); pam_prompt(pamh, PAM_ERROR_MSG, NULL, - _("Unable to get valid context for %s"), username); + _("A valid context for %s could not be obtained."), username); } if (getexeccon(&data->prev_exec_context) < 0) @@ -554,8 +518,10 @@ static int compute_tty_context(const pam_handle_t *pamh, module_data_t *data) { const char *tty = get_item(pamh, PAM_TTY); + security_class_t tclass; - if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) { + if (!tty || !*tty || !strcmp(tty, "ssh") + || pam_str_skip_prefix(tty, "NODEV") != NULL) { tty = ttyname(STDIN_FILENO); if (!tty || !*tty) tty = ttyname(STDOUT_FILENO); @@ -565,7 +531,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) return PAM_SUCCESS; } - if (strncmp("/dev/", tty, 5)) { + if (pam_str_skip_prefix(tty, "/dev/") == NULL) { if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0) data->tty_path = NULL; } else { @@ -586,11 +552,21 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) } pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m", data->tty_path); - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; + } + + tclass = string_to_security_class("chr_file"); + if (tclass == 0) { + pam_syslog(pamh, LOG_ERR, "Failed to get chr_file security class"); + freecon(data->prev_tty_context); + data->prev_tty_context = NULL; + free(data->tty_path); + data->tty_path = NULL; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } if (security_compute_relabel(data->exec_context, data->prev_tty_context, - SECCLASS_CHR_FILE, &data->tty_context)) { + tclass, &data->tty_context)) { data->tty_context = NULL; pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m", data->tty_path); @@ -598,7 +574,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) data->prev_tty_context = NULL; free(data->tty_path); data->tty_path = NULL; - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } return PAM_SUCCESS; @@ -629,7 +605,7 @@ restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug) data->prev_exec_context ? data->prev_exec_context : ""); err |= set_exec_context(pamh, data->prev_exec_context); - if (err && security_getenforce() == 1) + if (err && security_getenforce() != 0) return PAM_SESSION_ERR; return PAM_SUCCESS; @@ -660,7 +636,7 @@ set_context(pam_handle_t *pamh, const module_data_t *data, char msg[PATH_MAX]; snprintf(msg, sizeof(msg), - _("Security Context %s Assigned"), data->exec_context); + _("Security context %s has been assigned."), data->exec_context); send_text(pamh, msg, debug); } #ifdef HAVE_SETKEYCREATECON @@ -676,12 +652,12 @@ set_context(pam_handle_t *pamh, const module_data_t *data, char msg[PATH_MAX]; snprintf(msg, sizeof(msg), - _("Key Creation Context %s Assigned"), data->exec_context); + _("Key creation context %s has been assigned."), data->exec_context); send_text(pamh, msg, debug); } #endif - if (err && security_getenforce() == 1) + if (err && security_getenforce() != 0) return PAM_SESSION_ERR; return PAM_SUCCESS; @@ -740,7 +716,7 @@ create_context(pam_handle_t *pamh, int argc, const char **argv, if (!data->exec_context) { free_module_data(data); - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) { diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index bc822757..6e7e96e5 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -6,23 +6,26 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit +EXTRA_DIST = $(XMLS) -if HAVE_LIBSELINUX - TESTS = tst-pam_sepermit - man_MANS = pam_sepermit.8 sepermit.conf.5 +if HAVE_DOC +dist_man_MANS = pam_sepermit.8 sepermit.conf.5 endif - XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml +dist_check_SCRIPTS = tst-pam_sepermit +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif sepermitlockdir = ${localstatedir}/run/sepermit AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include \ - -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ - -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" + -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" $(WARN_CFLAGS) pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module @@ -30,15 +33,16 @@ if HAVE_VERSIONING pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_LIBSELINUX - secureconf_DATA = sepermit.conf - securelib_LTLIBRARIES = pam_sepermit.la +dist_secureconf_DATA = sepermit.conf +securelib_LTLIBRARIES = pam_sepermit.la + +check_PROGRAMS = tst-pam_sepermit-retval +tst_pam_sepermit_retval_LDADD = $(top_builddir)/libpam/libpam.la install-data-local: mkdir -p $(DESTDIR)$(sepermitlockdir) -endif + if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_sepermit.8 sepermit.conf.5 -README: pam_sepermit.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_sepermit/Makefile.in b/modules/pam_sepermit/Makefile.in index 0e530a9c..4fb5cbf7 100644 --- a/modules/pam_sepermit/Makefile.in +++ b/modules/pam_sepermit/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,25 +95,29 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_sepermit-retval$(EXEEXT) subdir = modules/pam_sepermit -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -149,8 +163,10 @@ pam_sepermit_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(pam_sepermit_la_LDFLAGS) $(LDFLAGS) \ -o $@ -@HAVE_LIBSELINUX_TRUE@am_pam_sepermit_la_rpath = -rpath \ -@HAVE_LIBSELINUX_TRUE@ $(securelibdir) +tst_pam_sepermit_retval_SOURCES = tst-pam_sepermit-retval.c +tst_pam_sepermit_retval_OBJECTS = tst-pam_sepermit-retval.$(OBJEXT) +tst_pam_sepermit_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -165,7 +181,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_sepermit.Plo \ + ./$(DEPDIR)/tst-pam_sepermit-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -185,8 +203,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_sepermit.c -DIST_SOURCES = pam_sepermit.c +SOURCES = pam_sepermit.c tst-pam_sepermit-retval.c +DIST_SOURCES = pam_sepermit.c tst-pam_sepermit-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -195,8 +213,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -371,6 +390,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -393,6 +413,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -412,24 +435,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -443,7 +475,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -462,11 +493,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -489,8 +523,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -501,11 +534,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -548,7 +588,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -556,9 +595,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -568,30 +604,33 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit -@HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_sepermit -@HAVE_LIBSELINUX_TRUE@man_MANS = pam_sepermit.8 sepermit.conf.5 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_sepermit.8 sepermit.conf.5 XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml +dist_check_SCRIPTS = tst-pam_sepermit +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) sepermitlockdir = ${localstatedir}/run/sepermit AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include \ - -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ - -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" + -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" $(WARN_CFLAGS) pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) -@HAVE_LIBSELINUX_TRUE@secureconf_DATA = sepermit.conf -@HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_sepermit.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_sepermit.8 sepermit.conf.5 +dist_secureconf_DATA = sepermit.conf +securelib_LTLIBRARIES = pam_sepermit.la +tst_pam_sepermit_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -608,14 +647,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_sepermit/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_sepermit/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -627,6 +665,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -663,7 +710,11 @@ clean-securelibLTLIBRARIES: } pam_sepermit.la: $(pam_sepermit_la_OBJECTS) $(pam_sepermit_la_DEPENDENCIES) $(EXTRA_pam_sepermit_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_sepermit_la_LINK) $(am_pam_sepermit_la_rpath) $(pam_sepermit_la_OBJECTS) $(pam_sepermit_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(pam_sepermit_la_LINK) -rpath $(securelibdir) $(pam_sepermit_la_OBJECTS) $(pam_sepermit_la_LIBADD) $(LIBS) + +tst-pam_sepermit-retval$(EXEEXT): $(tst_pam_sepermit_retval_OBJECTS) $(tst_pam_sepermit_retval_DEPENDENCIES) $(EXTRA_tst_pam_sepermit_retval_DEPENDENCIES) + @rm -f tst-pam_sepermit-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_sepermit_retval_OBJECTS) $(tst_pam_sepermit_retval_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -671,21 +722,28 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_sepermit.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_sepermit.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_sepermit-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -699,10 +757,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -737,15 +795,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -780,14 +838,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -801,9 +859,9 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) @@ -889,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -966,7 +1024,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -979,7 +1037,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -989,7 +1047,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1007,6 +1065,13 @@ tst-pam_sepermit.log: tst-pam_sepermit --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_sepermit-retval.log: tst-pam_sepermit-retval$(EXEEXT) + @p='tst-pam_sepermit-retval$(EXEEXT)'; \ + b='tst-pam_sepermit-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1022,7 +1087,10 @@ tst-pam_sepermit.log: tst-pam_sepermit @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1053,6 +1121,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1095,14 +1165,14 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) -@HAVE_LIBSELINUX_FALSE@install-data-local: clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_sepermit.Plo + -rm -f ./$(DEPDIR)/tst-pam_sepermit-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1119,8 +1189,8 @@ info: info-am info-am: -install-data-am: install-data-local install-man install-secureconfDATA \ - install-securelibLTLIBRARIES +install-data-am: install-data-local install-dist_secureconfDATA \ + install-man install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1149,7 +1219,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_sepermit.Plo + -rm -f ./$(DEPDIR)/tst-pam_sepermit-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1166,35 +1237,37 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-data-local install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-man5 install-man8 install-pdf install-pdf-am \ - install-ps install-ps-am install-secureconfDATA \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-local install-dist_secureconfDATA \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-html install-html-am install-info install-info-am \ + install-man install-man5 install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES + recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_secureconfDATA uninstall-man uninstall-man5 \ + uninstall-man8 uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@HAVE_LIBSELINUX_TRUE@install-data-local: -@HAVE_LIBSELINUX_TRUE@ mkdir -p $(DESTDIR)$(sepermitlockdir) -@ENABLE_REGENERATE_MAN_TRUE@README: pam_sepermit.8.xml +install-data-local: + mkdir -p $(DESTDIR)$(sepermitlockdir) @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_sepermit/README b/modules/pam_sepermit/README index cd697bb9..b91424e6 100644 --- a/modules/pam_sepermit/README +++ b/modules/pam_sepermit/README @@ -23,6 +23,9 @@ disabled and pam_sepermit will return PAM_IGNORE. See sepermit.conf(5) for details. +If there is no explicitly specified configuration file and /etc/security/ +sepermit.conf does not exist, %vendordir%/security/sepermit.conf is used. + OPTIONS debug diff --git a/modules/pam_sepermit/README.xml b/modules/pam_sepermit/README.xml index bb65951c..a8d31d8c 100644 --- a/modules/pam_sepermit/README.xml +++ b/modules/pam_sepermit/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_sepermit.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_sepermit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_sepermit/pam_sepermit.8 b/modules/pam_sepermit/pam_sepermit.8 index 71fd28d6..32707460 100644 --- a/modules/pam_sepermit/pam_sepermit.8 +++ b/modules/pam_sepermit/pam_sepermit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_sepermit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SEPERMIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SEPERMIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -55,13 +55,13 @@ See for details\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBconf=\fR\fB\fI/path/to/config/file\fR\fR +conf=/path/to/config/file .RS 4 Path to alternative config file overriding the default\&. .RE @@ -124,7 +124,8 @@ session required pam_permit\&.so \fBsepermit.conf\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\fBselinux\fR(8) +\fBpam\fR(7) +\fBselinux\fR(8) .SH "AUTHOR" .PP pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index 30d9cc54..1ead4298 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_sepermit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_sepermit"> <refmeta> <refentrytitle>pam_sepermit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_sepermit-name"> + <refnamediv xml:id="pam_sepermit-name"> <refname>pam_sepermit</refname> <refpurpose>PAM module to allow/deny login depending on SELinux enforcement state</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_sepermit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_sepermit-cmdsynopsis" sepchar=" "> <command>pam_sepermit.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conf=<replaceable>/path/to/config/file</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_sepermit-description"> + <refsect1 xml:id="pam_sepermit-description"> <title>DESCRIPTION</title> <para> The pam_sepermit module allows or denies login depending on SELinux @@ -54,15 +51,19 @@ <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry> for details. </para> - + <para condition="with_vendordir"> + If there is no explicitly specified configuration file and + <filename>/etc/security/sepermit.conf</filename> does not exist, + <filename>%vendordir%/security/sepermit.conf</filename> is used. + </para> </refsect1> - <refsect1 id="pam_sepermit-options"> + <refsect1 xml:id="pam_sepermit-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -75,7 +76,7 @@ </varlistentry> <varlistentry> <term> - <option>conf=<replaceable>/path/to/config/file</replaceable></option> + conf=/path/to/config/file </term> <listitem> <para> @@ -86,7 +87,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_sepermit-types"> + <refsect1 xml:id="pam_sepermit-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> @@ -94,7 +95,7 @@ </para> </refsect1> - <refsect1 id='pam_sepermit-return_values'> + <refsect1 xml:id="pam_sepermit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -141,11 +142,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_sepermit-files"> + <refsect1 xml:id="pam_sepermit-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/sepermit.conf</filename></term> + <term>/etc/security/sepermit.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -153,7 +154,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_sepermit-examples'> + <refsect1 xml:id="pam_sepermit-examples"> <title>EXAMPLES</title> <programlisting> auth [success=done ignore=ignore default=bad] pam_sepermit.so @@ -163,7 +164,7 @@ session required pam_permit.so </programlisting> </refsect1> - <refsect1 id='pam_sepermit-see_also'> + <refsect1 xml:id="pam_sepermit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -176,7 +177,7 @@ session required pam_permit.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> <citerefentry> <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> @@ -184,11 +185,11 @@ session required pam_permit.so </para> </refsect1> - <refsect1 id='pam_sepermit-author'> + <refsect1 xml:id="pam_sepermit-author"> <title>AUTHOR</title> <para> pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index c6532907..5fbc8fdd 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -1,5 +1,5 @@ /****************************************************************************** - * A module for Linux-PAM that allows/denies acces based on SELinux state. + * A module for Linux-PAM that allows/denies access based on SELinux state. * * Copyright (c) 2007, 2008, 2009 Red Hat, Inc. * Originally written by Tomas Mraz <tmraz@redhat.com> @@ -35,7 +35,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" @@ -53,12 +52,8 @@ #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> -#include <pwd.h> #include <dirent.h> -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> @@ -66,6 +61,12 @@ #include <selinux/selinux.h> +#include "pam_inline.h" + +#define SEPERMIT_CONF_FILE (SCONFIGDIR "/sepermit.conf") +#ifdef VENDOR_SCONFIGDIR +# define SEPERMIT_VENDOR_CONF_FILE (VENDOR_SCONFIGDIR "/sepermit.conf"); +#endif #define MODULE "pam_sepermit" #define OPT_DELIM ":" @@ -232,7 +233,8 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug) struct passwd *pw = pam_modutil_getpwnam( pamh, user ); if (!pw) { - pam_syslog(pamh, LOG_ERR, "Unable to find uid for user %s", user); + pam_syslog(pamh, LOG_NOTICE, "Unable to find uid for user %s", + user); return -1; } if (check_running(pamh, pw->pw_uid, 0, debug) > 0) { @@ -353,7 +355,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, if (*sense == PAM_SUCCESS) { if (ignore) *sense = PAM_IGNORE; - if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1) + if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1) if (sepermit_lock(pamh, user, debug) < 0) *sense = PAM_AUTH_ERR; } @@ -374,24 +376,38 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, const char *user = NULL; char *seuser = NULL; char *level = NULL; - const char *cfgfile = SEPERMIT_CONF_FILE; + const char *cfgfile = NULL; /* Parse arguments. */ for (i = 0; i < argc; i++) { + const char *str; + if (strcmp(argv[i], "debug") == 0) { debug = 1; + } else if ((str = pam_str_skip_prefix(argv[i], "conf=")) != NULL) { + cfgfile = str; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]); } - if (strcmp(argv[i], "conf=") == 0) { - cfgfile = argv[i] + 5; - } + } + + if (cfgfile == NULL) { +#ifdef SEPERMIT_VENDOR_CONF_FILE + struct stat buffer; + + cfgfile = SEPERMIT_CONF_FILE; + if (stat(cfgfile, &buffer) != 0 && errno == ENOENT) + cfgfile = SEPERMIT_VENDOR_CONF_FILE; +#else + cfgfile = SEPERMIT_CONF_FILE; +#endif } if (debug) pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_sepermit/sepermit.conf b/modules/pam_sepermit/sepermit.conf index 951f3dfe..0a12cd83 100644 --- a/modules/pam_sepermit/sepermit.conf +++ b/modules/pam_sepermit/sepermit.conf @@ -1,7 +1,7 @@ # /etc/security/sepermit.conf # # Each line contains either: -# - an user name +# - a user name # - a group name, with @group syntax # - a SELinux user name, with %seuser syntax # Each line can contain optional arguments separated by : diff --git a/modules/pam_sepermit/sepermit.conf.5 b/modules/pam_sepermit/sepermit.conf.5 index d797b535..d2cd3810 100644 --- a/modules/pam_sepermit/sepermit.conf.5 +++ b/modules/pam_sepermit/sepermit.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: sepermit.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "SEPERMIT\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "SEPERMIT\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -78,12 +78,12 @@ syntax\&. .PP The recognized options are: .PP -\fBexclusive\fR +exclusive .RS 4 Only single login session will be allowed for the user and the user\*(Aqs processes will be killed on logout\&. .RE .PP -\fBignore\fR +ignore .RS 4 The module will never return PAM_SUCCESS status for the user\&. It will return PAM_IGNORE if SELinux is in the enforcing mode, and PAM_AUTH_ERR otherwise\&. It is useful if you want to support passwordless guest users and other confined users with passwords simultaneously\&. .RE @@ -110,7 +110,7 @@ These are some example lines which might be specified in .PP \fBpam_sepermit\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBselinux\fR(8), .SH "AUTHOR" .PP diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml index 511480f6..1f1dcaeb 100644 --- a/modules/pam_sepermit/sepermit.conf.5.xml +++ b/modules/pam_sepermit/sepermit.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="sepermit.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="sepermit.conf"> <refmeta> <refentrytitle>sepermit.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_sepermit module</refpurpose> </refnamediv> - <refsect1 id='sepermit.conf-description'> + <refsect1 xml:id="sepermit.conf-description"> <title>DESCRIPTION</title> <para> The lines of the configuration file have the following syntax: @@ -24,7 +21,7 @@ <replaceable><user></replaceable>[:<replaceable><option></replaceable>:<replaceable><option></replaceable>...] </para> <para> - The <emphasis remap='B'>user</emphasis> can be specified in the following manner: + The <emphasis remap="B">user</emphasis> can be specified in the following manner: </para> <itemizedlist> <listitem> @@ -34,13 +31,13 @@ </listitem> <listitem> <para> - a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + a groupname, with <emphasis remap="B">@group</emphasis> syntax. This should not be confused with netgroups. </para> </listitem> <listitem> <para> - a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax. + a SELinux user name with <emphasis remap="B">%seuser</emphasis> syntax. </para> </listitem> </itemizedlist> @@ -51,7 +48,7 @@ <variablelist> <varlistentry> - <term><option>exclusive</option></term> + <term>exclusive</term> <listitem> <para> Only single login session will be allowed for the user @@ -60,7 +57,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>ignore</option></term> + <term>ignore</term> <listitem> <para> The module will never return PAM_SUCCESS status for the user. @@ -78,7 +75,7 @@ </para> </refsect1> - <refsect1 id="sepermit.conf-examples"> + <refsect1 xml:id="sepermit.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -91,20 +88,20 @@ </programlisting> </refsect1> - <refsect1 id="sepermit.conf-see_also"> + <refsect1 xml:id="sepermit.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>, </para> </refsect1> - <refsect1 id="sepermit.conf-author"> + <refsect1 xml:id="sepermit.conf-author"> <title>AUTHOR</title> <para> pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_sepermit/tst-pam_sepermit-retval.c b/modules/pam_sepermit/tst-pam_sepermit-retval.c new file mode 100644 index 00000000..321bd6d1 --- /dev/null +++ b/modules/pam_sepermit/tst-pam_sepermit-retval.c @@ -0,0 +1,158 @@ +/* + * Check pam_sepermit return values and conf= option. + * + * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_sepermit" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char missing_file[] = TEST_NAME ".missing"; +static const char config_file[] = TEST_NAME ".conf"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_NE(NULL, fp = fopen(config_file, "w")); + ASSERT_LT(0, fprintf(fp, "nosuchuser:ignore\n")); + ASSERT_EQ(0, fclose(fp)); + + /* + * conf= specifies an existing file, + * PAM_IGNORE -> PAM_PERM_DENIED + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conf=%s\n" + "account required %s/.libs/%s.so conf=%s\n" + "password required %s/.libs/%s.so conf=%s\n" + "session required %s/.libs/%s.so conf=%s\n", + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * conf= specifies an existing file, + * PAM_IGNORE -> PAM_SUCCESS + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conf=%s\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so conf=%s\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so conf=%s\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so conf=%s\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, config_file, cwd, + cwd, MODULE_NAME, config_file, cwd, + cwd, MODULE_NAME, config_file, cwd, + cwd, MODULE_NAME, config_file, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * conf= specifies a missing file, + * PAM_IGNORE -> PAM_PERM_DENIED + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conf=%s\n" + "account required %s/.libs/%s.so conf=%s\n" + "password required %s/.libs/%s.so conf=%s\n" + "session required %s/.libs/%s.so conf=%s\n", + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* cleanup */ + ASSERT_EQ(0, unlink(config_file)); + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_setquota/Makefile.am b/modules/pam_setquota/Makefile.am new file mode 100644 index 00000000..1582e515 --- /dev/null +++ b/modules/pam_setquota/Makefile.am @@ -0,0 +1,33 @@ +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = $(XMLS) + +if HAVE_DOC +dist_man_MANS = pam_setquota.8 +endif +XMLS = README.xml pam_setquota.8.xml +dist_check_SCRIPTS = tst-pam_setquota +TESTS = $(dist_check_SCRIPTS) + +securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else +secureconfdir = $(SCONFIGDIR) +endif + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) +AM_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_setquota.la +pam_setquota_la_LIBADD = $(top_builddir)/libpam/libpam.la + +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_cracklib/Makefile.in b/modules/pam_setquota/Makefile.in index 03d8547f..5e4375a9 100644 --- a/modules/pam_cracklib/Makefile.in +++ b/modules/pam_setquota/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,13 +14,19 @@ @SET_MAKE@ -# -# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de> -# - VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +90,27 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map -subdir = modules/pam_cracklib -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README +subdir = modules/pam_setquota ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -136,14 +144,13 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_cracklib_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la -pam_cracklib_la_SOURCES = pam_cracklib.c -pam_cracklib_la_OBJECTS = pam_cracklib.lo +pam_setquota_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_setquota_la_SOURCES = pam_setquota.c +pam_setquota_la_OBJECTS = pam_setquota.lo AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -@HAVE_LIBCRACK_TRUE@am_pam_cracklib_la_rpath = -rpath $(securelibdir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -158,7 +165,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_setquota.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -178,8 +186,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_cracklib.c -DIST_SOURCES = pam_cracklib.c +SOURCES = pam_setquota.c +DIST_SOURCES = pam_setquota.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -187,8 +195,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -363,6 +372,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -385,6 +395,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -404,24 +417,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -435,7 +457,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -454,11 +475,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -481,8 +505,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -493,11 +516,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -540,7 +570,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -548,9 +577,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -560,25 +586,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_cracklib.8 tst-pam_cracklib -@HAVE_LIBCRACK_TRUE@TESTS = tst-pam_cracklib -@HAVE_LIBCRACK_TRUE@man_MANS = pam_cracklib.8 -XMLS = README.xml pam_cracklib.8.xml +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_setquota.8 +XMLS = README.xml pam_setquota.8.xml +dist_check_SCRIPTS = tst-pam_setquota +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) -pam_cracklib_la_LIBADD = $(top_builddir)/libpam/libpam.la \ - @LIBCRACK@ @LIBCRYPT@ +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) -@HAVE_LIBCRACK_TRUE@securelib_LTLIBRARIES = pam_cracklib.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_cracklib.8 +AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) +securelib_LTLIBRARIES = pam_setquota.la +pam_setquota_la_LIBADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,17 +621,16 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_cracklib/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_setquota/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu modules/pam_cracklib/Makefile -.PRECIOUS: Makefile + $(AUTOMAKE) --gnu modules/pam_setquota/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -649,8 +677,8 @@ clean-securelibLTLIBRARIES: rm -f $${locs}; \ } -pam_cracklib.la: $(pam_cracklib_la_OBJECTS) $(pam_cracklib_la_DEPENDENCIES) $(EXTRA_pam_cracklib_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) $(am_pam_cracklib_la_rpath) $(pam_cracklib_la_OBJECTS) $(pam_cracklib_la_LIBADD) $(LIBS) +pam_setquota.la: $(pam_setquota_la_OBJECTS) $(pam_setquota_la_DEPENDENCIES) $(EXTRA_pam_setquota_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_setquota_la_OBJECTS) $(pam_setquota_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -658,21 +686,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_cracklib.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_setquota.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -686,10 +720,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -724,7 +758,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -812,7 +846,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -889,7 +923,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -902,7 +936,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -912,7 +946,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -923,9 +957,9 @@ recheck: all am__force_recheck=am--force-recheck \ TEST_LOGS="$$log_list"; \ exit $$? -tst-pam_cracklib.log: tst-pam_cracklib - @p='tst-pam_cracklib'; \ - b='tst-pam_cracklib'; \ +tst-pam_setquota.log: tst-pam_setquota + @p='tst-pam_setquota'; \ + b='tst-pam_setquota'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -945,7 +979,10 @@ tst-pam_cracklib.log: tst-pam_cracklib @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -976,6 +1013,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1024,7 +1062,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_setquota.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1070,7 +1108,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_setquota.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1093,15 +1131,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1109,7 +1148,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_cracklib.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_setquota/README b/modules/pam_setquota/README new file mode 100644 index 00000000..fd00da7d --- /dev/null +++ b/modules/pam_setquota/README @@ -0,0 +1,80 @@ +pam_setquota — PAM module to set or modify disk quotas on session start + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_setquota is a PAM module to set or modify a disk quota at session start + +This makes quotas usable with central user databases, such as MySQL or LDAP. + +OPTIONS + +fs=/home + + The device file or mountpoint the policy applies to. Defaults to the + filesystem containing the users home directory. + +overwrite=0 + + Overwrite an existing quota. Note: Enabling this will remove the ability + for the admin to manually configure different quotas for users for a + filesystem with edquota(8). (Defaults to 0) + +debug=0 + + Enable debugging. A value of 1 outputs the old and new quota on a device. A + value of 2 also prints out the matched and found filesystems should fs be + unset. (Defaults to 0) + +startuid=1000 + + Describe the start of the UID range the policy is applied to. (Defaults to + UID_MIN from login.defs or the uidmin value defined at compile-time if + UID_MIN is undefined.) + +enduid=0 + + Describe the end of the UID range the policy is applied to. Setting enduid= + 0 results in an open-ended UID range (i.e. all uids greater than startuid + are included). (Defaults to 0) + +bsoftlimit=19000 + + Soft limit for disk quota blocks, as defined by quotactl(2). Note: + bsoftlimit and bhardlimit must be set at the same time! + +bhardlimit=20000 + + Hard limit for disk quota blocks, as defined by quotactl(2). Note: + bsoftlimit and bhardlimit must be set at the same time! + +isoftlimit=3000 + + Soft limit for inodes, as defined by quotactl(2). Note: isoftlimit and + ihardlimit must be set at the same time! + +ihardlimit=4000 + + Hard limit for inodes, as defined by quotactl(2). Note: isoftlimit and + ihardlimit must be set at the same time! + +EXAMPLES + +A single invocation of `pam_setquota` applies a specific policy to a UID range. +Applying different policies to specific UID ranges is done by invoking +pam_setquota more than once. The last matching entry defines the resulting +quota. + + session required pam_setquota.so bsoftlimit=1000 bhardlimit=2000 isoftlimit=1000 ihardlimit=2000 startuid=1000 enduid=0 fs=/home + session required pam_setquota.so bsoftlimit=19000 bhardlimit=20000 isoftlimit=3000 ihardlimit=4000 startuid=2001 enduid=3000 fs=/dev/sda1 + session required pam_setquota.so bsoftlimit=19000 bhardlimit=20000 isoftlimit=3000 ihardlimit=4000 startuid=3001 enduid=4000 fs=/dev/sda1 overwrite=1 + + +AUTHOR + +pam_setquota was originally written by Ruslan Savchenko <savrus@mexmat.net>. + +Further modifications were made by Shane Tzen <shane@ict.usc.edu>, Sven Hartge +<sven@svenhartge.de> and Keller Fuchs <kellerfuchs@hashbang.sh>. + diff --git a/modules/pam_setquota/README.xml b/modules/pam_setquota/README.xml new file mode 100644 index 00000000..7f5e429d --- /dev/null +++ b/modules/pam_setquota/README.xml @@ -0,0 +1,27 @@ +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-name")/*)'/> + </title> + + </info> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-description")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-options")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-examples")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-author")/*)'/> + </section> + +</article>
\ No newline at end of file diff --git a/modules/pam_setquota/pam_setquota.8 b/modules/pam_setquota/pam_setquota.8 new file mode 100644 index 00000000..2c95097c --- /dev/null +++ b/modules/pam_setquota/pam_setquota.8 @@ -0,0 +1,186 @@ +'\" t +.\" Title: pam_setquota +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PAM_SETQUOTA" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_setquota \- PAM module to set or modify disk quotas on session start +.SH "SYNOPSIS" +.HP \w'\fBpam_setquota\&.so\fR\ 'u +\fBpam_setquota\&.so\fR [fs=\fI/home\fR] [overwrite=\fI0\fR] [debug=\fI0\fR] [startuid=\fI1000\fR] [enduid=\fI0\fR] [bsoftlimit=\fI19000\fR] [bhardlimit=\fI20000\fR] [isoftlimit=\fI3000\fR] [ihardlimit=\fI4000\fR] +.SH "DESCRIPTION" +.PP +pam_setquota is a PAM module to set or modify a disk quota at session start +.PP +This makes quotas usable with central user databases, such as MySQL or LDAP\&. +.SH "OPTIONS" +.PP +.PP +fs=/home +.RS 4 +The device file or mountpoint the policy applies to\&. Defaults to the filesystem containing the users home directory\&. +.RE +.PP +overwrite=0 +.RS 4 +Overwrite an existing quota\&. Note: Enabling this will remove the ability for the admin to manually configure different quotas for users for a filesystem with +\fBedquota\fR(8)\&. (Defaults to 0) +.RE +.PP +debug=0 +.RS 4 +Enable debugging\&. A value of 1 outputs the old and new quota on a device\&. A value of 2 also prints out the matched and found filesystems should +\fBfs\fR +be unset\&. (Defaults to 0) +.RE +.PP +startuid=1000 +.RS 4 +Describe the start of the UID range the policy is applied to\&. (Defaults to UID_MIN from login\&.defs or the uidmin value defined at compile\-time if UID_MIN is undefined\&.) +.RE +.PP +enduid=0 +.RS 4 +Describe the end of the UID range the policy is applied to\&. Setting +\fIenduid=0\fR +results in an open\-ended UID range (i\&.e\&. all uids greater than +\fBstartuid\fR +are included)\&. (Defaults to 0) +.RE +.PP +bsoftlimit=19000 +.RS 4 +Soft limit for disk quota blocks, as defined by +\fBquotactl\fR(2)\&. Note: +\fBbsoftlimit\fR +and +\fBbhardlimit\fR +\fImust\fR +be set at the same time! +.RE +.PP +bhardlimit=20000 +.RS 4 +Hard limit for disk quota blocks, as defined by +\fBquotactl\fR(2)\&. Note: +\fBbsoftlimit\fR +and +\fBbhardlimit\fR +\fImust\fR +be set at the same time! +.RE +.PP +isoftlimit=3000 +.RS 4 +Soft limit for inodes, as defined by +\fB quotactl\fR(2)\&. Note: +\fBisoftlimit\fR +and +\fBihardlimit\fR +\fImust\fR +be set at the same time! +.RE +.PP +ihardlimit=4000 +.RS 4 +Hard limit for inodes, as defined by +\fB quotactl\fR(2)\&. Note: +\fBisoftlimit\fR +and +\fBihardlimit\fR +\fImust\fR +be set at the same time! +.RE +.SH "MODULE TYPES PROVIDED" +.PP +Only the +\fBsession\fR +module type is provided\&. +.SH "RETURN VALUES" +.PP +.PP +PAM_SUCCESS +.RS 4 +The quota was set successfully\&. +.RE +.PP +PAM_IGNORE +.RS 4 +No action was taken because either the UID of the user was outside of the specified range, a quota already existed and +\fBoverwrite=1\fR +was not configured or no limits were configured at all\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The user was not found\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +/proc/mounts +could not be opened\&. +.sp +The filesystem or device specified was not found\&. +.sp +The limits for the user could not be retrieved\&. See syslog for more information\&. +.sp +The limits for the user could not be set\&. See syslog for more information\&. +.sp +Either +\fBisoftlimit\fR/\fBihardlimit\fR +or +\fBbsoftlimit\fR/\fBbhardlimit\fR +were not set at the same time\&. +.RE +.SH "EXAMPLES" +.PP +A single invocation of `pam_setquota` applies a specific policy to a UID range\&. Applying different policies to specific UID ranges is done by invoking pam_setquota more than once\&. The last matching entry defines the resulting quota\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf + session required pam_setquota\&.so bsoftlimit=1000 bhardlimit=2000 isoftlimit=1000 ihardlimit=2000 startuid=1000 enduid=0 fs=/home + session required pam_setquota\&.so bsoftlimit=19000 bhardlimit=20000 isoftlimit=3000 ihardlimit=4000 startuid=2001 enduid=3000 fs=/dev/sda1 + session required pam_setquota\&.so bsoftlimit=19000 bhardlimit=20000 isoftlimit=3000 ihardlimit=4000 startuid=3001 enduid=4000 fs=/dev/sda1 overwrite=1 + +.fi +.if n \{\ +.RE +.\} +.sp +.SH "SEE ALSO" +.PP +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_setquota was originally written by Ruslan Savchenko <savrus@mexmat\&.net>\&. +.PP +Further modifications were made by Shane Tzen <shane@ict\&.usc\&.edu>, Sven Hartge <sven@svenhartge\&.de> and Keller Fuchs <kellerfuchs@hashbang\&.sh>\&. diff --git a/modules/pam_setquota/pam_setquota.8.xml b/modules/pam_setquota/pam_setquota.8.xml new file mode 100644 index 00000000..41644eeb --- /dev/null +++ b/modules/pam_setquota/pam_setquota.8.xml @@ -0,0 +1,299 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_setquota"> + + <refmeta> + <refentrytitle>pam_setquota</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pam_setquota-name"> + <refname>pam_setquota</refname> + <refpurpose>PAM module to set or modify disk quotas on session start</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis xml:id="pam_setquota-cmdsynopsis" sepchar=" "> + <command>pam_setquota.so</command> + <arg choice="opt" rep="norepeat"> + fs=<replaceable>/home</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + overwrite=<replaceable>0</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + debug=<replaceable>0</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + startuid=<replaceable>1000</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + enduid=<replaceable>0</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + bsoftlimit=<replaceable>19000</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + bhardlimit=<replaceable>20000</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + isoftlimit=<replaceable>3000</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + ihardlimit=<replaceable>4000</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 xml:id="pam_setquota-description"> + + <title>DESCRIPTION</title> + + <para> + pam_setquota is a PAM module to set or modify a disk quota at session start + </para> + <para> + This makes quotas usable with central user databases, such as MySQL or LDAP. + </para> + + </refsect1> + + <refsect1 xml:id="pam_setquota-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + <varlistentry> + <term> + fs=/home + </term> + <listitem> + <para> + The device file or mountpoint the policy applies to. Defaults to the + filesystem containing the users home directory. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + overwrite=0 + </term> + <listitem> + <para> + Overwrite an existing quota. Note: Enabling this will remove the ability + for the admin to manually configure different quotas for users for a + filesystem with <citerefentry><refentrytitle>edquota</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>. (Defaults to 0) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + debug=0 + </term> + <listitem> + <para> + Enable debugging. A value of 1 outputs the old and new quota on a device. + A value of 2 also prints out the matched and found filesystems should + <option>fs</option> be unset. (Defaults to 0) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + startuid=1000 + </term> + <listitem> + <para> + Describe the start of the UID range the policy is applied to. + (Defaults to UID_MIN from login.defs or the uidmin value defined + at compile-time if UID_MIN is undefined.) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + enduid=0 + </term> + <listitem> + <para> + Describe the end of the UID range the policy is applied to. Setting + <emphasis>enduid=0</emphasis> results in an open-ended UID + range (i.e. all uids greater than <option>startuid</option> are + included). (Defaults to 0) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + bsoftlimit=19000 + </term> + <listitem> + <para> + Soft limit for disk quota blocks, as defined by <citerefentry> + <refentrytitle>quotactl</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>. + Note: <option>bsoftlimit</option> and <option>bhardlimit</option> + <emphasis>must</emphasis> be set at the same time! + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + bhardlimit=20000 + </term> + <listitem> + <para> + Hard limit for disk quota blocks, as defined by <citerefentry> + <refentrytitle>quotactl</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>. + Note: <option>bsoftlimit</option> and <option>bhardlimit</option> + <emphasis>must</emphasis> be set at the same time! + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + isoftlimit=3000 + </term> + <listitem> + <para> + Soft limit for inodes, as defined by <citerefentry><refentrytitle> + quotactl</refentrytitle><manvolnum>2</manvolnum></citerefentry>. + Note: <option>isoftlimit</option> and <option>ihardlimit</option> + <emphasis>must</emphasis> be set at the same time! + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + ihardlimit=4000 + </term> + <listitem> + <para> + Hard limit for inodes, as defined by <citerefentry><refentrytitle> + quotactl</refentrytitle><manvolnum>2</manvolnum></citerefentry>. + Note: <option>isoftlimit</option> and <option>ihardlimit</option> + <emphasis>must</emphasis> be set at the same time! + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + </refsect1> + + <refsect1 xml:id="pam_setquota-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <option>session</option> module type is provided. + </para> + </refsect1> + + <refsect1 xml:id="pam_setquota-return_values"> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The quota was set successfully. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + No action was taken because either the UID of the user was outside + of the specified range, a quota already existed and + <option>overwrite=1</option> was not configured or no limits were + configured at all. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user was not found. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + <filename>/proc/mounts</filename> could not be opened. + </para> + <para> + The filesystem or device specified was not found. + </para> + <para> + The limits for the user could not be retrieved. See syslog for + more information. + </para> + <para> + The limits for the user could not be set. See syslog for + more information. + </para> + <para> + Either <option>isoftlimit</option>/<option>ihardlimit</option> + or <option>bsoftlimit</option>/<option>bhardlimit</option> were + not set at the same time. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 xml:id="pam_setquota-examples"> + <title>EXAMPLES</title> + <para> + A single invocation of `pam_setquota` applies a specific policy to a UID + range. Applying different policies to specific UID ranges is done by + invoking pam_setquota more than once. The last matching entry + defines the resulting quota. + <programlisting> + session required pam_setquota.so bsoftlimit=1000 bhardlimit=2000 isoftlimit=1000 ihardlimit=2000 startuid=1000 enduid=0 fs=/home + session required pam_setquota.so bsoftlimit=19000 bhardlimit=20000 isoftlimit=3000 ihardlimit=4000 startuid=2001 enduid=3000 fs=/dev/sda1 + session required pam_setquota.so bsoftlimit=19000 bhardlimit=20000 isoftlimit=3000 ihardlimit=4000 startuid=3001 enduid=4000 fs=/dev/sda1 overwrite=1 + </programlisting> + </para> + </refsect1> + + <refsect1 xml:id="pam_setquota-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pam_setquota-author"> + <title>AUTHOR</title> + <para> + pam_setquota was originally written by + Ruslan Savchenko <savrus@mexmat.net>. + </para> + <para> + Further modifications were made by Shane Tzen <shane@ict.usc.edu>, + Sven Hartge <sven@svenhartge.de> + and Keller Fuchs <kellerfuchs@hashbang.sh>. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c new file mode 100644 index 00000000..ec45baac --- /dev/null +++ b/modules/pam_setquota/pam_setquota.c @@ -0,0 +1,389 @@ +/* PAM setquota module + + This PAM module sets disk quota when a session begins. + + Copyright © 2006 Ruslan Savchenko <savrus@mexmat.net> + Copyright © 2010 Shane Tzen <shane@ict.usc.edu> + Copyright © 2012-2020 Sven Hartge <sven@svenhartge.de> + Copyright © 2016 Keller Fuchs <kellerfuchs@hashbang.sh> +*/ + +#include <sys/types.h> +#include <sys/quota.h> +#include <linux/quota.h> +#include <pwd.h> +#include <syslog.h> +#include <errno.h> +#include <mntent.h> +#include <stdio.h> +#include <stdbool.h> + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> +#include "pam_inline.h" + +#ifndef PATH_LOGIN_DEFS +# define PATH_LOGIN_DEFS "/etc/login.defs" +#endif + +#define MAX_UID_VALUE 0xFFFFFFFFUL + +struct pam_params { + uid_t start_uid; + uid_t end_uid; + const char *fs; + size_t fs_len; + int overwrite; + int debug; +}; + +static inline void +debug(pam_handle_t *pamh, const struct if_dqblk *p, + const char *device, const char *dbgprefix) { + pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " + "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu", + dbgprefix, device, + (unsigned long long) p->dqb_bsoftlimit, + (unsigned long long) p->dqb_bhardlimit, + (unsigned long long) p->dqb_isoftlimit, + (unsigned long long) p->dqb_ihardlimit, + (unsigned long long) p->dqb_btime, + (unsigned long long) p->dqb_itime); +} + +static unsigned long long +str_to_dqb_num(pam_handle_t *pamh, const char *str, const char *param) { + char *ep = NULL; + + errno = 0; + long long temp = strtoll(str, &ep, 10); + if (temp < 0 || str == ep || *ep != '\0' || errno !=0) { + pam_syslog(pamh, LOG_ERR, "Parameter \"%s=%s\" invalid, setting to 0", param, str); + return 0; + } + else { + return temp; + } +} + +static bool +parse_dqblk(pam_handle_t *pamh, int argc, const char **argv, struct if_dqblk *p) { + bool bhard = false, bsoft = false, ihard = false, isoft = false; + + /* step through arguments */ + for (; argc-- > 0; ++argv) { + const char *str; + if ((str = pam_str_skip_prefix(*argv, "bhardlimit=")) != NULL) { + p->dqb_bhardlimit = str_to_dqb_num(pamh, str, "bhardlimit"); + p->dqb_valid |= QIF_BLIMITS; + bhard = true; + } else if ((str = pam_str_skip_prefix(*argv, "bsoftlimit=")) != NULL) { + p->dqb_bsoftlimit = str_to_dqb_num(pamh, str, "bsoftlimit"); + p->dqb_valid |= QIF_BLIMITS; + bsoft = true; + } else if ((str = pam_str_skip_prefix(*argv, "ihardlimit=")) != NULL) { + p->dqb_ihardlimit = str_to_dqb_num(pamh, str, "ihardlimit"); + p->dqb_valid |= QIF_ILIMITS; + ihard = true; + } else if ((str = pam_str_skip_prefix(*argv, "isoftlimit=")) != NULL) { + p->dqb_isoftlimit = str_to_dqb_num(pamh, str, "isoftlimit"); + p->dqb_valid |= QIF_ILIMITS; + isoft = true; + } else if ((str = pam_str_skip_prefix(*argv, "btime=")) != NULL) { + p->dqb_btime = str_to_dqb_num(pamh, str, "btime"); + p->dqb_valid |= QIF_BTIME; + } else if ((str = pam_str_skip_prefix(*argv, "itime=")) != NULL) { + p->dqb_itime = str_to_dqb_num(pamh, str, "itime"); + p->dqb_valid |= QIF_ITIME; + } + } + + /* return FALSE if a softlimit or hardlimit has been set + * independently of its counterpart. + */ + return !(bhard ^ bsoft) && !(ihard ^ isoft); +} + +/* inspired by pam_usertype_get_id */ +static uid_t +str_to_uid(pam_handle_t *pamh, const char *value, uid_t default_value, const char *param) { + unsigned long ul; + char *ep; + uid_t uid; + + errno = 0; + ul = strtoul(value, &ep, 10); + if (!(ul >= MAX_UID_VALUE + || (uid_t)ul >= MAX_UID_VALUE + || (errno != 0 && ul == 0) + || value == ep + || *ep != '\0')) { + uid = (uid_t)ul; + } else { + pam_syslog(pamh, LOG_ERR, "Parameter \"%s=%s\" invalid, " + "setting to %u", param, value, default_value); + uid = default_value; + } + + return uid; +} + +static void +parse_params(pam_handle_t *pamh, int argc, const char **argv, struct pam_params *p) { + /* step through arguments */ + for (; argc-- > 0; ++argv) { + const char *str; + char *ep = NULL; + if ((str = pam_str_skip_prefix(*argv, "startuid=")) != NULL) { + p->start_uid = str_to_uid(pamh, str, p->start_uid, "startuid"); + } else if ((str = pam_str_skip_prefix(*argv, "enduid=")) != NULL) { + p->end_uid = str_to_uid(pamh, str, p->end_uid, "enduid"); + } else if ((str = pam_str_skip_prefix(*argv, "fs=")) != NULL) { + p->fs = str; + p->fs_len = strlen(str); + /* Mask the unnecessary '/' from the end of fs parameter */ + if (p->fs_len > 1 && p->fs[p->fs_len - 1] == '/') + --p->fs_len; + } else if ((str = pam_str_skip_prefix(*argv, "overwrite=")) != NULL) { + errno = 0; + p->overwrite = strtol(str, &ep, 10); + if (*ep != '\0' || str == ep || errno !=0 || (p->overwrite < 0)) { + pam_syslog(pamh, LOG_ERR, "Parameter \"overwrite=%s\" invalid, " + "setting to 0", str); + p->overwrite = 0; + } + } else if ((str = pam_str_skip_prefix(*argv, "debug=")) != NULL) { + errno = 0; + p->debug = strtol(str, &ep, 10); + if (*ep != '\0' || str == ep || errno != 0 || (p->debug < 0)) { + pam_syslog(pamh, LOG_ERR, "Parameter \"debug=%s\" invalid, " + "setting to 0", str); + p->debug = 0; + } + } + } +} + +int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int retval; + char *val, *mntdevice = NULL; + const void *user; + const struct passwd *pwd; + struct pam_params param = { + .start_uid = PAM_USERTYPE_UIDMIN, + .end_uid = 0, + .fs = NULL }; + struct if_dqblk ndqblk; + FILE *fp; + size_t mnt_len = 0, match_size = 0; +#ifdef HAVE_GETMNTENT_R + char buf[BUFSIZ]; + struct mntent ent; +#endif + const struct mntent *mnt; + const char *service; + + if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) != PAM_SUCCESS) + service = ""; + + /* Get UID_MIN for default start_uid from login.defs */ + val = pam_modutil_search_key(pamh, PATH_LOGIN_DEFS, "UID_MIN"); + + /* Should UID_MIN be undefined, use current value of param.start_uid + * pre-defined as PAM_USERTYPE_UIDMIN set by configure as safe + * starting UID to avoid setting a quota for root and system + * users if startuid= parameter is absent. + */ + if (val) { + param.start_uid = str_to_uid(pamh, val, param.start_uid, PATH_LOGIN_DEFS":UID_MIN"); + } + + /* Parse parameter values + * Must come after pam_modutil_search_key so that the current system + * default for UID_MIN is already in p.start_uid to serve as default + * for str_to_uid in case of a parse error. + * */ + parse_params(pamh, argc, argv, ¶m); + + if (param.debug >= 1) + pam_syslog(pamh, LOG_DEBUG, "Config: startuid=%u enduid=%u fs=%s " + "debug=%d overwrite=%d", + param.start_uid, param.end_uid, + param.fs ? param.fs : "(none)", + param.debug, param.overwrite); + + /* Determine the user name so we can get the home directory */ + retval = pam_get_item(pamh, PAM_USER, &user); + if (retval != PAM_SUCCESS || user == NULL || *(const char *)user == '\0') { + pam_syslog(pamh, LOG_NOTICE, "user unknown"); + return PAM_USER_UNKNOWN; + } + + /* Get the password entry */ + pwd = pam_modutil_getpwnam(pamh, user); + if (pwd == NULL) { + pam_syslog(pamh, LOG_NOTICE, "user unknown"); + return PAM_USER_UNKNOWN; + } + + /* Check if we should not set quotas for user */ + if ((pwd->pw_uid < param.start_uid) || + ((param.end_uid >= param.start_uid) && (param.start_uid != 0) && + (pwd->pw_uid > param.end_uid))) + return PAM_SUCCESS; + + /* Find out what device the filesystem is hosted on */ + if ((fp = setmntent("/proc/mounts", "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to open /proc/mounts"); + return PAM_PERM_DENIED; + } + + while ( +#ifdef HAVE_GETMNTENT_R + (mnt = getmntent_r(fp, &ent, buf, sizeof(buf))) != NULL +#else + (mnt = getmntent(fp)) != NULL +#endif + ) { + /* If param.fs is not specified use filesystem with users homedir + * as default. + */ + if (param.fs == NULL) { + /* Mask trailing / from mnt->mnt_dir, to get a leading / on the + * remaining suffix returned by pam_str_skip_prefix_len() + */ + for (mnt_len = strlen(mnt->mnt_dir); mnt_len > 0; --mnt_len) + if (mnt->mnt_dir[mnt_len - 1] != '/') + break; + const char *s; + if (param.debug >= 2) + pam_syslog(pamh, LOG_DEBUG, "Trying to match pw_dir=\"%s\" " + "with mnt_dir=\"%s\"", pwd->pw_dir, mnt->mnt_dir); + /* + * (mnt_len > match_size) Only try matching the mnt_dir if its length + * is longer than the last matched length, trying to find the longest + * mnt_dir for a given pwd_dir. + * + * (mnt_len == 0 && mnt->mnt_dir[0] == '/') special-cases the + * root-dir /, which is the only mnt_dir with a trailing '/', which + * got masked earlier. + */ + if ((mnt_len > match_size || (mnt_len == 0 && mnt->mnt_dir[0] == '/')) && + (s = pam_str_skip_prefix_len(pwd->pw_dir, mnt->mnt_dir, mnt_len)) != NULL && + s[0] == '/') { + free(mntdevice); + if ((mntdevice = strdup(mnt->mnt_fsname)) == NULL) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + endmntent(fp); + return PAM_PERM_DENIED; + } + match_size = mnt_len; + if (param.debug >= 2) + pam_syslog(pamh, LOG_DEBUG, "Found pw_dir=\"%s\" in mnt_dir=\"%s\" " + "with suffix=\"%s\" on device=\"%s\"", pwd->pw_dir, + mnt->mnt_dir, s, mntdevice); + } + /* param.fs has been specified, find exactly matching filesystem */ + } else if ((strncmp(param.fs, mnt->mnt_dir, param.fs_len) == 0 + && mnt->mnt_dir[param.fs_len] == '\0') || + (strncmp(param.fs, mnt->mnt_fsname, param.fs_len) == 0 + && mnt->mnt_fsname[param.fs_len] == '\0' )) { + free(mntdevice); + if ((mntdevice = strdup(mnt->mnt_fsname)) == NULL) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + endmntent(fp); + return PAM_PERM_DENIED; + } + if (param.debug >= 2) + pam_syslog(pamh, LOG_DEBUG, "Found fs=\"%s\" in mnt_dir=\"%s\" " + "on device=\"%s\"", param.fs, mnt->mnt_dir, mntdevice); + } + } + + endmntent(fp); + + if (mntdevice == NULL) { + pam_syslog(pamh, LOG_ERR, "Filesystem or device not found: %s", param.fs ? param.fs : pwd->pw_dir); + return PAM_PERM_DENIED; + } + + /* Get limits */ + if (quotactl(QCMD(Q_GETQUOTA, USRQUOTA), mntdevice, pwd->pw_uid, + (void *)&ndqblk) == -1) { + pam_syslog(pamh, LOG_ERR, "fail to get limits for user %s : %m", + pwd->pw_name); + free(mntdevice); + return PAM_PERM_DENIED; + } + + if (param.debug >= 1) + debug(pamh, &ndqblk, mntdevice, "Quota read:"); + + /* Only overwrite if quotas aren't already set or if overwrite is set */ + if ((ndqblk.dqb_bsoftlimit == 0 && ndqblk.dqb_bhardlimit == 0 && + ndqblk.dqb_isoftlimit == 0 && ndqblk.dqb_ihardlimit == 0) || + param.overwrite == 1) { + + /* Parse new limits + * Exit with an error should only the hard- or softlimit be + * configured but not both. + * This avoids errors, inconsistencies and possible race conditions + * during setquota. + */ + ndqblk.dqb_valid = 0; + if (!parse_dqblk(pamh, argc, argv, &ndqblk)) { + pam_syslog(pamh, LOG_ERR, + "Both soft- and hardlimits for %s need to be configured " + "at the same time!", mntdevice); + free(mntdevice); + return PAM_PERM_DENIED; + } + + /* Nothing changed? Are no limits defined at all in configuration? */ + if (ndqblk.dqb_valid == 0) { + pam_syslog(pamh, LOG_AUTH | LOG_WARNING, "no limits defined in " + "configuration for user %s on %s", pwd->pw_name, mntdevice); + free(mntdevice); + return PAM_IGNORE; + } + + /* Set limits */ + if (quotactl(QCMD(Q_SETQUOTA, USRQUOTA), mntdevice, pwd->pw_uid, + (void *)&ndqblk) == -1) { + pam_syslog(pamh, LOG_ERR, "failed to set limits for user %s on %s: %m", + pwd->pw_name, mntdevice); + free(mntdevice); + return PAM_PERM_DENIED; + } + if (param.debug >= 1) + debug(pamh, &ndqblk, mntdevice, "Quota set:"); + + /* End module */ + free(mntdevice); + return PAM_SUCCESS; + + } else { + /* Quota exists and overwrite!=1 */ + if (param.debug >= 1) { + pam_syslog(pamh, LOG_DEBUG, "Quota already exists for user %s " + "on %s, not overwriting it without \"overwrite=1\"", + pwd->pw_name, mntdevice); + } + /* End module */ + free(mntdevice); + return PAM_IGNORE; + } + +} + +int +pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} diff --git a/modules/pam_setquota/tst-pam_setquota b/modules/pam_setquota/tst-pam_setquota new file mode 100755 index 00000000..f50c958d --- /dev/null +++ b/modules/pam_setquota/tst-pam_setquota @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_setquota.so diff --git a/modules/pam_shells/Makefile.am b/modules/pam_shells/Makefile.am index c9e01ccd..e44915f2 100644 --- a/modules/pam_shells/Makefile.am +++ b/modules/pam_shells/Makefile.am @@ -5,27 +5,33 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_shells +EXTRA_DIST = $(XMLS) -man_MANS = pam_shells.8 +if HAVE_DOC +dist_man_MANS = pam_shells.8 +endif XMLS = README.xml pam_shells.8.xml - -TESTS = tst-pam_shells +dist_check_SCRIPTS = tst-pam_shells +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_shells.la -pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_shells.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_shells/Makefile.in b/modules/pam_shells/Makefile.in index c1f008c8..3c236b33 100644 --- a/modules/pam_shells/Makefile.in +++ b/modules/pam_shells/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_shells -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -136,7 +148,9 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_shells_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_shells_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_shells_la_SOURCES = pam_shells.c pam_shells_la_OBJECTS = pam_shells.lo AM_V_lt = $(am__v_lt_@AM_V@) @@ -157,7 +171,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_shells.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +201,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +378,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +401,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +423,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +463,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +481,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +511,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +522,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +576,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +583,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +592,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_shells -man_MANS = pam_shells.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_shells.8 XMLS = README.xml pam_shells.8.xml -TESTS = tst-pam_shells +dist_check_SCRIPTS = tst-pam_shells +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) $(ECONF_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_shells.la -pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +630,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_shells/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_shells/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +692,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_shells.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_shells.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +726,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +764,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +852,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +929,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +942,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +952,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +985,10 @@ tst-pam_shells.log: tst-pam_shells @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1019,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1068,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_shells.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1114,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_shells.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1137,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1154,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_shells.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_shells/README b/modules/pam_shells/README index e09dd205..bde6667c 100644 --- a/modules/pam_shells/README +++ b/modules/pam_shells/README @@ -7,7 +7,11 @@ DESCRIPTION pam_shells is a PAM module that only allows access to the system if the user's shell is listed in /etc/shells. -It also checks if /etc/shells is a plain file and not world writable. +If this file does not exist, entries are taken from files %vendordir%/shells, +%vendordir%/shells.d/* and /etc/shells.d/* in that order. + +It also checks if needed files (e.g. /etc/shells) are plain files and not world +writable. OPTIONS diff --git a/modules/pam_shells/README.xml b/modules/pam_shells/README.xml index 154b97b5..c4da1a06 100644 --- a/modules/pam_shells/README.xml +++ b/modules/pam_shells/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_shells.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_shells-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_shells/pam_shells.8 b/modules/pam_shells/pam_shells.8 index f0f6ea20..7962badc 100644 --- a/modules/pam_shells/pam_shells.8 +++ b/modules/pam_shells/pam_shells.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_shells .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SHELLS" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SHELLS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,9 +37,8 @@ pam_shells \- PAM module to check for valid login shell pam_shells is a PAM module that only allows access to the system if the user\*(Aqs shell is listed in /etc/shells\&. .PP -It also checks if -/etc/shells -is a plain file and not world writable\&. +It also checks if needed files (e\&.g\&. +/etc/shells) are plain files and not world writable\&. .SH "OPTIONS" .PP This module does not recognise any options\&. @@ -85,7 +84,7 @@ auth required pam_shells\&.so \fBshells\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_shells was written by Erik Troan <ewt@redhat\&.com>\&. diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml index 15f47671..bff889fb 100644 --- a/modules/pam_shells/pam_shells.8.xml +++ b/modules/pam_shells/pam_shells.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_shells"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_shells"> <refmeta> <refentrytitle>pam_shells</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_shells-name"> + <refnamediv xml:id="pam_shells-name"> <refname>pam_shells</refname> <refpurpose>PAM module to check for valid login shell</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_shells-cmdsynopsis"> + <cmdsynopsis xml:id="pam_shells-cmdsynopsis" sepchar=" "> <command>pam_shells.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_shells-description"> + <refsect1 xml:id="pam_shells-description"> <title>DESCRIPTION</title> @@ -29,19 +26,27 @@ pam_shells is a PAM module that only allows access to the system if the user's shell is listed in <filename>/etc/shells</filename>. </para> + + <para condition="with_vendordir_and_with_econf"> + If this file does not exist, entries are taken from files + <filename>%vendordir%/shells</filename>, + <filename>%vendordir%/shells.d/*</filename> and + <filename>/etc/shells.d/*</filename> in that order. + </para> + <para> - It also checks if <filename>/etc/shells</filename> is a plain - file and not world writable. + It also checks if needed files (e.g. <filename>/etc/shells</filename>) are plain + files and not world writable. </para> </refsect1> - <refsect1 id="pam_shells-options"> + <refsect1 xml:id="pam_shells-options"> <title>OPTIONS</title> <para> This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_shells-types"> + <refsect1 xml:id="pam_shells-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> @@ -49,7 +54,7 @@ </para> </refsect1> - <refsect1 id='pam_shells-return_values'> + <refsect1 xml:id="pam_shells-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -80,7 +85,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_shells-examples'> + <refsect1 xml:id="pam_shells-examples"> <title>EXAMPLES</title> <para> <programlisting> @@ -89,7 +94,7 @@ auth required pam_shells.so </para> </refsect1> - <refsect1 id='pam_shells-see_also'> + <refsect1 xml:id="pam_shells-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -102,16 +107,16 @@ auth required pam_shells.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_shells-author'> + <refsect1 xml:id="pam_shells-author"> <title>AUTHOR</title> <para> pam_shells was written by Erik Troan <ewt@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index c8acb9e2..abebdd0c 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -1,8 +1,6 @@ -/* pam_shells module */ - -#define SHELL_FILE "/etc/shells" - /* + * pam_shells module + * * by Erik Troan <ewt@redhat.com>, Red Hat Software. * August 5, 1996. * This code shamelessly ripped from the pam_securetty module. @@ -15,70 +13,105 @@ #include <string.h> #include <stdio.h> #include <stdlib.h> -#include <string.h> +#include <stdbool.h> #include <sys/stat.h> #include <syslog.h> #include <unistd.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT +#if defined (USE_ECONF) && defined (VENDORDIR) +#include <libeconf.h> +#endif #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#define SHELL_FILE "/etc/shells" +#define SHELLS "shells" +#define ETCDIR "/etc" +#define DEFAULT_SHELL "/bin/sh" + +static bool check_file(const char *filename, const void *pamh) +{ + struct stat sb; + + if (stat(filename, &sb)) { + pam_syslog(pamh, LOG_ERR, "Cannot stat %s: %m", filename); + return false; /* must have /etc/shells */ + } + + if ((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) { + pam_syslog(pamh, LOG_ERR, + "%s is either world writable or not a normal file", + filename); + return false; + } + return true; +} + static int perform_check(pam_handle_t *pamh) { int retval = PAM_AUTH_ERR; const char *userName; - char *userShell; - char shellFileLine[256]; - struct stat sb; + const char *userShell; struct passwd * pw; - FILE * shellFile; retval = pam_get_user(pamh, &userName, NULL); if (retval != PAM_SUCCESS) { return PAM_SERVICE_ERR; } - if (!userName || (userName[0] == '\0')) { - - /* Don't let them use a NULL username... */ - retval = pam_get_user(pamh,&userName,NULL); - if (retval != PAM_SUCCESS) - return PAM_SERVICE_ERR; - - /* It could still be NULL the second time. */ - if (!userName || (userName[0] == '\0')) - return PAM_SERVICE_ERR; - } - pw = pam_modutil_getpwnam(pamh, userName); - if (!pw) { + if (pw == NULL || pw->pw_shell == NULL) { return PAM_AUTH_ERR; /* user doesn't exist */ } userShell = pw->pw_shell; - - if (stat(SHELL_FILE,&sb)) { - pam_syslog(pamh, LOG_ERR, "Cannot stat %s: %m", SHELL_FILE); - return PAM_AUTH_ERR; /* must have /etc/shells */ + if (userShell[0] == '\0') + userShell = DEFAULT_SHELL; + +#if defined (USE_ECONF) && defined (VENDORDIR) + size_t size = 0; + econf_err error; + char **keys; + econf_file *key_file; + + error = econf_readDirsWithCallback(&key_file, + VENDORDIR, + ETCDIR, + SHELLS, + NULL, + "", /* key only */ + "#", /* comment */ + check_file, pamh); + if (error) { + pam_syslog(pamh, LOG_ERR, + "Cannot parse shell files: %s", + econf_errString(error)); + return PAM_AUTH_ERR; } - if ((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) { + error = econf_getKeys(key_file, NULL, &size, &keys); + if (error) { pam_syslog(pamh, LOG_ERR, - "%s is either world writable or not a normal file", - SHELL_FILE); + "Cannot evaluate entries in shell files: %s", + econf_errString(error)); + econf_free (key_file); return PAM_AUTH_ERR; } + retval = 1; + for (size_t i = 0; i < size; i++) { + retval = strcmp(keys[i], userShell); + if (!retval) + break; + } + econf_free (key_file); +#else + char shellFileLine[256]; + FILE * shellFile; + + if (!check_file(SHELL_FILE, pamh)) + return PAM_AUTH_ERR; + shellFile = fopen(SHELL_FILE,"r"); if (shellFile == NULL) { /* Check that we opened it successfully */ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SHELL_FILE); @@ -94,6 +127,7 @@ static int perform_check(pam_handle_t *pamh) } fclose(shellFile); + #endif if (retval) { return PAM_AUTH_ERR; diff --git a/modules/pam_stress/Makefile.am b/modules/pam_stress/Makefile.am index a8d50eb8..ee78daef 100644 --- a/modules/pam_stress/Makefile.am +++ b/modules/pam_stress/Makefile.am @@ -3,18 +3,34 @@ # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README tst-pam_stress +EXTRA_DIST = $(XMLS) -TESTS = tst-pam_stress +if HAVE_DOC +dist_man_MANS = pam_stress.8 +endif +XMLS = README.xml pam_stress.8.xml +dist_check_SCRIPTS = tst-pam_stress +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_stress.la pam_stress_la_LIBADD = $(top_builddir)/libpam/libpam.la + +if ENABLE_REGENERATE_MAN +dist_noinst_DATA = README +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_stress/Makefile.in b/modules/pam_stress/Makefile.in index 4f643fa7..4788de54 100644 --- a/modules/pam_stress/Makefile.in +++ b/modules/pam_stress/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -18,8 +18,19 @@ # Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de> # + VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_stress -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -133,7 +146,7 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) pam_stress_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la pam_stress_la_SOURCES = pam_stress.c @@ -156,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_stress.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -183,6 +197,11 @@ am__can_run_installinfo = \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -357,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -379,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -398,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -429,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -448,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -475,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -487,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -534,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -542,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -554,19 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ -EXTRA_DIST = README tst-pam_stress -TESTS = tst-pam_stress +MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_stress.8 +XMLS = README.xml pam_stress.8.xml +dist_check_SCRIPTS = tst-pam_stress +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_stress.la pam_stress_la_LIBADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -583,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_stress/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_stress/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -646,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_stress.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_stress.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -674,6 +724,49 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +install-man8: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -757,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -834,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -847,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -857,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -890,7 +983,10 @@ tst-pam_stress.log: tst-pam_stress @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -921,11 +1017,12 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(securelibdir)"; do \ + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -962,13 +1059,14 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_stress.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -985,7 +1083,7 @@ info: info-am info-am: -install-data-am: install-securelibLTLIBRARIES +install-data-am: install-man install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1001,7 +1099,7 @@ install-info: install-info-am install-info-am: -install-man: +install-man: install-man8 install-pdf: install-pdf-am @@ -1014,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_stress.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1031,26 +1129,32 @@ ps: ps-am ps-am: -uninstall-am: uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am \ - uninstall-securelibLTLIBRARIES + recheck tags tags-am uninstall uninstall-am uninstall-man \ + uninstall-man8 uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/modules/pam_stress/README b/modules/pam_stress/README index e64bf2d3..230e8621 100644 --- a/modules/pam_stress/README +++ b/modules/pam_stress/README @@ -1,64 +1,61 @@ -# -# This describes the behavior of this module with respect to the -# /etc/pam.conf file. -# -# writen by Andrew Morgan <morgan@parc.power.net> -# +pam_stress — The stress-testing PAM module -This module recognizes the following arguments. +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” -debug put lots of information in syslog. - *NOTE* this option writes passwords to syslog, so - don't use anything sensitive when testing. +DESCRIPTION -no_warn don't give warnings about things (otherwise warnings are issued - via the conversation function) +The pam_stress PAM module is mainly intended to give the impression of failing +as a fully functioning module might. -use_first_pass don't prompt for a password, for pam_sm_authentication - function just use item PAM_AUTHTOK. +OPTIONS -try_first_pass don't prompt for a password unless there has been no - previous authentication token (item PAM_AUTHTOK is NULL) +debug -rootok This is intended for the pam_sm_chauthtok function and - it instructs this function to permit root to change - the user's password without entering the old password. + Put lots of information in syslog. *NOTE* this option writes passwords to + syslog, so don't use anything sensitive when testing. -The following arguments are acted on by the module. They are intended -to make the module give the impression of failing as a fully -functioning module might. +no_warn -expired an argument intended for the account and chauthtok module - parts. It instructs the module to act as if the user's - password has expired + Do not give warnings about things (otherwise warnings are issued via the + conversation function) -fail_1 this instructs the module to make its first function fail. +use_first_pass -fail_2 this instructs the module to make its second function (if there - is one) fail. + Do not prompt for a password, for pam_sm_authentication function just use + item PAM_AUTHTOK. - The function break up is indicated in the Module - Developers' Guide. Listed here it is: +try_first_pass - service function 1 function 2 - ------- ---------- ---------- - auth pam_sm_authenticate pam_sm_setcred - password pam_sm_chauthtok - session pam_sm_open_session pam_sm_close_session - account pam_sm_acct_mgmt + Do not prompt for a password unless there has been no previous + authentication token (item PAM_AUTHTOK is NULL) -prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK. +rootok -required for pam_sm_chauthtok, means fail if the user hasn't already - been authenticated by this module. (See stress_new_pwd data - item below.) + This is intended for the pam_sm_chauthtok function and it instructs this + function to permit root to change the user's password without entering the + old password. -# -# data strings that this module uses are the following: -# +expired + + An argument intended for the account and chauthtok module parts. It + instructs the module to act as if the user's password has expired + +fail_1 + + This instructs the module to make its first function fail. + +fail_2 + + This instructs the module to make its second function (if there is one) + fail. + +prelim + + For pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK. + +required + + For pam_sm_chauthtok, means fail if the user hasn't already been + authenticated by this module. (See stress_new_pwd data string in the + NOTES.) -data name value(s) Comments ---------- -------- -------- -stress_new_pwd yes tells pam_sm_chauthtok that - pam_sm_acct_mgmt says we need a new - password diff --git a/modules/pam_stress/README.xml b/modules/pam_stress/README.xml new file mode 100644 index 00000000..cc7a1848 --- /dev/null +++ b/modules/pam_stress/README.xml @@ -0,0 +1,19 @@ +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_stress.8.xml" xpointer='xpointer(id("pam_stress-name")/*)'/> + </title> + + </info> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_stress.8.xml" xpointer='xpointer(id("pam_stress-description")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_stress.8.xml" xpointer='xpointer(id("pam_stress-options")/*)'/> + </section> + +</article>
\ No newline at end of file diff --git a/modules/pam_stress/pam_stress.8 b/modules/pam_stress/pam_stress.8 new file mode 100644 index 00000000..a522b7fb --- /dev/null +++ b/modules/pam_stress/pam_stress.8 @@ -0,0 +1,190 @@ +'\" t +.\" Title: pam_stress +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PAM_STRESS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_stress \- The stress\-testing PAM module +.SH "SYNOPSIS" +.HP \w'\fBpam_stress\&.so\fR\ 'u +\fBpam_stress\&.so\fR [debug] [no_warn] [use_first_pass] [try_first_pass] [rootok] [expired] [fail_1] [fail_2] [prelim] [required] +.SH "DESCRIPTION" +.PP +The pam_stress PAM module is mainly intended to give the impression of failing as a fully functioning module might\&. +.SH "OPTIONS" +.PP +debug +.RS 4 +Put lots of information in syslog\&. *NOTE* this option writes passwords to syslog, so don\*(Aqt use anything sensitive when testing\&. +.RE +.PP +no_warn +.RS 4 +Do not give warnings about things (otherwise warnings are issued via the conversation function) +.RE +.PP +use_first_pass +.RS 4 +Do not prompt for a password, for pam_sm_authentication function just use item PAM_AUTHTOK\&. +.RE +.PP +try_first_pass +.RS 4 +Do not prompt for a password unless there has been no previous authentication token (item PAM_AUTHTOK is NULL) +.RE +.PP +rootok +.RS 4 +This is intended for the pam_sm_chauthtok function and it instructs this function to permit root to change the user\*(Aqs password without entering the old password\&. +.RE +.PP +expired +.RS 4 +An argument intended for the account and chauthtok module parts\&. It instructs the module to act as if the user\*(Aqs password has expired +.RE +.PP +fail_1 +.RS 4 +This instructs the module to make its first function fail\&. +.RE +.PP +fail_2 +.RS 4 +This instructs the module to make its second function (if there is one) fail\&. +.RE +.PP +prelim +.RS 4 +For pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK\&. +.RE +.PP +required +.RS 4 +For pam_sm_chauthtok, means fail if the user hasn\*(Aqt already been authenticated by this module\&. (See stress_new_pwd data string in the NOTES\&.) +.RE +.SH "MODULE TYPES PROVIDED" +.PP +All module types (\fBauth\fR, +\fBaccount\fR, +\fBpassword\fR +and +\fBsession\fR) are provided\&. +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +Permission denied\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +Access to the system was denied\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +Conversation failure\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The function passes all checks\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The user is not known to the system\&. +.RE +.PP +PAM_CRED_ERR +.RS 4 +Failure involving user credentials\&. +.RE +.PP +PAM_NEW_AUTHTOK_REQD +.RS 4 +Authentication token is no longer valid; new one required\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Session failure\&. +.RE +.PP +PAM_TRY_AGAIN +.RS 4 +Failed preliminary check by service\&. +.RE +.PP +PAM_AUTHTOK_LOCK_BUSY +.RS 4 +Authentication token lock busy\&. +.RE +.PP +PAM_AUTHTOK_ERR +.RS 4 +Authentication token manipulation error\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error\&. +.RE +.SH "NOTES" +.PP +This module uses the stress_new_pwd data string which tells pam_sm_chauthtok that pam_sm_acct_mgmt says we need a new password\&. The only possible value for this data string is \*(Aqyes\*(Aq\&. +.SH "EXAMPLES" +.sp +.if n \{\ +.RS 4 +.\} +.nf +#%PAM\-1\&.0 +# +# Any of the following will suffice +account required pam_stress\&.so +auth required pam_stress\&.so +password required pam_stress\&.so +session required pam_stress\&.so + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8)\&. +.SH "AUTHORS" +.PP +The pam_stress PAM module was developed by Andrew Morgan <morgan@linux\&.kernel\&.org>\&. The man page for pam_stress was written by Lucas Ramage <ramage\&.lucas@protonmail\&.com>\&. diff --git a/modules/pam_stress/pam_stress.8.xml b/modules/pam_stress/pam_stress.8.xml new file mode 100644 index 00000000..617b7aae --- /dev/null +++ b/modules/pam_stress/pam_stress.8.xml @@ -0,0 +1,353 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_stress"> + + <refmeta> + <refentrytitle>pam_stress</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pam_stress-name"> + <refname>pam_stress</refname> + <refpurpose>The stress-testing PAM module</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <cmdsynopsis xml:id="pam_stress-cmdsynopsis" sepchar=" "> + <command>pam_stress.so</command> + <arg choice="opt" rep="norepeat"> + debug + </arg> + <arg choice="opt" rep="norepeat"> + no_warn + </arg> + <arg choice="opt" rep="norepeat"> + use_first_pass + </arg> + <arg choice="opt" rep="norepeat"> + try_first_pass + </arg> + <arg choice="opt" rep="norepeat"> + rootok + </arg> + <arg choice="opt" rep="norepeat"> + expired + </arg> + <arg choice="opt" rep="norepeat"> + fail_1 + </arg> + <arg choice="opt" rep="norepeat"> + fail_2 + </arg> + <arg choice="opt" rep="norepeat"> + prelim + </arg> + <arg choice="opt" rep="norepeat"> + required + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 xml:id="pam_stress-description"> + <title>DESCRIPTION</title> + <para> + The pam_stress PAM module is mainly intended to give the impression of failing as a fully +functioning module might. + </para> + </refsect1> + + <refsect1 xml:id="pam_stress-options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term> + debug + </term> + <listitem> + <para> + Put lots of information in syslog. + *NOTE* this option writes passwords to syslog, so don't use anything sensitive when testing. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + no_warn + </term> + <listitem> + <para> + Do not give warnings about things (otherwise warnings are issued + via the conversation function) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + use_first_pass + </term> + <listitem> + <para> + Do not prompt for a password, for pam_sm_authentication + function just use item PAM_AUTHTOK. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + try_first_pass + </term> + <listitem> + <para> + Do not prompt for a password unless there has been no + previous authentication token (item PAM_AUTHTOK is NULL) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + rootok + </term> + <listitem> + <para> + This is intended for the pam_sm_chauthtok function and + it instructs this function to permit root to change + the user's password without entering the old password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + expired + </term> + <listitem> + <para> + An argument intended for the account and chauthtok module + parts. It instructs the module to act as if the user's + password has expired + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + fail_1 + </term> + <listitem> + <para> + This instructs the module to make its first function fail. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + fail_2 + </term> + <listitem> + <para> + This instructs the module to make its second function (if there + is one) fail. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + prelim + </term> + <listitem> + <para> + For pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + required + </term> + <listitem> + <para> + For pam_sm_chauthtok, means fail if the user hasn't already + been authenticated by this module. (See stress_new_pwd data + string in the NOTES.) + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 xml:id="pam_stress-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + All module types (<option>auth</option>, <option>account</option>, + <option>password</option> and <option>session</option>) are provided. + </para> + </refsect1> + + <refsect1 xml:id="pam_stress-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Access to the system was denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + Conversation failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The function passes all checks. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + Failure involving user credentials. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_NEW_AUTHTOK_REQD</term> + <listitem> + <para> + Authentication token is no longer valid; new one required. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Session failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_TRY_AGAIN</term> + <listitem> + <para> + Failed preliminary check by service. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_LOCK_BUSY</term> + <listitem> + <para> + Authentication token lock busy. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + Authentication token manipulation error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + System error. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pam_stress-notes"> + <title>NOTES</title> + <para> + This module uses the stress_new_pwd data string which tells + pam_sm_chauthtok that pam_sm_acct_mgmt says we need a new password. + The only possible value for this data string is 'yes'. + </para> + </refsect1> + + <refsect1 xml:id="pam_stress-examples"> + <title>EXAMPLES</title> + <programlisting> +#%PAM-1.0 +# +# Any of the following will suffice +account required pam_stress.so +auth required pam_stress.so +password required pam_stress.so +session required pam_stress.so + </programlisting> + </refsect1> + + <refsect1 xml:id="pam_stress-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 xml:id="pam_stress-authors"> + <title>AUTHORS</title> + <para> + The pam_stress PAM module was developed by + Andrew Morgan <morgan@linux.kernel.org>. + The man page for pam_stress was written by + Lucas Ramage <ramage.lucas@protonmail.com>. + </para> + </refsect1> +</refentry>
\ No newline at end of file diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index 87a6e7c6..b2c55586 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -15,21 +15,10 @@ #include <string.h> #include <unistd.h> -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* ---------- */ @@ -229,11 +218,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* try to get the username */ retval = pam_get_user(pamh, &username, "username: "); - if (retval != PAM_SUCCESS || !username) { - pam_syslog(pamh, LOG_WARNING, - "pam_sm_authenticate: failed to get username"); - if (retval == PAM_SUCCESS) - retval = PAM_USER_UNKNOWN; /* username was null */ + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, + "pam_sm_authenticate: cannot determine user name: %s", + pam_strerror(pamh, retval)); return retval; } else if (ctrl & PAM_ST_DEBUG) { @@ -253,7 +241,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* try to set password item */ retval = pam_set_item(pamh,PAM_AUTHTOK,pass); - _pam_overwrite(pass); /* clean up local copy of password */ + pam_overwrite_string(pass); /* clean up local copy of password */ free(pass); pass = NULL; if (retval != PAM_SUCCESS) { @@ -445,7 +433,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, return retval; } retval = pam_set_item(pamh, PAM_OLDAUTHTOK, pass); - _pam_overwrite(pass); + pam_overwrite_string(pass); free(pass); pass = NULL; if (retval != PAM_SUCCESS) { @@ -467,7 +455,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, } pmsg[0] = &msg[0]; msg[0].msg_style = PAM_TEXT_INFO; - if (asprintf(&txt, _("Changing STRESS password for %s."), + if (asprintf(&txt, "Changing STRESS password for %s.", (const char *)username) < 0) { pam_syslog(pamh, LOG_CRIT, "out of memory"); return PAM_BUF_ERR; @@ -481,10 +469,10 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = _("Enter new STRESS password: "); + msg[i++].msg = "Enter new STRESS password: "; pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = _("Retype new STRESS password: "); + msg[i++].msg = "Retype new STRESS password: "; resp = NULL; retval = converse(pamh,i,pmsg,&resp); @@ -508,17 +496,17 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (strcmp(resp[i-2].resp,resp[i-1].resp)) { /* passwords are not the same; forget and return error */ - _pam_drop_reply(resp, i); + pam_drop_response(resp, i); if (!(flags & PAM_SILENT) && !(ctrl & PAM_ST_NO_WARN)) { pmsg[0] = &msg[0]; msg[0].msg_style = PAM_ERROR_MSG; - msg[0].msg = _("Verification mis-typed; " - "password unchanged"); + msg[0].msg = "Verification mis-typed; " + "password unchanged"; resp = NULL; (void) converse(pamh,1,pmsg,&resp); if (resp) { - _pam_drop_reply(resp, 1); + pam_drop_response(resp, 1); } } return PAM_AUTHTOK_ERR; @@ -536,7 +524,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, retval = PAM_SYSTEM_ERR; } - _pam_drop_reply(resp, i); /* clean up the passwords */ + pam_drop_response(resp, i); /* clean up the passwords */ } else { pam_syslog(pamh, LOG_ERR, "pam_sm_chauthtok: this must be a Linux-PAM error"); diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am index ce1eb500..f79a4b03 100644 --- a/modules/pam_succeed_if/Makefile.am +++ b/modules/pam_succeed_if/Makefile.am @@ -5,18 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if - -TESTS = tst-pam_succeed_if - -man_MANS = pam_succeed_if.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_succeed_if.8 +endif XMLS = README.xml pam_succeed_if.8.xml +dist_check_SCRIPTS = tst-pam_succeed_if +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -26,7 +32,6 @@ securelib_LTLIBRARIES = pam_succeed_if.la pam_succeed_if_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_succeed_if.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_succeed_if/Makefile.in b/modules/pam_succeed_if/Makefile.in index db2bcb69..5028fe07 100644 --- a/modules/pam_succeed_if/Makefile.in +++ b/modules/pam_succeed_if/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_succeed_if -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_succeed_if.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_succeed_if -TESTS = tst-pam_succeed_if -man_MANS = pam_succeed_if.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_succeed_if.8 XMLS = README.xml pam_succeed_if.8.xml +dist_check_SCRIPTS = tst-pam_succeed_if +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_succeed_if.la pam_succeed_if_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_succeed_if/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_succeed_if/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_succeed_if.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_succeed_if.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_succeed_if.log: tst-pam_succeed_if @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_succeed_if.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_succeed_if.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_succeed_if.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README index 82102605..3d2f3d50 100644 --- a/modules/pam_succeed_if/README +++ b/modules/pam_succeed_if/README @@ -94,13 +94,13 @@ field notin item:item:... Field is not contained in the list of items separated by colons. -user ingroup group +user ingroup group[:group:....] - User is in given group. + User is in given group(s). -user notingroup group +user notingroup group[:group:....] - User is not in given group. + User is not in given group(s). user innetgr netgroup @@ -112,9 +112,10 @@ user notinnetgr group EXAMPLES -To emulate the behaviour of pam_wheel, except there is no fallback to group 0: +To emulate the behaviour of pam_wheel, except there is no fallback to group 0 +being only approximated by checking also the root group membership: -auth required pam_succeed_if.so quiet user ingroup wheel +auth required pam_succeed_if.so quiet user ingroup wheel:root Given that the type matches, only loads the othermodule rule if the UID is over diff --git a/modules/pam_succeed_if/README.xml b/modules/pam_succeed_if/README.xml index c52f00a0..1c174af0 100644 --- a/modules/pam_succeed_if/README.xml +++ b/modules/pam_succeed_if/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_succeed_if.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_succeed_if-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 index 07524beb..98a9d857 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8 +++ b/modules/pam_succeed_if/pam_succeed_if.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_succeed_if .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 -.\" Manual: Linux-PAM +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual .\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SUCCEED_IF" "8" "05/18/2017" "Linux-PAM" "Linux\-PAM" +.TH "PAM_SUCCEED_IF" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -42,32 +42,32 @@ The module should be given one or more conditions as module arguments, and authe The following \fIflag\fRs are supported: .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to syslog\&. .RE .PP -\fBuse_uid\fR +use_uid .RS 4 Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Don\*(Aqt log failure or success to the system log\&. .RE .PP -\fBquiet_fail\fR +quiet_fail .RS 4 Don\*(Aqt log failure to the system log\&. .RE .PP -\fBquiet_success\fR +quiet_success .RS 4 Don\*(Aqt log success to the system log\&. .RE .PP -\fBaudit\fR +audit .RS 4 Log unknown users to the system log\&. .RE @@ -86,82 +86,82 @@ Available fields are and \fIservice\fR: .PP -\fBfield < number\fR +field < number .RS 4 Field has a value numerically less than number\&. .RE .PP -\fBfield <= number\fR +field <= number .RS 4 Field has a value numerically less than or equal to number\&. .RE .PP -\fBfield eq number\fR +field eq number .RS 4 Field has a value numerically equal to number\&. .RE .PP -\fBfield >= number\fR +field >= number .RS 4 Field has a value numerically greater than or equal to number\&. .RE .PP -\fBfield > number\fR +field > number .RS 4 Field has a value numerically greater than number\&. .RE .PP -\fBfield ne number\fR +field ne number .RS 4 Field has a value numerically different from number\&. .RE .PP -\fBfield = string\fR +field = string .RS 4 Field exactly matches the given string\&. .RE .PP -\fBfield != string\fR +field != string .RS 4 Field does not match the given string\&. .RE .PP -\fBfield =~ glob\fR +field =~ glob .RS 4 Field matches the given glob\&. .RE .PP -\fBfield !~ glob\fR +field !~ glob .RS 4 Field does not match the given glob\&. .RE .PP -\fBfield in item:item:\&.\&.\&.\fR +field in item:item:\&.\&.\&. .RS 4 Field is contained in the list of items separated by colons\&. .RE .PP -\fBfield notin item:item:\&.\&.\&.\fR +field notin item:item:\&.\&.\&. .RS 4 Field is not contained in the list of items separated by colons\&. .RE .PP -\fBuser ingroup group\fR +user ingroup group[:group:\&.\&.\&.\&.] .RS 4 -User is in given group\&. +User is in given group(s)\&. .RE .PP -\fBuser notingroup group\fR +user notingroup group[:group:\&.\&.\&.\&.] .RS 4 -User is not in given group\&. +User is not in given group(s)\&. .RE .PP -\fBuser innetgr netgroup\fR +user innetgr netgroup .RS 4 (user,host) is in given netgroup\&. .RE .PP -\fBuser notinnetgr group\fR +user notinnetgr group .RS 4 (user,host) is not in given netgroup\&. .RE @@ -191,13 +191,13 @@ A service error occurred or the arguments can\*(Aqt be parsed correctly\&. .SH "EXAMPLES" .PP To emulate the behaviour of -\fIpam_wheel\fR, except there is no fallback to group 0: +\fIpam_wheel\fR, except there is no fallback to group 0 being only approximated by checking also the root group membership: .sp .if n \{\ .RS 4 .\} .nf -auth required pam_succeed_if\&.so quiet user ingroup wheel +auth required pam_succeed_if\&.so quiet user ingroup wheel:root .fi .if n \{\ @@ -220,7 +220,7 @@ type required othermodule\&.so arguments\&.\&.\&. .SH "SEE ALSO" .PP \fBglob\fR(7), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP Nalin Dahyabhai <nalin@redhat\&.com> diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml index 7bdcb024..b8f65e7d 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8.xml +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -1,34 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - - -<refentry id='pam_succeed_if'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_succeed_if"> <!-- Copyright 2003, 2004 Red Hat, Inc. --> <!-- Written by Nalin Dahyabhai <nalin@redhat.com> --> <refmeta> <refentrytitle>pam_succeed_if</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_succeed_if-name'> + <refnamediv xml:id="pam_succeed_if-name"> <refname>pam_succeed_if</refname> <refpurpose>test account characteristics</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id='pam_succeed_if-cmdsynopsis'> + <cmdsynopsis xml:id="pam_succeed_if-cmdsynopsis" sepchar=" "> <command>pam_succeed_if.so</command> - <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg> - <arg choice='opt' rep='repeat'><replaceable>condition</replaceable></arg> + <arg choice="opt" rep="repeat"><replaceable>flag</replaceable></arg> + <arg choice="opt" rep="repeat"><replaceable>condition</replaceable></arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id='pam_succeed_if-description'> + <refsect1 xml:id="pam_succeed_if-description"> <title>DESCRIPTION</title> <para> pam_succeed_if.so is designed to succeed or fail authentication @@ -43,7 +39,7 @@ </para> </refsect1> - <refsect1 id="pam_succeed_if-options"> + <refsect1 xml:id="pam_succeed_if-options"> <title>OPTIONS</title> <para> The following <emphasis>flag</emphasis>s are supported: @@ -51,13 +47,13 @@ <variablelist> <varlistentry> - <term><option>debug</option></term> + <term>debug</term> <listitem> <para>Turns on debugging messages sent to syslog.</para> </listitem> </varlistentry> <varlistentry> - <term><option>use_uid</option></term> + <term>use_uid</term> <listitem> <para> Evaluate conditions using the account of the user whose UID @@ -67,13 +63,13 @@ </listitem> </varlistentry> <varlistentry> - <term><option>quiet</option></term> + <term>quiet</term> <listitem> <para>Don't log failure or success to the system log.</para> </listitem> </varlistentry> <varlistentry> - <term><option>quiet_fail</option></term> + <term>quiet_fail</term> <listitem> <para> Don't log failure to the system log. @@ -81,7 +77,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>quiet_success</option></term> + <term>quiet_success</term> <listitem> <para> Don't log success to the system log. @@ -89,7 +85,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>audit</option></term> + <term>audit</term> <listitem> <para> Log unknown users to the system log. @@ -112,13 +108,13 @@ <variablelist> <varlistentry> - <term><option>field < number</option></term> + <term>field < number</term> <listitem> <para>Field has a value numerically less than number.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field <= number</option></term> + <term>field <= number</term> <listitem> <para> Field has a value numerically less than or equal to number. @@ -126,7 +122,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field eq number</option></term> + <term>field eq number</term> <listitem> <para> Field has a value numerically equal to number. @@ -134,7 +130,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field >= number</option></term> + <term>field >= number</term> <listitem> <para> Field has a value numerically greater than or equal to number. @@ -142,7 +138,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field > number</option></term> + <term>field > number</term> <listitem> <para> Field has a value numerically greater than number. @@ -150,7 +146,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field ne number</option></term> + <term>field ne number</term> <listitem> <para> Field has a value numerically different from number. @@ -158,7 +154,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field = string</option></term> + <term>field = string</term> <listitem> <para> Field exactly matches the given string. @@ -166,7 +162,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field != string</option></term> + <term>field != string</term> <listitem> <para> Field does not match the given string. @@ -174,49 +170,49 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field =~ glob</option></term> + <term>field =~ glob</term> <listitem> <para>Field matches the given glob.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field !~ glob</option></term> + <term>field !~ glob</term> <listitem> <para>Field does not match the given glob.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field in item:item:...</option></term> + <term>field in item:item:...</term> <listitem> <para>Field is contained in the list of items separated by colons.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field notin item:item:...</option></term> + <term>field notin item:item:...</term> <listitem> <para>Field is not contained in the list of items separated by colons.</para> </listitem> </varlistentry> <varlistentry> - <term><option>user ingroup group</option></term> + <term>user ingroup group[:group:....]</term> <listitem> - <para>User is in given group.</para> + <para>User is in given group(s).</para> </listitem> </varlistentry> <varlistentry> - <term><option>user notingroup group</option></term> + <term>user notingroup group[:group:....]</term> <listitem> - <para>User is not in given group.</para> + <para>User is not in given group(s).</para> </listitem> </varlistentry> <varlistentry> - <term><option>user innetgr netgroup</option></term> + <term>user innetgr netgroup</term> <listitem> <para>(user,host) is in given netgroup.</para> </listitem> </varlistentry> <varlistentry> - <term><option>user notinnetgr group</option></term> + <term>user notinnetgr group</term> <listitem> <para>(user,host) is not in given netgroup.</para> </listitem> @@ -224,7 +220,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_succeed_if-types"> + <refsect1 xml:id="pam_succeed_if-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -232,7 +228,7 @@ </para> </refsect1> - <refsect1 id='pam_succeed_if-return_values'> + <refsect1 xml:id="pam_succeed_if-return_values"> <title>RETURN VALUES</title> <variablelist> @@ -267,14 +263,14 @@ </refsect1> - <refsect1 id='pam_succeed_if-examples'> + <refsect1 xml:id="pam_succeed_if-examples"> <title>EXAMPLES</title> <para> To emulate the behaviour of <emphasis>pam_wheel</emphasis>, except - there is no fallback to group 0: + there is no fallback to group 0 being only approximated by checking also the root group membership: </para> <programlisting> -auth required pam_succeed_if.so quiet user ingroup wheel +auth required pam_succeed_if.so quiet user ingroup wheel:root </programlisting> <para> @@ -288,20 +284,20 @@ type required othermodule.so arguments... </programlisting> </refsect1> - <refsect1 id='pam_succeed_if-see_also'> + <refsect1 xml:id="pam_succeed_if-see_also"> <title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_succeed_if-author'> + <refsect1 xml:id="pam_succeed_if-author"> <title>AUTHOR</title> <para>Nalin Dahyabhai <nalin@redhat.com></para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index aac3eeb0..5bf79c45 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -34,7 +34,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" @@ -54,11 +53,6 @@ #include <grp.h> #include <netdb.h> -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> @@ -215,23 +209,60 @@ evaluate_notinlist(const char *left, const char *right) } /* Return PAM_SUCCESS if the user is in the group. */ static int -evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *group) +evaluate_ingroup(pam_handle_t *pamh, const char *user, const char *grouplist) { - if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 1) - return PAM_SUCCESS; + char *ptr = NULL; + static const char delim[] = ":"; + char const *grp = NULL; + char *group = strdup(grouplist); + + if (group == NULL) + return PAM_BUF_ERR; + + grp = strtok_r(group, delim, &ptr); + while(grp != NULL) { + if (pam_modutil_user_in_group_nam_nam(pamh, user, grp) == 1) { + free(group); + return PAM_SUCCESS; + } + grp = strtok_r(NULL, delim, &ptr); + } + free(group); return PAM_AUTH_ERR; } /* Return PAM_SUCCESS if the user is NOT in the group. */ static int -evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) +evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *grouplist) { - if (pam_modutil_user_in_group_nam_nam(pamh, user, group) == 0) - return PAM_SUCCESS; - return PAM_AUTH_ERR; + char *ptr = NULL; + static const char delim[] = ":"; + char const *grp = NULL; + char *group = strdup(grouplist); + + if (group == NULL) + return PAM_BUF_ERR; + + grp = strtok_r(group, delim, &ptr); + while(grp != NULL) { + if (pam_modutil_user_in_group_nam_nam(pamh, user, grp) == 1) { + free(group); + return PAM_AUTH_ERR; + } + grp = strtok_r(NULL, delim, &ptr); + } + free(group); + return PAM_SUCCESS; } + +#ifdef HAVE_INNETGR +# define SOMETIMES_UNUSED UNUSED +#else +# define SOMETIMES_UNUSED +#endif + /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ static int -evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) +evaluate_innetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group) { #ifdef HAVE_INNETGR if (innetgr(group, host, user, NULL) == 1) @@ -244,7 +275,7 @@ evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, c } /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ static int -evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) +evaluate_notinnetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group) { #ifdef HAVE_INNETGR if (innetgr(group, host, user, NULL) == 0) @@ -259,44 +290,51 @@ evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user static int evaluate(pam_handle_t *pamh, int debug, const char *left, const char *qual, const char *right, - struct passwd *pwd, const char *user) + struct passwd **pwd, const char *user) { char buf[LINE_MAX] = ""; const char *attribute = left; + /* Get information about the user if needed. */ + if ((*pwd == NULL) && + ((strcasecmp(left, "uid") == 0) || + (strcasecmp(left, "gid") == 0) || + (strcasecmp(left, "shell") == 0) || + (strcasecmp(left, "home") == 0) || + (strcasecmp(left, "dir") == 0) || + (strcasecmp(left, "homedir") == 0))) { + *pwd = pam_modutil_getpwnam(pamh, user); + if (*pwd == NULL) { + return PAM_USER_UNKNOWN; + } + } /* Figure out what we're evaluating here, and convert it to a string.*/ if ((strcasecmp(left, "login") == 0) || (strcasecmp(left, "name") == 0) || (strcasecmp(left, "user") == 0)) { snprintf(buf, sizeof(buf), "%s", user); left = buf; - } - if (strcasecmp(left, "uid") == 0) { - snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_uid); + } else if (strcasecmp(left, "uid") == 0) { + snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_uid); left = buf; - } - if (strcasecmp(left, "gid") == 0) { - snprintf(buf, sizeof(buf), "%lu", (unsigned long) pwd->pw_gid); + } else if (strcasecmp(left, "gid") == 0) { + snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_gid); left = buf; - } - if (strcasecmp(left, "shell") == 0) { - snprintf(buf, sizeof(buf), "%s", pwd->pw_shell); + } else if (strcasecmp(left, "shell") == 0) { + snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_shell); left = buf; - } - if ((strcasecmp(left, "home") == 0) || + } else if ((strcasecmp(left, "home") == 0) || (strcasecmp(left, "dir") == 0) || (strcasecmp(left, "homedir") == 0)) { - snprintf(buf, sizeof(buf), "%s", pwd->pw_dir); + snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_dir); left = buf; - } - if (strcasecmp(left, "service") == 0) { + } else if (strcasecmp(left, "service") == 0) { const void *svc; if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || svc == NULL) svc = ""; snprintf(buf, sizeof(buf), "%s", (const char *)svc); left = buf; - } - if (strcasecmp(left, "ruser") == 0) { + } else if (strcasecmp(left, "ruser") == 0) { const void *ruser; if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS || ruser == NULL) @@ -304,16 +342,14 @@ evaluate(pam_handle_t *pamh, int debug, snprintf(buf, sizeof(buf), "%s", (const char *)ruser); left = buf; user = buf; - } - if (strcasecmp(left, "rhost") == 0) { + } else if (strcasecmp(left, "rhost") == 0) { const void *rhost; if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS || rhost == NULL) rhost = ""; snprintf(buf, sizeof(buf), "%s", (const char *)rhost); left = buf; - } - if (strcasecmp(left, "tty") == 0) { + } else if (strcasecmp(left, "tty") == 0) { const void *tty; if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS || tty == NULL) @@ -383,11 +419,11 @@ evaluate(pam_handle_t *pamh, int debug, if (strcasecmp(qual, "notin") == 0) { return evaluate_notinlist(left, right); } - /* User is in this group. */ + /* User is in this group(s). */ if (strcasecmp(qual, "ingroup") == 0) { return evaluate_ingroup(pamh, user, right); } - /* User is not in this group. */ + /* User is not in this group(s). */ if (strcasecmp(qual, "notingroup") == 0) { return evaluate_notingroup(pamh, user, right); } @@ -413,19 +449,12 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - const void *prompt; const char *user; - struct passwd *pwd; + struct passwd *pwd = NULL; int ret, i, count, use_uid, debug; const char *left, *right, *qual; int quiet_fail, quiet_succ, audit; - /* Get the user prompt. */ - ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt); - if ((ret != PAM_SUCCESS) || (prompt == NULL) || (strlen(prompt) == 0)) { - prompt = "login: "; - } - quiet_fail = 0; quiet_succ = 0; audit = 0; @@ -463,23 +492,15 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, user = pwd->pw_name; } else { /* Get the user's name. */ - ret = pam_get_user(pamh, &user, prompt); - if ((ret != PAM_SUCCESS) || (user == NULL)) { - pam_syslog(pamh, LOG_ERR, - "error retrieving user name: %s", + ret = pam_get_user(pamh, &user, NULL); + if (ret != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, + "cannot determine user name: %s", pam_strerror(pamh, ret)); return ret; } - /* Get information about the user. */ - pwd = pam_modutil_getpwnam(pamh, user); - if (pwd == NULL) { - if(audit) - pam_syslog(pamh, LOG_NOTICE, - "error retrieving information about user %s", - user); - return PAM_USER_UNKNOWN; - } + /* Postpone requesting password data until it is needed */ } /* Walk the argument list. */ @@ -520,9 +541,13 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, count++; ret = evaluate(pamh, debug, left, qual, right, - pwd, user); + &pwd, user); + if (ret == PAM_USER_UNKNOWN && audit) + pam_syslog(pamh, LOG_NOTICE, + "error retrieving information about user %s", + user); if (ret != PAM_SUCCESS) { - if(!quiet_fail) + if(!quiet_fail && ret != PAM_USER_UNKNOWN) pam_syslog(pamh, LOG_INFO, "requirement \"%s %s %s\" " "not met by user \"%s\"", diff --git a/modules/pam_tally/Makefile.am b/modules/pam_tally/Makefile.am deleted file mode 100644 index 53d0c0a1..00000000 --- a/modules/pam_tally/Makefile.am +++ /dev/null @@ -1,37 +0,0 @@ -# -# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> -# - -CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MANS) README - -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally - -man_MANS = pam_tally.8 -XMLS = README.xml pam_tally.8.xml - -TESTS = tst-pam_tally - -securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) - -noinst_HEADERS = faillog.h - -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include - -pam_tally_la_LDFLAGS = -no-undefined -avoid-version -module -pam_tally_la_LIBADD = $(top_builddir)/libpam/libpam.la -if HAVE_VERSIONING - pam_tally_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -endif - -securelib_LTLIBRARIES = pam_tally.la -sbin_PROGRAMS = pam_tally - -pam_tally_SOURCES = pam_tally_app.c - -if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_tally.8.xml --include $(top_srcdir)/Make.xml.rules -endif diff --git a/modules/pam_tally/README b/modules/pam_tally/README deleted file mode 100644 index 93ceb2ae..00000000 --- a/modules/pam_tally/README +++ /dev/null @@ -1,143 +0,0 @@ -pam_tally — The login counter (tallying) module - -â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” - -DESCRIPTION - -This module maintains a count of attempted accesses, can reset count on -success, can deny access if too many attempts fail. - -pam_tally has several limitations, which are solved with pam_tally2. For this -reason pam_tally is deprecated and will be removed in a future release. - -pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM -module and the latter, a stand-alone program. pam_tally is an (optional) -application which can be used to interrogate and manipulate the counter file. -It can display user counts, set individual counts, or clear all counts. Setting -artificially high counts may be useful for blocking users without changing -their passwords. For example, one might find it useful to clear all counts -every midnight from a cron job. The faillog(8) command can be used instead of -pam_tally to to maintain the counter file. - -Normally, failed attempts to access root will not cause the root account to -become blocked, to prevent denial-of-service: if your users aren't given shell -accounts and root may only login via su or at the machine console (not telnet/ -rsh, etc), this is safe. - -OPTIONS - -GLOBAL OPTIONS - - This can be used for auth and account module types. - - onerr=[fail|succeed] - - If something weird happens (like unable to open the file), return with - PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM - error code. - - file=/path/to/counter - - File where to keep counts. Default is /var/log/faillog. - - audit - - Will log the user name into the system log if the user is not found. - - silent - - Don't print informative messages. - - no_log_info - - Don't log informative messages via syslog(3). - -AUTH OPTIONS - - Authentication phase first checks if user should be denied access and if - not it increments attempted login counter. Then on call to pam_setcred(3) - it resets the attempts counter. - - deny=n - - Deny access if tally for this user exceeds n. - - lock_time=n - - Always deny for n seconds after failed attempt. - - unlock_time=n - - Allow access after n seconds after failed attempt. If this option is - used the user will be locked out for the specified amount of time after - he exceeded his maximum allowed attempts. Otherwise the account is - locked until the lock is removed by a manual intervention of the system - administrator. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sysadmin should use this for user launched services, - like su, otherwise this argument should be omitted. - - no_lock_time - - Do not use the .fail_locktime field in /var/log/faillog for this user. - - no_reset - - Don't reset count on successful entry, only decrement. - - even_deny_root_account - - Root account can become unavailable. - - per_user - - If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field - for this user then use it instead of deny=n/ lock_time=n parameter. - - no_lock_time - - Don't use .fail_locktime filed in /var/log/faillog for this user. - -ACCOUNT OPTIONS - - Account phase resets attempts counter if the user is not magic root. This - phase can be used optionally for services which don't call pam_setcred(3) - correctly or if the reset should be done regardless of the failure of the - account phase of other modules. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sysadmin should use this for user launched services, - like su, otherwise this argument should be omitted. - - no_reset - - Don't reset count on successful entry, only decrement. - -EXAMPLES - -Add the following line to /etc/pam.d/login to lock the account after too many -failed logins. The number of allowed fails is specified by /var/log/faillog and -needs to be set with pam_tally or faillog(8) before. - -auth required pam_securetty.so -auth required pam_tally.so per_user -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard - - -AUTHOR - -pam_tally was written by Tim Baverstock and Tomas Mraz. - diff --git a/modules/pam_tally/README.xml b/modules/pam_tally/README.xml deleted file mode 100644 index 3c6de50e..00000000 --- a/modules/pam_tally/README.xml +++ /dev/null @@ -1,41 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_tally.8.xml"> ---> -]> - -<article> - - <articleinfo> - - <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tally-name"]/*)'/> - </title> - - </articleinfo> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-description"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-options"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-examples"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-author"]/*)'/> - </section> - -</article> diff --git a/modules/pam_tally/faillog.h b/modules/pam_tally/faillog.h deleted file mode 100644 index 7f704713..00000000 --- a/modules/pam_tally/faillog.h +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright 1989 - 1994, Julianne Frances Haugh - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of Julianne F. Haugh nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * faillog.h - login failure logging file format - * - * $Id$ - * - * The login failure file is maintained by login(1) and faillog(8) - * Each record in the file represents a separate UID and the file - * is indexed in that fashion. - */ - -#ifndef _FAILLOG_H -#define _FAILLOG_H - -struct faillog { - short fail_cnt; /* failures since last success */ - short fail_max; /* failures before turning account off */ - char fail_line[12]; /* last failure occured here */ - time_t fail_time; /* last failure occured then */ - /* - * If nonzero, the account will be re-enabled if there are no - * failures for fail_locktime seconds since last failure. - */ - long fail_locktime; -}; - -#endif diff --git a/modules/pam_tally/pam_tally.8 b/modules/pam_tally/pam_tally.8 deleted file mode 100644 index 58070831..00000000 --- a/modules/pam_tally/pam_tally.8 +++ /dev/null @@ -1,254 +0,0 @@ -'\" t -.\" Title: pam_tally -.\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" Language: English -.\" -.TH "PAM_TALLY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" ----------------------------------------------------------------- -.\" * Define some portability stuff -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" http://bugs.debian.org/507673 -.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" ----------------------------------------------------------------- -.\" * set default formatting -.\" ----------------------------------------------------------------- -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.\" ----------------------------------------------------------------- -.\" * MAIN CONTENT STARTS HERE * -.\" ----------------------------------------------------------------- -.SH "NAME" -pam_tally \- The login counter (tallying) module -.SH "SYNOPSIS" -.HP \w'\fBpam_tally\&.so\fR\ 'u -\fBpam_tally\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] [silent] [no_log_info] -.HP \w'\fBpam_tally\fR\ 'u -\fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] -.SH "DESCRIPTION" -.PP -This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. -.PP -pam_tally has several limitations, which are solved with pam_tally2\&. For this reason pam_tally is deprecated and will be removed in a future release\&. -.PP -pam_tally comes in two parts: -\fBpam_tally\&.so\fR -and -\fBpam_tally\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. -\fBpam_tally\fR -is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display user counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. The -\fBfaillog\fR(8) -command can be used instead of pam_tally to to maintain the counter file\&. -.PP -Normally, failed attempts to access -\fIroot\fR -will -\fBnot\fR -cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via -\fBsu\fR -or at the machine console (not telnet/rsh, etc), this is safe\&. -.SH "OPTIONS" -.PP -GLOBAL OPTIONS -.RS 4 -This can be used for -\fIauth\fR -and -\fIaccount\fR -module types\&. -.PP -\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR -.RS 4 -If something weird happens (like unable to open the file), return with -\fBPAM_SUCCESS\fR -if -\fBonerr=\fR\fB\fIsucceed\fR\fR -is given, else with the corresponding PAM error code\&. -.RE -.PP -\fBfile=\fR\fB\fI/path/to/counter\fR\fR -.RS 4 -File where to keep counts\&. Default is -/var/log/faillog\&. -.RE -.PP -\fBaudit\fR -.RS 4 -Will log the user name into the system log if the user is not found\&. -.RE -.PP -\fBsilent\fR -.RS 4 -Don\*(Aqt print informative messages\&. -.RE -.PP -\fBno_log_info\fR -.RS 4 -Don\*(Aqt log informative messages via -\fBsyslog\fR(3)\&. -.RE -.RE -.PP -AUTH OPTIONS -.RS 4 -Authentication phase first checks if user should be denied access and if not it increments attempted login counter\&. Then on call to -\fBpam_setcred\fR(3) -it resets the attempts counter\&. -.PP -\fBdeny=\fR\fB\fIn\fR\fR -.RS 4 -Deny access if tally for this user exceeds -\fIn\fR\&. -.RE -.PP -\fBlock_time=\fR\fB\fIn\fR\fR -.RS 4 -Always deny for -\fIn\fR -seconds after failed attempt\&. -.RE -.PP -\fBunlock_time=\fR\fB\fIn\fR\fR -.RS 4 -Allow access after -\fIn\fR -seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. -.RE -.PP -\fBmagic_root\fR -.RS 4 -If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted\&. -.RE -.PP -\fBno_lock_time\fR -.RS 4 -Do not use the \&.fail_locktime field in -/var/log/faillog -for this user\&. -.RE -.PP -\fBno_reset\fR -.RS 4 -Don\*(Aqt reset count on successful entry, only decrement\&. -.RE -.PP -\fBeven_deny_root_account\fR -.RS 4 -Root account can become unavailable\&. -.RE -.PP -\fBper_user\fR -.RS 4 -If -/var/log/faillog -contains a non\-zero \&.fail_max/\&.fail_locktime field for this user then use it instead of -\fBdeny=\fR\fB\fIn\fR\fR/ -\fBlock_time=\fR\fB\fIn\fR\fR -parameter\&. -.RE -.PP -\fBno_lock_time\fR -.RS 4 -Don\*(Aqt use \&.fail_locktime filed in -/var/log/faillog -for this user\&. -.RE -.RE -.PP -ACCOUNT OPTIONS -.RS 4 -Account phase resets attempts counter if the user is -\fBnot\fR -magic root\&. This phase can be used optionally for services which don\*(Aqt call -\fBpam_setcred\fR(3) -correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. -.PP -\fBmagic_root\fR -.RS 4 -If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted\&. -.RE -.PP -\fBno_reset\fR -.RS 4 -Don\*(Aqt reset count on successful entry, only decrement\&. -.RE -.RE -.SH "MODULE TYPES PROVIDED" -.PP -The -\fBauth\fR -and -\fBaccount\fR -module types are provided\&. -.SH "RETURN VALUES" -.PP -PAM_AUTH_ERR -.RS 4 -A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. -.RE -.PP -PAM_SUCCESS -.RS 4 -Everything was successful\&. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -User not known\&. -.RE -.SH "EXAMPLES" -.PP -Add the following line to -/etc/pam\&.d/login -to lock the account after too many failed logins\&. The number of allowed fails is specified by -/var/log/faillog -and needs to be set with pam_tally or -\fBfaillog\fR(8) -before\&. -.sp -.if n \{\ -.RS 4 -.\} -.nf -auth required pam_securetty\&.so -auth required pam_tally\&.so per_user -auth required pam_env\&.so -auth required pam_unix\&.so -auth required pam_nologin\&.so -account required pam_unix\&.so -password required pam_unix\&.so -session required pam_limits\&.so -session required pam_unix\&.so -session required pam_lastlog\&.so nowtmp -session optional pam_mail\&.so standard - -.fi -.if n \{\ -.RE -.\} -.SH "FILES" -.PP -/var/log/faillog -.RS 4 -failure logging file -.RE -.SH "SEE ALSO" -.PP -\fBfaillog\fR(8), -\fBpam.conf\fR(5), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_tally was written by Tim Baverstock and Tomas Mraz\&. diff --git a/modules/pam_tally/pam_tally.8.xml b/modules/pam_tally/pam_tally.8.xml deleted file mode 100644 index 48230a25..00000000 --- a/modules/pam_tally/pam_tally.8.xml +++ /dev/null @@ -1,459 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_tally"> - - <refmeta> - <refentrytitle>pam_tally</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_tally-name"> - <refname>pam_tally</refname> - <refpurpose>The login counter (tallying) module</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis id="pam_tally-cmdsynopsis1"> - <command>pam_tally.so</command> - <arg choice="opt"> - file=<replaceable>/path/to/counter</replaceable> - </arg> - <arg choice="opt"> - onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>] - </arg> - <arg choice="opt"> - magic_root - </arg> - <arg choice="opt"> - even_deny_root_account - </arg> - <arg choice="opt"> - deny=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - lock_time=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - unlock_time=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - per_user - </arg> - <arg choice="opt"> - no_lock_time - </arg> - <arg choice="opt"> - no_reset - </arg> - <arg choice="opt"> - audit - </arg> - <arg choice="opt"> - silent - </arg> - <arg choice="opt"> - no_log_info - </arg> - </cmdsynopsis> - <cmdsynopsis id="pam_tally-cmdsynopsis2"> - <command>pam_tally</command> - <arg choice="opt"> - --file <replaceable>/path/to/counter</replaceable> - </arg> - <arg choice="opt"> - --user <replaceable>username</replaceable> - </arg> - <arg choice="opt"> - --reset[=<replaceable>n</replaceable>] - </arg> - <arg choice="opt"> - --quiet - </arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1 id="pam_tally-description"> - - <title>DESCRIPTION</title> - - <para> - This module maintains a count of attempted accesses, can - reset count on success, can deny access if too many attempts - fail. - </para> - <para> - pam_tally has several limitations, which are solved with - pam_tally2. For this reason pam_tally is deprecated and - will be removed in a future release. - </para> - <para> - pam_tally comes in two parts: - <emphasis remap='B'>pam_tally.so</emphasis> and - <command>pam_tally</command>. The former is the PAM module and - the latter, a stand-alone program. <command>pam_tally</command> - is an (optional) application which can be used to interrogate and - manipulate the counter file. It can display user counts, set - individual counts, or clear all counts. Setting artificially high - counts may be useful for blocking users without changing their - passwords. For example, one might find it useful to clear all counts - every midnight from a cron job. The - <citerefentry> - <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> command can be used instead of pam_tally to to - maintain the counter file. - </para> - <para> - Normally, failed attempts to access <emphasis>root</emphasis> will - <emphasis remap='B'>not</emphasis> cause the root account to become - blocked, to prevent denial-of-service: if your users aren't given - shell accounts and root may only login via <command>su</command> or - at the machine console (not telnet/rsh, etc), this is safe. - </para> - </refsect1> - - <refsect1 id="pam_tally-options"> - - <title>OPTIONS</title> - <variablelist> - <varlistentry> - <term> - GLOBAL OPTIONS - </term> - <listitem> - <para> - This can be used for <emphasis>auth</emphasis> and - <emphasis>account</emphasis> module types. - </para> - <variablelist> - <varlistentry> - <term> - <option>onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]</option> - </term> - <listitem> - <para> - If something weird happens (like unable to open the file), - return with <errorcode>PAM_SUCCESS</errorcode> if - <option>onerr=<replaceable>succeed</replaceable></option> - is given, else with the corresponding PAM error code. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>file=<replaceable>/path/to/counter</replaceable></option> - </term> - <listitem> - <para> - File where to keep counts. Default is - <filename>/var/log/faillog</filename>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>audit</option> - </term> - <listitem> - <para> - Will log the user name into the system log if the user is not found. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>silent</option> - </term> - <listitem> - <para> - Don't print informative messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>no_log_info</option> - </term> - <listitem> - <para> - Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - </para> - </listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - - <varlistentry> - <term> - AUTH OPTIONS - </term> - <listitem> - <para> - Authentication phase first checks if user should be denied - access and if not it increments attempted login counter. Then - on call to <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> it resets the attempts counter. - </para> - <variablelist> - <varlistentry> - <term> - <option>deny=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - Deny access if tally for this user exceeds - <replaceable>n</replaceable>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>lock_time=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - Always deny for <replaceable>n</replaceable> seconds - after failed attempt. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>unlock_time=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - Allow access after <replaceable>n</replaceable> seconds - after failed attempt. If this option is used the user will - be locked out for the specified amount of time after he - exceeded his maximum allowed attempts. Otherwise the - account is locked until the lock is removed by a manual - intervention of the system administrator. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>magic_root</option> - </term> - <listitem> - <para> - If the module is invoked by a user with uid=0 the - counter is not incremented. The sysadmin should use this - for user launched services, like <command>su</command>, - otherwise this argument should be omitted. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>no_lock_time</option> - </term> - <listitem> - <para> - Do not use the .fail_locktime field in - <filename>/var/log/faillog</filename> for this user. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>no_reset</option> - </term> - <listitem> - <para> - Don't reset count on successful entry, only decrement. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>even_deny_root_account</option> - </term> - <listitem> - <para> - Root account can become unavailable. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>per_user</option> - </term> - <listitem> - <para> - If <filename>/var/log/faillog</filename> contains a non-zero - .fail_max/.fail_locktime field for this user then use it - instead of <option>deny=<replaceable>n</replaceable></option>/ - <option>lock_time=<replaceable>n</replaceable></option> parameter. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>no_lock_time</option> - </term> - <listitem> - <para> - Don't use .fail_locktime filed in - <filename>/var/log/faillog</filename> for this user. - </para> - </listitem> - </varlistentry> - - </variablelist> - </listitem> - </varlistentry> - - - <varlistentry> - <term> - ACCOUNT OPTIONS - </term> - <listitem> - <para> - Account phase resets attempts counter if the user is - <emphasis remap='B'>not</emphasis> magic root. - This phase can be used optionally for services which don't call - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> correctly or if the reset should be done regardless - of the failure of the account phase of other modules. - </para> - <variablelist> - <varlistentry> - <term> - <option>magic_root</option> - </term> - <listitem> - <para> - If the module is invoked by a user with uid=0 the - counter is not incremented. The sysadmin should use this - for user launched services, like <command>su</command>, - otherwise this argument should be omitted. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>no_reset</option> - </term> - <listitem> - <para> - Don't reset count on successful entry, only decrement. - </para> - </listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_tally-types"> - <title>MODULE TYPES PROVIDED</title> - <para> - The <option>auth</option> and <option>account</option> - module types are provided. - </para> - </refsect1> - - <refsect1 id='pam_tally-return_values'> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - A invalid option was given, the module was not able - to retrieve the user name, no valid counter file - was found, or too many failed logins. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Everything was successful. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User not known. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_tally-examples'> - <title>EXAMPLES</title> - <para> - Add the following line to <filename>/etc/pam.d/login</filename> to - lock the account after too many failed logins. The number of - allowed fails is specified by <filename>/var/log/faillog</filename> - and needs to be set with pam_tally or <citerefentry> - <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> before. - </para> - <programlisting> -auth required pam_securetty.so -auth required pam_tally.so per_user -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard - </programlisting> - </refsect1> - - <refsect1 id="pam_tally-files"> - <title>FILES</title> - <variablelist> - <varlistentry> - <term><filename>/var/log/faillog</filename></term> - <listitem> - <para>failure logging file</para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_tally-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_tally-author'> - <title>AUTHOR</title> - <para> - pam_tally was written by Tim Baverstock and Tomas Mraz. - </para> - </refsect1> - -</refentry> diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c deleted file mode 100644 index 66a515c2..00000000 --- a/modules/pam_tally/pam_tally.c +++ /dev/null @@ -1,871 +0,0 @@ -/* - * pam_tally.c - * - */ - - -/* By Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd. - * 5 March 1997 - * - * Stuff stolen from pam_rootok and pam_listfile - * - * Changes by Tomas Mraz <tmraz@redhat.com> 5 January 2005 - * Audit option added for Tomas patch by - * Sebastien Tricaud <toady@gscore.org> 13 January 2005 - */ - -#include "config.h" - -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <stdarg.h> -#include <stdlib.h> -#include <syslog.h> -#include <pwd.h> -#include <time.h> - -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/param.h> -#include "faillog.h" - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#ifndef MAIN -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -/* #define PAM_SM_SESSION */ -/* #define PAM_SM_PASSWORD */ - -#include <security/pam_modutil.h> -#include <security/pam_ext.h> -#endif -#include <security/pam_modules.h> - -#ifndef TRUE -#define TRUE 1L -#define FALSE 0L -#endif - -#ifndef HAVE_FSEEKO -#define fseeko fseek -#endif - -/*---------------------------------------------------------------------*/ - -#define DEFAULT_LOGFILE "/var/log/faillog" -#define MODULE_NAME "pam_tally" - -#define tally_t unsigned short int -#define TALLY_FMT "%hu" -#define TALLY_HI ((tally_t)~0L) - -#ifndef FILENAME_MAX -# define FILENAME_MAX MAXPATHLEN -#endif - -struct fail_s { - struct faillog fs_faillog; -#ifndef MAIN - time_t fs_fail_time; -#endif /* ndef MAIN */ -}; - -struct tally_options { - const char *filename; - tally_t deny; - long lock_time; - long unlock_time; - unsigned int ctrl; -}; - -#define PHASE_UNKNOWN 0 -#define PHASE_AUTH 1 -#define PHASE_ACCOUNT 2 -#define PHASE_SESSION 3 - -#define OPT_MAGIC_ROOT 01 -#define OPT_FAIL_ON_ERROR 02 -#define OPT_DENY_ROOT 04 -#define OPT_PER_USER 010 -#define OPT_NO_LOCK_TIME 020 -#define OPT_NO_RESET 040 -#define OPT_AUDIT 0100 -#define OPT_SILENT 0200 -#define OPT_NOLOGNOTICE 0400 - - -/*---------------------------------------------------------------------*/ - -/* some syslogging */ - -#ifdef MAIN -#define pam_syslog tally_log -static void -tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED, - const char *fmt, ...) -{ - va_list args; - - va_start(args, fmt); - fprintf(stderr, "%s: ", MODULE_NAME); - vfprintf(stderr, fmt, args); - fprintf(stderr,"\n"); - va_end(args); -} - -#define pam_modutil_getpwnam(pamh,user) getpwnam(user) - -#endif - -/*---------------------------------------------------------------------*/ - -/* --- Support function: parse arguments --- */ - -#ifndef MAIN - -static void -log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) -{ - if ( phase != PHASE_AUTH ) { - pam_syslog(pamh, LOG_ERR, - "option %s allowed in auth phase only", argv); - } -} - -static int -tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, - int phase, int argc, const char **argv) -{ - memset(opts, 0, sizeof(*opts)); - opts->filename = DEFAULT_LOGFILE; - - for ( ; argc-- > 0; ++argv ) { - - if ( ! strncmp( *argv, "file=", 5 ) ) { - const char *from = *argv + 5; - if ( *from!='/' || strlen(from)>FILENAME_MAX-1 ) { - pam_syslog(pamh, LOG_ERR, - "filename not /rooted or too long; %s", *argv); - return PAM_AUTH_ERR; - } - opts->filename = from; - } - else if ( ! strcmp( *argv, "onerr=fail" ) ) { - opts->ctrl |= OPT_FAIL_ON_ERROR; - } - else if ( ! strcmp( *argv, "onerr=succeed" ) ) { - opts->ctrl &= ~OPT_FAIL_ON_ERROR; - } - else if ( ! strcmp( *argv, "magic_root" ) ) { - opts->ctrl |= OPT_MAGIC_ROOT; - } - else if ( ! strcmp( *argv, "even_deny_root_account" ) ) { - log_phase_no_auth(pamh, phase, *argv); - opts->ctrl |= OPT_DENY_ROOT; - } - else if ( ! strncmp( *argv, "deny=", 5 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+5,TALLY_FMT,&opts->deny) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - } - else if ( ! strncmp( *argv, "lock_time=", 10 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+10,"%ld",&opts->lock_time) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - } - else if ( ! strncmp( *argv, "unlock_time=", 12 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - } - else if ( ! strcmp( *argv, "per_user" ) ) - { - log_phase_no_auth(pamh, phase, *argv); - opts->ctrl |= OPT_PER_USER; - } - else if ( ! strcmp( *argv, "no_lock_time") ) - { - log_phase_no_auth(pamh, phase, *argv); - opts->ctrl |= OPT_NO_LOCK_TIME; - } - else if ( ! strcmp( *argv, "no_reset" ) ) { - opts->ctrl |= OPT_NO_RESET; - } - else if ( ! strcmp ( *argv, "audit") ) { - opts->ctrl |= OPT_AUDIT; - } - else if ( ! strcmp ( *argv, "silent") ) { - opts->ctrl |= OPT_SILENT; - } - else if ( ! strcmp ( *argv, "no_log_info") ) { - opts->ctrl |= OPT_NOLOGNOTICE; - } - else { - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } - } - - return PAM_SUCCESS; -} - -#endif /* #ifndef MAIN */ - -/*---------------------------------------------------------------------*/ - -/* --- Support function: get uid (and optionally username) from PAM or - cline_user --- */ - -#ifdef MAIN -static char *cline_user=0; /* cline_user is used in the administration prog */ -#endif - -static int -pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts) -{ - const char *user = NULL; - struct passwd *pw; - -#ifdef MAIN - user = cline_user; -#else - if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "pam_get_user; user?"); - return PAM_AUTH_ERR; - } -#endif - - if ( !user || !*user ) { - pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?"); - return PAM_AUTH_ERR; - } - - if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) { - opts->ctrl & OPT_AUDIT ? - pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) : - pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user"); - return PAM_USER_UNKNOWN; - } - - if ( uid ) *uid = pw->pw_uid; - if ( userp ) *userp = user; - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- Support functions: set/get tally data --- */ - -#ifndef MAIN - -static void -_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED) -{ - free(data); -} - - -static void -tally_set_data( pam_handle_t *pamh, time_t oldtime ) -{ - time_t *data; - - if ( (data=malloc(sizeof(time_t))) != NULL ) { - *data = oldtime; - pam_set_data(pamh, MODULE_NAME, (void *)data, _cleanup); - } -} - -static int -tally_get_data( pam_handle_t *pamh, time_t *oldtime ) -{ - int rv; - const void *data; - - rv = pam_get_data(pamh, MODULE_NAME, &data); - if ( rv == PAM_SUCCESS && data != NULL && oldtime != NULL ) { - *oldtime = *(const time_t *)data; - pam_set_data(pamh, MODULE_NAME, NULL, NULL); - } - else { - rv = -1; - if (oldtime) - *oldtime = 0; - } - return rv; -} -#endif /* #ifndef MAIN */ - -/*---------------------------------------------------------------------*/ - -/* --- Support function: open/create tallyfile and return tally for uid --- */ - -/* If on entry *tally==TALLY_HI, tallyfile is opened READONLY */ -/* Otherwise, if on entry tallyfile doesn't exist, creation is attempted. */ - -static int -get_tally(pam_handle_t *pamh, tally_t *tally, uid_t uid, - const char *filename, FILE **TALLY, struct fail_s *fsp) -{ - struct stat fileinfo; - int lstat_ret = lstat(filename,&fileinfo); - - if ( lstat_ret && *tally!=TALLY_HI ) { - int oldmask = umask(077); - *TALLY=fopen(filename, "a"); - /* Create file, or append-open in pathological case. */ - umask(oldmask); - if ( !*TALLY ) { - pam_syslog(pamh, LOG_ALERT, "Couldn't create %s", filename); - return PAM_AUTH_ERR; - } - lstat_ret = fstat(fileno(*TALLY),&fileinfo); - fclose(*TALLY); - } - - if ( lstat_ret ) { - pam_syslog(pamh, LOG_ALERT, "Couldn't stat %s", filename); - return PAM_AUTH_ERR; - } - - if((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - pam_syslog(pamh, LOG_ALERT, - "%s is either world writable or not a normal file", - filename); - return PAM_AUTH_ERR; - } - - if ( ! ( *TALLY = fopen(filename,(*tally!=TALLY_HI)?"r+":"r") ) ) { - pam_syslog(pamh, LOG_ALERT, "Error opening %s for %s", filename, *tally!=TALLY_HI?"update":"read"); - -/* Discovering why account service fails: e/uid are target user. - * - * perror(MODULE_NAME); - * fprintf(stderr,"uid %d euid %d\n",getuid(), geteuid()); - */ - return PAM_AUTH_ERR; - } - - if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) { - pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename); - fclose(*TALLY); - return PAM_AUTH_ERR; - } - - if ( (size_t)fileinfo.st_size <= uid * sizeof(struct faillog) ) { - - memset(fsp, 0, sizeof(struct faillog)); - *tally=0; - fsp->fs_faillog.fail_time = time(NULL); - - } else if (( fread((char *) &fsp->fs_faillog, - sizeof(struct faillog), 1, *TALLY) )==0 ) { - - *tally=0; /* Assuming a gappy filesystem */ - - } else { - - *tally = fsp->fs_faillog.fail_cnt; - - } - - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- Support function: update and close tallyfile with tally!=TALLY_HI --- */ - -static int -set_tally(pam_handle_t *pamh, tally_t tally, uid_t uid, - const char *filename, FILE **TALLY, struct fail_s *fsp) -{ - int retval = PAM_SUCCESS; - - if ( tally!=TALLY_HI ) { - if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) { - pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename); - retval = PAM_AUTH_ERR; - } else { - fsp->fs_faillog.fail_cnt = tally; - if (fwrite((char *) &fsp->fs_faillog, - sizeof(struct faillog), 1, *TALLY)==0 ) { - pam_syslog(pamh, LOG_ALERT, "update (fwrite) failed for %s", filename); - retval = PAM_AUTH_ERR; - } - } - } - - if ( fclose(*TALLY) ) { - pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename); - return PAM_AUTH_ERR; - } - *TALLY=NULL; - return retval; -} - -/*---------------------------------------------------------------------*/ - -/* --- PAM bits --- */ - -#ifndef MAIN - -#define RETURN_ERROR(i) return ((opts->ctrl & OPT_FAIL_ON_ERROR)?(i):(PAM_SUCCESS)) - -/*---------------------------------------------------------------------*/ - -/* --- tally bump function: bump tally for uid by (signed) inc --- */ - -static int -tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, - uid_t uid, const char *user, struct tally_options *opts) -{ - tally_t - tally = 0; /* !TALLY_HI --> Log opened for update */ - - FILE - *TALLY = NULL; - const void - *remote_host = NULL, - *cur_tty = NULL; - struct fail_s fs, *fsp = &fs; - int i; - - i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - - /* to remember old fail time (for locktime) */ - fsp->fs_fail_time = fsp->fs_faillog.fail_time; - if ( inc > 0 ) { - if ( oldtime ) { - *oldtime = fsp->fs_faillog.fail_time; - } - fsp->fs_faillog.fail_time = time(NULL); - } else { - if ( oldtime ) { - fsp->fs_faillog.fail_time = *oldtime; - } - } - (void) pam_get_item(pamh, PAM_RHOST, &remote_host); - if (!remote_host) { - - (void) pam_get_item(pamh, PAM_TTY, &cur_tty); - if (!cur_tty) { - strncpy(fsp->fs_faillog.fail_line, "unknown", - sizeof(fsp->fs_faillog.fail_line) - 1); - fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; - } else { - strncpy(fsp->fs_faillog.fail_line, cur_tty, - sizeof(fsp->fs_faillog.fail_line)-1); - fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; - } - - } else { - strncpy(fsp->fs_faillog.fail_line, remote_host, - (size_t)sizeof(fsp->fs_faillog.fail_line)); - fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; - } - - if ( !(opts->ctrl & OPT_MAGIC_ROOT) || getuid() ) { /* magic_root doesn't change tally */ - - tally+=inc; - - if ( tally==TALLY_HI ) { /* Overflow *and* underflow. :) */ - tally-=inc; - pam_syslog(pamh, LOG_ALERT, "Tally %sflowed for user %s", - (inc<0)?"under":"over",user); - } - } - - i=set_tally(pamh, tally, uid, opts->filename, &TALLY, fsp ); - if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - - return PAM_SUCCESS; -} - -static int -tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid, - const char *user, struct tally_options *opts) -{ - tally_t - deny = opts->deny; - tally_t - tally = TALLY_HI; - long - lock_time = opts->lock_time; - - struct fail_s fs, *fsp = &fs; - FILE *TALLY=0; - int i; - - i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - - if ( TALLY != NULL ) { - fclose(TALLY); - } - - if ( !(opts->ctrl & OPT_MAGIC_ROOT) || getuid() ) { /* magic_root skips tally check */ - - /* To deny or not to deny; that is the question */ - - /* if there's .fail_max entry and per_user=TRUE then deny=.fail_max */ - - if ( (fsp->fs_faillog.fail_max) && (opts->ctrl & OPT_PER_USER) ) { - deny = fsp->fs_faillog.fail_max; - } - if ( (fsp->fs_faillog.fail_locktime) && (opts->ctrl & OPT_PER_USER) ) { - lock_time = fsp->fs_faillog.fail_locktime; - } - if (lock_time && oldtime - && !(opts->ctrl & OPT_NO_LOCK_TIME) ) - { - if ( lock_time + oldtime > time(NULL) ) - { - if (!(opts->ctrl & OPT_SILENT)) - pam_info (pamh, - _("Account temporary locked (%ld seconds left)"), - oldtime+lock_time-time(NULL)); - - if (!(opts->ctrl & OPT_NOLOGNOTICE)) - pam_syslog (pamh, LOG_NOTICE, - "user %s (%lu) has time limit [%lds left]" - " since last failure.", - user, (unsigned long int) uid, - oldtime+lock_time-time(NULL)); - return PAM_AUTH_ERR; - } - } - if (opts->unlock_time && oldtime) - { - if ( opts->unlock_time + oldtime <= time(NULL) ) - { /* ignore deny check after unlock_time elapsed */ - return PAM_SUCCESS; - } - } - if ( - ( deny != 0 ) && /* deny==0 means no deny */ - ( tally > deny ) && /* tally>deny means exceeded */ - ( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */ - ) { - if (!(opts->ctrl & OPT_SILENT)) - pam_info (pamh, _("Account locked due to %u failed logins"), - (unsigned int)tally); - - if (!(opts->ctrl & OPT_NOLOGNOTICE)) - pam_syslog(pamh, LOG_NOTICE, - "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, - user, (unsigned long int) uid, tally, deny); - return PAM_AUTH_ERR; /* Only unconditional failure */ - } - } - - return PAM_SUCCESS; -} - -static int -tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts) -{ - tally_t - tally = 0; /* !TALLY_HI --> Log opened for update */ - - struct fail_s fs, *fsp = &fs; - FILE *TALLY=0; - int i; - - i=get_tally(pamh, &tally, uid, opts->filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - - /* resets if not magic root - */ - - if ( (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) - && !(opts->ctrl & OPT_NO_RESET) ) - { tally=0; } - - if (tally == 0) - { - fsp->fs_faillog.fail_time = (time_t) 0; - strcpy(fsp->fs_faillog.fail_line, ""); - } - - i=set_tally(pamh, tally, uid, opts->filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { RETURN_ERROR( i ); } - - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -#ifdef PAM_SM_AUTH - -int -pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int - rvcheck, rvbump; - time_t - oldtime = 0; - struct tally_options - options, *opts = &options; - uid_t - uid; - const char - *user; - - rvcheck = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); - if ( rvcheck != PAM_SUCCESS ) - RETURN_ERROR( rvcheck ); - - if (flags & PAM_SILENT) - opts->ctrl |= OPT_SILENT; - - rvcheck = pam_get_uid(pamh, &uid, &user, opts); - if ( rvcheck != PAM_SUCCESS ) - RETURN_ERROR( rvcheck ); - - rvbump = tally_bump(1, &oldtime, pamh, uid, user, opts); - rvcheck = tally_check(oldtime, pamh, uid, user, opts); - - tally_set_data(pamh, oldtime); - - return rvcheck != PAM_SUCCESS ? rvcheck : rvbump; -} - -int -pam_sm_setcred(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int - rv; - time_t - oldtime = 0; - struct tally_options - options, *opts = &options; - uid_t - uid; - const char - *user; - - rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - if (flags & PAM_SILENT) - opts->ctrl |= OPT_SILENT; - - rv = pam_get_uid(pamh, &uid, &user, opts); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - if ( tally_get_data(pamh, &oldtime) != 0 ) - /* no data found */ - return PAM_SUCCESS; - - if ( (rv=tally_bump(-1, &oldtime, pamh, uid, user, opts)) != PAM_SUCCESS ) - return rv; - return tally_reset(pamh, uid, opts); -} - -#endif - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -#ifdef PAM_SM_ACCOUNT - -/* To reset failcount of user on successfull login */ - -int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int - rv; - time_t - oldtime = 0; - struct tally_options - options, *opts = &options; - uid_t - uid; - const char - *user; - - rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - if (flags & PAM_SILENT) - opts->ctrl |= OPT_SILENT; - - rv = pam_get_uid(pamh, &uid, &user, opts); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - if ( tally_get_data(pamh, &oldtime) != 0 ) - /* no data found */ - return PAM_SUCCESS; - - if ( (rv=tally_bump(-1, &oldtime, pamh, uid, user, opts)) != PAM_SUCCESS ) - return rv; - return tally_reset(pamh, uid, opts); -} - -#endif /* #ifdef PAM_SM_ACCOUNT */ - -/*-----------------------------------------------------------------------*/ - -#else /* #ifndef MAIN */ - -static const char *cline_filename = DEFAULT_LOGFILE; -static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */ -static int cline_quiet = 0; - -/* - * Not going to link with pamlib just for these.. :) - */ - -static const char * -pam_errors( int i ) -{ - switch (i) { - case PAM_AUTH_ERR: return _("Authentication error"); - case PAM_SERVICE_ERR: return _("Service error"); - case PAM_USER_UNKNOWN: return _("Unknown user"); - default: return _("Unknown error"); - } -} - -static int -getopts( char **argv ) -{ - const char *pname = *argv; - for ( ; *argv ; (void)(*argv && ++argv) ) { - if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; - else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7; - else if ( !strcmp (*argv,"--user") ) cline_user=*++argv; - else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7; - else if ( !strcmp (*argv,"--reset") ) cline_reset=0; - else if ( !strncmp(*argv,"--reset=",8)) { - if ( sscanf(*argv+8,TALLY_FMT,&cline_reset) != 1 ) - fprintf(stderr,_("%s: Bad number given to --reset=\n"),pname), exit(0); - } - else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; - else { - fprintf(stderr,_("%s: Unrecognised option %s\n"),pname,*argv); - return FALSE; - } - } - return TRUE; -} - -int main ( int argc UNUSED, char **argv ) -{ - struct fail_s fs, *fsp = &fs; - - if ( ! getopts( argv+1 ) ) { - printf(_("%s: [--file rooted-filename] [--user username] " - "[--reset[=n]] [--quiet]\n"), - *argv); - exit(0); - } - - umask(077); - - /* - * Major difference between individual user and all users: - * --user just handles one user, just like PAM. - * --user=* handles all users, sniffing cline_filename for nonzeros - */ - - if ( cline_user ) { - uid_t uid; - tally_t tally=cline_reset; - FILE *TALLY=0; - struct tally_options opts; - int i; - - memset(&opts, 0, sizeof(opts)); - opts.ctrl = OPT_AUDIT; - i=pam_get_uid(NULL, &uid, NULL, &opts); - if ( i != PAM_SUCCESS ) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - - i=get_tally(NULL, &tally, uid, cline_filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - - if ( !cline_quiet ) - printf("User %s\t(%lu)\t%s "TALLY_FMT"\n",cline_user, - (unsigned long int) uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - - i=set_tally(NULL, cline_reset, uid, cline_filename, &TALLY, fsp); - if ( i != PAM_SUCCESS ) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - } - else /* !cline_user (ie, operate on all users) */ { - FILE *TALLY=fopen(cline_filename, "r"); - uid_t uid=0; - if ( !TALLY ) perror(*argv), exit(0); - - for ( ; !feof(TALLY); uid++ ) { - tally_t tally; - struct passwd *pw; - if ( ! fread((char *) &fsp->fs_faillog, - sizeof (struct faillog), 1, TALLY) - || ! fsp->fs_faillog.fail_cnt ) { - continue; - } - tally = fsp->fs_faillog.fail_cnt; - - if ( ( pw=getpwuid(uid) ) ) { - printf("User %s\t(%lu)\t%s "TALLY_FMT"\n",pw->pw_name, - (unsigned long int) uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - } - else { - printf("User [NONAME]\t(%lu)\t%s "TALLY_FMT"\n", - (unsigned long int) uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - } - } - fclose(TALLY); - if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { - fprintf(stderr,_("%s: Can't reset all users to non-zero\n"),*argv); - } - else if ( !cline_reset ) { - TALLY=fopen(cline_filename, "w"); - if ( !TALLY ) perror(*argv), exit(0); - fclose(TALLY); - } - } - return 0; -} - - -#endif /* #ifndef MAIN */ diff --git a/modules/pam_tally/pam_tally_app.c b/modules/pam_tally/pam_tally_app.c deleted file mode 100644 index ad288549..00000000 --- a/modules/pam_tally/pam_tally_app.c +++ /dev/null @@ -1,6 +0,0 @@ -/* - # This seemed like such a good idea at the time. :) - */ - -#define MAIN -#include "pam_tally.c" diff --git a/modules/pam_tally/tst-pam_tally b/modules/pam_tally/tst-pam_tally deleted file mode 100755 index 15291af6..00000000 --- a/modules/pam_tally/tst-pam_tally +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -../../tests/tst-dlopen .libs/pam_tally.so diff --git a/modules/pam_tally2/Makefile.am b/modules/pam_tally2/Makefile.am deleted file mode 100644 index ec898645..00000000 --- a/modules/pam_tally2/Makefile.am +++ /dev/null @@ -1,41 +0,0 @@ -# -# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> -# Copyright (c) 2008 Red Hat, Inc. -# - -CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MANS) README - -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2 - -man_MANS = pam_tally2.8 -XMLS = README.xml pam_tally2.8.xml - -TESTS = tst-pam_tally2 - -securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) - -noinst_HEADERS = tallylog.h - -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include - -pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module -pam_tally2_la_LIBADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) -if HAVE_VERSIONING - pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -endif - -pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) - -securelib_LTLIBRARIES = pam_tally2.la -sbin_PROGRAMS = pam_tally2 - -pam_tally2_la_SOURCES = pam_tally2.c -pam_tally2_SOURCES = pam_tally2_app.c - -if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_tally2.8.xml --include $(top_srcdir)/Make.xml.rules -endif diff --git a/modules/pam_tally2/README b/modules/pam_tally2/README deleted file mode 100644 index 6ac77be3..00000000 --- a/modules/pam_tally2/README +++ /dev/null @@ -1,154 +0,0 @@ -pam_tally2 — The login counter (tallying) module - -â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” - -DESCRIPTION - -This module maintains a count of attempted accesses, can reset count on -success, can deny access if too many attempts fail. - -pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the -PAM module and the latter, a stand-alone program. pam_tally2 is an (optional) -application which can be used to interrogate and manipulate the counter file. -It can display user counts, set individual counts, or clear all counts. Setting -artificially high counts may be useful for blocking users without changing -their passwords. For example, one might find it useful to clear all counts -every midnight from a cron job. - -Normally, failed attempts to access root will not cause the root account to -become blocked, to prevent denial-of-service: if your users aren't given shell -accounts and root may only login via su or at the machine console (not telnet/ -rsh, etc), this is safe. - -OPTIONS - -GLOBAL OPTIONS - - This can be used for auth and account module types. - - onerr=[fail|succeed] - - If something weird happens (like unable to open the file), return with - PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM - error code. - - file=/path/to/counter - - File where to keep counts. Default is /var/log/tallylog. - - audit - - Will log the user name into the system log if the user is not found. - - silent - - Don't print informative messages. - - no_log_info - - Don't log informative messages via syslog(3). - - debug - - Always log tally count when it is incremented as a debug level message - to the system log. - -AUTH OPTIONS - - Authentication phase first increments attempted login counter and checks if - user should be denied access. If the user is authenticated and the login - process continues on call to pam_setcred(3) it resets the attempts counter. - - deny=n - - Deny access if tally for this user exceeds n. - - lock_time=n - - Always deny for n seconds after failed attempt. - - unlock_time=n - - Allow access after n seconds after failed attempt. If this option is - used the user will be locked out for the specified amount of time after - he exceeded his maximum allowed attempts. Otherwise the account is - locked until the lock is removed by a manual intervention of the system - administrator. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sysadmin should use this for user launched services, - like su, otherwise this argument should be omitted. - - even_deny_root - - Root account can become unavailable. - - root_unlock_time=n - - This option implies even_deny_root option. Allow access after n seconds - to root account after failed attempt. If this option is used the root - user will be locked out for the specified amount of time after he - exceeded his maximum allowed attempts. - - serialize - - Serialize access to the tally file using locks. This option might be - used only for non-multithreaded services because it depends on the - fcntl locking of the tally file. Also it is a good idea to use this - option only in such configurations where the time between auth phase - and account or setcred phase is not dependent on the authenticating - client. Otherwise the authenticating client will be able to prevent - simultaneous authentications by the same user by simply artificially - prolonging the time the file record lock is held. - -ACCOUNT OPTIONS - - Account phase resets attempts counter if the user is not magic root. This - phase can be used optionally for services which don't call pam_setcred(3) - correctly or if the reset should be done regardless of the failure of the - account phase of other modules. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - changed. The sysadmin should use this for user launched services, like - su, otherwise this argument should be omitted. - -NOTES - -pam_tally2 is not compatible with the old pam_tally faillog file format. This -is caused by requirement of compatibility of the tallylog file format between -32bit and 64bit architectures on multiarch systems. - -There is no setuid wrapper for access to the data file such as when the -pam_tally2.so module is called from xscreensaver. As this would make it -impossible to share PAM configuration with such services the following -workaround is used: If the data file cannot be opened because of insufficient -permissions (EACCES) the module returns PAM_IGNORE. - -EXAMPLES - -Add the following line to /etc/pam.d/login to lock the account after 4 failed -logins. Root account will be locked as well. The accounts will be automatically -unlocked after 20 minutes. The module does not have to be called in the account -phase because the login calls pam_setcred(3) correctly. - -auth required pam_securetty.so -auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200 -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard - - -AUTHOR - -pam_tally2 was written by Tim Baverstock and Tomas Mraz. - diff --git a/modules/pam_tally2/README.xml b/modules/pam_tally2/README.xml deleted file mode 100644 index aa470570..00000000 --- a/modules/pam_tally2/README.xml +++ /dev/null @@ -1,46 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_tally2.8.xml"> ---> -]> - -<article> - - <articleinfo> - - <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally2.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tally2-name"]/*)'/> - </title> - - </articleinfo> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-description"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-options"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-notes"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-examples"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-author"]/*)'/> - </section> - -</article> diff --git a/modules/pam_tally2/pam_tally2.8 b/modules/pam_tally2/pam_tally2.8 deleted file mode 100644 index 4e700e70..00000000 --- a/modules/pam_tally2/pam_tally2.8 +++ /dev/null @@ -1,242 +0,0 @@ -'\" t -.\" Title: pam_tally2 -.\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" Language: English -.\" -.TH "PAM_TALLY2" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" ----------------------------------------------------------------- -.\" * Define some portability stuff -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" http://bugs.debian.org/507673 -.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" ----------------------------------------------------------------- -.\" * set default formatting -.\" ----------------------------------------------------------------- -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.\" ----------------------------------------------------------------- -.\" * MAIN CONTENT STARTS HERE * -.\" ----------------------------------------------------------------- -.SH "NAME" -pam_tally2 \- The login counter (tallying) module -.SH "SYNOPSIS" -.HP \w'\fBpam_tally2\&.so\fR\ 'u -\fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [serialize] [audit] [silent] [no_log_info] [debug] -.HP \w'\fBpam_tally2\fR\ 'u -\fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] -.SH "DESCRIPTION" -.PP -This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. -.PP -pam_tally2 comes in two parts: -\fBpam_tally2\&.so\fR -and -\fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. -\fBpam_tally2\fR -is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display user counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. -.PP -Normally, failed attempts to access -\fIroot\fR -will -\fBnot\fR -cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via -\fBsu\fR -or at the machine console (not telnet/rsh, etc), this is safe\&. -.SH "OPTIONS" -.PP -GLOBAL OPTIONS -.RS 4 -This can be used for -\fIauth\fR -and -\fIaccount\fR -module types\&. -.PP -\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR -.RS 4 -If something weird happens (like unable to open the file), return with -\fBPAM_SUCCESS\fR -if -\fBonerr=\fR\fB\fIsucceed\fR\fR -is given, else with the corresponding PAM error code\&. -.RE -.PP -\fBfile=\fR\fB\fI/path/to/counter\fR\fR -.RS 4 -File where to keep counts\&. Default is -/var/log/tallylog\&. -.RE -.PP -\fBaudit\fR -.RS 4 -Will log the user name into the system log if the user is not found\&. -.RE -.PP -\fBsilent\fR -.RS 4 -Don\*(Aqt print informative messages\&. -.RE -.PP -\fBno_log_info\fR -.RS 4 -Don\*(Aqt log informative messages via -\fBsyslog\fR(3)\&. -.RE -.PP -\fBdebug\fR -.RS 4 -Always log tally count when it is incremented as a debug level message to the system log\&. -.RE -.RE -.PP -AUTH OPTIONS -.RS 4 -Authentication phase first increments attempted login counter and checks if user should be denied access\&. If the user is authenticated and the login process continues on call to -\fBpam_setcred\fR(3) -it resets the attempts counter\&. -.PP -\fBdeny=\fR\fB\fIn\fR\fR -.RS 4 -Deny access if tally for this user exceeds -\fIn\fR\&. -.RE -.PP -\fBlock_time=\fR\fB\fIn\fR\fR -.RS 4 -Always deny for -\fIn\fR -seconds after failed attempt\&. -.RE -.PP -\fBunlock_time=\fR\fB\fIn\fR\fR -.RS 4 -Allow access after -\fIn\fR -seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. -.RE -.PP -\fBmagic_root\fR -.RS 4 -If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted\&. -.RE -.PP -\fBeven_deny_root\fR -.RS 4 -Root account can become unavailable\&. -.RE -.PP -\fBroot_unlock_time=\fR\fB\fIn\fR\fR -.RS 4 -This option implies -\fBeven_deny_root\fR -option\&. Allow access after -\fIn\fR -seconds to root account after failed attempt\&. If this option is used the root user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. -.RE -.PP -\fBserialize\fR -.RS 4 -Serialize access to the tally file using locks\&. This option might be used only for non\-multithreaded services because it depends on the fcntl locking of the tally file\&. Also it is a good idea to use this option only in such configurations where the time between auth phase and account or setcred phase is not dependent on the authenticating client\&. Otherwise the authenticating client will be able to prevent simultaneous authentications by the same user by simply artificially prolonging the time the file record lock is held\&. -.RE -.RE -.PP -ACCOUNT OPTIONS -.RS 4 -Account phase resets attempts counter if the user is -\fBnot\fR -magic root\&. This phase can be used optionally for services which don\*(Aqt call -\fBpam_setcred\fR(3) -correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. -.PP -\fBmagic_root\fR -.RS 4 -If the module is invoked by a user with uid=0 the counter is not changed\&. The sysadmin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted\&. -.RE -.RE -.SH "MODULE TYPES PROVIDED" -.PP -The -\fBauth\fR -and -\fBaccount\fR -module types are provided\&. -.SH "RETURN VALUES" -.PP -PAM_AUTH_ERR -.RS 4 -A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. -.RE -.PP -PAM_SUCCESS -.RS 4 -Everything was successful\&. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -User not known\&. -.RE -.SH "NOTES" -.PP -pam_tally2 is not compatible with the old pam_tally faillog file format\&. This is caused by requirement of compatibility of the tallylog file format between 32bit and 64bit architectures on multiarch systems\&. -.PP -There is no setuid wrapper for access to the data file such as when the -\fBpam_tally2\&.so\fR -module is called from xscreensaver\&. As this would make it impossible to share PAM configuration with such services the following workaround is used: If the data file cannot be opened because of insufficient permissions (\fBEACCES\fR) the module returns -\fBPAM_IGNORE\fR\&. -.SH "EXAMPLES" -.PP -Add the following line to -/etc/pam\&.d/login -to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the -\fBlogin\fR -calls -\fBpam_setcred\fR(3) -correctly\&. -.sp -.if n \{\ -.RS 4 -.\} -.nf -auth required pam_securetty\&.so -auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200 -auth required pam_env\&.so -auth required pam_unix\&.so -auth required pam_nologin\&.so -account required pam_unix\&.so -password required pam_unix\&.so -session required pam_limits\&.so -session required pam_unix\&.so -session required pam_lastlog\&.so nowtmp -session optional pam_mail\&.so standard - -.fi -.if n \{\ -.RE -.\} -.SH "FILES" -.PP -/var/log/tallylog -.RS 4 -failure count logging file -.RE -.SH "SEE ALSO" -.PP -\fBpam.conf\fR(5), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_tally2 was written by Tim Baverstock and Tomas Mraz\&. diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml deleted file mode 100644 index cf5d76d9..00000000 --- a/modules/pam_tally2/pam_tally2.8.xml +++ /dev/null @@ -1,450 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_tally2"> - - <refmeta> - <refentrytitle>pam_tally2</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_tally2-name"> - <refname>pam_tally2</refname> - <refpurpose>The login counter (tallying) module</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis id="pam_tally2-cmdsynopsis1"> - <command>pam_tally2.so</command> - <arg choice="opt"> - file=<replaceable>/path/to/counter</replaceable> - </arg> - <arg choice="opt"> - onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>] - </arg> - <arg choice="opt"> - magic_root - </arg> - <arg choice="opt"> - even_deny_root - </arg> - <arg choice="opt"> - deny=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - lock_time=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - unlock_time=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - root_unlock_time=<replaceable>n</replaceable> - </arg> - <arg choice="opt"> - serialize - </arg> - <arg choice="opt"> - audit - </arg> - <arg choice="opt"> - silent - </arg> - <arg choice="opt"> - no_log_info - </arg> - <arg choice="opt"> - debug - </arg> - </cmdsynopsis> - <cmdsynopsis id="pam_tally2-cmdsynopsis2"> - <command>pam_tally2</command> - <arg choice="opt"> - --file <replaceable>/path/to/counter</replaceable> - </arg> - <arg choice="opt"> - --user <replaceable>username</replaceable> - </arg> - <arg choice="opt"> - --reset[=<replaceable>n</replaceable>] - </arg> - <arg choice="opt"> - --quiet - </arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1 id="pam_tally2-description"> - - <title>DESCRIPTION</title> - - <para> - This module maintains a count of attempted accesses, can - reset count on success, can deny access if too many attempts fail. - </para> - <para> - pam_tally2 comes in two parts: - <emphasis remap='B'>pam_tally2.so</emphasis> and - <command>pam_tally2</command>. The former is the PAM module and - the latter, a stand-alone program. <command>pam_tally2</command> - is an (optional) application which can be used to interrogate and - manipulate the counter file. It can display user counts, set - individual counts, or clear all counts. Setting artificially high - counts may be useful for blocking users without changing their - passwords. For example, one might find it useful to clear all counts - every midnight from a cron job. - </para> - <para> - Normally, failed attempts to access <emphasis>root</emphasis> will - <emphasis remap='B'>not</emphasis> cause the root account to become - blocked, to prevent denial-of-service: if your users aren't given - shell accounts and root may only login via <command>su</command> or - at the machine console (not telnet/rsh, etc), this is safe. - </para> - </refsect1> - - <refsect1 id="pam_tally2-options"> - - <title>OPTIONS</title> - <variablelist> - <varlistentry> - <term> - GLOBAL OPTIONS - </term> - <listitem> - <para> - This can be used for <emphasis>auth</emphasis> and - <emphasis>account</emphasis> module types. - </para> - <variablelist> - <varlistentry> - <term> - <option>onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]</option> - </term> - <listitem> - <para> - If something weird happens (like unable to open the file), - return with <errorcode>PAM_SUCCESS</errorcode> if - <option>onerr=<replaceable>succeed</replaceable></option> - is given, else with the corresponding PAM error code. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>file=<replaceable>/path/to/counter</replaceable></option> - </term> - <listitem> - <para> - File where to keep counts. Default is - <filename>/var/log/tallylog</filename>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>audit</option> - </term> - <listitem> - <para> - Will log the user name into the system log if the user is not found. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>silent</option> - </term> - <listitem> - <para> - Don't print informative messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>no_log_info</option> - </term> - <listitem> - <para> - Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>debug</option> - </term> - <listitem> - <para> - Always log tally count when it is incremented as a debug level message to the system log. - </para> - </listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - - <varlistentry> - <term> - AUTH OPTIONS - </term> - <listitem> - <para> - Authentication phase first increments attempted login counter and - checks if user should be denied access. If the user is authenticated - and the login process continues on call to <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> it resets the attempts counter. - </para> - <variablelist> - <varlistentry> - <term> - <option>deny=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - Deny access if tally for this user exceeds - <replaceable>n</replaceable>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>lock_time=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - Always deny for <replaceable>n</replaceable> seconds - after failed attempt. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>unlock_time=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - Allow access after <replaceable>n</replaceable> seconds - after failed attempt. If this option is used the user will - be locked out for the specified amount of time after he - exceeded his maximum allowed attempts. Otherwise the - account is locked until the lock is removed by a manual - intervention of the system administrator. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>magic_root</option> - </term> - <listitem> - <para> - If the module is invoked by a user with uid=0 the - counter is not incremented. The sysadmin should use this - for user launched services, like <command>su</command>, - otherwise this argument should be omitted. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>even_deny_root</option> - </term> - <listitem> - <para> - Root account can become unavailable. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>root_unlock_time=<replaceable>n</replaceable></option> - </term> - <listitem> - <para> - This option implies <option>even_deny_root</option> option. - Allow access after <replaceable>n</replaceable> seconds - to root account after failed attempt. If this option is used - the root user will be locked out for the specified amount of - time after he exceeded his maximum allowed attempts. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>serialize</option> - </term> - <listitem> - <para> - Serialize access to the tally file using locks. This option might - be used only for non-multithreaded services because it depends on - the fcntl locking of the tally file. Also it is a good idea to use - this option only in such configurations where the time between auth - phase and account or setcred phase is not dependent on the - authenticating client. Otherwise the authenticating client will be - able to prevent simultaneous authentications by the same user by - simply artificially prolonging the time the file record lock is held. - </para> - </listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - - - <varlistentry> - <term> - ACCOUNT OPTIONS - </term> - <listitem> - <para> - Account phase resets attempts counter if the user is - <emphasis remap='B'>not</emphasis> magic root. - This phase can be used optionally for services which don't call - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> correctly or if the reset should be done regardless - of the failure of the account phase of other modules. - </para> - <variablelist> - <varlistentry> - <term> - <option>magic_root</option> - </term> - <listitem> - <para> - If the module is invoked by a user with uid=0 the - counter is not changed. The sysadmin should use this - for user launched services, like <command>su</command>, - otherwise this argument should be omitted. - </para> - </listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_tally2-types"> - <title>MODULE TYPES PROVIDED</title> - <para> - The <option>auth</option> and <option>account</option> - module types are provided. - </para> - </refsect1> - - <refsect1 id='pam_tally2-return_values'> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - A invalid option was given, the module was not able - to retrieve the user name, no valid counter file - was found, or too many failed logins. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Everything was successful. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User not known. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_tally2-notes'> - <title>NOTES</title> - <para> - pam_tally2 is not compatible with the old pam_tally faillog file format. - This is caused by requirement of compatibility of the tallylog file - format between 32bit and 64bit architectures on multiarch systems. - </para> - <para> - There is no setuid wrapper for access to the data file such as when the - <emphasis remap='B'>pam_tally2.so</emphasis> module is called from - xscreensaver. As this would make it impossible to share PAM configuration - with such services the following workaround is used: If the data file - cannot be opened because of insufficient permissions - (<errorcode>EACCES</errorcode>) the module returns - <errorcode>PAM_IGNORE</errorcode>. - </para> - </refsect1> - - <refsect1 id='pam_tally2-examples'> - <title>EXAMPLES</title> - <para> - Add the following line to <filename>/etc/pam.d/login</filename> to - lock the account after 4 failed logins. Root account will be locked - as well. The accounts will be automatically unlocked after 20 minutes. - The module does not have to be called in the account phase because the - <command>login</command> calls <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> correctly. - </para> - <programlisting> -auth required pam_securetty.so -auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200 -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard - </programlisting> - </refsect1> - - <refsect1 id="pam_tally2-files"> - <title>FILES</title> - <variablelist> - <varlistentry> - <term><filename>/var/log/tallylog</filename></term> - <listitem> - <para>failure count logging file</para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_tally2-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_tally2-author'> - <title>AUTHOR</title> - <para> - pam_tally2 was written by Tim Baverstock and Tomas Mraz. - </para> - </refsect1> - -</refentry> diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c deleted file mode 100644 index da1c0481..00000000 --- a/modules/pam_tally2/pam_tally2.c +++ /dev/null @@ -1,1049 +0,0 @@ -/* - * pam_tally2.c - * - */ - - -/* By Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd. - * 5 March 1997 - * - * Stuff stolen from pam_rootok and pam_listfile - * - * Changes by Tomas Mraz <tmraz@redhat.com> 5 January 2005, 26 January 2006 - * Audit option added for Tomas patch by Sebastien Tricaud <toady@gscore.org> 13 January 2005 - * Portions Copyright 2006, Red Hat, Inc. - * Portions Copyright 1989 - 1993, Julianne Frances Haugh - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of Julianne F. Haugh nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "config.h" - -#if defined(MAIN) && defined(MEMORY_DEBUG) -# undef exit -#endif /* defined(MAIN) && defined(MEMORY_DEBUG) */ - -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <stdarg.h> -#include <stdlib.h> -#include <syslog.h> -#include <pwd.h> -#include <time.h> -#include <stdint.h> -#include <errno.h> -#ifdef HAVE_LIBAUDIT -#include <libaudit.h> -#endif - -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/param.h> -#include <fcntl.h> -#include <unistd.h> -#include <signal.h> -#include "tallylog.h" - -#ifndef TRUE -#define TRUE 1L -#define FALSE 0L -#endif - -#ifndef HAVE_FSEEKO -#define fseeko fseek -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#ifndef MAIN -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -/* #define PAM_SM_SESSION */ -/* #define PAM_SM_PASSWORD */ - -#include <security/pam_ext.h> -#endif -#include <security/pam_modutil.h> -#include <security/pam_modules.h> - -/*---------------------------------------------------------------------*/ - -#define DEFAULT_LOGFILE "/var/log/tallylog" -#define MODULE_NAME "pam_tally2" - -#define tally_t uint16_t -#define TALLY_HI ((tally_t)~0L) - -struct tally_options { - const char *filename; - tally_t deny; - long lock_time; - long unlock_time; - long root_unlock_time; - unsigned int ctrl; -}; - -#define PHASE_UNKNOWN 0 -#define PHASE_AUTH 1 -#define PHASE_ACCOUNT 2 -#define PHASE_SESSION 3 - -#define OPT_MAGIC_ROOT 01 -#define OPT_FAIL_ON_ERROR 02 -#define OPT_DENY_ROOT 04 -#define OPT_QUIET 040 -#define OPT_AUDIT 0100 -#define OPT_NOLOGNOTICE 0400 -#define OPT_SERIALIZE 01000 -#define OPT_DEBUG 02000 - -#define MAX_LOCK_WAITING_TIME 10 - -/*---------------------------------------------------------------------*/ - -/* some syslogging */ - -#ifdef MAIN -#define pam_syslog tally_log -static void -tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED, - const char *fmt, ...) -{ - va_list args; - - va_start(args, fmt); - fprintf(stderr, "%s: ", MODULE_NAME); - vfprintf(stderr, fmt, args); - fprintf(stderr,"\n"); - va_end(args); -} - -#define pam_modutil_getpwnam(pamh, user) getpwnam(user) -#endif - -/*---------------------------------------------------------------------*/ - -/* --- Support function: parse arguments --- */ - -#ifndef MAIN - -static void -log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) -{ - if ( phase != PHASE_AUTH ) { - pam_syslog(pamh, LOG_ERR, - "option %s allowed in auth phase only", argv); - } -} - -static int -tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, - int phase, int argc, const char **argv) -{ - memset(opts, 0, sizeof(*opts)); - opts->filename = DEFAULT_LOGFILE; - opts->ctrl = OPT_FAIL_ON_ERROR; - opts->root_unlock_time = -1; - - for ( ; argc-- > 0; ++argv ) { - - if ( ! strncmp( *argv, "file=", 5 ) ) { - const char *from = *argv + 5; - if ( *from!='/' ) { - pam_syslog(pamh, LOG_ERR, - "filename not /rooted; %s", *argv); - return PAM_AUTH_ERR; - } - opts->filename = from; - } - else if ( ! strcmp( *argv, "onerr=fail" ) ) { - opts->ctrl |= OPT_FAIL_ON_ERROR; - } - else if ( ! strcmp( *argv, "onerr=succeed" ) ) { - opts->ctrl &= ~OPT_FAIL_ON_ERROR; - } - else if ( ! strcmp( *argv, "magic_root" ) ) { - opts->ctrl |= OPT_MAGIC_ROOT; - } - else if ( ! strcmp( *argv, "serialize" ) ) { - opts->ctrl |= OPT_SERIALIZE; - } - else if ( ! strcmp( *argv, "debug" ) ) { - opts->ctrl |= OPT_DEBUG; - } - else if ( ! strcmp( *argv, "even_deny_root_account" ) || - ! strcmp( *argv, "even_deny_root" ) ) { - log_phase_no_auth(pamh, phase, *argv); - opts->ctrl |= OPT_DENY_ROOT; - } - else if ( ! strncmp( *argv, "deny=", 5 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+5,"%hu",&opts->deny) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - } - else if ( ! strncmp( *argv, "lock_time=", 10 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+10,"%ld",&opts->lock_time) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - } - else if ( ! strncmp( *argv, "unlock_time=", 12 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - } - else if ( ! strncmp( *argv, "root_unlock_time=", 17 ) ) { - log_phase_no_auth(pamh, phase, *argv); - if ( sscanf((*argv)+17,"%ld",&opts->root_unlock_time) != 1 ) { - pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); - return PAM_AUTH_ERR; - } - opts->ctrl |= OPT_DENY_ROOT; /* even_deny_root implied */ - } - else if ( ! strcmp( *argv, "quiet" ) || - ! strcmp ( *argv, "silent")) { - opts->ctrl |= OPT_QUIET; - } - else if ( ! strcmp ( *argv, "no_log_info") ) { - opts->ctrl |= OPT_NOLOGNOTICE; - } - else if ( ! strcmp ( *argv, "audit") ) { - opts->ctrl |= OPT_AUDIT; - } - else { - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } - } - - if (opts->root_unlock_time == -1) - opts->root_unlock_time = opts->unlock_time; - - return PAM_SUCCESS; -} - -#endif /* #ifndef MAIN */ - -/*---------------------------------------------------------------------*/ - -/* --- Support function: get uid (and optionally username) from PAM or - cline_user --- */ - -#ifdef MAIN -static char *cline_user=0; /* cline_user is used in the administration prog */ -#endif - -static int -pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts) -{ - const char *user = NULL; - struct passwd *pw; - -#ifdef MAIN - user = cline_user; -#else - if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) { - user = NULL; - } -#endif - - if ( !user || !*user ) { - pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?"); - return PAM_AUTH_ERR; - } - - if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) { - opts->ctrl & OPT_AUDIT ? - pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) : - pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user"); - return PAM_USER_UNKNOWN; - } - - if ( uid ) *uid = pw->pw_uid; - if ( userp ) *userp = user; - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- Support functions: set/get tally data --- */ - -#ifndef MAIN - -struct tally_data { - time_t time; - int tfile; -}; - -static void -_cleanup(pam_handle_t *pamh UNUSED, void *void_data, int error_status UNUSED) -{ - struct tally_data *data = void_data; - if (data->tfile != -1) - close(data->tfile); - free(data); -} - -static void -tally_set_data( pam_handle_t *pamh, time_t oldtime, int tfile ) -{ - struct tally_data *data; - - if ( (data=malloc(sizeof(*data))) != NULL ) { - data->time = oldtime; - data->tfile = tfile; - pam_set_data(pamh, MODULE_NAME, (void *)data, _cleanup); - } -} - -static int -tally_get_data( pam_handle_t *pamh, time_t *oldtime, int *tfile ) -{ - int rv; - const void *void_data; - const struct tally_data *data; - - rv = pam_get_data(pamh, MODULE_NAME, &void_data); - if ( rv == PAM_SUCCESS && void_data != NULL && oldtime != NULL ) { - data = void_data; - *oldtime = data->time; - *tfile = data->tfile; - } - else { - rv = -1; - *oldtime = 0; - } - return rv; -} -#endif /* #ifndef MAIN */ - -/*---------------------------------------------------------------------*/ - -/* --- Support function: open/create tallyfile and return tally for uid --- */ - -/* If on entry tallyfile doesn't exist, creation is attempted. */ - -static void -alarm_handler(int sig UNUSED) -{ /* we just need to ignore it */ -} - -static int -get_tally(pam_handle_t *pamh, uid_t uid, const char *filename, - int *tfile, struct tallylog *tally, unsigned int ctrl) -{ - struct stat fileinfo; - int lstat_ret; - void *void_tally = tally; - int preopened = 0; - - if (*tfile != -1) { - preopened = 1; - goto skip_open; - } - - lstat_ret = lstat(filename, &fileinfo); - if (lstat_ret) { - *tfile=open(filename, O_APPEND|O_CREAT, S_IRUSR|S_IWUSR); - /* Create file, or append-open in pathological case. */ - if (*tfile == -1) { -#ifndef MAIN - if (errno == EACCES) { - return PAM_IGNORE; /* called with insufficient access rights */ - } -#endif - pam_syslog(pamh, LOG_ALERT, "Couldn't create %s: %m", filename); - return PAM_AUTH_ERR; - } - lstat_ret = fstat(*tfile, &fileinfo); - close(*tfile); - } - - *tfile = -1; - - if ( lstat_ret ) { - pam_syslog(pamh, LOG_ALERT, "Couldn't stat %s", filename); - return PAM_AUTH_ERR; - } - - if ((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - pam_syslog(pamh, LOG_ALERT, - "%s is either world writable or not a normal file", - filename); - return PAM_AUTH_ERR; - } - - if ((*tfile = open(filename, O_RDWR)) == -1) { -#ifndef MAIN - if (errno == EACCES) /* called with insufficient access rights */ - return PAM_IGNORE; -#endif - pam_syslog(pamh, LOG_ALERT, "Error opening %s for update: %m", filename); - - return PAM_AUTH_ERR; - } - -skip_open: - if (lseek(*tfile, (off_t)uid*(off_t)sizeof(*tally), SEEK_SET) == (off_t)-1) { - pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename); - if (!preopened) { - close(*tfile); - *tfile = -1; - } - return PAM_AUTH_ERR; - } - - if (!preopened && (ctrl & OPT_SERIALIZE)) { - /* this code is not thread safe as it uses fcntl locks and alarm() - so never use serialize with multithreaded services */ - struct sigaction newsa, oldsa; - unsigned int oldalarm; - int rv; - - memset(&newsa, '\0', sizeof(newsa)); - newsa.sa_handler = alarm_handler; - sigaction(SIGALRM, &newsa, &oldsa); - oldalarm = alarm(MAX_LOCK_WAITING_TIME); - - rv = lockf(*tfile, F_LOCK, sizeof(*tally)); - /* lock failure is not fatal, we attempt to read the tally anyway */ - - /* reinstate the eventual old alarm handler */ - if (rv == -1 && errno == EINTR) { - if (oldalarm > MAX_LOCK_WAITING_TIME) { - oldalarm -= MAX_LOCK_WAITING_TIME; - } else if (oldalarm > 0) { - oldalarm = 1; - } - } - sigaction(SIGALRM, &oldsa, NULL); - alarm(oldalarm); - } - - if (pam_modutil_read(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) { - memset(tally, 0, sizeof(*tally)); - } - - tally->fail_line[sizeof(tally->fail_line)-1] = '\0'; - - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- Support function: update tallyfile with tally!=TALLY_HI --- */ - -static int -set_tally(pam_handle_t *pamh, uid_t uid, - const char *filename, int *tfile, struct tallylog *tally) -{ - void *void_tally = tally; - if (tally->fail_cnt != TALLY_HI) { - if (lseek(*tfile, (off_t)uid * sizeof(*tally), SEEK_SET) == (off_t)-1) { - pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename); - return PAM_AUTH_ERR; - } - if (pam_modutil_write(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) { - pam_syslog(pamh, LOG_ALERT, "update (write) failed for %s: %m", filename); - return PAM_AUTH_ERR; - } - } - - if (fsync(*tfile)) { - pam_syslog(pamh, LOG_ALERT, "update (fsync) failed for %s: %m", filename); - return PAM_AUTH_ERR; - } - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- PAM bits --- */ - -#ifndef MAIN - -#define RETURN_ERROR(i) return ((opts->ctrl & OPT_FAIL_ON_ERROR)?(i):(PAM_SUCCESS)) - -/*---------------------------------------------------------------------*/ - -static int -tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, - const char *user, struct tally_options *opts, - struct tallylog *tally) -{ - int rv = PAM_SUCCESS; - int loglevel = LOG_DEBUG; -#ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd = -1; - const void *rhost = NULL, *tty = NULL; -#endif - - if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { - return PAM_SUCCESS; - } - /* magic_root skips tally check */ -#ifdef HAVE_LIBAUDIT - audit_fd = audit_open(); - /* If there is an error & audit support is in the kernel report error */ - if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || - errno == EAFNOSUPPORT)) - return PAM_SYSTEM_ERR; - (void)pam_get_item(pamh, PAM_TTY, &tty); - (void)pam_get_item(pamh, PAM_RHOST, &rhost); -#endif - if (opts->deny != 0 && /* deny==0 means no deny */ - tally->fail_cnt > opts->deny && /* tally>deny means exceeded */ - ((opts->ctrl & OPT_DENY_ROOT) || uid)) { /* even_deny stops uid check */ -#ifdef HAVE_LIBAUDIT - if (tally->fail_cnt == opts->deny+1) { - /* First say that max number was hit. */ - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); - audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, - rhost, NULL, tty, 1); - } -#endif - if (uid) { - /* Unlock time check */ - if (opts->unlock_time && oldtime) { - if (opts->unlock_time + oldtime <= time(NULL)) { - /* ignore deny check after unlock_time elapsed */ -#ifdef HAVE_LIBAUDIT - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, - rhost, NULL, tty, 1); -#endif - rv = PAM_SUCCESS; - goto cleanup; - } - } - } else { - /* Root unlock time check */ - if (opts->root_unlock_time && oldtime) { - if (opts->root_unlock_time + oldtime <= time(NULL)) { - /* ignore deny check after unlock_time elapsed */ -#ifdef HAVE_LIBAUDIT - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, - rhost, NULL, tty, 1); -#endif - rv = PAM_SUCCESS; - goto cleanup; - } - } - } - -#ifdef HAVE_LIBAUDIT - if (tally->fail_cnt == opts->deny+1) { - /* First say that max number was hit. */ - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, - rhost, NULL, tty, 1); - } -#endif - - if (!(opts->ctrl & OPT_QUIET)) { - pam_info(pamh, _("Account locked due to %u failed logins"), - (unsigned int)tally->fail_cnt); - } - loglevel = LOG_NOTICE; - rv = PAM_AUTH_ERR; /* Only unconditional failure */ - goto cleanup; - } - - /* Lock time check */ - if (opts->lock_time && oldtime) { - if (opts->lock_time + oldtime > time(NULL)) { - /* don't increase fail_cnt or update fail_time when - lock_time applies */ - tally->fail_cnt = oldcnt; - tally->fail_time = oldtime; - - if (!(opts->ctrl & OPT_QUIET)) { - pam_info(pamh, _("Account temporary locked (%ld seconds left)"), - oldtime+opts->lock_time-time(NULL)); - } - if (!(opts->ctrl & OPT_NOLOGNOTICE)) { - pam_syslog(pamh, LOG_NOTICE, - "user %s (%lu) has time limit [%lds left]" - " since last failure.", - user, (unsigned long)uid, - oldtime+opts->lock_time-time(NULL)); - } - rv = PAM_AUTH_ERR; - goto cleanup; - } - } - -cleanup: - if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || opts->ctrl & OPT_DEBUG)) { - pam_syslog(pamh, loglevel, - "user %s (%lu) tally %hu, deny %hu", - user, (unsigned long)uid, tally->fail_cnt, opts->deny); - } -#ifdef HAVE_LIBAUDIT - if (audit_fd != -1) { - close(audit_fd); - } -#endif - return rv; -} - -/* --- tally bump function: bump tally for uid by (signed) inc --- */ - -static int -tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, - uid_t uid, const char *user, struct tally_options *opts, int *tfile) -{ - struct tallylog tally; - tally_t oldcnt; - const void *remote_host = NULL; - int i, rv; - - tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */ - - i = get_tally(pamh, uid, opts->filename, tfile, &tally, opts->ctrl); - if (i != PAM_SUCCESS) { - if (*tfile != -1) { - close(*tfile); - *tfile = -1; - } - RETURN_ERROR(i); - } - - /* to remember old fail time (for locktime) */ - if (oldtime) { - *oldtime = (time_t)tally.fail_time; - } - - tally.fail_time = time(NULL); - - (void) pam_get_item(pamh, PAM_RHOST, &remote_host); - if (!remote_host) { - (void) pam_get_item(pamh, PAM_TTY, &remote_host); - if (!remote_host) { - remote_host = "unknown"; - } - } - - strncpy(tally.fail_line, remote_host, - sizeof(tally.fail_line)-1); - tally.fail_line[sizeof(tally.fail_line)-1] = 0; - - oldcnt = tally.fail_cnt; - - if (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) { - /* magic_root doesn't change tally */ - tally.fail_cnt += inc; - - if (tally.fail_cnt == TALLY_HI) { /* Overflow *and* underflow. :) */ - tally.fail_cnt -= inc; - pam_syslog(pamh, LOG_ALERT, "Tally %sflowed for user %s", - (inc<0)?"under":"over",user); - } - } - - rv = tally_check(oldcnt, *oldtime, pamh, uid, user, opts, &tally); - - i = set_tally(pamh, uid, opts->filename, tfile, &tally); - if (i != PAM_SUCCESS) { - if (*tfile != -1) { - close(*tfile); - *tfile = -1; - } - if (rv == PAM_SUCCESS) - RETURN_ERROR( i ); - /* fallthrough */ - } else if (!(opts->ctrl & OPT_SERIALIZE)) { - close(*tfile); - *tfile = -1; - } - - return rv; -} - -static int -tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts, int old_tfile) -{ - struct tallylog tally; - int tfile = old_tfile; - int i; - - /* resets only if not magic root */ - - if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { - return PAM_SUCCESS; - } - - tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */ - - i=get_tally(pamh, uid, opts->filename, &tfile, &tally, opts->ctrl); - if (i != PAM_SUCCESS) { - if (tfile != old_tfile) /* the descriptor is not owned by pam data */ - close(tfile); - RETURN_ERROR(i); - } - - memset(&tally, 0, sizeof(tally)); - - i=set_tally(pamh, uid, opts->filename, &tfile, &tally); - if (i != PAM_SUCCESS) { - if (tfile != old_tfile) /* the descriptor is not owned by pam data */ - close(tfile); - RETURN_ERROR(i); - } - - if (tfile != old_tfile) - close(tfile); - - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -int -pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int - rv, tfile = -1; - time_t - oldtime = 0; - struct tally_options - options, *opts = &options; - uid_t - uid; - const char - *user; - - rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); - if (rv != PAM_SUCCESS) - RETURN_ERROR(rv); - - if (flags & PAM_SILENT) - opts->ctrl |= OPT_QUIET; - - rv = pam_get_uid(pamh, &uid, &user, opts); - if (rv != PAM_SUCCESS) - RETURN_ERROR(rv); - - rv = tally_bump(1, &oldtime, pamh, uid, user, opts, &tfile); - - tally_set_data(pamh, oldtime, tfile); - - return rv; -} - -int -pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int - rv, tfile = -1; - time_t - oldtime = 0; - struct tally_options - options, *opts = &options; - uid_t - uid; - const char - *user; - - rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - rv = pam_get_uid(pamh, &uid, &user, opts); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - if ( tally_get_data(pamh, &oldtime, &tfile) != 0 ) - /* no data found */ - return PAM_SUCCESS; - - rv = tally_reset(pamh, uid, opts, tfile); - - pam_set_data(pamh, MODULE_NAME, NULL, NULL); - - return rv; -} - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -/* To reset failcount of user on successfull login */ - -int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int - rv, tfile = -1; - time_t - oldtime = 0; - struct tally_options - options, *opts = &options; - uid_t - uid; - const char - *user; - - rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - rv = pam_get_uid(pamh, &uid, &user, opts); - if ( rv != PAM_SUCCESS ) - RETURN_ERROR( rv ); - - if ( tally_get_data(pamh, &oldtime, &tfile) != 0 ) - /* no data found */ - return PAM_SUCCESS; - - rv = tally_reset(pamh, uid, opts, tfile); - - pam_set_data(pamh, MODULE_NAME, NULL, NULL); - - return rv; -} - -/*-----------------------------------------------------------------------*/ - -#else /* #ifndef MAIN */ - -static const char *cline_filename = DEFAULT_LOGFILE; -static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */ -static int cline_quiet = 0; - -/* - * Not going to link with pamlib just for these.. :) - */ - -static const char * -pam_errors( int i ) -{ - switch (i) { - case PAM_AUTH_ERR: return _("Authentication error"); - case PAM_SERVICE_ERR: return _("Service error"); - case PAM_USER_UNKNOWN: return _("Unknown user"); - default: return _("Unknown error"); - } -} - -static int -getopts( char **argv ) -{ - const char *pname = *argv; - for ( ; *argv ; (void)(*argv && ++argv) ) { - if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; - else if ( !strcmp(*argv,"-f") ) cline_filename=*++argv; - else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7; - else if ( !strcmp (*argv,"--user") ) cline_user=*++argv; - else if ( !strcmp (*argv,"-u") ) cline_user=*++argv; - else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7; - else if ( !strcmp (*argv,"--reset") ) cline_reset=0; - else if ( !strcmp (*argv,"-r") ) cline_reset=0; - else if ( !strncmp(*argv,"--reset=",8)) { - if ( sscanf(*argv+8,"%hu",&cline_reset) != 1 ) - fprintf(stderr,_("%s: Bad number given to --reset=\n"),pname), exit(0); - } - else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; - else { - fprintf(stderr,_("%s: Unrecognised option %s\n"),pname,*argv); - return FALSE; - } - } - return TRUE; -} - -static void -print_one(const struct tallylog *tally, uid_t uid) -{ - static int once; - char *cp = "[UNKNOWN]"; - time_t fail_time; - struct tm *tm; - struct passwd *pwent; - const char *username = "[NONAME]"; - char ptime[80]; - - pwent = getpwuid(uid); - fail_time = tally->fail_time; - if ((tm = localtime(&fail_time)) != NULL) { - strftime (ptime, sizeof (ptime), "%D %H:%M:%S", tm); - cp = ptime; - } - if (pwent) { - username = pwent->pw_name; - } - if (!once) { - printf (_("Login Failures Latest failure From\n")); - once++; - } - printf ("%-15.15s %5hu ", username, tally->fail_cnt); - if (tally->fail_time) { - printf ("%-17.17s %s", cp, tally->fail_line); - } - putchar ('\n'); -} - -int -main( int argc UNUSED, char **argv ) -{ - struct tallylog tally; - - if ( ! getopts( argv+1 ) ) { - printf(_("%s: [-f rooted-filename] [--file rooted-filename]\n" - " [-u username] [--user username]\n" - " [-r] [--reset[=n]] [--quiet]\n"), - *argv); - exit(2); - } - - umask(077); - - /* - * Major difference between individual user and all users: - * --user just handles one user, just like PAM. - * without --user it handles all users, sniffing cline_filename for nonzeros - */ - - if ( cline_user ) { - uid_t uid; - int tfile = -1; - struct tally_options opts; - int i; - - memset(&opts, 0, sizeof(opts)); - opts.ctrl = OPT_AUDIT; - i=pam_get_uid(NULL, &uid, NULL, &opts); - if ( i != PAM_SUCCESS ) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(1); - } - - if (cline_reset == 0) { - struct stat st; - - if (stat(cline_filename, &st) && errno == ENOENT) { - if (!cline_quiet) { - memset(&tally, 0, sizeof(tally)); - print_one(&tally, uid); - } - return 0; /* no file => nothing to reset */ - } - } - - i=get_tally(NULL, uid, cline_filename, &tfile, &tally, 0); - if ( i != PAM_SUCCESS ) { - if (tfile != -1) - close(tfile); - fprintf(stderr, "%s: %s\n", *argv, pam_errors(i)); - exit(1); - } - - if ( !cline_quiet ) - print_one(&tally, uid); - - if (cline_reset != TALLY_HI) { -#ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd = audit_open(); - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, - buf, NULL, NULL, ttyname(STDIN_FILENO), 1); - if (audit_fd >=0) - close(audit_fd); -#endif - if (cline_reset == 0) { - memset(&tally, 0, sizeof(tally)); - } else { - tally.fail_cnt = cline_reset; - } - i=set_tally(NULL, uid, cline_filename, &tfile, &tally); - close(tfile); - if (i != PAM_SUCCESS) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(1); - } - } else { - close(tfile); - } - } - else /* !cline_user (ie, operate on all users) */ { - FILE *tfile=fopen(cline_filename, "r"); - uid_t uid=0; - if (!tfile && cline_reset != 0) { - perror(*argv); - exit(1); - } - - for ( ; tfile && !feof(tfile); uid++ ) { - if ( !fread(&tally, sizeof(tally), 1, tfile) - || !tally.fail_cnt ) { - continue; - } - print_one(&tally, uid); - } - if (tfile) - fclose(tfile); - if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { - fprintf(stderr,_("%s: Can't reset all users to non-zero\n"),*argv); - } - else if ( !cline_reset ) { -#ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd = audit_open(); - snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, - buf, NULL, NULL, ttyname(STDIN_FILENO), 1); - if (audit_fd >=0) - close(audit_fd); -#endif - tfile=fopen(cline_filename, "w"); - if ( !tfile ) perror(*argv), exit(0); - fclose(tfile); - } - } - return 0; -} - - -#endif /* #ifndef MAIN */ diff --git a/modules/pam_tally2/pam_tally2_app.c b/modules/pam_tally2/pam_tally2_app.c deleted file mode 100644 index b72e9bfd..00000000 --- a/modules/pam_tally2/pam_tally2_app.c +++ /dev/null @@ -1,6 +0,0 @@ -/* - # This seemed like such a good idea at the time. :) - */ - -#define MAIN -#include "pam_tally2.c" diff --git a/modules/pam_tally2/tallylog.h b/modules/pam_tally2/tallylog.h deleted file mode 100644 index 596b1dac..00000000 --- a/modules/pam_tally2/tallylog.h +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2006, Red Hat, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of Red Hat, Inc. nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * tallylog.h - login failure data file format - * - * The new login failure file is not compatible with the old faillog(8) format - * Each record in the file represents a separate UID and the file - * is indexed in that fashion. - */ - - -#ifndef _TALLYLOG_H -#define _TALLYLOG_H - -#include <stdint.h> - -struct tallylog { - char fail_line[52]; /* rhost or tty of last failure */ - uint16_t reserved; /* reserved for future use */ - uint16_t fail_cnt; /* failures since last success */ - uint64_t fail_time; /* time of last failure */ -}; -/* 64 bytes / entry */ - -#endif diff --git a/modules/pam_tally2/tst-pam_tally2 b/modules/pam_tally2/tst-pam_tally2 deleted file mode 100755 index 83c71f41..00000000 --- a/modules/pam_tally2/tst-pam_tally2 +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -../../tests/tst-dlopen .libs/pam_tally2.so diff --git a/modules/pam_time/Makefile.am b/modules/pam_time/Makefile.am index a1640c17..a71e6781 100644 --- a/modules/pam_time/Makefile.am +++ b/modules/pam_time/Makefile.am @@ -5,18 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) time.conf tst-pam_time +EXTRA_DIST = $(XMLS) -man_MANS = time.conf.5 pam_time.8 +if HAVE_DOC +dist_man_MANS = time.conf.5 pam_time.8 +endif XMLS = README.xml time.conf.5.xml pam_time.8.xml - -TESTS = tst-pam_time +dist_check_SCRIPTS = tst-pam_time +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,10 +30,12 @@ endif pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la -secureconf_DATA = time.conf +dist_secureconf_DATA = time.conf + +check_PROGRAMS = tst-pam_time-retval +tst_pam_time_retval_LDADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_time.8.xml time.conf.5.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_time/Makefile.in b/modules/pam_time/Makefile.in index e1bd436e..a1f0467c 100644 --- a/modules/pam_time/Makefile.in +++ b/modules/pam_time/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,29 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_time-retval$(EXEEXT) subdir = modules/pam_time -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -144,6 +158,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_time_retval_SOURCES = tst-pam_time-retval.c +tst_pam_time_retval_OBJECTS = tst-pam_time-retval.$(OBJEXT) +tst_pam_time_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -158,7 +175,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_time.Plo \ + ./$(DEPDIR)/tst-pam_time-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -178,8 +197,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_time.c -DIST_SOURCES = pam_time.c +SOURCES = pam_time.c tst-pam_time-retval.c +DIST_SOURCES = pam_time.c tst-pam_time-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -188,8 +207,9 @@ am__can_run_installinfo = \ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) $(secureconf_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -364,6 +384,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -386,6 +407,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -405,24 +429,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -436,7 +469,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -455,11 +487,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -482,8 +517,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -494,11 +528,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -541,7 +582,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -549,9 +589,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -561,26 +598,30 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) time.conf tst-pam_time -man_MANS = time.conf.5 pam_time.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = time.conf.5 pam_time.8 XMLS = README.xml time.conf.5.xml pam_time.8.xml -TESTS = tst-pam_time +dist_check_SCRIPTS = tst-pam_time +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la -secureconf_DATA = time.conf -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +dist_secureconf_DATA = time.conf +tst_pam_time_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -597,14 +638,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_time/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_time/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -616,6 +656,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -654,27 +703,38 @@ clean-securelibLTLIBRARIES: pam_time.la: $(pam_time_la_OBJECTS) $(pam_time_la_DEPENDENCIES) $(EXTRA_pam_time_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_time_la_OBJECTS) $(pam_time_la_LIBADD) $(LIBS) +tst-pam_time-retval$(EXEEXT): $(tst_pam_time_retval_OBJECTS) $(tst_pam_time_retval_DEPENDENCIES) $(EXTRA_tst_pam_time_retval_DEPENDENCIES) + @rm -f tst-pam_time-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_time_retval_OBJECTS) $(tst_pam_time_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_time.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_time.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_time-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -688,10 +748,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -726,15 +786,15 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -769,14 +829,14 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-secureconfDATA: $(secureconf_DATA) +install-dist_secureconfDATA: $(dist_secureconf_DATA) @$(NORMAL_INSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ @@ -790,9 +850,9 @@ install-secureconfDATA: $(secureconf_DATA) $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ done -uninstall-secureconfDATA: +uninstall-dist_secureconfDATA: @$(NORMAL_UNINSTALL) - @list='$(secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) @@ -878,7 +938,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -955,7 +1015,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -968,7 +1028,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -978,7 +1038,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -996,6 +1056,13 @@ tst-pam_time.log: tst-pam_time --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_time-retval.log: tst-pam_time-retval$(EXEEXT) + @p='tst-pam_time-retval$(EXEEXT)'; \ + b='tst-pam_time-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1011,7 +1078,10 @@ tst-pam_time.log: tst-pam_time @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1042,6 +1112,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1086,11 +1158,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_time.Plo + -rm -f ./$(DEPDIR)/tst-pam_time-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1107,7 +1180,7 @@ info: info-am info-am: -install-data-am: install-man install-secureconfDATA \ +install-data-am: install-dist_secureconfDATA install-man \ install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1137,7 +1210,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_time.Plo + -rm -f ./$(DEPDIR)/tst-pam_time-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1154,32 +1228,33 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-secureconfDATA \ +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man5 \ - install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-secureconfDATA \ - install-securelibLTLIBRARIES install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man5 uninstall-man8 uninstall-secureconfDATA \ - uninstall-securelibLTLIBRARIES +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dist_secureconfDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am recheck tags tags-am uninstall \ + uninstall-am uninstall-dist_secureconfDATA uninstall-man \ + uninstall-man5 uninstall-man8 uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@ENABLE_REGENERATE_MAN_TRUE@README: pam_time.8.xml time.conf.5.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_time/README b/modules/pam_time/README index 04d6432b..2fa4c164 100644 --- a/modules/pam_time/README +++ b/modules/pam_time/README @@ -12,7 +12,10 @@ of day, the day of week, the service they are applying for and their terminal from which they are making their request. By default rules for time/port access are taken from config file /etc/security/ -time.conf. +time.conf. An alternative file can be specified with the conffile option. + +If there is no explicitly specified configuration file and /etc/security/ +time.conf does not exist, %vendordir%/security/time.conf is used. If Linux PAM is compiled with audit support the module will report when it denies access. diff --git a/modules/pam_time/README.xml b/modules/pam_time/README.xml index 6c11eec1..8a2faa0b 100644 --- a/modules/pam_time/README.xml +++ b/modules/pam_time/README.xml @@ -1,34 +1,19 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamtime SYSTEM "pam_time.8.xml"> ---> -<!-- -<!ENTITY timeconf SYSTEM "time.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_time-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_time.8.xml" xpointer='xpointer(id("pam_time-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_time.8.xml" xpointer='xpointer(id("pam_time-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="time.conf.5.xml" xpointer='xpointer(id("time.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 index 194427d3..13a53ef3 100644 --- a/modules/pam_time/pam_time.8 +++ b/modules/pam_time/pam_time.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_time .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIME" "8" "05/18/2017" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_TIME" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,24 +31,31 @@ pam_time \- PAM module for time control access .SH "SYNOPSIS" .HP \w'\fBpam_time\&.so\fR\ 'u -\fBpam_time\&.so\fR [debug] [noaudit] +\fBpam_time\&.so\fR [conffile=conf\-file] [debug] [noaudit] .SH "DESCRIPTION" .PP The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\&. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\&. .PP By default rules for time/port access are taken from config file -/etc/security/time\&.conf\&. +/etc/security/time\&.conf\&. An alternative file can be specified with the +\fIconffile\fR +option\&. .PP If Linux PAM is compiled with audit support the module will report when it denies access\&. .SH "OPTIONS" .PP -\fBdebug\fR +conffile=/path/to/time\&.conf +.RS 4 +Indicate an alternative time\&.conf style configuration file to override the default\&. +.RE +.PP +debug .RS 4 Some debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report logins at disallowed time to the audit subsystem\&. .RE @@ -109,7 +116,7 @@ login account required pam_time\&.so .PP \fBtime.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHOR" .PP pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml index b673beb5..748bcd1e 100644 --- a/modules/pam_time/pam_time.8.xml +++ b/modules/pam_time/pam_time.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_time'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_time"> <refmeta> <refentrytitle>pam_time</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_time-name'> + <refnamediv xml:id="pam_time-name"> <refname>pam_time</refname> <refpurpose> PAM module for time control access @@ -20,19 +17,22 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_time-cmdsynopsis"> + <cmdsynopsis xml:id="pam_time-cmdsynopsis" sepchar=" "> <command>pam_time.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> + conffile=conf-file + </arg> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_time-description"> + <refsect1 xml:id="pam_time-description"> <title>DESCRIPTION</title> <para> The pam_time PAM module does not authenticate the user, but instead @@ -46,6 +46,12 @@ <para> By default rules for time/port access are taken from config file <filename>/etc/security/time.conf</filename>. + An alternative file can be specified with the <emphasis>conffile</emphasis> option. + </para> + <para condition="with_vendordir"> + If there is no explicitly specified configuration file and + <filename>/etc/security/time.conf</filename> does not exist, + <filename>%vendordir%/security/time.conf</filename> is used. </para> <para> If Linux PAM is compiled with audit support the module will report @@ -53,13 +59,24 @@ </para> </refsect1> - <refsect1 id="pam_time-options"> + <refsect1 xml:id="pam_time-options"> <title>OPTIONS</title> <variablelist> + <varlistentry> + <term> + conffile=/path/to/time.conf + </term> + <listitem> + <para> + Indicate an alternative time.conf style configuration file to override the default. + </para> + </listitem> + </varlistentry> + <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -71,7 +88,7 @@ <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -83,14 +100,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_time-types"> + <refsect1 xml:id="pam_time-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>account</option> type is provided. </para> </refsect1> - <refsect1 id="pam_time-return_values"> + <refsect1 xml:id="pam_time-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -136,11 +153,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_time-files"> + <refsect1 xml:id="pam_time-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/time.conf</filename></term> + <term>/etc/security/time.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -148,7 +165,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_time-examples'> + <refsect1 xml:id="pam_time-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -159,7 +176,7 @@ login account required pam_time.so </programlisting> </refsect1> - <refsect1 id="pam_time-see_also"> + <refsect1 xml:id="pam_time-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -169,15 +186,15 @@ login account required pam_time.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_time-authors"> + <refsect1 xml:id="pam_time-authors"> <title>AUTHOR</title> <para> pam_time was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index 26a374b5..6b7adefc 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -1,6 +1,6 @@ -/* pam_time module */ - /* + * pam_time module + * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/6/22 * (File syntax and much other inspiration from the shadow package * shadow-960129) @@ -23,10 +23,21 @@ #include <fcntl.h> #include <netdb.h> +#include <security/_pam_macros.h> +#include <security/pam_modules.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> +#include "pam_inline.h" + #ifdef HAVE_LIBAUDIT #include <libaudit.h> #endif +#define PAM_TIME_CONF (SCONFIGDIR "/time.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PAM_TIME_CONF (VENDOR_SCONFIGDIR "/time.conf") +#endif + #define PAM_TIME_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ @@ -42,27 +53,15 @@ typedef enum { AND, OR } operator; -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_ACCOUNT - -#include <security/_pam_macros.h> -#include <security/pam_modules.h> -#include <security/pam_ext.h> -#include <security/pam_modutil.h> - static int -_pam_parse (const pam_handle_t *pamh, int argc, const char **argv) +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char **conffile) { int ctrl = 0; + *conffile = NULL; /* step through arguments */ for (; argc-- > 0; ++argv) { + const char *str; /* generic options */ @@ -70,11 +69,33 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) ctrl |= PAM_DEBUG_ARG; } else if (!strcmp(*argv, "noaudit")) { ctrl |= PAM_NO_AUDIT; - } else { + } else if ((str = pam_str_skip_prefix(*argv, "conffile=")) != NULL) { + if (str[0] == '\0') { + pam_syslog(pamh, LOG_ERR, + "conffile= specification missing argument - ignored"); + } else { + *conffile = str; + D(("new Configuration File: %s", *conffile)); + } + } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } + if (*conffile == NULL) { + *conffile = PAM_TIME_CONF; +#ifdef VENDOR_PAM_TIME_CONF + /* + * Check whether PAM_TIME_CONF file is available. + * If it does not exist, fall back to VENDOR_PAM_TIME_CONF file. + */ + struct stat buffer; + if (stat(*conffile, &buffer) != 0 && errno == ENOENT) { + *conffile = VENDOR_PAM_TIME_CONF; + } +#endif + } + return ctrl; } @@ -86,7 +107,7 @@ shift_buf(char *mem, int from) char *start = mem; while ((*mem = mem[from]) != '\0') ++mem; - memset(mem, '\0', PAM_TIME_BUFLEN - (mem - start)); + pam_overwrite_n(mem, PAM_TIME_BUFLEN - (mem - start)); return mem; } @@ -108,7 +129,7 @@ trim_spaces(char *buf, char *from) #define STATE_EOF 3 /* end of file or error */ static int -read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) +read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, const char *file) { char *to; char *src; @@ -127,9 +148,9 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) } *from = 0; *state = STATE_NL; - fd = open(PAM_TIME_CONF, O_RDONLY); + fd = open(file, O_RDONLY); if (fd < 0) { - pam_syslog(pamh, LOG_ERR, "error opening %s: %m", PAM_TIME_CONF); + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -145,9 +166,9 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) while (fd != -1 && to - *buf < PAM_TIME_BUFLEN) { i = pam_modutil_read(fd, to, PAM_TIME_BUFLEN - (to - *buf)); if (i < 0) { - pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_TIME_CONF); + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", file); close(fd); - memset(*buf, 0, PAM_TIME_BUFLEN); + pam_overwrite_n(*buf, PAM_TIME_BUFLEN); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -166,7 +187,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) return -1; } - memset(to, '\0', PAM_TIME_BUFLEN - (to - *buf)); + pam_overwrite_n(to, PAM_TIME_BUFLEN - (to - *buf)); to = *buf; onspace = 1; /* delete any leading spaces */ @@ -213,6 +234,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) ++src; /* skip it */ break; } + /* fallthrough */ default: *to++ = c; onspace = 0; @@ -327,6 +349,7 @@ logic_field(pam_handle_t *pamh, const void *me, const char *x, int rule, return FALSE; } next = VAL; + not = FALSE; } at += l; } @@ -504,7 +527,7 @@ check_time(pam_handle_t *pamh, const void *AT, const char *times, static int check_account(pam_handle_t *pamh, const char *service, - const char *tty, const char *user) + const char *tty, const char *user, const char *file) { int from=0, state=STATE_NL, fd=-1; char *buffer=NULL; @@ -518,7 +541,7 @@ check_account(pam_handle_t *pamh, const char *service, /* here we get the service name field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, file); if (!buffer || !buffer[0]) { /* empty line .. ? */ continue; @@ -527,7 +550,7 @@ check_account(pam_handle_t *pamh, const char *service, if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_TIME_CONF, count); + "%s: malformed rule #%d", file, count); continue; } @@ -536,10 +559,10 @@ check_account(pam_handle_t *pamh, const char *service, /* here we get the terminal name field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, file); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_TIME_CONF, count); + "%s: malformed rule #%d", file, count); continue; } good &= logic_field(pamh, tty, buffer, count, is_same); @@ -547,10 +570,10 @@ check_account(pam_handle_t *pamh, const char *service, /* here we get the username field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, file); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_TIME_CONF, count); + "%s: malformed rule #%d", file, count); continue; } /* If buffer starts with @, we are using netgroups */ @@ -566,10 +589,10 @@ check_account(pam_handle_t *pamh, const char *service, /* here we get the time field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, file); if (state == STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: poorly terminated rule #%d", PAM_TIME_CONF, count); + "%s: poorly terminated rule #%d", file, count); continue; } @@ -599,10 +622,15 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, const void *service=NULL, *void_tty=NULL; const char *tty; const char *user=NULL; + const char *conf_file = NULL; int ctrl; int rv; - ctrl = _pam_parse(pamh, argc, argv); + ctrl = _pam_parse(pamh, argc, argv, &conf_file); + + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, "conffile=%s", conf_file); + } /* set service name */ @@ -614,9 +642,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "can not get the username"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } @@ -651,7 +678,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, D(("user=%s", user)); D(("tty=%s", tty)); - rv = check_account(pamh, service, tty, user); + rv = check_account(pamh, service, tty, user, conf_file); if (rv != PAM_SUCCESS) { #ifdef HAVE_LIBAUDIT if (!(ctrl & PAM_NO_AUDIT)) { diff --git a/modules/pam_time/time.conf.5 b/modules/pam_time/time.conf.5 index f6f16170..90649773 100644 --- a/modules/pam_time/time.conf.5 +++ b/modules/pam_time/time.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: time.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "TIME\&.CONF" "5" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "TIME\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -55,6 +55,8 @@ The third field, the \fIusers\fR field, is a logic list of users or a netgroup of users to whom this rule applies\&. .PP +A logic list namely means individual tokens that are optionally prefixed with \*(Aq!\*(Aq (logical not) and separated with \*(Aq&\*(Aq (logical and) and \*(Aq|\*(Aq (logical or)\&. +.PP For these items the simple wildcard \*(Aq*\*(Aq may be used only once\&. With netgroups no wildcards or logic operators are allowed\&. .PP The @@ -107,7 +109,7 @@ games ; * ; !waster ; Wd0000\-2400 | Wk1800\-0800 .PP \fBpam_time\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_time/time.conf.5.xml b/modules/pam_time/time.conf.5.xml index 82227ba0..30c9a921 100644 --- a/modules/pam_time/time.conf.5.xml +++ b/modules/pam_time/time.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="time.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="time.conf"> <refmeta> <refentrytitle>time.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_time module</refpurpose> </refnamediv> - <refsect1 id='time.conf-description'> + <refsect1 xml:id="time.conf-description"> <title>DESCRIPTION</title> <para> @@ -43,9 +40,9 @@ </para> <para> In words, each rule occupies a line, terminated with a newline - or the beginning of a comment; a '<emphasis remap='B'>#</emphasis>'. + or the beginning of a comment; a '<emphasis remap="B">#</emphasis>'. It contains four fields separated with semicolons, - '<emphasis remap='B'>;</emphasis>'. + '<emphasis remap="B">;</emphasis>'. </para> <para> @@ -65,6 +62,12 @@ </para> <para> + A logic list namely means individual tokens that are optionally prefixed + with '!' (logical not) and separated with '&' (logical and) and '|' + (logical or). + </para> + + <para> For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed. </para> @@ -101,7 +104,7 @@ </para> </refsect1> - <refsect1 id="time.conf-examples"> + <refsect1 xml:id="time.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -125,19 +128,19 @@ games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 </para> </refsect1> - <refsect1 id="time.conf-see_also"> + <refsect1 xml:id="time.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="time.conf-author"> + <refsect1 xml:id="time.conf-author"> <title>AUTHOR</title> <para> pam_time was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_time/tst-pam_time-retval.c b/modules/pam_time/tst-pam_time-retval.c new file mode 100644 index 00000000..281ac80d --- /dev/null +++ b/modules/pam_time/tst-pam_time-retval.c @@ -0,0 +1,107 @@ +/* + * Check pam_time return values. + * + * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org> + * Copyright (c) 2022 Stefan Schubert <schubi@suse.de> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_time" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char config_file[] = TEST_NAME ".conf"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_NE(NULL, fp = fopen(config_file, "w")); + ASSERT_LT(0, fprintf(fp, "# only root can access %s\n" + "%s ; * ; !root ; !Al0000-2400\n", + service_file, service_file)); + ASSERT_EQ(0, fclose(fp)); + + /* conffile= specifies an existing file */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conffile=%s\n" + "account required %s/.libs/%s.so conffile=%s\n" + "password required %s/.libs/%s.so conffile=%s\n" + "session required %s/.libs/%s.so conffile=%s\n", + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "noone", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* cleanup */ + ASSERT_EQ(0, unlink(config_file)); + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am index 5588225b..27d61237 100644 --- a/modules/pam_timestamp/Makefile.am +++ b/modules/pam_timestamp/Makefile.am @@ -6,23 +6,29 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml -man_MANS = pam_timestamp.8 pam_timestamp_check.8 -dist_TESTS = tst-pam_timestamp -nodist_TESTS = hmacfile -TESTS = $(dist_TESTS) $(nodist_TESTS) +EXTRA_DIST = $(XMLS) -EXTRA_DIST = $(man_MANS) $(XMLS) $(dist_TESTS) +if HAVE_DOC +dist_man_MANS = pam_timestamp.8 pam_timestamp_check.8 +endif +XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml +dist_check_SCRIPTS = tst-pam_timestamp +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -noinst_HEADERS = hmacsha1.h sha1.h +noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(LOGIND_CFLAGS) $(WARN_CFLAGS) -pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) -pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS) +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) if HAVE_VERSIONING pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -30,21 +36,26 @@ endif securelib_LTLIBRARIES = pam_timestamp.la sbin_PROGRAMS = pam_timestamp_check -pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c +pam_timestamp_la_SOURCES = pam_timestamp.c +if COND_USE_OPENSSL +pam_timestamp_la_SOURCES += hmac_openssl_wrapper.c +else +pam_timestamp_la_SOURCES += hmacsha1.c sha1.c +endif pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c -pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la -pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ +pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) +pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ +if !COND_USE_OPENSSL hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = hmacfile +endif if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_timestamp.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif - -noinst_PROGRAMS = hmacfile diff --git a/modules/pam_timestamp/Makefile.in b/modules/pam_timestamp/Makefile.in index efc3969d..feffca8e 100644 --- a/modules/pam_timestamp/Makefile.in +++ b/modules/pam_timestamp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -23,7 +23,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -86,33 +96,40 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = $(dist_TESTS) $(am__EXEEXT_1) @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map sbin_PROGRAMS = pam_timestamp_check$(EXEEXT) -noinst_PROGRAMS = hmacfile$(EXEEXT) +@COND_USE_OPENSSL_TRUE@am__append_2 = hmac_openssl_wrapper.c +@COND_USE_OPENSSL_FALSE@am__append_3 = hmacsha1.c sha1.c +@COND_USE_OPENSSL_FALSE@check_PROGRAMS = hmacfile$(EXEEXT) subdir = modules/pam_timestamp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(noinst_HEADERS) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -140,12 +157,17 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ - "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) +am__pam_timestamp_la_SOURCES_DIST = pam_timestamp.c \ + hmac_openssl_wrapper.c hmacsha1.c sha1.c +@COND_USE_OPENSSL_TRUE@am__objects_1 = pam_timestamp_la-hmac_openssl_wrapper.lo +@COND_USE_OPENSSL_FALSE@am__objects_2 = pam_timestamp_la-hmacsha1.lo \ +@COND_USE_OPENSSL_FALSE@ pam_timestamp_la-sha1.lo am_pam_timestamp_la_OBJECTS = pam_timestamp_la-pam_timestamp.lo \ - pam_timestamp_la-hmacsha1.lo pam_timestamp_la-sha1.lo + $(am__objects_1) $(am__objects_2) pam_timestamp_la_OBJECTS = $(am_pam_timestamp_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -155,15 +177,17 @@ pam_timestamp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pam_timestamp_la_CFLAGS) $(CFLAGS) \ $(pam_timestamp_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS) -am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) hmacsha1.$(OBJEXT) \ - sha1.$(OBJEXT) +am__hmacfile_SOURCES_DIST = hmacfile.c hmacsha1.c sha1.c +@COND_USE_OPENSSL_FALSE@am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) \ +@COND_USE_OPENSSL_FALSE@ hmacsha1.$(OBJEXT) sha1.$(OBJEXT) hmacfile_OBJECTS = $(am_hmacfile_OBJECTS) -hmacfile_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +@COND_USE_OPENSSL_FALSE@hmacfile_DEPENDENCIES = \ +@COND_USE_OPENSSL_FALSE@ $(top_builddir)/libpam/libpam.la am_pam_timestamp_check_OBJECTS = \ pam_timestamp_check-pam_timestamp_check.$(OBJEXT) pam_timestamp_check_OBJECTS = $(am_pam_timestamp_check_OBJECTS) -pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_timestamp_check_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pam_timestamp_check_CFLAGS) $(CFLAGS) \ @@ -182,7 +206,13 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/hmacfile.Po ./$(DEPDIR)/hmacsha1.Po \ + ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po \ + ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo \ + ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo \ + ./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo \ + ./$(DEPDIR)/pam_timestamp_la-sha1.Plo ./$(DEPDIR)/sha1.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -204,8 +234,8 @@ am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \ $(pam_timestamp_check_SOURCES) -DIST_SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \ - $(pam_timestamp_check_SOURCES) +DIST_SOURCES = $(am__pam_timestamp_la_SOURCES_DIST) \ + $(am__hmacfile_SOURCES_DIST) $(pam_timestamp_check_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -213,8 +243,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -390,9 +421,9 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck -am__EXEEXT_1 = hmacfile$(EXEEXT) TEST_SUITE_LOG = test-suite.log TEST_EXTENSIONS = @EXEEXT@ .test LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver @@ -413,6 +444,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -432,24 +466,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -463,7 +506,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -482,11 +524,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,8 +554,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -521,11 +565,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -568,7 +619,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -576,9 +626,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -588,34 +635,39 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_timestamp.8 pam_timestamp_check.8 XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml -man_MANS = pam_timestamp.8 pam_timestamp_check.8 -dist_TESTS = tst-pam_timestamp -nodist_TESTS = hmacfile -EXTRA_DIST = $(man_MANS) $(XMLS) $(dist_TESTS) +dist_check_SCRIPTS = tst-pam_timestamp +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -noinst_HEADERS = hmacsha1.h sha1.h -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(LOGIND_CFLAGS) $(WARN_CFLAGS) + pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module \ - $(AM_LDFLAGS) $(am__append_1) -pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la + $(AM_LDFLAGS) $(CRYPTO_LIBS) $(am__append_1) +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) securelib_LTLIBRARIES = pam_timestamp.la -pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c +pam_timestamp_la_SOURCES = pam_timestamp.c $(am__append_2) \ + $(am__append_3) pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c -pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la -pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ -hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c -hmacfile_LDADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) +pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ +@COND_USE_OPENSSL_FALSE@hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c +@COND_USE_OPENSSL_FALSE@hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -632,14 +684,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -651,46 +702,8 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ - } - -uninstall-securelibLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ - done - -clean-securelibLTLIBRARIES: - -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) - @list='$(securelib_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -pam_timestamp.la: $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_DEPENDENCIES) $(EXTRA_pam_timestamp_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_timestamp_la_LINK) -rpath $(securelibdir) $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ @@ -747,6 +760,44 @@ clean-sbinPROGRAMS: echo " rm -f" $$list; \ rm -f $$list +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_timestamp.la: $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_DEPENDENCIES) $(EXTRA_pam_timestamp_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_timestamp_la_LINK) -rpath $(securelibdir) $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_LIBADD) $(LIBS) + hmacfile$(EXEEXT): $(hmacfile_OBJECTS) $(hmacfile_DEPENDENCIES) $(EXTRA_hmacfile_DEPENDENCIES) @rm -f hmacfile$(EXEEXT) $(AM_V_CCLD)$(LINK) $(hmacfile_OBJECTS) $(hmacfile_LDADD) $(LIBS) @@ -761,27 +812,34 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-sha1.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-sha1.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -797,6 +855,13 @@ pam_timestamp_la-pam_timestamp.lo: pam_timestamp.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c +pam_timestamp_la-hmac_openssl_wrapper.lo: hmac_openssl_wrapper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-hmac_openssl_wrapper.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Tpo -c -o pam_timestamp_la-hmac_openssl_wrapper.lo `test -f 'hmac_openssl_wrapper.c' || echo '$(srcdir)/'`hmac_openssl_wrapper.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Tpo $(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hmac_openssl_wrapper.c' object='pam_timestamp_la-hmac_openssl_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-hmac_openssl_wrapper.lo `test -f 'hmac_openssl_wrapper.c' || echo '$(srcdir)/'`hmac_openssl_wrapper.c + pam_timestamp_la-hmacsha1.lo: hmacsha1.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-hmacsha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo $(DEPDIR)/pam_timestamp_la-hmacsha1.Plo @@ -830,10 +895,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -868,7 +933,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -956,7 +1021,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -1033,7 +1098,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -1046,7 +1111,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1056,7 +1121,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1096,7 +1161,10 @@ hmacfile.log: hmacfile$(EXEEXT) @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1127,11 +1195,13 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1171,11 +1241,18 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacsha1.Po + -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-sha1.Plo + -rm -f ./$(DEPDIR)/sha1.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1221,7 +1298,14 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacsha1.Po + -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo + -rm -f ./$(DEPDIR)/pam_timestamp_la-sha1.Plo + -rm -f ./$(DEPDIR)/sha1.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1245,8 +1329,8 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-noinstPROGRAMS \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ @@ -1263,7 +1347,8 @@ uninstall-man: uninstall-man8 uninstall-man8 uninstall-sbinPROGRAMS \ uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_timestamp.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_timestamp/README b/modules/pam_timestamp/README index 4f16bae0..e1ed508a 100644 --- a/modules/pam_timestamp/README +++ b/modules/pam_timestamp/README @@ -13,6 +13,9 @@ created in the timestampdir directory for the user. When an application attempts to authenticate the user, a pam_timestamp will treat a sufficiently recent timestamp file as grounds for succeeding. +The default encryption hash is taken from the HMAC_CRYPTO_ALGO variable from / +etc/login.defs. + OPTIONS timestampdir=directory diff --git a/modules/pam_timestamp/README.xml b/modules/pam_timestamp/README.xml index 5b72deb1..fe01080b 100644 --- a/modules/pam_timestamp/README.xml +++ b/modules/pam_timestamp/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_timestamp.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_timestamp-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-notes"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-notes")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c new file mode 100644 index 00000000..2549c1db --- /dev/null +++ b/modules/pam_timestamp/hmac_openssl_wrapper.c @@ -0,0 +1,382 @@ +/* Wrapper for hmac openssl implementation. + * + * Copyright (c) 2021 Red Hat, Inc. + * Written by Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#ifdef WITH_OPENSSL + +#include <sys/stat.h> +#include <fcntl.h> +#include <syslog.h> +#include <unistd.h> +#include <string.h> +#include <errno.h> +#include <openssl/evp.h> +#include <openssl/params.h> +#include <openssl/core_names.h> + +#include <security/pam_ext.h> +#include <security/pam_modutil.h> + +#include "hmac_openssl_wrapper.h" +#include "pam_inline.h" + +#define LOGIN_DEFS "/etc/login.defs" +#define CRYPTO_KEY "HMAC_CRYPTO_ALGO" +#define DEFAULT_ALGORITHM "SHA512" +#define MAX_HMAC_LENGTH 512 +#define MAX_KEY_LENGTH EVP_MAX_KEY_LENGTH + +static char * +get_crypto_algorithm(pam_handle_t *pamh, int debug){ + char *config_value = NULL; + + config_value = pam_modutil_search_key(pamh, LOGIN_DEFS, CRYPTO_KEY); + + if (config_value == NULL) { + config_value = strdup(DEFAULT_ALGORITHM); + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "Key [%s] not found, falling back to default algorithm [%s]\n", + CRYPTO_KEY, DEFAULT_ALGORITHM); + } + } + + return config_value; +} + +static int +generate_key(pam_handle_t *pamh, char **key, size_t key_size) +{ + int fd = 0; + size_t bytes_read = 0; + char * tmp = NULL; + + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m"); + return PAM_AUTH_ERR; + } + + tmp = malloc(key_size); + if (!tmp) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + close(fd); + return PAM_AUTH_ERR; + } + + bytes_read = pam_modutil_read(fd, tmp, key_size); + close(fd); + + if (bytes_read < key_size) { + pam_syslog(pamh, LOG_ERR, "Short read on random device"); + free(tmp); + return PAM_AUTH_ERR; + } + + *key = tmp; + + return PAM_SUCCESS; +} + +static int +read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length) +{ + struct stat st; + size_t bytes_read = 0; + char *tmp = NULL; + + if (fstat(fd, &st) == -1) { + pam_syslog(pamh, LOG_ERR, "Unable to stat file: %m"); + close(fd); + return PAM_AUTH_ERR; + } + + if (st.st_size == 0) { + pam_syslog(pamh, LOG_ERR, "Key file size cannot be 0"); + close(fd); + return PAM_AUTH_ERR; + } + + tmp = malloc(st.st_size); + if (!tmp) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + close(fd); + return PAM_AUTH_ERR; + } + + bytes_read = pam_modutil_read(fd, tmp, st.st_size); + close(fd); + + if (bytes_read < (size_t)st.st_size) { + pam_syslog(pamh, LOG_ERR, "Short read on key file"); + pam_overwrite_n(tmp, st.st_size); + free(tmp); + return PAM_AUTH_ERR; + } + + *text = tmp; + *text_length = st.st_size; + + return PAM_SUCCESS; +} + +static int +write_file(pam_handle_t *pamh, const char *file_name, char *text, + size_t text_length, uid_t owner, gid_t group) +{ + int fd = 0; + size_t bytes_written = 0; + + fd = open(file_name, + O_WRONLY | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR); + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name); + pam_overwrite_n(text, text_length); + free(text); + return PAM_AUTH_ERR; + } + + if (fchown(fd, owner, group) == -1) { + pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name); + pam_overwrite_n(text, text_length); + free(text); + close(fd); + return PAM_AUTH_ERR; + } + + bytes_written = pam_modutil_write(fd, text, text_length); + close(fd); + + if (bytes_written < text_length) { + pam_syslog(pamh, LOG_ERR, "Short write on %s", file_name); + free(text); + return PAM_AUTH_ERR; + } + + return PAM_SUCCESS; +} + +static int +key_management(pam_handle_t *pamh, const char *file_name, char **text, + size_t text_length, uid_t owner, gid_t group) +{ + int fd = 0; + + fd = open(file_name, O_RDONLY | O_NOFOLLOW); + if (fd == -1) { + if (errno == ENOENT) { + if (generate_key(pamh, text, text_length)) { + pam_syslog(pamh, LOG_ERR, "Unable to generate key"); + return PAM_AUTH_ERR; + } + + if (write_file(pamh, file_name, *text, text_length, owner, group)) { + pam_syslog(pamh, LOG_ERR, "Unable to write key"); + return PAM_AUTH_ERR; + } + } else { + pam_syslog(pamh, LOG_ERR, "Unable to open %s: %m", file_name); + return PAM_AUTH_ERR; + } + } else { + if (read_file(pamh, fd, text, &text_length)) { + pam_syslog(pamh, LOG_ERR, "Error reading key file %s\n", file_name); + return PAM_AUTH_ERR; + } + } + + return PAM_SUCCESS; +} + +static int +hmac_management(pam_handle_t *pamh, int debug, void **out, size_t *out_length, + char *key, size_t key_length, + const void *text, size_t text_length) +{ + int ret = PAM_AUTH_ERR; + EVP_MAC *evp_mac = NULL; + EVP_MAC_CTX *ctx = NULL; + unsigned char *hmac_message = NULL; + size_t hmac_length; + char *algo = NULL; + OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + algo = get_crypto_algorithm(pamh, debug); + + subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + algo, + 0); + + evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + if (evp_mac == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation"); + goto done; + } + + ctx = EVP_MAC_CTX_new(evp_mac); + if (ctx == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac context"); + goto done; + } + + ret = EVP_MAC_init(ctx, (const unsigned char *)key, key_length, subalg_param); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context"); + goto done; + } + + ret = EVP_MAC_update(ctx, (const unsigned char *)text, text_length); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to update hmac context"); + goto done; + } + + hmac_message = (unsigned char*)malloc(sizeof(unsigned char) * MAX_HMAC_LENGTH); + if (!hmac_message) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + goto done; + } + + ret = EVP_MAC_final(ctx, hmac_message, &hmac_length, MAX_HMAC_LENGTH); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to calculate hmac message"); + goto done; + } + + *out_length = hmac_length; + *out = malloc(*out_length); + if (*out == NULL) { + pam_syslog(pamh, LOG_CRIT, "Not enough memory"); + goto done; + } + + memcpy(*out, hmac_message, *out_length); + ret = PAM_SUCCESS; + +done: + if (hmac_message != NULL) { + free(hmac_message); + } + if (key != NULL) { + pam_overwrite_n(key, key_length); + free(key); + } + if (ctx != NULL) { + EVP_MAC_CTX_free(ctx); + } + if (evp_mac != NULL) { + EVP_MAC_free(evp_mac); + } + free(algo); + + return ret; +} + +int +hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length) +{ + int ret = PAM_AUTH_ERR; + EVP_MAC *evp_mac = NULL; + EVP_MAC_CTX *ctx = NULL; + const unsigned char key[] = "ThisIsJustAKey"; + size_t key_length = MAX_KEY_LENGTH; + char *algo = NULL; + OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + algo = get_crypto_algorithm(pamh, debug); + + subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, + algo, + 0); + + evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + if (evp_mac == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation"); + goto done; + } + + ctx = EVP_MAC_CTX_new(evp_mac); + if (ctx == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to create hmac context"); + goto done; + } + + ret = EVP_MAC_init(ctx, key, key_length, subalg_param); + if (ret == 0) { + pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context"); + goto done; + } + + *hmac_length = EVP_MAC_CTX_get_mac_size(ctx); + ret = PAM_SUCCESS; + +done: + if (ctx != NULL) { + EVP_MAC_CTX_free(ctx); + } + if (evp_mac != NULL) { + EVP_MAC_free(evp_mac); + } + free(algo); + + return ret; +} + +int +hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length, + const char *key_file, uid_t owner, gid_t group, + const void *text, size_t text_length) +{ + char *key = NULL; + size_t key_length = MAX_KEY_LENGTH; + + if (key_management(pamh, key_file, &key, key_length, owner, group)) { + return PAM_AUTH_ERR; + } + + if (hmac_management(pamh, debug, mac, mac_length, key, key_length, + text, text_length)) { + return PAM_AUTH_ERR; + } + + return PAM_SUCCESS; +} + +#endif /* WITH_OPENSSL */ diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.h b/modules/pam_timestamp/hmac_openssl_wrapper.h new file mode 100644 index 00000000..cc27c811 --- /dev/null +++ b/modules/pam_timestamp/hmac_openssl_wrapper.h @@ -0,0 +1,57 @@ +/* Wrapper for hmac openssl implementation. + * + * Copyright (c) 2021 Red Hat, Inc. + * Written by Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#ifndef PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H +#define PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H + +#include "config.h" + +#ifdef WITH_OPENSSL + +#include <openssl/hmac.h> +#include <security/pam_modules.h> + +int +hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length); + +int +hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length, + const char *key_file, uid_t owner, gid_t group, + const void *text, size_t text_length); + +#endif /* WITH_OPENSSL */ +#endif /* PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H */ diff --git a/modules/pam_timestamp/hmacfile.c b/modules/pam_timestamp/hmacfile.c index 7c1f8bfb..371f814e 100644 --- a/modules/pam_timestamp/hmacfile.c +++ b/modules/pam_timestamp/hmacfile.c @@ -33,6 +33,8 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "pam_inline.h" + #include <sys/types.h> #include <sys/stat.h> #include <errno.h> @@ -104,7 +106,7 @@ testvectors(void) "e8e99d0f45237d786d6bbaa7965c7808bbff1a91", }, }; - for (i = 0; i < sizeof(vectors) / sizeof(vectors[0]); i++) { + for (i = 0; i < PAM_ARRAY_SIZE(vectors); i++) { hmac = NULL; hmac_len = 0; hmac_sha1_generate(&hmac, &hmac_len, @@ -118,14 +120,16 @@ testvectors(void) if (strncasecmp(hex, vectors[i].hmac + 2 * j, 2) != 0) { - printf("Incorrect result for vector %lu\n", i + 1); + printf("Incorrect result for vector %lu\n", + (unsigned long) i + 1); exit(1); } } free(hmac); } else { - printf("Error in vector %lu.\n", i + 1); + printf("Error in vector %lu.\n", + (unsigned long) i + 1); exit(1); } } diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c index 3f411061..384ccde8 100644 --- a/modules/pam_timestamp/hmacsha1.c +++ b/modules/pam_timestamp/hmacsha1.c @@ -36,6 +36,7 @@ * */ /* See RFC 2104 for descriptions. */ +#include "config.h" #include <sys/types.h> #include <sys/stat.h> #include <errno.h> @@ -47,6 +48,7 @@ #include <unistd.h> #include <syslog.h> #include <security/pam_ext.h> +#include "pam_inline.h" #include "hmacsha1.h" #include "sha1.h" @@ -106,7 +108,7 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, /* If we didn't get enough, stop here. */ if (count < key_size) { pam_syslog(pamh, LOG_ERR, "Short read on random device"); - memset(key, 0, key_size); + pam_overwrite_n(key, key_size); free(key); close(keyfd); return; @@ -121,7 +123,7 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, } count += i; } - memset(key, 0, key_size); + pam_overwrite_n(key, key_size); free(key); close(keyfd); } @@ -179,7 +181,7 @@ hmac_key_read(pam_handle_t *pamh, const char *filename, size_t default_key_size, /* Require that we got the expected amount of data. */ if (count < st.st_size) { - memset(tmp, 0, st.st_size); + pam_overwrite_n(tmp, st.st_size); free(tmp); return; } @@ -203,7 +205,7 @@ hmac_sha1_generate(void **mac, size_t *mac_length, const void *raw_key, size_t raw_key_size, const void *text, size_t text_length) { - unsigned char key[MAXIMUM_KEY_SIZE], tmp_key[MAXIMUM_KEY_SIZE]; + unsigned char key[MAXIMUM_KEY_SIZE] = {}, tmp_key[MAXIMUM_KEY_SIZE]; size_t maximum_key_size = SHA1_BLOCK_SIZE, minimum_key_size = SHA1_OUTPUT_SIZE; const unsigned char ipad = 0x36, opad = 0x5c; @@ -222,7 +224,6 @@ hmac_sha1_generate(void **mac, size_t *mac_length, /* If the key is too long, "compress" it, else copy it and pad it * out with zero bytes. */ - memset(key, 0, sizeof(key)); if (raw_key_size > maximum_key_size) { sha1_init(&sha1); sha1_update(&sha1, raw_key, raw_key_size); @@ -250,8 +251,8 @@ hmac_sha1_generate(void **mac, size_t *mac_length, sha1_output(&sha1, outer); /* We don't need any of the keys any more. */ - memset(key, 0, sizeof(key)); - memset(tmp_key, 0, sizeof(tmp_key)); + pam_overwrite_array(key); + pam_overwrite_array(tmp_key); /* Allocate space to store the output. */ *mac_length = sizeof(outer); @@ -283,7 +284,7 @@ hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, hmac_sha1_generate(mac, mac_length, key, key_length, text, text_length); - memset(key, 0, key_length); + pam_overwrite_n(key, key_length); free(key); } diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8 index 5e804ab0..347724b3 100644 --- a/modules/pam_timestamp/pam_timestamp.8 +++ b/modules/pam_timestamp/pam_timestamp.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_timestamp .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIMESTAMP" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIMESTAMP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,26 +47,26 @@ directory for the user\&. When an application attempts to authenticate the user, will treat a sufficiently recent timestamp file as grounds for succeeding\&. .SH "OPTIONS" .PP -\fBtimestampdir=\fR\fB\fIdirectory\fR\fR +timestampdir=directory .RS 4 Specify an alternate directory where \fIpam_timestamp\fR creates timestamp files\&. .RE .PP -\fBtimestamp_timeout=\fR\fB\fInumber\fR\fR +timestamp_timeout=number .RS 4 How long should \fIpam_timestamp\fR treat timestamp as valid after their last modification date (in seconds)\&. Default is 300 seconds\&. .RE .PP -\fBverbose\fR +verbose .RS 4 Attempt to inform the user when access is granted\&. .RE .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to \fBsyslog\fR(3)\&. @@ -124,7 +124,7 @@ timestamp files and directories \fBpam_timestamp_check\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_timestamp was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index e19a0bcf..e6b2df70 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -1,39 +1,36 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_timestamp"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_timestamp"> <refmeta> <refentrytitle>pam_timestamp</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_timestamp-name"> + <refnamediv xml:id="pam_timestamp-name"> <refname>pam_timestamp</refname> <refpurpose>Authenticate using cached successful authentication attempts</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_timestamp-cmdsynopsis"> + <cmdsynopsis xml:id="pam_timestamp-cmdsynopsis" sepchar=" "> <command>pam_timestamp.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> timestampdir=<replaceable>directory</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> timestamp_timeout=<replaceable>number</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> verbose </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_timestamp-description"> + <refsect1 xml:id="pam_timestamp-description"> <title>DESCRIPTION</title> @@ -50,15 +47,20 @@ for the user. When an application attempts to authenticate the user, a <emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp file as grounds for succeeding. </para> + <para condition="openssl_hmac"> + The default encryption hash is taken from the + <emphasis remap="B">HMAC_CRYPTO_ALGO</emphasis> variable from + <emphasis>/etc/login.defs</emphasis>. + </para> </refsect1> - <refsect1 id="pam_timestamp-options"> + <refsect1 xml:id="pam_timestamp-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>timestampdir=<replaceable>directory</replaceable></option> + timestampdir=directory </term> <listitem> <para> @@ -69,7 +71,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>timestamp_timeout=<replaceable>number</replaceable></option> + timestamp_timeout=number </term> <listitem> <para> @@ -81,7 +83,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>verbose</option> + verbose </term> <listitem> <para> @@ -91,7 +93,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -104,7 +106,7 @@ file as grounds for succeeding. </variablelist> </refsect1> - <refsect1 id="pam_timestamp-types"> + <refsect1 xml:id="pam_timestamp-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>session</option> @@ -112,7 +114,7 @@ file as grounds for succeeding. </para> </refsect1> - <refsect1 id='pam_timestamp-return_values'> + <refsect1 xml:id="pam_timestamp-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -143,7 +145,7 @@ file as grounds for succeeding. </variablelist> </refsect1> - <refsect1 id='pam_timestamp-notes'> + <refsect1 xml:id="pam_timestamp-notes"> <title>NOTES</title> <para> Users can get confused when they are not always asked for passwords when @@ -152,7 +154,7 @@ noticing that it is not being asked for. </para> </refsect1> - <refsect1 id='pam_timestamp-examples'> + <refsect1 xml:id="pam_timestamp-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_timestamp.so verbose @@ -163,11 +165,11 @@ session optional pam_timestamp.so </programlisting> </refsect1> - <refsect1 id="pam_timestamp-files"> + <refsect1 xml:id="pam_timestamp-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/pam_timestamp/...</filename></term> + <term>/var/run/pam_timestamp/...</term> <listitem> <para>timestamp files and directories</para> </listitem> @@ -175,7 +177,7 @@ session optional pam_timestamp.so </variablelist> </refsect1> - <refsect1 id='pam_timestamp-see_also'> + <refsect1 xml:id="pam_timestamp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -188,16 +190,16 @@ session optional pam_timestamp.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_timestamp-author'> + <refsect1 xml:id="pam_timestamp-author"> <title>AUTHOR</title> <para> pam_timestamp was written by Nalin Dahyabhai. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index e29ce6e9..c5fa6dfc 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -38,9 +38,6 @@ * */ -#define PAM_SM_AUTH -#define PAM_SM_SESSION - #include "config.h" #include <sys/stat.h> @@ -56,21 +53,31 @@ #include <time.h> #include <sys/time.h> #include <unistd.h> -#include <utmp.h> #include <syslog.h> #include <paths.h> +#ifdef WITH_OPENSSL +#include "hmac_openssl_wrapper.h" +#else #include "hmacsha1.h" +#endif /* WITH_OPENSSL */ + +#ifdef USE_LOGIND +#include <systemd/sd-login.h> +#else +#include <utmp.h> +#endif #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> #include <security/pam_modutil.h> +#include "pam_inline.h" /* The default timeout we use is 5 minutes, which matches the sudo default * for the timestamp_timeout parameter. */ #define DEFAULT_TIMESTAMP_TIMEOUT (5 * 60) #define MODULE "pam_timestamp" -#define TIMESTAMPDIR _PATH_VARRUN "/" MODULE +#define TIMESTAMPDIR _PATH_VARRUN MODULE #define TIMESTAMPKEY TIMESTAMPDIR "/_pam_timestamp_key" /* Various buffers we use need to be at least as large as either PATH_MAX or @@ -81,11 +88,14 @@ #define BUFLEN PATH_MAX #endif +#define ROOT_USER 0 +#define ROOT_GROUP 0 + /* Return PAM_SUCCESS if the given directory looks "safe". */ static int check_dir_perms(pam_handle_t *pamh, const char *tdir) { - char scratch[BUFLEN]; + char scratch[BUFLEN] = {}; struct stat st; int i; /* Check that the directory is "safe". */ @@ -93,7 +103,6 @@ check_dir_perms(pam_handle_t *pamh, const char *tdir) return PAM_AUTH_ERR; } /* Iterate over the path, checking intermediate directories. */ - memset(scratch, 0, sizeof(scratch)); for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) { scratch[i] = tdir[i]; if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) { @@ -151,7 +160,7 @@ check_tty(const char *tty) } /* Pull out the meaningful part of the tty's name. */ if (strchr(tty, '/') != NULL) { - if (strncmp(tty, "/dev/", 5) != 0) { + if (pam_str_skip_prefix(tty, "/dev/") == NULL) { /* Make sure the device node is actually in /dev/, * noted by Michal Zalewski. */ return NULL; @@ -195,10 +204,26 @@ timestamp_good(time_t then, time_t now, time_t interval) } static int -check_login_time(const char *ruser, time_t timestamp) +check_login_time( +#ifdef USE_LOGIND + uid_t uid, +#else + const char *ruser, +#endif + time_t timestamp) { - struct utmp utbuf, *ut; time_t oldest_login = 0; +#ifdef USE_LOGIND +#define USEC_PER_SEC ((uint64_t) 1000000ULL) + uint64_t usec = 0; + + if (sd_uid_get_login_time(uid, &usec) < 0) { + return PAM_SERVICE_ERR; + } + + oldest_login = usec/USEC_PER_SEC; +#else + struct utmp utbuf, *ut; setutent(); while( @@ -219,6 +244,7 @@ check_login_time(const char *ruser, time_t timestamp) } } endutent(); +#endif if(oldest_login == 0 || timestamp < oldest_login) { return PAM_AUTH_ERR; } @@ -282,8 +308,10 @@ get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, } } for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "timestampdir=", 13) == 0) { - tdir = argv[i] + 13; + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "timestampdir=")) != NULL) { + tdir = str; if (debug) { pam_syslog(pamh, LOG_DEBUG, "storing timestamps in `%s'", @@ -296,10 +324,7 @@ get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, return i; } /* Get the name of the target user. */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - user = NULL; - } - if ((user == NULL) || (strlen(user) == 0)) { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user[0] == '\0') { return PAM_AUTH_ERR; } if (debug) { @@ -354,7 +379,8 @@ get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, static void verbose_success(pam_handle_t *pamh, long diff) { - pam_info(pamh, _("Access granted (last access was %ld seconds ago)."), diff); + pam_info(pamh, _("Access has been granted" + " (last access was %ld seconds ago)."), diff); } int @@ -376,8 +402,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) } } for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "timestamp_timeout=", 18) == 0) { - tmp = strtol(argv[i] + 18, &p, 0); + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "timestamp_timeout=")) != NULL) { + tmp = strtol(str, &p, 0); if ((p != NULL) && (*p == '\0')) { interval = tmp; if (debug) { @@ -449,6 +477,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_AUTH_ERR; } +#ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { + return PAM_AUTH_ERR; + } +#else + maclen = hmac_sha1_size(); +#endif /* WITH_OPENSSL */ /* Check that the file is the expected size. */ if (st.st_size == 0) { /* Invalid, but may have been created by sudo. */ @@ -456,7 +491,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_AUTH_ERR; } if (st.st_size != - (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) { + (off_t)(strlen(path) + 1 + sizeof(then) + maclen)) { pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' " "appears to be corrupted", path); close(fd); @@ -487,8 +522,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) message_end = message + strlen(path) + 1 + sizeof(then); /* Regenerate the MAC. */ - hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0, - message, message_end - message); +#ifdef WITH_OPENSSL + if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, message, message_end - message)) { + close(fd); + free(message); + return PAM_AUTH_ERR; + } +#else + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, message, message_end - message); +#endif /* WITH_OPENSSL */ if ((mac == NULL) || (memcmp(path, message, strlen(path)) != 0) || (memcmp(mac, message_end, maclen) != 0)) { @@ -509,7 +553,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) close(fd); return PAM_AUTH_ERR; } +#ifdef USE_LOGIND + struct passwd *pwd = pam_modutil_getpwnam(pamh, ruser); + if (pwd != NULL) { + return PAM_SERVICE_ERR; + } + if (check_login_time(pwd->pw_uid, then) != PAM_SUCCESS) +#else if (check_login_time(ruser, then) != PAM_SUCCESS) +#endif { pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " "older than oldest login, disallowing " @@ -577,10 +629,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * /* Create the directory for the timestamp file if it doesn't already * exist. */ - for (i = 1; path[i] != '\0'; i++) { + for (i = 1; i < (int) sizeof(path) && path[i] != '\0'; i++) { if (path[i] == '/') { /* Attempt to create the directory. */ - strncpy(subdir, path, i); + memcpy(subdir, path, i); subdir[i] = '\0'; if (mkdir(subdir, 0700) == 0) { /* Attempt to set the owner to the superuser. */ @@ -605,8 +657,16 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * } } +#ifdef WITH_OPENSSL + if (hmac_size(pamh, debug, &maclen)) { + return PAM_SESSION_ERR; + } +#else + maclen = hmac_sha1_size(); +#endif /* WITH_OPENSSL */ + /* Generate the message. */ - text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size()); + text = malloc(strlen(path) + 1 + sizeof(now) + maclen); if (text == NULL) { pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m"); return PAM_SESSION_ERR; @@ -621,15 +681,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * p += sizeof(now); /* Generate the MAC and append it to the plaintext. */ - hmac_sha1_generate_file(pamh, &mac, &maclen, - TIMESTAMPKEY, - 0, 0, - text, p - text); +#ifdef WITH_OPENSSL + if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, text, p - text)) { + free(text); + return PAM_SESSION_ERR; + } +#else + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, + ROOT_USER, ROOT_GROUP, text, p - text); if (mac == NULL) { pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m"); free(text); return PAM_SESSION_ERR; } +#endif /* WITH_OPENSSL */ memmove(p, mac, maclen); p += maclen; free(mac); @@ -691,6 +757,9 @@ main(int argc, char **argv) fd_set write_fds; char path[BUFLEN]; struct stat st; +#ifdef USE_LOGIND + uid_t uid; +#endif /* Check that there's nothing funny going on with stdio. */ if ((fstat(STDIN_FILENO, &st) == -1) || @@ -746,6 +815,9 @@ main(int argc, char **argv) if (pwd == NULL) { retval = 4; } +#ifdef USE_LOGIND + uid = pwd->pw_uid; +#endif /* Get the name of the target user. */ user = strdup(pwd->pw_name); @@ -796,10 +868,14 @@ main(int argc, char **argv) /* Check the timestamp. */ if (lstat(path, &st) != -1) { /* Check oldest login against timestamp */ +#ifdef USE_LOGIND + if (check_login_time(uid, st.st_mtime) != PAM_SUCCESS) { +#else if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) { +#endif retval = 7; - } else if (!timestamp_good(st.st_mtime, time(NULL), - DEFAULT_TIMESTAMP_TIMEOUT) == PAM_SUCCESS) { + } else if (timestamp_good(st.st_mtime, time(NULL), + DEFAULT_TIMESTAMP_TIMEOUT) != PAM_SUCCESS) { retval = 7; } } else { diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8 index b90ab317..f19a2252 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8 +++ b/modules/pam_timestamp/pam_timestamp_check.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_timestamp_check .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIMESTAMP_CHECK" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIMESTAMP_CHECK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -39,19 +39,19 @@ With no arguments will check to see if the default timestamp is valid, or optionally remove it\&. .SH "OPTIONS" .PP -\fB\-k\fR +\-k .RS 4 Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\*(Aqs \fI\-k\fR option\&. .RE .PP -\fB\-d\fR +\-d .RS 4 Instead of returning validity using an exit status, loop indefinitely, polling regularly and printing the status on standard output\&. .RE .PP -\fB\fItarget_user\fR\fR +target_user .RS 4 By default \fBpam_timestamp_check\fR @@ -59,7 +59,7 @@ checks or removes timestamps generated by \fIpam_timestamp\fR when the user authenticates as herself\&. When the user authenticates as a different user, the name of the timestamp file changes to accommodate this\&. \fItarget_user\fR -allows to specify this user name\&. +allows one to specify this user name\&. .RE .SH "RETURN VALUES" .PP @@ -127,7 +127,7 @@ timestamp files and directories \fBpam_timestamp_check\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP -pam_tally was written by Nalin Dahyabhai\&. +pam_timestamp was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml index 06432e09..e947f753 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8.xml +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml @@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_timestamp_check"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_timestamp_check"> <refmeta> <refentrytitle>pam_timestamp_check</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_timestamp_check-name"> + <refnamediv xml:id="pam_timestamp_check-name"> <refname>pam_timestamp_check</refname> <refpurpose>Check to see if the default timestamp is valid</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_timestamp_check-cmdsynopsis"> + <cmdsynopsis xml:id="pam_timestamp_check-cmdsynopsis" sepchar=" "> <command>pam_timestamp_check</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> -k </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> -d </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>target_user</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_timestamp_check-description"> + <refsect1 xml:id="pam_timestamp_check-description"> <title>DESCRIPTION</title> @@ -40,13 +37,13 @@ see if the default timestamp is valid, or optionally remove it. </para> </refsect1> - <refsect1 id="pam_timestamp_check-options"> + <refsect1 xml:id="pam_timestamp_check-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>-k</option> + -k </term> <listitem> <para> @@ -57,7 +54,7 @@ see if the default timestamp is valid, or optionally remove it. </varlistentry> <varlistentry> <term> - <option>-d</option> + -d </term> <listitem> <para> @@ -69,7 +66,7 @@ see if the default timestamp is valid, or optionally remove it. </varlistentry> <varlistentry> <term> - <option><replaceable>target_user</replaceable></option> + target_user </term> <listitem> <para> @@ -78,14 +75,14 @@ see if the default timestamp is valid, or optionally remove it. the user authenticates as herself. When the user authenticates as a different user, the name of the timestamp file changes to accommodate this. <replaceable>target_user</replaceable> allows - to specify this user name. + one to specify this user name. </para> </listitem> </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_timestamp_check-return_values'> + <refsect1 xml:id="pam_timestamp_check-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -147,7 +144,7 @@ see if the default timestamp is valid, or optionally remove it. </variablelist> </refsect1> - <refsect1 id='pam_timestamp-notes'> + <refsect1 xml:id="pam_timestamp-notes"> <title>NOTES</title> <para> Users can get confused when they are not always asked for passwords when @@ -156,7 +153,7 @@ noticing that it is not being asked for. </para> </refsect1> - <refsect1 id='pam_timestamp-examples'> + <refsect1 xml:id="pam_timestamp-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_timestamp.so verbose @@ -167,11 +164,11 @@ session optional pam_timestamp.so </programlisting> </refsect1> - <refsect1 id="pam_timestamp-files"> + <refsect1 xml:id="pam_timestamp-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/sudo/...</filename></term> + <term>/var/run/sudo/...</term> <listitem> <para>timestamp files and directories</para> </listitem> @@ -179,7 +176,7 @@ session optional pam_timestamp.so </variablelist> </refsect1> - <refsect1 id='pam_timestamp-see_also'> + <refsect1 xml:id="pam_timestamp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -192,16 +189,16 @@ session optional pam_timestamp.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_timestamp-author'> + <refsect1 xml:id="pam_timestamp-author"> <title>AUTHOR</title> <para> - pam_tally was written by Nalin Dahyabhai. + pam_timestamp was written by Nalin Dahyabhai. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_timestamp/sha1.c b/modules/pam_timestamp/sha1.c index 576b4b41..d713aed1 100644 --- a/modules/pam_timestamp/sha1.c +++ b/modules/pam_timestamp/sha1.c @@ -56,34 +56,34 @@ padding[SHA1_BLOCK_SIZE] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, }; -static u_int32_t -F(u_int32_t b, u_int32_t c, u_int32_t d) +static uint32_t +F(uint32_t b, uint32_t c, uint32_t d) { return (b & c) | ((~b) & d); } -static u_int32_t -G(u_int32_t b, u_int32_t c, u_int32_t d) +static uint32_t +G(uint32_t b, uint32_t c, uint32_t d) { return b ^ c ^ d; } -static u_int32_t -H(u_int32_t b, u_int32_t c, u_int32_t d) +static uint32_t +H(uint32_t b, uint32_t c, uint32_t d) { return (b & c) | (b & d) | (c & d); } -static u_int32_t -RL(u_int32_t n, u_int32_t s) +static uint32_t +RL(uint32_t n, uint32_t s) { return (n << s) | (n >> (32 - s)); } -static u_int32_t -sha1_round(u_int32_t (*FUNC)(u_int32_t, u_int32_t, u_int32_t), - u_int32_t a, u_int32_t b, u_int32_t c, u_int32_t d, u_int32_t e, - u_int32_t i, u_int32_t n) +static uint32_t +sha1_round(uint32_t (*FUNC)(uint32_t, uint32_t, uint32_t), + uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e, + uint32_t i, uint32_t n) { return RL(a, 5) + FUNC(b, c, d) + e + i + n; } @@ -100,10 +100,10 @@ sha1_init(struct sha1_context *ctx) } static void -sha1_process(struct sha1_context *ctx, u_int32_t buffer[SHA1_BLOCK_SIZE / 4]) +sha1_process(struct sha1_context *ctx, uint32_t buffer[SHA1_BLOCK_SIZE / 4]) { - u_int32_t a, b, c, d, e, temp; - u_int32_t data[80]; + uint32_t a, b, c, d, e, temp; + uint32_t data[80]; int i; for (i = 0; i < 16; i++) { @@ -150,14 +150,14 @@ void sha1_update(struct sha1_context *ctx, const unsigned char *data, size_t length) { size_t i = 0, l = length, c, t; - u_int32_t count = 0; + uint32_t count = 0; /* Process any pending + data blocks. */ while (l + ctx->pending_count >= SHA1_BLOCK_SIZE) { c = ctx->pending_count; t = SHA1_BLOCK_SIZE - c; - memcpy(ctx->pending + c, &data[i], t); - sha1_process(ctx, (u_int32_t*) ctx->pending); + memcpy(ctx->pending.c + c, &data[i], t); + sha1_process(ctx, ctx->pending.i); i += t; l -= t; ctx->pending_count = 0; @@ -165,7 +165,7 @@ sha1_update(struct sha1_context *ctx, const unsigned char *data, size_t length) /* Save what's left of the data block as a pending data block. */ c = ctx->pending_count; - memcpy(ctx->pending + c, &data[i], l); + memcpy(ctx->pending.c + c, &data[i], l); ctx->pending_count += l; /* Update the message length. */ @@ -188,23 +188,22 @@ sha1_output(struct sha1_context *ctx, unsigned char *out) /* Output the sum. */ if (out != NULL) { - u_int32_t c; + uint32_t c; memcpy(&ctx2, ctx, sizeof(ctx2)); /* Pad this block. */ c = ctx2.pending_count; - memcpy(ctx2.pending + c, + memcpy(ctx2.pending.c + c, padding, SHA1_BLOCK_SIZE - c); /* Do we need to process two blocks now? */ - if (c >= (SHA1_BLOCK_SIZE - (sizeof(u_int32_t) * 2))) { + if (c >= (SHA1_BLOCK_SIZE - (sizeof(uint32_t) * 2))) { /* Process this block. */ - sha1_process(&ctx2, - (u_int32_t*) ctx2.pending); + sha1_process(&ctx2, ctx2.pending.i); /* Set up another block. */ ctx2.pending_count = 0; - memset(ctx2.pending, 0, SHA1_BLOCK_SIZE); - ctx2.pending[0] = + memset(ctx2.pending.c, 0, SHA1_BLOCK_SIZE); + ctx2.pending.c[0] = (c == SHA1_BLOCK_SIZE) ? 0x80 : 0; } @@ -217,11 +216,11 @@ sha1_output(struct sha1_context *ctx, unsigned char *out) ctx2.counts[0] <<= 3; ctx2.counts[0] = htonl(ctx2.counts[0]); ctx2.counts[1] = htonl(ctx2.counts[1]); - memcpy(ctx2.pending + 56, - &ctx2.counts[1], sizeof(u_int32_t)); - memcpy(ctx2.pending + 60, - &ctx2.counts[0], sizeof(u_int32_t)); - sha1_process(&ctx2, (u_int32_t*) ctx2.pending); + memcpy(ctx2.pending.c + 56, + &ctx2.counts[1], sizeof(uint32_t)); + memcpy(ctx2.pending.c + 60, + &ctx2.counts[0], sizeof(uint32_t)); + sha1_process(&ctx2, ctx2.pending.i); /* Output the data. */ out[ 3] = (ctx2.a >> 0) & 0xff; diff --git a/modules/pam_timestamp/sha1.h b/modules/pam_timestamp/sha1.h index 667b87ca..69f432e6 100644 --- a/modules/pam_timestamp/sha1.h +++ b/modules/pam_timestamp/sha1.h @@ -38,16 +38,21 @@ #ifndef pam_timestamp_sha1_h #define pam_timestamp_sha1_h +#include <stdint.h> #include <sys/types.h> +#include "pam_cc_compat.h" #define SHA1_BLOCK_SIZE 64 struct sha1_context { size_t count; - unsigned char pending[SHA1_BLOCK_SIZE]; - u_int32_t counts[2]; + union { + unsigned char c[SHA1_BLOCK_SIZE]; + uint32_t i[SHA1_BLOCK_SIZE / sizeof(uint32_t)]; + } pending; + uint32_t counts[2]; size_t pending_count; - u_int32_t a, b, c, d, e; + uint32_t a, b, c, d, e; }; #define SHA1_OUTPUT_SIZE 20 diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am index 63784835..e774c57d 100644 --- a/modules/pam_tty_audit/Makefile.am +++ b/modules/pam_tty_audit/Makefile.am @@ -5,29 +5,28 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README pam_tty_audit.8 $(XMLS) tst-pam_tty_audit +EXTRA_DIST = $(XMLS) -if HAVE_AUDIT_TTY_STATUS - TESTS = tst-pam_tty_audit - man_MANS = pam_tty_audit.8 +if HAVE_DOC +dist_man_MANS = pam_tty_audit.8 endif XMLS = README.xml pam_tty_audit.8.xml +dist_check_SCRIPTS = tst-pam_tty_audit +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_AUDIT_TTY_STATUS - pam_tty_audit_la_LIBADD = $(top_builddir)/libpam/libpam.la - securelib_LTLIBRARIES = pam_tty_audit.la -endif +pam_tty_audit_la_LIBADD = $(top_builddir)/libpam/libpam.la +securelib_LTLIBRARIES = pam_tty_audit.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_tty_audit.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_tty_audit/Makefile.in b/modules/pam_tty_audit/Makefile.in index 8740ccc1..e3f556bf 100644 --- a/modules/pam_tty_audit/Makefile.in +++ b/modules/pam_tty_audit/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_tty_audit -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -136,16 +148,13 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -@HAVE_AUDIT_TTY_STATUS_TRUE@pam_tty_audit_la_DEPENDENCIES = \ -@HAVE_AUDIT_TTY_STATUS_TRUE@ $(top_builddir)/libpam/libpam.la +pam_tty_audit_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la pam_tty_audit_la_SOURCES = pam_tty_audit.c pam_tty_audit_la_OBJECTS = pam_tty_audit.lo AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -@HAVE_AUDIT_TTY_STATUS_TRUE@am_pam_tty_audit_la_rpath = -rpath \ -@HAVE_AUDIT_TTY_STATUS_TRUE@ $(securelibdir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -160,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_tty_audit.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -189,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -365,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -387,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -406,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -437,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -456,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -483,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -495,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -542,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -550,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -562,22 +590,26 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README pam_tty_audit.8 $(XMLS) tst-pam_tty_audit -@HAVE_AUDIT_TTY_STATUS_TRUE@TESTS = tst-pam_tty_audit -@HAVE_AUDIT_TTY_STATUS_TRUE@man_MANS = pam_tty_audit.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_tty_audit.8 XMLS = README.xml pam_tty_audit.8.xml +dist_check_SCRIPTS = tst-pam_tty_audit +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) -@HAVE_AUDIT_TTY_STATUS_TRUE@pam_tty_audit_la_LIBADD = $(top_builddir)/libpam/libpam.la -@HAVE_AUDIT_TTY_STATUS_TRUE@securelib_LTLIBRARIES = pam_tty_audit.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +pam_tty_audit_la_LIBADD = $(top_builddir)/libpam/libpam.la +securelib_LTLIBRARIES = pam_tty_audit.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -594,14 +626,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_tty_audit/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_tty_audit/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -649,7 +680,7 @@ clean-securelibLTLIBRARIES: } pam_tty_audit.la: $(pam_tty_audit_la_OBJECTS) $(pam_tty_audit_la_DEPENDENCIES) $(EXTRA_pam_tty_audit_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) $(am_pam_tty_audit_la_rpath) $(pam_tty_audit_la_OBJECTS) $(pam_tty_audit_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_tty_audit_la_OBJECTS) $(pam_tty_audit_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -657,21 +688,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tty_audit.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tty_audit.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -685,10 +722,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -723,7 +760,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -811,7 +848,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -888,7 +925,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -901,7 +938,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -911,7 +948,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -944,7 +981,10 @@ tst-pam_tty_audit.log: tst-pam_tty_audit @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -975,6 +1015,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1023,7 +1064,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_tty_audit.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1069,7 +1110,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_tty_audit.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1092,15 +1133,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1108,7 +1150,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_tty_audit.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README index ac947a32..91ea9cee 100644 --- a/modules/pam_tty_audit/README +++ b/modules/pam_tty_audit/README @@ -37,7 +37,7 @@ log_passwd NOTES When TTY auditing is enabled, it is inherited by all processes started by that -user. In particular, daemons restarted by an user will still have TTY auditing +user. In particular, daemons restarted by a user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled. Therefore, it is recommended to use disable=* as the first option for most daemons using PAM. @@ -50,6 +50,12 @@ range is specified as min_uid:max_uid where one of these values can be empty. If min_uid is empty only user with the uid max_uid will be matched. If max_uid is empty users with the uid greater than or equal to min_uid will be matched. +Please note that passwords in some circumstances may be logged by TTY auditing +even if the log_passwd is not used. For example, all input to an ssh session +will be logged - even if there is a password being typed into some software +running at the remote host because only the local TTY state affects the local +TTY auditing. + EXAMPLES Audit all administrative actions. diff --git a/modules/pam_tty_audit/README.xml b/modules/pam_tty_audit/README.xml index 4dad6bbe..95b851cb 100644 --- a/modules/pam_tty_audit/README.xml +++ b/modules/pam_tty_audit/README.xml @@ -1,41 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd"> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tty_audit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-notes")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8 index e0800815..2ba53358 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8 +++ b/modules/pam_tty_audit/pam_tty_audit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_tty_audit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2018 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TTY_AUDIT" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TTY_AUDIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_tty_audit \- Enable or disable TTY auditing for specified users The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&. .SH "OPTIONS" .PP -\fBdisable=\fR\fB\fIpatterns\fR\fR +disable=patterns .RS 4 For each user matching \fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous @@ -46,7 +46,7 @@ option matching the same user name on the command line\&. See NOTES for further \fB\fIpatterns\fR\fR\&. .RE .PP -\fBenable=\fR\fB\fIpatterns\fR\fR +enable=patterns .RS 4 For each user matching \fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous @@ -55,7 +55,7 @@ option matching the same user name on the command line\&. See NOTES for further \fB\fIpatterns\fR\fR\&. .RE .PP -\fBopen_only\fR +open_only .RS 4 Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\*(Aqt \fBfork()\fR @@ -63,7 +63,7 @@ to run the authenticated session, such as \fBsudo\fR\&. .RE .PP -\fBlog_passwd\fR +log_passwd .RS 4 Log keystrokes when ECHO mode is off but ICANON mode is active\&. This is the mode in which the tty is placed during password entry\&. By default, passwords are not logged\&. This option may not be available on older kernels (3\&.9?)\&. .RE @@ -85,7 +85,7 @@ Success\&. .RE .SH "NOTES" .PP -When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use +When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by a user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use \fBdisable=*\fR as the first option for most daemons using PAM\&. .PP @@ -105,6 +105,10 @@ will be matched\&. If is empty users with the uid greater than or equal to \fImin_uid\fR will be matched\&. +.PP +Please note that passwords in some circumstances may be logged by TTY auditing even if the +\fBlog_passwd\fR +is not used\&. For example, all input to an ssh session will be logged \- even if there is a password being typed into some software running at the remote host because only the local TTY state affects the local TTY auditing\&. .SH "EXAMPLES" .PP Audit all administrative actions\&. @@ -125,7 +129,7 @@ session required pam_tty_audit\&.so disable=* enable=root \fBaureport\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_tty_audit was written by Miloslav TrmaÄ <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&. diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 59a3406d..79d8115e 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_tty_audit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_tty_audit"> <refmeta> <refentrytitle>pam_tty_audit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_tty_audit-name"> + <refnamediv xml:id="pam_tty_audit-name"> <refname>pam_tty_audit</refname> <refpurpose>Enable or disable TTY auditing for specified users</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_tty_audit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_tty_audit-cmdsynopsis" sepchar=" "> <command>pam_tty_audit.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> disable=<replaceable>patterns</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> enable=<replaceable>patterns</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_tty_audit-description"> + <refsect1 xml:id="pam_tty_audit-description"> <title>DESCRIPTION</title> <para> The pam_tty_audit PAM module is used to enable or disable TTY auditing. @@ -35,12 +32,12 @@ </para> </refsect1> - <refsect1 id="pam_tty_audit-options"> + <refsect1 xml:id="pam_tty_audit-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>disable=<replaceable>patterns</replaceable></option> + disable=patterns </term> <listitem> <para> @@ -53,7 +50,7 @@ </varlistentry> <varlistentry> <term> - <option>enable=<replaceable>patterns</replaceable></option> + enable=patterns </term> <listitem> <para> @@ -66,7 +63,7 @@ </varlistentry> <varlistentry> <term> - <option>open_only</option> + open_only </term> <listitem> <para> @@ -79,7 +76,7 @@ </varlistentry> <varlistentry> <term> - <option>log_passwd</option> + log_passwd </term> <listitem> <para> @@ -93,14 +90,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_tty_audit-types"> + <refsect1 xml:id="pam_tty_audit-types"> <title>MODULE TYPES PROVIDED</title> <para> - Only the <emphasis remap='B'>session</emphasis> type is supported. + Only the <emphasis remap="B">session</emphasis> type is supported. </para> </refsect1> - <refsect1 id='pam_tty_audit-return_values'> + <refsect1 xml:id="pam_tty_audit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -125,11 +122,11 @@ </variablelist> </refsect1> - <refsect1 id='pam_tty_audit-notes'> + <refsect1 xml:id="pam_tty_audit-notes"> <title>NOTES</title> <para> When TTY auditing is enabled, it is inherited by all processes started by - that user. In particular, daemons restarted by an user will still have + that user. In particular, daemons restarted by a user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled. Therefore, it is recommended to use <option>disable=*</option> as the first option for @@ -149,9 +146,16 @@ greater than or equal to <replaceable>min_uid</replaceable> will be matched. </para> + <para> + Please note that passwords in some circumstances may be logged by TTY auditing + even if the <option>log_passwd</option> is not used. For example, all input to + an ssh session will be logged - even if there is a password being typed into + some software running at the remote host because only the local TTY state + affects the local TTY auditing. + </para> </refsect1> - <refsect1 id='pam_tty_audit-examples'> + <refsect1 xml:id="pam_tty_audit-examples"> <title>EXAMPLES</title> <para> Audit all administrative actions. @@ -161,7 +165,7 @@ session required pam_tty_audit.so disable=* enable=root </para> </refsect1> - <refsect1 id='pam_tty_audit-see_also'> + <refsect1 xml:id="pam_tty_audit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -174,19 +178,19 @@ session required pam_tty_audit.so disable=* enable=root <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_tty_audit-author'> + <refsect1 xml:id="pam_tty_audit-author"> <title>AUTHOR</title> <para> - pam_tty_audit was written by Miloslav Trmač + pam_tty_audit was written by Miloslav TrmaÄ <mitr@redhat.com>. The log_passwd option was added by Richard Guy Briggs <rgb@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 79e5d511..15fb910f 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -48,12 +48,13 @@ #include <libaudit.h> #include <linux/netlink.h> -#define PAM_SM_SESSION - #include <security/pam_ext.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> +#include "pam_cc_compat.h" +#include "pam_inline.h" + #define DATANAME "pam_tty_audit_last_state" /* Open an audit netlink socket */ @@ -79,7 +80,9 @@ nl_send (int fd, unsigned type, unsigned flags, const void *data, size_t size) nlm.nlmsg_pid = 0; iov[0].iov_base = &nlm; iov[0].iov_len = sizeof (nlm); + DIAG_PUSH_IGNORE_CAST_QUAL; iov[1].iov_base = (void *)data; + DIAG_POP_IGNORE_CAST_QUAL; iov[1].iov_len = size; addr.nl_family = AF_NETLINK; addr.nl_pid = 0; @@ -265,14 +268,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) if (pam_get_user (pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "error determining target user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_SESSION_ERR; } pwd = pam_modutil_getpwnam(pamh, user); if (pwd == NULL) { - pam_syslog(pamh, LOG_WARNING, + pam_syslog(pamh, LOG_NOTICE, "open_session unknown user '%s'", user); return PAM_SESSION_ERR; } @@ -284,14 +287,16 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { - if (strncmp (argv[i], "enable=", 7) == 0 - || strncmp (argv[i], "disable=", 8) == 0) + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "enable=")) != NULL + || (str = pam_str_skip_prefix(argv[i], "disable=")) != NULL) { enum command this_command; char *copy, *tok_data, *tok; this_command = *argv[i] == 'e' ? CMD_ENABLE : CMD_DISABLE; - copy = strdup (strchr (argv[i], '=') + 1); + copy = strdup (str); if (copy == NULL) return PAM_SESSION_ERR; for (tok = strtok_r (copy, ",", &tok_data); @@ -347,6 +352,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) fd = nl_open (); if (fd == -1 + && errno == EPROTONOSUPPORT) + { + pam_syslog (pamh, LOG_WARNING, "unable to open audit socket, audit not " + "supported; tty_audit skipped"); + free (old_status); + return PAM_IGNORE; + } + else if (fd == -1 || nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0 || nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0) { diff --git a/modules/pam_umask/Makefile.am b/modules/pam_umask/Makefile.am index 205e7718..1482a432 100644 --- a/modules/pam_umask/Makefile.am +++ b/modules/pam_umask/Makefile.am @@ -5,18 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_umask - -man_MANS = pam_umask.8 +EXTRA_DIST = $(XMLS) +if HAVE_DOC +dist_man_MANS = pam_umask.8 +endif XMLS = README.xml pam_umask.8.xml - -TESTS = tst-pam_umask +dist_check_SCRIPTS = tst-pam_umask +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -26,7 +32,6 @@ securelib_LTLIBRARIES = pam_umask.la pam_umask_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_umask.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_umask/Makefile.in b/modules/pam_umask/Makefile.in index 39f7b356..08ad8c69 100644 --- a/modules/pam_umask/Makefile.in +++ b/modules/pam_umask/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_umask -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_umask.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_umask -man_MANS = pam_umask.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_umask.8 XMLS = README.xml pam_umask.8.xml -TESTS = tst-pam_umask +dist_check_SCRIPTS = tst-pam_umask +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_umask.la pam_umask_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_umask/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_umask/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_umask.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_umask.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_umask.log: tst-pam_umask @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_umask.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_umask.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_umask.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_umask/README b/modules/pam_umask/README index 274dbf60..ddde8c21 100644 --- a/modules/pam_umask/README +++ b/modules/pam_umask/README @@ -40,6 +40,12 @@ usergroups the umask group bits are set to be the same as owner bits (examples: 022 -> 002, 077 -> 007). +nousergroups + + This is the direct opposite of the usergroups option described above, which + can be useful in case pam_umask has been compiled with usergroups enabled + by default and you want to disable it at runtime. + umask=mask Sets the calling process's file mode creation mask (umask) to mask & 0777. diff --git a/modules/pam_umask/README.xml b/modules/pam_umask/README.xml index 9afbe543..d2b82d10 100644 --- a/modules/pam_umask/README.xml +++ b/modules/pam_umask/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_umask.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_umask-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_umask/pam_umask.8 b/modules/pam_umask/pam_umask.8 index fd2d8a8a..c7636e2e 100644 --- a/modules/pam_umask/pam_umask.8 +++ b/modules/pam_umask/pam_umask.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_umask .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2018 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_UMASK" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_UMASK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_umask \- PAM module to set the file mode creation mask .SH "SYNOPSIS" .HP \w'\fBpam_umask\&.so\fR\ 'u -\fBpam_umask\&.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] +\fBpam_umask\&.so\fR [debug] [silent] [usergroups] [nousergroups] [umask=\fImask\fR] .SH "DESCRIPTION" .PP pam_umask is a PAM module to set the file mode creation mask of the current environment\&. The umask affects the default permissions assigned to newly created files\&. @@ -86,22 +86,27 @@ The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in a .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages\&. .RE .PP -\fBusergroups\fR +usergroups .RS 4 If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. .RE .PP -\fBumask=\fR\fB\fImask\fR\fR +nousergroups +.RS 4 +This is the direct opposite of the usergroups option described above, which can be useful in case pam_umask has been compiled with usergroups enabled by default and you want to disable it at runtime\&. +.RE +.PP +umask=mask .RS 4 Sets the calling process\*(Aqs file mode creation mask (umask) to \fBmask\fR @@ -120,6 +125,21 @@ PAM_SUCCESS The new umask was set successfully\&. .RE .PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. +.RE +.PP PAM_SERVICE_ERR .RS 4 No username was given\&. @@ -150,7 +170,7 @@ to set the user specific umask at login: .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&. diff --git a/modules/pam_umask/pam_umask.8.xml b/modules/pam_umask/pam_umask.8.xml index 92693f7f..acb3bc0b 100644 --- a/modules/pam_umask/pam_umask.8.xml +++ b/modules/pam_umask/pam_umask.8.xml @@ -1,39 +1,39 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_umask"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_umask"> <refmeta> <refentrytitle>pam_umask</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_umask-name"> + <refnamediv xml:id="pam_umask-name"> <refname>pam_umask</refname> <refpurpose>PAM module to set the file mode creation mask</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_umask-cmdsynopsis"> + <cmdsynopsis xml:id="pam_umask-cmdsynopsis" sepchar=" "> <command>pam_umask.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> usergroups </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> + nousergroups + </arg> + <arg choice="opt" rep="norepeat"> umask=<replaceable>mask</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_umask-description"> + <refsect1 xml:id="pam_umask-description"> <title>DESCRIPTION</title> @@ -78,7 +78,7 @@ </refsect1> - <refsect1 id="pam_umask-options"> + <refsect1 xml:id="pam_umask-options"> <title>OPTIONS</title> <para> @@ -86,7 +86,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -97,7 +97,7 @@ <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -108,20 +108,33 @@ <varlistentry> <term> - <option>usergroups</option> + usergroups </term> <listitem> <para> If the user is not root and the username is the same as primary group name, the umask group bits are set to be the - same as owner bits (examples: 022 -> 002, 077 -> 007). + same as owner bits (examples: 022 -> 002, 077 -> 007). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + nousergroups + </term> + <listitem> + <para> + This is the direct opposite of the usergroups option described above, + which can be useful in case pam_umask has been compiled with + usergroups enabled by default and you want to disable it at runtime. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>umask=<replaceable>mask</replaceable></option> + umask=mask </term> <listitem> <para> @@ -137,14 +150,14 @@ </para> </refsect1> - <refsect1 id="pam_umask-types"> + <refsect1 xml:id="pam_umask-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> type is provided. </para> </refsect1> - <refsect1 id='pam_umask-return_values'> + <refsect1 xml:id="pam_umask-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -159,6 +172,35 @@ </varlistentry> <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>PAM_SERVICE_ERR</term> <listitem> <para> @@ -180,7 +222,7 @@ </para> </refsect1> - <refsect1 id='pam_umask-examples'> + <refsect1 xml:id="pam_umask-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -191,7 +233,7 @@ </para> </refsect1> - <refsect1 id='pam_umask-see_also'> + <refsect1 xml:id="pam_umask-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -201,16 +243,16 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_umask-author'> + <refsect1 xml:id="pam_umask-author"> <title>AUTHOR</title> <para> pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index ab490645..72b10e92 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -1,4 +1,6 @@ /* + * pam_umask module + * * Copyright (c) 2005, 2006, 2007, 2010, 2013 Thorsten Kukuk <kukuk@thkukuk.de> * * Redistribution and use in source and binary forms, with or without @@ -50,13 +52,11 @@ #include <sys/resource.h> #include <syslog.h> -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" -#define BUF_SIZE 4096 #define LOGIN_DEFS "/etc/login.defs" #define LOGIN_CONF "/etc/default/login" @@ -64,114 +64,51 @@ struct options_t { int debug; int usergroups; int silent; - char *umask; + const char *umask; + char *login_umask; }; typedef struct options_t options_t; static void parse_option (const pam_handle_t *pamh, const char *argv, options_t *options) { + const char *str; + if (argv == NULL || argv[0] == '\0') return; if (strcasecmp (argv, "debug") == 0) options->debug = 1; - else if (strncasecmp (argv, "umask=", 6) == 0) - options->umask = strdup (&argv[6]); + else if ((str = pam_str_skip_icase_prefix (argv, "umask=")) != NULL) + options->umask = str; else if (strcasecmp (argv, "usergroups") == 0) options->usergroups = 1; + else if (strcasecmp (argv, "nousergroups") == 0) + options->usergroups = 0; else if (strcasecmp (argv, "silent") == 0) options->silent = 1; else pam_syslog (pamh, LOG_ERR, "Unknown option: `%s'", argv); } -static char * -search_key (const char *filename) -{ - FILE *fp; - char *buf = NULL; - size_t buflen = 0; - char *retval = NULL; - - fp = fopen (filename, "r"); - if (NULL == fp) - return NULL; - - while (!feof (fp)) - { - char *tmp, *cp; -#if defined(HAVE_GETLINE) - ssize_t n = getline (&buf, &buflen, fp); -#elif defined (HAVE_GETDELIM) - ssize_t n = getdelim (&buf, &buflen, '\n', fp); -#else - ssize_t n; - - if (buf == NULL) - { - buflen = BUF_SIZE; - buf = malloc (buflen); - if (buf == NULL) { - fclose (fp); - return NULL; - } - } - buf[0] = '\0'; - if (fgets (buf, buflen - 1, fp) == NULL) - break; - else if (buf != NULL) - n = strlen (buf); - else - n = 0; -#endif /* HAVE_GETLINE / HAVE_GETDELIM */ - cp = buf; - - if (n < 1) - break; - - tmp = strchr (cp, '#'); /* remove comments */ - if (tmp) - *tmp = '\0'; - while (isspace ((int)*cp)) /* remove spaces and tabs */ - ++cp; - if (*cp == '\0') /* ignore empty lines */ - continue; - - if (cp[strlen (cp) - 1] == '\n') - cp[strlen (cp) - 1] = '\0'; - - tmp = strsep (&cp, " \t="); - if (cp != NULL) - while (isspace ((int)*cp) || *cp == '=') - ++cp; - - if (strcasecmp (tmp, "UMASK") == 0) - { - retval = strdup (cp); - break; - } - } - fclose (fp); - - free (buf); - - return retval; -} - static int -get_options (const pam_handle_t *pamh, options_t *options, +get_options (pam_handle_t *pamh, options_t *options, int argc, const char **argv) { memset (options, 0, sizeof (options_t)); + + options->usergroups = DEFAULT_USERGROUPS_SETTING; + /* Parse parameters for module */ for ( ; argc-- > 0; argv++) parse_option (pamh, *argv, options); - if (options->umask == NULL) - options->umask = search_key (LOGIN_DEFS); - if (options->umask == NULL) - options->umask = search_key (LOGIN_CONF); + if (options->umask == NULL) { + options->login_umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK"); + if (options->login_umask == NULL) + options->login_umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK"); + options->umask = options->login_umask; + } return 0; } @@ -218,25 +155,27 @@ setup_limits_from_gecos (pam_handle_t *pamh, options_t *options, /* See if the GECOS field contains values for NICE, UMASK or ULIMIT. */ for (cp = pw->pw_gecos; cp != NULL; cp = strchr (cp, ',')) { + const char *str; + if (*cp == ',') cp++; - if (strncasecmp (cp, "umask=", 6) == 0) - umask (strtol (cp + 6, NULL, 8) & 0777); - else if (strncasecmp (cp, "pri=", 4) == 0) + if ((str = pam_str_skip_icase_prefix (cp, "umask=")) != NULL) + umask (strtol (str, NULL, 8) & 0777); + else if ((str = pam_str_skip_icase_prefix (cp, "pri=")) != NULL) { errno = 0; - if (nice (strtol (cp + 4, NULL, 10)) == -1 && errno != 0) + if (nice (strtol (str, NULL, 10)) == -1 && errno != 0) { if (!options->silent || options->debug) pam_error (pamh, "nice failed: %m\n"); pam_syslog (pamh, LOG_ERR, "nice failed: %m"); } } - else if (strncasecmp (cp, "ulimit=", 7) == 0) + else if ((str = pam_str_skip_icase_prefix (cp, "ulimit=")) != NULL) { struct rlimit rlimit_fsize; - rlimit_fsize.rlim_cur = 512L * strtol (cp + 7, NULL, 10); + rlimit_fsize.rlim_cur = 512L * strtol (str, NULL, 10); rlimit_fsize.rlim_max = rlimit_fsize.rlim_cur; if (setrlimit (RLIMIT_FSIZE, &rlimit_fsize) == -1) { @@ -265,31 +204,23 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* get the user name. */ if ((retval = pam_get_user (pamh, &name, NULL)) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "pam_get_user failed: return %d", retval); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:retval); } - if (name == NULL || name[0] == '\0') - { - if (name) - { - pam_syslog (pamh, LOG_ERR, "bad username [%s]", name); - return PAM_USER_UNKNOWN; - } - return PAM_SERVICE_ERR; - } - pw = pam_modutil_getpwnam (pamh, name); if (pw == NULL) { - pam_syslog (pamh, LOG_ERR, "account for %s not found", name); + pam_syslog (pamh, LOG_NOTICE, "account for %s not found", name); return PAM_USER_UNKNOWN; } if (options.umask != NULL) { set_umask (options.umask); - free (options.umask); + free (options.login_umask); + options.umask = options.login_umask = NULL; } setup_limits_from_gecos (pamh, &options, pw); diff --git a/modules/pam_unix/CHANGELOG b/modules/pam_unix/CHANGELOG index c18acc27..f8f70f59 100644 --- a/modules/pam_unix/CHANGELOG +++ b/modules/pam_unix/CHANGELOG @@ -1,6 +1,6 @@ $Id$ -* Mon Aug 16 1999 Jan Rêkorajski <baggins@pld.org.pl> +* Mon Aug 16 1999 Jan RÄ™korajski <baggins@pld.org.pl> - fixed reentrancy problems * Sun Jul 4 21:03:42 PDT 1999 @@ -15,7 +15,7 @@ $Id$ * Sun Jun 27 1999 Steve Langasek <vorlon@netexpress.net> - fix to uid-handling code for NIS+ -* Sat Jun 26 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Sat Jun 26 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - merged MD5 fix and early failure syslog by Andrey Vladimirovich Savochkin <saw@msu.ru> - minor fixes @@ -24,31 +24,31 @@ $Id$ * Fri Jun 25 1999 Stephen Langasek <vorlon@netexpress.net> - reorganized the code to let it build as separate C files -* Sun Jun 20 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Sun Jun 20 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - fixes in pam_unix_auth, it incorrectly saved and restored return value when likeauth option was used -* Tue Jun 15 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Tue Jun 15 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - added NIS+ support -* Mon Jun 14 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Mon Jun 14 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - total rewrite based on pam_pwdb module, now there is ONE pam_unix.so module, it accepts the same options as pam_pwdb - all of them correctly ;) (pam_pwdb dosn't understand what DISALLOW_NULL_AUTHTOK means) -* Tue Apr 20 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Tue Apr 20 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - Arghhh, pam_unix_passwd was not updating /etc/shadow when used with pam_cracklib. -* Mon Apr 19 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Mon Apr 19 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - added "remember=XXX" option that means 'remember XXX old passwords' Old passwords are stored in /etc/security/opasswd, there can be maximum of 400 passwords per user. -* Sat Mar 27 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Sat Mar 27 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - added crypt16 to pam_unix_auth and pam_unix_passwd (check only, this algorithm is too lame to use it in real life) -* Sun Mar 21 1999 Jan Rêkorajski <baggins@mimuw.edu.pl> +* Sun Mar 21 1999 Jan RÄ™korajski <baggins@mimuw.edu.pl> - pam_unix_auth now correctly behave when user has NULL AUTHTOK - pam_unix_auth returns PAM_PERM_DENIED when seteuid fails diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index 56df1782..ddba63c5 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -5,25 +5,26 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \ - tst-pam_unix $(XMLS) +EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c yppasswd_xdr.c $(XMLS) CHANGELOG -man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 +if HAVE_DOC +dist_man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 +endif XMLS = README.xml pam_unix.8.xml unix_chkpwd.8.xml unix_update.8.xml - -TESTS = tst-pam_unix +dist_check_SCRIPTS = tst-pam_unix +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ -DUPDATE_HELPER=\"$(sbindir)/unix_update\" \ - @TIRPC_CFLAGS@ @NSL_CFLAGS@ - -if HAVE_LIBSELINUX - AM_CFLAGS += -D"WITH_SELINUX" -endif + @TIRPC_CFLAGS@ @NSL_CFLAGS@ $(WARN_CFLAGS) pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING @@ -42,7 +43,10 @@ noinst_PROGRAMS = bigcrypt pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ - passverify.c yppasswd_xdr.c md5_good.c md5_broken.c + passverify.c md5_good.c md5_broken.c obscure.c +if HAVE_NIS + pam_unix_la_SOURCES += yppasswd_xdr.c +endif bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) @@ -50,18 +54,17 @@ bigcrypt_LDADD = @LIBCRYPT@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c -unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" -unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ +unix_chkpwd_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" +unix_chkpwd_LDFLAGS = @EXE_LDFLAGS@ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c -unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" -unix_update_LDFLAGS = @PIE_LDFLAGS@ +unix_update_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" +unix_update_LDFLAGS = @EXE_LDFLAGS@ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_unix.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_unix/Makefile.in b/modules/pam_unix/Makefile.in index 806f04c8..1de5b72b 100644 --- a/modules/pam_unix/Makefile.in +++ b/modules/pam_unix/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -22,7 +22,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,33 +95,39 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_LIBSELINUX_TRUE@am__append_1 = -D"WITH_SELINUX" -@HAVE_VERSIONING_TRUE@am__append_2 = -Wl,--version-script=$(srcdir)/../modules.map +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map sbin_PROGRAMS = unix_chkpwd$(EXEEXT) unix_update$(EXEEXT) noinst_PROGRAMS = bigcrypt$(EXEEXT) +@HAVE_NIS_TRUE@am__append_2 = yppasswd_xdr.c subdir = modules/pam_unix -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(noinst_HEADERS) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ + "$(DESTDIR)$(man8dir)" +PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -139,13 +155,15 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ - "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) pam_unix_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__pam_unix_la_SOURCES_DIST = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ + passverify.c md5_good.c md5_broken.c yppasswd_xdr.c +@HAVE_NIS_TRUE@am__objects_1 = yppasswd_xdr.lo am_pam_unix_la_OBJECTS = bigcrypt.lo pam_unix_acct.lo pam_unix_auth.lo \ pam_unix_passwd.lo pam_unix_sess.lo support.lo passverify.lo \ - yppasswd_xdr.lo md5_good.lo md5_broken.lo + md5_good.lo md5_broken.lo $(am__objects_1) pam_unix_la_OBJECTS = $(am_pam_unix_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -154,7 +172,6 @@ am__v_lt_1 = pam_unix_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(pam_unix_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS) am_bigcrypt_OBJECTS = bigcrypt-bigcrypt.$(OBJEXT) \ bigcrypt-bigcrypt_main.$(OBJEXT) bigcrypt_OBJECTS = $(am_bigcrypt_OBJECTS) @@ -196,7 +213,24 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/bigcrypt-bigcrypt.Po \ + ./$(DEPDIR)/bigcrypt-bigcrypt_main.Po ./$(DEPDIR)/bigcrypt.Plo \ + ./$(DEPDIR)/md5_broken.Plo ./$(DEPDIR)/md5_good.Plo \ + ./$(DEPDIR)/pam_unix_acct.Plo ./$(DEPDIR)/pam_unix_auth.Plo \ + ./$(DEPDIR)/pam_unix_passwd.Plo ./$(DEPDIR)/pam_unix_sess.Plo \ + ./$(DEPDIR)/passverify.Plo ./$(DEPDIR)/support.Plo \ + ./$(DEPDIR)/unix_chkpwd-bigcrypt.Po \ + ./$(DEPDIR)/unix_chkpwd-md5_broken.Po \ + ./$(DEPDIR)/unix_chkpwd-md5_good.Po \ + ./$(DEPDIR)/unix_chkpwd-passverify.Po \ + ./$(DEPDIR)/unix_chkpwd-unix_chkpwd.Po \ + ./$(DEPDIR)/unix_update-bigcrypt.Po \ + ./$(DEPDIR)/unix_update-md5_broken.Po \ + ./$(DEPDIR)/unix_update-md5_good.Po \ + ./$(DEPDIR)/unix_update-passverify.Po \ + ./$(DEPDIR)/unix_update-unix_update.Po \ + ./$(DEPDIR)/yppasswd_xdr.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -218,7 +252,7 @@ am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \ $(unix_chkpwd_SOURCES) $(unix_update_SOURCES) -DIST_SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \ +DIST_SOURCES = $(am__pam_unix_la_SOURCES_DIST) $(bigcrypt_SOURCES) \ $(unix_chkpwd_SOURCES) $(unix_update_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ @@ -227,8 +261,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -404,6 +439,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -426,6 +462,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -445,24 +484,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,7 +524,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -495,11 +542,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -522,8 +572,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -534,11 +583,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -581,7 +637,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -589,9 +644,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -601,52 +653,52 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \ - tst-pam_unix $(XMLS) - -man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 +EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c yppasswd_xdr.c $(XMLS) CHANGELOG +@HAVE_DOC_TRUE@dist_man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 XMLS = README.xml pam_unix.8.xml unix_chkpwd.8.xml unix_update.8.xml -TESTS = tst-pam_unix +dist_check_SCRIPTS = tst-pam_unix +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include \ - -I$(top_srcdir)/libpamc/include \ +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ - -DUPDATE_HELPER=\"$(sbindir)/unix_update\" @TIRPC_CFLAGS@ \ - @NSL_CFLAGS@ $(am__append_1) + -DUPDATE_HELPER=\"$(sbindir)/unix_update\" \ + @TIRPC_CFLAGS@ @NSL_CFLAGS@ $(WARN_CFLAGS) + pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module \ - $(am__append_2) + $(am__append_1) pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ securelib_LTLIBRARIES = pam_unix.la noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h -pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ - pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ - passverify.c yppasswd_xdr.c md5_good.c md5_broken.c - +pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c pam_unix_auth.c \ + pam_unix_passwd.c pam_unix_sess.c support.c passverify.c \ + md5_good.c md5_broken.c $(am__append_2) bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) bigcrypt_LDADD = @LIBCRYPT@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c -unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" -unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ +unix_chkpwd_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" +unix_chkpwd_LDFLAGS = @EXE_LDFLAGS@ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c -unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" -unix_update_LDFLAGS = @PIE_LDFLAGS@ +unix_update_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" +unix_update_LDFLAGS = @EXE_LDFLAGS@ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -663,14 +715,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_unix/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_unix/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -682,44 +733,6 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ - } - -uninstall-securelibLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ - done - -clean-securelibLTLIBRARIES: - -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) - @list='$(securelib_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -pam_unix.la: $(pam_unix_la_OBJECTS) $(pam_unix_la_DEPENDENCIES) $(EXTRA_pam_unix_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_unix_la_LINK) -rpath $(securelibdir) $(pam_unix_la_OBJECTS) $(pam_unix_la_LIBADD) $(LIBS) - clean-noinstPROGRAMS: @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ @@ -778,6 +791,44 @@ clean-sbinPROGRAMS: echo " rm -f" $$list; \ rm -f $$list +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_unix.la: $(pam_unix_la_OBJECTS) $(pam_unix_la_DEPENDENCIES) $(EXTRA_pam_unix_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_unix_la_LINK) -rpath $(securelibdir) $(pam_unix_la_OBJECTS) $(pam_unix_la_LIBADD) $(LIBS) + bigcrypt$(EXEEXT): $(bigcrypt_OBJECTS) $(bigcrypt_DEPENDENCIES) $(EXTRA_bigcrypt_DEPENDENCIES) @rm -f bigcrypt$(EXEEXT) $(AM_V_CCLD)$(bigcrypt_LINK) $(bigcrypt_OBJECTS) $(bigcrypt_LDADD) $(LIBS) @@ -796,42 +847,48 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt-bigcrypt.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt-bigcrypt_main.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_broken.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_good.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_acct.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_auth.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_passwd.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_sess.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/passverify.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/support.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-bigcrypt.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-md5_broken.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-md5_good.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-passverify.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-unix_chkpwd.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-bigcrypt.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-md5_broken.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-md5_good.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-passverify.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-unix_update.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/yppasswd_xdr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt-bigcrypt.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt-bigcrypt_main.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bigcrypt.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_broken.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_good.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_acct.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_auth.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_passwd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_unix_sess.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/passverify.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/support.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-bigcrypt.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-md5_broken.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-md5_good.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-passverify.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_chkpwd-unix_chkpwd.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-bigcrypt.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-md5_broken.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-md5_good.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-passverify.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unix_update-unix_update.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/yppasswd_xdr.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -1013,10 +1070,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -1051,7 +1108,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -1139,7 +1196,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -1216,7 +1273,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -1229,7 +1286,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1239,7 +1296,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1272,7 +1329,10 @@ tst-pam_unix.log: tst-pam_unix @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1303,11 +1363,12 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1351,7 +1412,28 @@ clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/bigcrypt-bigcrypt.Po + -rm -f ./$(DEPDIR)/bigcrypt-bigcrypt_main.Po + -rm -f ./$(DEPDIR)/bigcrypt.Plo + -rm -f ./$(DEPDIR)/md5_broken.Plo + -rm -f ./$(DEPDIR)/md5_good.Plo + -rm -f ./$(DEPDIR)/pam_unix_acct.Plo + -rm -f ./$(DEPDIR)/pam_unix_auth.Plo + -rm -f ./$(DEPDIR)/pam_unix_passwd.Plo + -rm -f ./$(DEPDIR)/pam_unix_sess.Plo + -rm -f ./$(DEPDIR)/passverify.Plo + -rm -f ./$(DEPDIR)/support.Plo + -rm -f ./$(DEPDIR)/unix_chkpwd-bigcrypt.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-md5_broken.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-md5_good.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-passverify.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-unix_chkpwd.Po + -rm -f ./$(DEPDIR)/unix_update-bigcrypt.Po + -rm -f ./$(DEPDIR)/unix_update-md5_broken.Po + -rm -f ./$(DEPDIR)/unix_update-md5_good.Po + -rm -f ./$(DEPDIR)/unix_update-passverify.Po + -rm -f ./$(DEPDIR)/unix_update-unix_update.Po + -rm -f ./$(DEPDIR)/yppasswd_xdr.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1397,7 +1479,28 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/bigcrypt-bigcrypt.Po + -rm -f ./$(DEPDIR)/bigcrypt-bigcrypt_main.Po + -rm -f ./$(DEPDIR)/bigcrypt.Plo + -rm -f ./$(DEPDIR)/md5_broken.Plo + -rm -f ./$(DEPDIR)/md5_good.Plo + -rm -f ./$(DEPDIR)/pam_unix_acct.Plo + -rm -f ./$(DEPDIR)/pam_unix_auth.Plo + -rm -f ./$(DEPDIR)/pam_unix_passwd.Plo + -rm -f ./$(DEPDIR)/pam_unix_sess.Plo + -rm -f ./$(DEPDIR)/passverify.Plo + -rm -f ./$(DEPDIR)/support.Plo + -rm -f ./$(DEPDIR)/unix_chkpwd-bigcrypt.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-md5_broken.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-md5_good.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-passverify.Po + -rm -f ./$(DEPDIR)/unix_chkpwd-unix_chkpwd.Po + -rm -f ./$(DEPDIR)/unix_update-bigcrypt.Po + -rm -f ./$(DEPDIR)/unix_update-md5_broken.Po + -rm -f ./$(DEPDIR)/unix_update-md5_good.Po + -rm -f ./$(DEPDIR)/unix_update-passverify.Po + -rm -f ./$(DEPDIR)/unix_update-unix_update.Po + -rm -f ./$(DEPDIR)/yppasswd_xdr.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1421,10 +1524,11 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-noinstPROGRAMS \ - clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ - ctags ctags-am distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-noinstPROGRAMS clean-sbinPROGRAMS \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -1439,7 +1543,8 @@ uninstall-man: uninstall-man8 uninstall-man8 uninstall-sbinPROGRAMS \ uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_unix.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_unix/README b/modules/pam_unix/README index 651ed9c8..be11095f 100644 --- a/modules/pam_unix/README +++ b/modules/pam_unix/README @@ -69,6 +69,12 @@ nullok service if their official password is blank. The nullok argument overrides this default. +nullresetok + + Allow users to authenticate with blank password if password reset is + enforced even if nullok is not set. If password reset is not required and + nullok is not set the authentication with blank password will be denied. + try_first_pass Before prompting the user for their password, the module first tries the @@ -93,7 +99,7 @@ use_authtok When password changing enforce the module to set the new password to the one provided by a previously stacked password module (this is used in the - example of the stacking of the pam_cracklib module documented below). + example of the stacking of the pam_passwdqc module documented below). authtok_type=type @@ -128,25 +134,35 @@ bigcrypt sha256 When a user changes their password next, encrypt it with the SHA256 - algorithm. If the SHA256 algorithm is not known to the crypt(3) function, - fall back to MD5. + algorithm. The SHA256 algorithm must be supported by the crypt(3) function. sha512 When a user changes their password next, encrypt it with the SHA512 - algorithm. If the SHA512 algorithm is not known to the crypt(3) function, - fall back to MD5. + algorithm. The SHA512 algorithm must be supported by the crypt(3) function. blowfish When a user changes their password next, encrypt it with the blowfish - algorithm. If the blowfish algorithm is not known to the crypt(3) function, - fall back to MD5. + algorithm. The blowfish algorithm must be supported by the crypt(3) + function. + +gost_yescrypt + + When a user changes their password next, encrypt it with the gost-yescrypt + algorithm. The gost-yescrypt algorithm must be supported by the crypt(3) + function. + +yescrypt + + When a user changes their password next, encrypt it with the yescrypt + algorithm. The yescrypt algorithm must be supported by the crypt(3) + function. rounds=n - Set the optional number of rounds of the SHA256, SHA512 and blowfish - password hashing algorithms to n. + Set the optional number of rounds of the SHA256, SHA512, blowfish, + gost-yescrypt, and yescrypt password hashing algorithms to n. broken_shadow @@ -155,8 +171,40 @@ broken_shadow minlen=n - Set a minimum password length of n characters. The max. for DES crypt based - passwords are 8 characters. + Set a minimum password length of n characters. The default value is 6. The + maximum for DES crypt-based passwords is 8 characters. + +obscure + + Enable some extra checks on password strength. These checks are based on + the "obscure" checks in the original shadow package. The behavior is + similar to the pam_cracklib module, but for non-dictionary-based checks. + The following checks are implemented: + + Palindrome + + Verifies that the new password is not a palindrome of (i.e., the + reverse of) the previous one. + + Case Change Only + + Verifies that the new password isn't the same as the old one with a + change of case. + + Similar + + Verifies that the new password isn't too much like the previous one. + + Simple + + Is the new password too simple? This is based on the length of the + password and the number of different types of characters (alpha, + numeric, etc.) used. + + Rotated + + Is the new password a rotated version of the old password? (E.g., + "billy" and "illyb") no_pass_expiry @@ -178,9 +226,9 @@ auth required pam_unix.so # Ensure users account and password are still active account required pam_unix.so # Change the user's password, but at first check the strength -# with pam_cracklib(8) -password required pam_cracklib.so retry=3 minlen=6 difok=3 -password required pam_unix.so use_authtok nullok md5 +# with pam_passwdqc(8) +password required pam_passwdqc.so config=/etc/passwdqc.conf +password required pam_unix.so use_authtok nullok yescrypt session required pam_unix.so diff --git a/modules/pam_unix/README.xml b/modules/pam_unix/README.xml index 7fd340b3..49a65946 100644 --- a/modules/pam_unix/README.xml +++ b/modules/pam_unix/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_unix.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_unix-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c index e1d57a07..c1028668 100644 --- a/modules/pam_unix/bigcrypt.c +++ b/modules/pam_unix/bigcrypt.c @@ -13,7 +13,7 @@ * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8 * characters or less. Each block is encrypted using the standard UNIX * libc crypt function. The result of the encryption for one block - * provides the salt for the suceeding block. + * provides the salt for the succeeding block. * * Restrictions: The buffer used to hold the encrypted result is * statically allocated. (see MAX_PASS_LEN below). This is necessary, @@ -29,9 +29,8 @@ #include <string.h> #include <stdlib.h> #include <security/_pam_macros.h> -#ifdef HAVE_LIBXCRYPT -#include <xcrypt.h> -#elif defined(HAVE_CRYPT_H) +#include "pam_inline.h" +#ifdef HAVE_CRYPT_H #include <crypt.h> #endif @@ -58,12 +57,12 @@ char *bigcrypt(const char *key, const char *salt) #endif unsigned long int keylen, n_seg, j; char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr; - char keybuf[KEYBUF_SIZE + 1]; + char keybuf[KEYBUF_SIZE + 1] = {}; D(("called with key='%s', salt='%s'.", key, salt)); /* reset arrays */ - dec_c2_cryptbuf = malloc(CBUF_SIZE); + dec_c2_cryptbuf = calloc(1, CBUF_SIZE); if (!dec_c2_cryptbuf) { return NULL; } @@ -75,8 +74,6 @@ char *bigcrypt(const char *key, const char *salt) } cdata->initialized = 0; #endif - memset(keybuf, 0, KEYBUF_SIZE + 1); - memset(dec_c2_cryptbuf, 0, CBUF_SIZE); /* fill KEYBUF_SIZE with key */ strncpy(keybuf, key, KEYBUF_SIZE); @@ -111,10 +108,14 @@ char *bigcrypt(const char *key, const char *salt) #endif if (tmp_ptr == NULL) { free(dec_c2_cryptbuf); +#ifdef HAVE_CRYPT_R + free(cdata); +#endif return NULL; } /* and place in the static area */ strncpy(cipher_ptr, tmp_ptr, 13); + pam_overwrite_string(tmp_ptr); cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */ @@ -135,13 +136,18 @@ char *bigcrypt(const char *key, const char *salt) tmp_ptr = crypt(plaintext_ptr, salt_ptr); #endif if (tmp_ptr == NULL) { - _pam_overwrite(dec_c2_cryptbuf); + pam_overwrite_string(dec_c2_cryptbuf); free(dec_c2_cryptbuf); +#ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); + free(cdata); +#endif return NULL; } /* skip the salt for seg!=0 */ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); + pam_overwrite_string(tmp_ptr); cipher_ptr += ESEGMENT_SIZE; plaintext_ptr += SEGMENT_SIZE; @@ -151,6 +157,7 @@ char *bigcrypt(const char *key, const char *salt) D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf)); #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif diff --git a/modules/pam_unix/lckpwdf.-c b/modules/pam_unix/lckpwdf.-c index 7145617e..c3e63155 100644 --- a/modules/pam_unix/lckpwdf.-c +++ b/modules/pam_unix/lckpwdf.-c @@ -73,17 +73,17 @@ static int lckpwdf(void) lockfd = open(LOCKFILE, O_WRONLY); if(lockfd == -1 && errno == ENOENT) { - security_context_t create_context; + char *create_context_raw; int rc; - if(getfilecon("/etc/passwd", &create_context)) + if(getfilecon_raw("/etc/passwd", &create_context_raw)) return -1; - rc = setfscreatecon(create_context); - freecon(create_context); + rc = setfscreatecon_raw(create_context_raw); + freecon(create_context_raw); if(rc) return -1; lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); - if(setfscreatecon(NULL)) + if(setfscreatecon_raw(NULL)) return -1; } } diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c index 94f0485b..95b8de4c 100644 --- a/modules/pam_unix/md5.c +++ b/modules/pam_unix/md5.c @@ -21,23 +21,27 @@ #include <string.h> #include "md5.h" +#include "pam_inline.h" + #ifndef HIGHFIRST #define byteReverse(buf, len) /* Nothing */ #else -static void byteReverse(unsigned char *buf, unsigned longs); + +static void byteReverse(uint32 *buf, unsigned longs); #ifndef ASM_MD5 /* * Note: this code is harmless on little-endian machines. */ -static void byteReverse(unsigned char *buf, unsigned longs) +static void byteReverse(uint32 *buf, unsigned longs) { uint32 t; do { - t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | - ((unsigned) buf[1] << 8 | buf[0]); - *(uint32 *) buf = t; - buf += 4; + unsigned char *p = (unsigned char *) buf; + t = (uint32) ((unsigned) p[3] << 8 | p[2]) << 16 | + ((unsigned) p[1] << 8 | p[0]); + *buf = t; + ++buf; } while (--longs); } #endif @@ -49,10 +53,10 @@ static void byteReverse(unsigned char *buf, unsigned longs) */ void MD5Name(MD5Init)(struct MD5Context *ctx) { - ctx->buf[0] = 0x67452301U; - ctx->buf[1] = 0xefcdab89U; - ctx->buf[2] = 0x98badcfeU; - ctx->buf[3] = 0x10325476U; + ctx->buf.i[0] = 0x67452301U; + ctx->buf.i[1] = 0xefcdab89U; + ctx->buf.i[2] = 0x98badcfeU; + ctx->buf.i[3] = 0x10325476U; ctx->bits[0] = 0; ctx->bits[1] = 0; @@ -78,7 +82,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign /* Handle any leading odd-sized chunks */ if (t) { - unsigned char *p = (unsigned char *) ctx->in + t; + unsigned char *p = ctx->in.c + t; t = 64 - t; if (len < t) { @@ -86,24 +90,24 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign return; } memcpy(p, buf, t); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse(ctx->in.i, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += t; len -= t; } /* Process data in 64-byte chunks */ while (len >= 64) { - memcpy(ctx->in, buf, 64); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + memcpy(ctx->in.c, buf, 64); + byteReverse(ctx->in.i, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += 64; len -= 64; } /* Handle any remaining bytes of data. */ - memcpy(ctx->in, buf, len); + memcpy(ctx->in.c, buf, len); } /* @@ -120,7 +124,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) /* Set the first char of padding to 0x80. This is safe since there is always at least one byte free */ - p = ctx->in + count; + p = ctx->in.c + count; *p++ = 0x80; /* Bytes of padding needed to make 64 bytes */ @@ -130,24 +134,24 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) if (count < 8) { /* Two lots of padding: Pad the first block to 64 bytes */ memset(p, 0, count); - byteReverse(ctx->in, 16); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse(ctx->in.i, 16); + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); /* Now fill the next block with 56 bytes */ - memset(ctx->in, 0, 56); + memset(ctx->in.c, 0, 56); } else { /* Pad block to 56 bytes */ memset(p, 0, count - 8); } - byteReverse(ctx->in, 14); + byteReverse(ctx->in.i, 14); /* Append length in bits and transform */ - memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); + memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32)); - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); - memcpy(digest, ctx->buf, 16); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ + MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); + byteReverse(ctx->buf.i, 4); + memcpy(digest, ctx->buf.c, 16); + pam_overwrite_object(ctx); /* In case it's sensitive */ } #ifndef ASM_MD5 diff --git a/modules/pam_unix/md5.h b/modules/pam_unix/md5.h index 103f168a..3dc54bd2 100644 --- a/modules/pam_unix/md5.h +++ b/modules/pam_unix/md5.h @@ -2,12 +2,20 @@ #ifndef MD5_H #define MD5_H +#include "pam_cc_compat.h" + typedef unsigned int uint32; struct MD5Context { - uint32 buf[4]; + union { + uint32 i[4]; + unsigned char c[16] PAM_ATTRIBUTE_ALIGNED(4); + } buf; uint32 bits[2]; - unsigned char in[64]; + union { + uint32 i[16]; + unsigned char c[64] PAM_ATTRIBUTE_ALIGNED(4); + } in; }; void GoodMD5Init(struct MD5Context *); diff --git a/modules/pam_unix/md5_crypt.c b/modules/pam_unix/md5_crypt.c index 4ab9ec84..ed5ecda4 100644 --- a/modules/pam_unix/md5_crypt.c +++ b/modules/pam_unix/md5_crypt.c @@ -15,6 +15,7 @@ #include <string.h> #include <stdlib.h> #include "md5.h" +#include "pam_inline.h" static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; @@ -55,8 +56,8 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt) return NULL; /* If it starts with the magic string, then skip that */ - if (!strncmp(sp, magic, strlen(magic))) - sp += strlen(magic); + if ((ep = pam_str_skip_prefix_len(sp, magic, strlen(magic))) != NULL) + sp = ep; /* It stops at the first '$', max 8 chars */ for (ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++) @@ -86,7 +87,7 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt) MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl); /* Don't leave anything around in vm they could use. */ - memset(final, 0, sizeof final); + pam_overwrite_array(final); /* Then something really weird... */ for (j = 0, i = strlen(pw); i; i >>= 1) @@ -150,7 +151,7 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt) *p = '\0'; /* Don't leave anything around in vm they could use. */ - memset(final, 0, sizeof final); + pam_overwrite_array(final); return passwd; } diff --git a/modules/pam_unix/obscure.c b/modules/pam_unix/obscure.c new file mode 100644 index 00000000..2ffac920 --- /dev/null +++ b/modules/pam_unix/obscure.c @@ -0,0 +1,198 @@ +/* + * Copyright 1989 - 1994, Julianne Frances Haugh + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Julianne F. Haugh nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#include <ctype.h> +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> +#include <pwd.h> +#include <security/pam_modules.h> +#include <security/_pam_macros.h> + + +#include "support.h" + +/* can't be a palindrome - like `R A D A R' or `M A D A M' */ +static int palindrome(const char *old, const char *new) { + int i, j; + + i = strlen (new); + + for (j = 0;j < i;j++) + if (new[i - j - 1] != new[j]) + return 0; + + return 1; +} + +/* more than half of the characters are different ones. */ +static int similar(const char *old, const char *new) { + int i, j; + + /* + * XXX - sometimes this fails when changing from a simple password + * to a really long one (MD5). For now, I just return success if + * the new password is long enough. Please feel free to suggest + * something better... --marekm + */ + if (strlen(new) >= 8) + return 0; + + for (i = j = 0; new[i] && old[i]; i++) + if (strchr(new, old[i])) + j++; + + if (i >= j * 2) + return 0; + + return 1; +} + +/* a nice mix of characters. */ +static int simple(const char *old, const char *new) { + int digits = 0; + int uppers = 0; + int lowers = 0; + int others = 0; + int size; + int i; + + for (i = 0;new[i];i++) { + if (isdigit (new[i])) + digits++; + else if (isupper (new[i])) + uppers++; + else if (islower (new[i])) + lowers++; + else + others++; + } + + /* + * The scam is this - a password of only one character type + * must be 8 letters long. Two types, 7, and so on. + */ + + size = 9; + if (digits) size--; + if (uppers) size--; + if (lowers) size--; + if (others) size--; + + if (size <= i) + return 0; + + return 1; +} + +static char *str_lower(char *string) { + char *cp; + + for (cp = string; *cp; cp++) + *cp = tolower(*cp); + return string; +} + +static const char * password_check(const char *old, const char *new, + const struct passwd *pwdp) { + const char *msg = NULL; + char *oldmono, *newmono, *wrapped; + + if (strcmp(new, old) == 0) + return _("Bad: new password must be different than the old one"); + + newmono = str_lower(strdup(new)); + oldmono = str_lower(strdup(old)); + wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); + strcpy (wrapped, oldmono); + strcat (wrapped, oldmono); + + if (palindrome(oldmono, newmono)) { + msg = _("Bad: new password cannot be a palindrome"); + } else if (strcmp(oldmono, newmono) == 0) { + msg = _("Bad: new and old password must differ by more than just case"); + } else if (similar(oldmono, newmono)) { + msg = _("Bad: new and old password are too similar"); + } else if (simple(old, new)) { + msg = _("Bad: new password is too simple"); + } else if (strstr(wrapped, newmono)) { + msg = _("Bad: new password is just a wrapped version of the old one"); + } + + _pam_delete(newmono); + _pam_delete(oldmono); + _pam_delete(wrapped); + + return msg; +} + +const char *obscure_msg(const char *old, const char *new, + const struct passwd *pwdp, unsigned int ctrl) { + int oldlen, newlen; + char *new1, *old1; + const char *msg; + + if (old == NULL) + return NULL; /* no check if old is NULL */ + + oldlen = strlen(old); + newlen = strlen(new); + + /* Remaining checks are optional. */ + if (off(UNIX_OBSCURE_CHECKS,ctrl)) + return NULL; + + if ((msg = password_check(old, new, pwdp)) != NULL) + return msg; + + /* The traditional crypt() truncates passwords to 8 chars. It is + possible to circumvent the above checks by choosing an easy + 8-char password and adding some random characters to it... + Example: "password$%^&*123". So check it again, this time + truncated to the maximum length. Idea from npasswd. --marekm */ + + if (!UNIX_DES_CRYPT(ctrl)) + return NULL; /* unlimited password length */ + + if (oldlen <= 8 && newlen <= 8) + return NULL; + + new1 = strndup(new,8); + old1 = strndup(old,8); + + msg = password_check(old1, new1, pwdp); + + _pam_delete(new1); + _pam_delete(old1); + + return msg; +} diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 index b3808f1a..07f8308f 100644 --- a/modules/pam_unix/pam_unix.8 +++ b/modules/pam_unix/pam_unix.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_unix .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_UNIX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_UNIX" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -71,67 +71,76 @@ Remaining arguments, supported by others functions of this module, are silently \fBsyslog\fR(3)\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBaudit\fR +audit .RS 4 A little more extreme than debug\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Turns off informational messages namely messages about session open and close via \fBsyslog\fR(3)\&. .RE .PP -\fBnullok\fR +nullok .RS 4 The default action of this module is to not permit the user access to a service if their official password is blank\&. The \fBnullok\fR argument overrides this default\&. .RE .PP -\fBtry_first_pass\fR +nullresetok +.RS 4 +Allow users to authenticate with blank password if password reset is enforced even if +\fBnullok\fR +is not set\&. If password reset is not required and +\fBnullok\fR +is not set the authentication with blank password will be denied\&. +.RE +.PP +try_first_pass .RS 4 Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&. .RE .PP -\fBuse_first_pass\fR +use_first_pass .RS 4 The argument \fBuse_first_pass\fR forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. .RE .PP -\fBnodelay\fR +nodelay .RS 4 This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. .RE .PP -\fBuse_authtok\fR +use_authtok .RS 4 When password changing enforce the module to set the new password to the one provided by a previously stacked \fBpassword\fR module (this is used in the example of the stacking of the -\fBpam_cracklib\fR +\fBpam_passwdqc\fR module documented below)\&. .RE .PP -\fBauthtok_type=\fR\fB\fItype\fR\fR +authtok_type=type .RS 4 This argument can be used to modify the password prompt when changing passwords to include the type of the password\&. Empty by default\&. .RE .PP -\fBnis\fR +nis .RS 4 NIS RPC is used for setting new passwords\&. .RE .PP -\fBremember=\fR\fB\fIn\fR\fR +remember=n .RS 4 The last \fIn\fR @@ -142,61 +151,106 @@ in order to force password change history and keep the user from alternating bet module should be used\&. .RE .PP -\fBshadow\fR +shadow .RS 4 Try to maintain a shadow based system\&. .RE .PP -\fBmd5\fR +md5 .RS 4 When a user changes their password next, encrypt it with the MD5 algorithm\&. .RE .PP -\fBbigcrypt\fR +bigcrypt .RS 4 When a user changes their password next, encrypt it with the DEC C2 algorithm\&. .RE .PP -\fBsha256\fR +sha256 .RS 4 -When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the +When a user changes their password next, encrypt it with the SHA256 algorithm\&. The SHA256 algorithm must be supported by the \fBcrypt\fR(3) -function, fall back to MD5\&. +function\&. .RE .PP -\fBsha512\fR +sha512 .RS 4 -When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the +When a user changes their password next, encrypt it with the SHA512 algorithm\&. The SHA512 algorithm must be supported by the \fBcrypt\fR(3) -function, fall back to MD5\&. +function\&. .RE .PP -\fBblowfish\fR +blowfish .RS 4 -When a user changes their password next, encrypt it with the blowfish algorithm\&. If the blowfish algorithm is not known to the +When a user changes their password next, encrypt it with the blowfish algorithm\&. The blowfish algorithm must be supported by the \fBcrypt\fR(3) -function, fall back to MD5\&. +function\&. .RE .PP -\fBrounds=\fR\fB\fIn\fR\fR +gost_yescrypt .RS 4 -Set the optional number of rounds of the SHA256, SHA512 and blowfish password hashing algorithms to +When a user changes their password next, encrypt it with the gost\-yescrypt algorithm\&. The gost\-yescrypt algorithm must be supported by the +\fBcrypt\fR(3) +function\&. +.RE +.PP +yescrypt +.RS 4 +When a user changes their password next, encrypt it with the yescrypt algorithm\&. The yescrypt algorithm must be supported by the +\fBcrypt\fR(3) +function\&. +.RE +.PP +rounds=n +.RS 4 +Set the optional number of rounds of the SHA256, SHA512, blowfish, gost\-yescrypt, and yescrypt password hashing algorithms to \fIn\fR\&. .RE .PP -\fBbroken_shadow\fR +broken_shadow .RS 4 Ignore errors reading shadow information for users in the account management module\&. .RE .PP -\fBminlen=\fR\fB\fIn\fR\fR +minlen=n .RS 4 Set a minimum password length of \fIn\fR -characters\&. The max\&. for DES crypt based passwords are 8 characters\&. +characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. +.RE +.PP +\fBobscure\fR +.RS 4 +Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: +.PP +\fBPalindrome\fR +.RS 4 +Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. +.RE +.PP +\fBCase Change Only\fR +.RS 4 +Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. +.RE +.PP +\fBSimilar\fR +.RS 4 +Verifies that the new password isn\*(Aqt too much like the previous one\&. +.RE +.PP +\fBSimple\fR +.RS 4 +Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. +.RE +.PP +\fBRotated\fR +.RS 4 +Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") +.RE +.sp .RE .PP -\fBno_pass_expiry\fR +no_pass_expiry .RS 4 When set ignore password expiration as defined by the \fIshadow\fR @@ -241,9 +295,9 @@ auth required pam_unix\&.so # Ensure users account and password are still active account required pam_unix\&.so # Change the user\*(Aqs password, but at first check the strength -# with pam_cracklib(8) -password required pam_cracklib\&.so retry=3 minlen=6 difok=3 -password required pam_unix\&.so use_authtok nullok md5 +# with pam_passwdqc(8) +password required pam_passwdqc\&.so config=/etc/passwdqc\&.conf +password required pam_unix\&.so use_authtok nullok yescrypt session required pam_unix\&.so .fi @@ -256,7 +310,7 @@ session required pam_unix\&.so \fBlogin.defs\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_unix was written by various people\&. diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index 1b318f11..a025c0ef 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_unix"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_unix"> <refmeta> <refentrytitle>pam_unix</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_unix-name"> + <refnamediv xml:id="pam_unix-name"> <refname>pam_unix</refname> <refpurpose>Module for traditional password authentication</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_unix-cmdsynopsis"> + <cmdsynopsis xml:id="pam_unix-cmdsynopsis" sepchar=" "> <command>pam_unix.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_unix-description"> + <refsect1 xml:id="pam_unix-description"> <title>DESCRIPTION</title> @@ -42,7 +39,7 @@ <emphasis>shadow</emphasis> elements: expire, last_change, max_change, min_change, warn_change. In the case of the latter, it may offer advice to the user on changing their password or, through the - <emphasis remap='B'>PAM_AUTHTOKEN_REQD</emphasis> return, delay + <emphasis remap="B">PAM_AUTHTOKEN_REQD</emphasis> return, delay giving service to the user until they have established a new password. The entries listed above are documented in the <citerefentry> <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum> @@ -89,7 +86,7 @@ <para> The password component of this module performs the task of updating the user's password. The default encryption hash is taken from the - <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from + <emphasis remap="B">ENCRYPT_METHOD</emphasis> variable from <emphasis>/etc/login.defs</emphasis> </para> @@ -107,13 +104,13 @@ </para> </refsect1> - <refsect1 id="pam_unix-options"> + <refsect1 xml:id="pam_unix-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -127,7 +124,7 @@ <varlistentry> <term> - <option>audit</option> + audit </term> <listitem> <para> @@ -138,7 +135,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -153,7 +150,7 @@ <varlistentry> <term> - <option>nullok</option> + nullok </term> <listitem> <para> @@ -165,7 +162,20 @@ </varlistentry> <varlistentry> <term> - <option>try_first_pass</option> + nullresetok + </term> + <listitem> + <para> + Allow users to authenticate with blank password if password reset + is enforced even if <option>nullok</option> is not set. If password + reset is not required and <option>nullok</option> is not set the + authentication with blank password will be denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + try_first_pass </term> <listitem> <para> @@ -177,7 +187,7 @@ </varlistentry> <varlistentry> <term> - <option>use_first_pass</option> + use_first_pass </term> <listitem> <para> @@ -190,7 +200,7 @@ </varlistentry> <varlistentry> <term> - <option>nodelay</option> + nodelay </term> <listitem> <para> @@ -203,21 +213,21 @@ </varlistentry> <varlistentry> <term> - <option>use_authtok</option> + use_authtok </term> <listitem> <para> When password changing enforce the module to set the new password to the one provided by a previously stacked <option>password</option> module (this is used in the - example of the stacking of the <command>pam_cracklib</command> + example of the stacking of the <command>pam_passwdqc</command> module documented below). </para> </listitem> </varlistentry> <varlistentry> <term> - <option>authtok_type=<replaceable>type</replaceable></option> + authtok_type=type </term> <listitem> <para> @@ -229,7 +239,7 @@ </varlistentry> <varlistentry> <term> - <option>nis</option> + nis </term> <listitem> <para> @@ -239,7 +249,7 @@ </varlistentry> <varlistentry> <term> - <option>remember=<replaceable>n</replaceable></option> + remember=n </term> <listitem> <para> @@ -256,7 +266,7 @@ </varlistentry> <varlistentry> <term> - <option>shadow</option> + shadow </term> <listitem> <para> @@ -266,7 +276,7 @@ </varlistentry> <varlistentry> <term> - <option>md5</option> + md5 </term> <listitem> <para> @@ -277,7 +287,7 @@ </varlistentry> <varlistentry> <term> - <option>bigcrypt</option> + bigcrypt </term> <listitem> <para> @@ -288,64 +298,90 @@ </varlistentry> <varlistentry> <term> - <option>sha256</option> + sha256 + </term> + <listitem> + <para> + When a user changes their password next, + encrypt it with the SHA256 algorithm. The + SHA256 algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + sha512 </term> <listitem> <para> When a user changes their password next, - encrypt it with the SHA256 algorithm. If the - SHA256 algorithm is not known to the <citerefentry> + encrypt it with the SHA512 algorithm. The + SHA512 algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>sha512</option> + blowfish </term> <listitem> <para> When a user changes their password next, - encrypt it with the SHA512 algorithm. If the - SHA512 algorithm is not known to the <citerefentry> + encrypt it with the blowfish algorithm. The + blowfish algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>blowfish</option> + gost_yescrypt </term> <listitem> <para> When a user changes their password next, - encrypt it with the blowfish algorithm. If the - blowfish algorithm is not known to the <citerefentry> + encrypt it with the gost-yescrypt algorithm. The + gost-yescrypt algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>rounds=<replaceable>n</replaceable></option> + yescrypt </term> <listitem> <para> - Set the optional number of rounds of the SHA256, SHA512 - and blowfish password hashing algorithms to + When a user changes their password next, + encrypt it with the yescrypt algorithm. The + yescrypt algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + rounds=n + </term> + <listitem> + <para> + Set the optional number of rounds of the SHA256, SHA512, + blowfish, gost-yescrypt, and yescrypt password hashing + algorithms to <replaceable>n</replaceable>. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>broken_shadow</option> + broken_shadow </term> <listitem> <para> @@ -356,19 +392,92 @@ </varlistentry> <varlistentry> <term> - <option>minlen=<replaceable>n</replaceable></option> + minlen=n </term> <listitem> <para> Set a minimum password length of <replaceable>n</replaceable> - characters. The max. for DES crypt based passwords are 8 - characters. + characters. The default value is 6. The maximum for DES + crypt-based passwords is 8 characters. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>obscure</option> + </term> + <listitem> + <para> + Enable some extra checks on password strength. These checks + are based on the "obscure" checks in the original shadow + package. The behavior is similar to the pam_cracklib + module, but for non-dictionary-based checks. The following + checks are implemented: + <variablelist> + <varlistentry> + <term> + <option>Palindrome</option> + </term> + <listitem> + <para> + Verifies that the new password is not a palindrome + of (i.e., the reverse of) the previous one. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Case Change Only</option> + </term> + <listitem> + <para> + Verifies that the new password isn't the same as the + old one with a change of case. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Similar</option> + </term> + <listitem> + <para> + Verifies that the new password isn't too much like + the previous one. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Simple</option> + </term> + <listitem> + <para> + Is the new password too simple? This is based on + the length of the password and the number of + different types of characters (alpha, numeric, etc.) + used. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Rotated</option> + </term> + <listitem> + <para> + Is the new password a rotated version of the old + password? (E.g., "billy" and "illyb") + </para> + </listitem> + </varlistentry> + </variablelist> </para> </listitem> </varlistentry> <varlistentry> <term> - <option>no_pass_expiry</option> + no_pass_expiry </term> <listitem> <para> @@ -379,9 +488,9 @@ meaning that other authentication source or method succeeded. The example can be public key authentication in <emphasis>sshd</emphasis>. The module will return - <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual - <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or - <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>. + <emphasis remap="B">PAM_SUCCESS</emphasis> instead of eventual + <emphasis remap="B">PAM_NEW_AUTHTOK_REQD</emphasis> or + <emphasis remap="B">PAM_AUTHTOK_EXPIRED</emphasis>. </para> </listitem> </varlistentry> @@ -393,7 +502,7 @@ </para> </refsect1> - <refsect1 id="pam_unix-types"> + <refsect1 xml:id="pam_unix-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -401,7 +510,7 @@ </para> </refsect1> - <refsect1 id='pam_unix-return_values'> + <refsect1 xml:id="pam_unix-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -415,7 +524,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_unix-examples'> + <refsect1 xml:id="pam_unix-examples"> <title>EXAMPLES</title> <para> An example usage for <filename>/etc/pam.d/login</filename> @@ -426,15 +535,15 @@ auth required pam_unix.so # Ensure users account and password are still active account required pam_unix.so # Change the user's password, but at first check the strength -# with pam_cracklib(8) -password required pam_cracklib.so retry=3 minlen=6 difok=3 -password required pam_unix.so use_authtok nullok md5 +# with pam_passwdqc(8) +password required pam_passwdqc.so config=/etc/passwdqc.conf +password required pam_unix.so use_authtok nullok yescrypt session required pam_unix.so </programlisting> </para> </refsect1> - <refsect1 id='pam_unix-see_also'> + <refsect1 xml:id="pam_unix-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -447,16 +556,16 @@ session required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_unix-author'> + <refsect1 xml:id="pam_unix-author"> <title>AUTHOR</title> <para> pam_unix was written by various people. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 88331149..8f5ed3e0 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -1,6 +1,8 @@ /* + * pam_unix account management + * * Copyright Elliot Lee, 1996. All rights reserved. - * Copyright Jan Rêkorajski, 1999. All rights reserved. + * Copyright Jan RÄ™korajski, 1999. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -51,18 +53,15 @@ #include <security/_pam_macros.h> -/* indicate that the following groups are defined */ - -#define PAM_SM_ACCOUNT - #include <security/pam_modules.h> #include <security/pam_ext.h> #include <security/pam_modutil.h> +#include "pam_cc_compat.h" #include "support.h" #include "passverify.h" -int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, +int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user, int *daysleft) { int retval=0, child, fds[2]; @@ -127,7 +126,9 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, args[1] = user; args[2] = "chkexpiry"; + DIAG_PUSH_IGNORE_CAST_QUAL; execve(CHKPWD_HELPER, (char *const *) args, envp); + DIAG_POP_IGNORE_CAST_QUAL; pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m"); /* should not get here: exit with error */ @@ -185,12 +186,10 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { - unsigned int ctrl; + unsigned long long ctrl; const void *void_uname; const char *uname; - int retval, daysleft; - struct spwd *spent; - struct passwd *pwent; + int retval, daysleft = -1; char buf[256]; D(("called.")); @@ -207,29 +206,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_USER_UNKNOWN; } - retval = get_account_info(pamh, uname, &pwent, &spent); - if (retval == PAM_USER_UNKNOWN) { - pam_syslog(pamh, LOG_ERR, - "could not identify user (from getpwnam(%s))", - uname); - return retval; - } - - if (retval == PAM_SUCCESS && spent == NULL) - return PAM_SUCCESS; - - if (retval == PAM_UNIX_RUN_HELPER) { - retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft); - if (retval == PAM_AUTHINFO_UNAVAIL && - on(UNIX_BROKEN_SHADOW, ctrl)) - return PAM_SUCCESS; - } else if (retval != PAM_SUCCESS) { - if (on(UNIX_BROKEN_SHADOW,ctrl)) - return PAM_SUCCESS; - else - return retval; - } else - retval = check_shadow_expiry(pamh, spent, &daysleft); + retval = _unix_verify_user(pamh, ctrl, uname, &daysleft); if (on(UNIX_NO_PASS_EXPIRY, ctrl)) { const void *pretval = NULL; @@ -250,7 +227,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) "account %s has expired (account expired)", uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("Your account has expired; please contact your system administrator")); + _("Your account has expired; please contact your system administrator.")); break; case PAM_NEW_AUTHTOK_REQD: if (daysleft == 0) { @@ -258,13 +235,13 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) "expired password for user %s (root enforced)", uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("You are required to change your password immediately (administrator enforced)")); + _("You are required to change your password immediately (administrator enforced).")); } else { pam_syslog(pamh, LOG_DEBUG, "expired password for user %s (password aged)", uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("You are required to change your password immediately (password expired)")); + _("You are required to change your password immediately (password expired).")); } break; case PAM_AUTHTOK_EXPIRED: @@ -272,9 +249,13 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) "account %s has expired (failed to change password)", uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("Your account has expired; please contact your system administrator")); + _("Your account has expired; please contact your system administrator.")); break; case PAM_AUTHTOK_ERR: + /* + * We ignore "password changed too early" error + * as it is relevant only for password change. + */ retval = PAM_SUCCESS; /* fallthrough */ case PAM_SUCCESS: @@ -285,19 +266,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) #if defined HAVE_DNGETTEXT && defined ENABLE_NLS snprintf (buf, sizeof (buf), dngettext(PACKAGE, - "Warning: your password will expire in %d day", - "Warning: your password will expire in %d days", + "Warning: your password will expire in %d day.", + "Warning: your password will expire in %d days.", daysleft), daysleft); #else if (daysleft == 1) snprintf(buf, sizeof (buf), - _("Warning: your password will expire in %d day"), + _("Warning: your password will expire in %d day."), daysleft); else snprintf(buf, sizeof (buf), /* TRANSLATORS: only used if dngettext is not supported */ - _("Warning: your password will expire in %d days"), + _("Warning: your password will expire in %d days."), daysleft); #endif _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf); diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index fce6bce1..4eccff8e 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -1,7 +1,9 @@ /* + * pam_unix authentication management + * * Copyright Alexander O. Yuriev, 1996. All rights reserved. * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de> - * Copyright Jan Rêkorajski, 1999. All rights reserved. + * Copyright Jan RÄ™korajski, 1999. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -48,11 +50,6 @@ #include <sys/stat.h> #include <syslog.h> -/* indicate the following groups are defined */ - -#define PAM_SM_AUTH - -#define _PAM_EXTERN_FUNCTIONS #include <security/_pam_macros.h> #include <security/pam_modules.h> #include <security/pam_ext.h> @@ -74,8 +71,6 @@ * onto a normal UNIX authentication */ -#define _UNIX_AUTHTOK "-UN*X-PASS" - #define AUTH_RETURN \ do { \ D(("recording return code for next time [%d]", \ @@ -98,7 +93,7 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED) int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { - unsigned int ctrl; + unsigned long long ctrl; int retval, *ret_data = NULL; const char *name; const char *p; @@ -126,21 +121,22 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) * '+' or '-' as the first character of a user name. Don't * allow this characters here. */ - if (name == NULL || name[0] == '-' || name[0] == '+') { - pam_syslog(pamh, LOG_ERR, "bad username [%s]", name); + if (name[0] == '-' || name[0] == '+') { + pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", name); retval = PAM_USER_UNKNOWN; AUTH_RETURN; } if (on(UNIX_DEBUG, ctrl)) - D(("username [%s] obtained", name)); + pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name); } else { - D(("trouble reading username")); if (retval == PAM_CONV_AGAIN) { D(("pam_get_user/conv() function is not ready yet")); /* it is safe to resume this function so we translate this * retval to the value that indicates we're happy to resume. */ retval = PAM_INCOMPLETE; + } else if (on(UNIX_DEBUG, ctrl)) { + pam_syslog(pamh, LOG_DEBUG, "could not obtain username"); } AUTH_RETURN; } @@ -148,7 +144,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) /* if this user does not have a password... */ if (_unix_blankpasswd(pamh, ctrl, name)) { - D(("user '%s' has blank passwd", name)); + pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name); name = NULL; retval = PAM_SUCCESS; AUTH_RETURN; @@ -196,7 +192,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, { int retval; const void *pretval = NULL; - unsigned int ctrl; + unsigned long long ctrl; D(("called.")); diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 9fdebefb..652f3c5a 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -1,7 +1,9 @@ /* + * pam_unix password management + * * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software. * Copyright (C) 1996. - * Copyright (c) Jan Rêkorajski, 1999. + * Copyright (c) Jan RÄ™korajski, 1999. * Copyright (c) Red Hat, Inc., 2007, 2008. * * Redistribution and use in source and binary forms, with or without @@ -56,48 +58,37 @@ #include <sys/stat.h> #include <signal.h> -#include <errno.h> #include <sys/wait.h> #include <sys/resource.h> #include <security/_pam_macros.h> - -/* indicate the following groups are defined */ - -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> #include <security/pam_ext.h> #include <security/pam_modutil.h> +#include "pam_inline.h" +#include "pam_cc_compat.h" #include "md5.h" #include "support.h" #include "passverify.h" #include "bigcrypt.h" -#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER -# define HAVE_NIS -#endif - #ifdef HAVE_NIS # include <rpc/rpc.h> - -# if HAVE_RPCSVC_YP_PROT_H -# include <rpcsvc/yp_prot.h> -# endif - -# if HAVE_RPCSVC_YPCLNT_H -# include <rpcsvc/ypclnt.h> -# endif +# include <rpcsvc/yp_prot.h> +# include <rpcsvc/ypclnt.h> # include "yppasswd.h" -# if !HAVE_DECL_GETRPCPORT &&!HAVE_RPCB_GETADDR +# if !defined(HAVE_DECL_GETRPCPORT) &&!defined(HAVE_RPCB_GETADDR) extern int getrpcport(const char *host, unsigned long prognum, unsigned long versnum, unsigned int proto); # endif /* GNU libc 2.1 */ #endif +extern const char *obscure_msg(const char *, const char *, const struct passwd *, + unsigned int); + /* How it works: Gets in username (has to be done) from the calling program @@ -106,11 +97,6 @@ extern int getrpcport(const char *host, unsigned long prognum, Sets it. */ -/* data tokens */ - -#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS" -#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" - #define MAX_PASSWD_TRIES 3 #ifdef HAVE_NIS @@ -143,7 +129,7 @@ __taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf) } #endif -static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) +static char *getNISserver(pam_handle_t *pamh, unsigned long long ctrl) { char *master; char *domainname; @@ -238,7 +224,7 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) #ifdef WITH_SELINUX -static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, +static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl, const char *user, const char *fromwhat, const char *towhat, int remember) { int retval, child, fds[2]; @@ -298,7 +284,9 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const snprintf(buffer, sizeof(buffer), "%d", remember); args[4] = buffer; + DIAG_PUSH_IGNORE_CAST_QUAL; execve(UPDATE_HELPER, (char *const *) args, envp); + DIAG_POP_IGNORE_CAST_QUAL; /* should not get here: exit with error */ D(("helper binary is not available")); @@ -355,7 +343,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const static int check_old_password(const char *forwho, const char *newpass) { static char buf[16384]; - char *s_luser, *s_uid, *s_npas, *s_pas; + char *s_pas; int retval = PAM_SUCCESS; FILE *opwfile; size_t len = strlen(forwho); @@ -369,9 +357,9 @@ static int check_old_password(const char *forwho, const char *newpass) buf[len] == ',')) { char *sptr; buf[strlen(buf) - 1] = '\0'; - s_luser = strtok_r(buf, ":,", &sptr); - s_uid = strtok_r(NULL, ":,", &sptr); - s_npas = strtok_r(NULL, ":,", &sptr); + /* s_luser = */ strtok_r(buf, ":,", &sptr); + /* s_uid = */ strtok_r(NULL, ":,", &sptr); + /* s_npas = */ strtok_r(NULL, ":,", &sptr); s_pas = strtok_r(NULL, ":,", &sptr); while (s_pas != NULL) { char *md5pass = Goodcrypt_md5(newpass, s_pas); @@ -393,12 +381,11 @@ static int check_old_password(const char *forwho, const char *newpass) static int _do_setpass(pam_handle_t* pamh, const char *forwho, const char *fromwhat, - char *towhat, unsigned int ctrl, int remember) + char *towhat, unsigned long long ctrl, int remember) { struct passwd *pwd = NULL; int retval = 0; int unlocked = 0; - char *master = NULL; D(("called")); @@ -411,6 +398,8 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { #ifdef HAVE_NIS + char *master; + if ((master=getNISserver(pamh, ctrl)) != NULL) { struct timeval timeout; struct yppasswd yppwd; @@ -517,7 +506,7 @@ done: return retval; } -static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl) +static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned long long ctrl) { struct passwd *pwent = NULL; /* Password and shadow password */ struct spwd *spent = NULL; /* file entries for the user */ @@ -547,7 +536,7 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in } static int _pam_unix_approve_pass(pam_handle_t * pamh - ,unsigned int ctrl + ,unsigned long long ctrl ,const char *pass_old ,const char *pass_new, int pass_min_len) @@ -565,7 +554,8 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh pam_syslog(pamh, LOG_DEBUG, "bad authentication token"); } _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? - _("No password supplied") : _("Password unchanged")); + _("No password has been supplied.") : + _("The password has not been changed.")); return PAM_AUTHTOK_ERR; } /* @@ -580,9 +570,13 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh return PAM_AUTHTOK_ERR; } } - if (off(UNIX__IAMROOT, ctrl)) { - if (strlen(pass_new) < pass_min_len) - remark = _("You must choose a longer password"); + + if (strlen(pass_new) > PAM_MAX_RESP_SIZE) { + remark = _("You must choose a shorter password."); + D(("length exceeded [%s]", remark)); + } else if (off(UNIX__IAMROOT, ctrl)) { + if ((int)strlen(pass_new) < pass_min_len) + remark = _("You must choose a longer password."); D(("length check [%s]", remark)); if (on(UNIX_REMEMBER_PASSWD, ctrl)) { if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR) @@ -593,6 +587,11 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh return retval; } } + if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ + struct passwd *pwd; + pwd = pam_modutil_getpwnam(pamh, user); + remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ + } } if (remark) { _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); @@ -604,11 +603,11 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { - unsigned int ctrl, lctrl; + unsigned long long ctrl, lctrl; int retval; int remember = -1; - int rounds = -1; - int pass_min_len = 0; + int rounds = 0; + int pass_min_len = 6; /* <DO NOT free() THESE> */ const char *user; @@ -631,8 +630,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) * '+' or '-' as the first character of a user name. Don't * allow them. */ - if (user == NULL || user[0] == '-' || user[0] == '+') { - pam_syslog(pamh, LOG_ERR, "bad username [%s]", user); + if (user[0] == '-' || user[0] == '+') { + pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", user); return PAM_USER_UNKNOWN; } if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) @@ -719,7 +718,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) if (retval == PAM_AUTHTOK_ERR) { if (off(UNIX__IAMROOT, ctrl)) _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("You must wait longer to change your password")); + _("You must wait longer to change your password.")); else retval = PAM_SUCCESS; } diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index 03e7dcd9..3f6a8fb3 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c @@ -1,8 +1,8 @@ /* - * $Id$ + * pam_unix session management * * Copyright Alexander O. Yuriev, 1996. All rights reserved. - * Copyright Jan Rêkorajski, 1999. All rights reserved. + * Copyright Jan RÄ™korajski, 1999. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -47,10 +47,6 @@ #include <sys/types.h> #include <sys/stat.h> -/* indicate the following groups are defined */ - -#define PAM_SM_SESSION - #include <security/_pam_macros.h> #include <security/pam_modules.h> #include <security/pam_ext.h> @@ -67,9 +63,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { char *user_name, *service; - unsigned int ctrl; + unsigned long long ctrl; int retval; - const char *login_name; + const char *login_name; D(("called.")); @@ -78,24 +74,31 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, - "open_session - error recovering username"); + "open_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_CRIT, - "open_session - error recovering service"); + "open_session - error recovering service"); return PAM_SESSION_ERR; } login_name = pam_modutil_getlogin(pamh); if (login_name == NULL) { - login_name = ""; + login_name = ""; + } + if (off (UNIX_QUIET, ctrl)) { + char uid[32]; + struct passwd *pwd = pam_modutil_getpwnam (pamh, user_name); + if (pwd == NULL) { + snprintf (uid, 32, "getpwnam error"); + } + else { + snprintf (uid, 32, "%u", pwd->pw_uid); + } + pam_syslog(pamh, LOG_INFO, "session opened for user %s(uid=%s) by %s(uid=%lu)", user_name, uid, login_name, (unsigned long)getuid()); } - if (off (UNIX_QUIET, ctrl)) - pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)", - user_name, login_name, (unsigned long)getuid()); - return PAM_SUCCESS; } @@ -103,7 +106,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { char *user_name, *service; - unsigned int ctrl; + unsigned long long ctrl; int retval; D(("called.")); @@ -113,19 +116,19 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, - "close_session - error recovering username"); + "close_session - error recovering username"); return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */ } retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service); if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_CRIT, - "close_session - error recovering service"); + "close_session - error recovering service"); return PAM_SESSION_ERR; } if (off (UNIX_QUIET, ctrl)) - pam_syslog(pamh, LOG_INFO, "session closed for user %s", - user_name); + pam_syslog(pamh, LOG_INFO, "session closed for user %s", + user_name); return PAM_SUCCESS; } diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 9c1771e2..7ff8bf07 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -19,12 +19,12 @@ #include <sys/time.h> #include <sys/stat.h> #include <fcntl.h> -#ifdef HAVE_LIBXCRYPT -#include <xcrypt.h> -#elif defined(HAVE_CRYPT_H) +#ifdef HAVE_CRYPT_H #include <crypt.h> #endif +#include "pam_cc_compat.h" +#include "pam_inline.h" #include "md5.h" #include "bigcrypt.h" #include "passverify.h" @@ -65,8 +65,8 @@ strip_hpux_aging(char *hash) } } -int -verify_pwd_hash(const char *p, char *hash, unsigned int nullok) +PAMH_ARG_DECL(int verify_pwd_hash, + const char *p, char *hash, unsigned int nullok) { size_t hash_len; char *pp = NULL; @@ -87,7 +87,7 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) } else if (!p || *hash == '*' || *hash == '!') { retval = PAM_AUTH_ERR; } else { - if (!strncmp(hash, "$1$", 3)) { + if (pam_str_skip_prefix(hash, "$1$") != NULL) { pp = Goodcrypt_md5(p, hash); if (pp && strcmp(pp, hash) != 0) { _pam_delete(pp); @@ -96,20 +96,58 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) } else if (*hash != '$' && hash_len >= 13) { pp = bigcrypt(p, hash); if (pp && hash_len == 13 && strlen(pp) > hash_len) { - _pam_overwrite(pp + hash_len); + pam_overwrite_string(pp + hash_len); } } else { /* * Ok, we don't know the crypt algorithm, but maybe * libcrypt knows about it? We should try it. */ +#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE + /* Get the status of the hash from checksalt */ + int retval_checksalt = crypt_checksalt(hash); + + /* + * Check for hashing methods that are disabled by + * libcrypt configuration and/or system preset. + */ + if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) { + /* + * pam_syslog() needs a pam handle, + * but that's not available here. + */ + pam_syslog(pamh, LOG_ERR, + "The support for password hash \"%.6s\" " + "has been disabled in libcrypt " + "configuration.", + hash); + } + /* + * Check for malformed hashes, like descrypt hashes + * starting with "$2...", which might have been + * generated by unsafe base64 encoding functions + * as used in glibc <= 2.16. + * Such hashes are likely to be rejected by many + * recent implementations of libcrypt. + */ + if (retval_checksalt == CRYPT_SALT_INVALID) { + pam_syslog(pamh, LOG_ERR, + "The password hash \"%.6s\" is unknown to " + "libcrypt.", + hash); + } +#else +#ifndef HELPER_COMPILE + (void)pamh; +#endif +#endif #ifdef HAVE_CRYPT_R struct crypt_data *cdata; cdata = malloc(sizeof(*cdata)); if (cdata != NULL) { cdata->initialized = 0; pp = x_strdup(crypt_r(p, hash, cdata)); - memset(cdata, '\0', sizeof(*cdata)); + pam_overwrite_object(cdata); free(cdata); } #else @@ -166,25 +204,30 @@ PAMH_ARG_DECL(int get_account_info, save_euid = geteuid(); save_uid = getuid(); - if (save_uid == (*pwd)->pw_uid) - setreuid(save_euid, save_uid); - else { - setreuid(0, -1); - if (setreuid(-1, (*pwd)->pw_uid) == -1) { - setreuid(-1, 0); - setreuid(0, -1); - if(setreuid(-1, (*pwd)->pw_uid) == -1) + if (save_uid == (*pwd)->pw_uid) { + if (setreuid(save_euid, save_uid)) + return PAM_CRED_INSUFFICIENT; + } else { + if (setreuid(0, -1)) + return PAM_CRED_INSUFFICIENT; + if (setreuid(-1, (*pwd)->pw_uid)) { + if (setreuid(-1, 0) + || setreuid(0, -1) + || setreuid(-1, (*pwd)->pw_uid)) { return PAM_CRED_INSUFFICIENT; + } } } *spwdent = pam_modutil_getspnam(pamh, name); - if (save_uid == (*pwd)->pw_uid) - setreuid(save_uid, save_euid); - else { - setreuid(-1, 0); - setreuid(save_uid, -1); - setreuid(-1, save_euid); + if (save_uid == (*pwd)->pw_uid) { + if (setreuid(save_uid, save_euid)) + return PAM_CRED_INSUFFICIENT; + } else { + if (setreuid(-1, 0) + || setreuid(save_uid, -1) + || setreuid(-1, save_euid)) + return PAM_CRED_INSUFFICIENT; } if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) @@ -198,12 +241,15 @@ PAMH_ARG_DECL(int get_account_info, * ...and shadow password file entry for this user, * if shadowing is enabled */ + *spwdent = pam_modutil_getspnam(pamh, name); + if (*spwdent == NULL) { #ifndef HELPER_COMPILE - if (geteuid() || SELINUX_ENABLED) + /* still a chance the user can authenticate */ return PAM_UNIX_RUN_HELPER; #endif - *spwdent = pam_modutil_getspnam(pamh, name); - if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; + } + if ((*spwdent)->sp_pwdp == NULL) return PAM_AUTHINFO_UNAVAIL; } } else { @@ -288,7 +334,7 @@ PAMH_ARG_DECL(int check_shadow_expiry, #define PW_TMPFILE "/etc/npasswd" #define SH_TMPFILE "/etc/nshadow" -#define OPW_TMPFILE "/etc/security/nopasswd" +#define OPW_TMPFILE SCONFIGDIR "/nopasswd" /* * i64c - convert an integer to a radix 64 character @@ -372,11 +418,16 @@ crypt_md5_wrapper(const char *pass_new) } PAMH_ARG_DECL(char * create_password_hash, - const char *password, unsigned int ctrl, int rounds) + const char *password, unsigned long long ctrl, int rounds) { const char *algoid; +#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64 + /* Strings returned by crypt_gensalt_rn will be no longer than this. */ + char salt[CRYPT_GENSALT_OUTPUT_SIZE]; +#else char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */ - char *sp; +#endif + char *sp, *ret; #ifdef HAVE_CRYPT_R struct crypt_data *cdata = NULL; #endif @@ -384,15 +435,19 @@ PAMH_ARG_DECL(char * create_password_hash, if (on(UNIX_MD5_PASS, ctrl)) { /* algoid = "$1" */ return crypt_md5_wrapper(password); + } else if (on(UNIX_YESCRYPT_PASS, ctrl)) { + algoid = "$y$"; + } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) { + algoid = "$gy$"; } else if (on(UNIX_BLOWFISH_PASS, ctrl)) { - algoid = "$2a$"; + algoid = "$2b$"; } else if (on(UNIX_SHA256_PASS, ctrl)) { algoid = "$5$"; } else if (on(UNIX_SHA512_PASS, ctrl)) { algoid = "$6$"; } else { /* must be crypt/bigcrypt */ char tmppass[9]; - char *crypted; + char *hashed; crypt_make_salt(salt, 2); if (off(UNIX_BIGCRYPT, ctrl) && strlen(password) > 8) { @@ -400,29 +455,25 @@ PAMH_ARG_DECL(char * create_password_hash, tmppass[sizeof(tmppass)-1] = '\0'; password = tmppass; } - crypted = bigcrypt(password, salt); - memset(tmppass, '\0', sizeof(tmppass)); + hashed = bigcrypt(password, salt); + pam_overwrite_array(tmppass); password = NULL; - return crypted; + return hashed; } -#ifdef HAVE_CRYPT_GENSALT_R - if (on(UNIX_BLOWFISH_PASS, ctrl)) { - char entropy[17]; - crypt_make_salt(entropy, sizeof(entropy) - 1); - sp = crypt_gensalt_r (algoid, rounds, - entropy, sizeof(entropy), - salt, sizeof(salt)); - } else { -#endif - sp = stpcpy(salt, algoid); - if (on(UNIX_ALGO_ROUNDS, ctrl)) { - sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds); - } - crypt_make_salt(sp, 16); -#ifdef HAVE_CRYPT_GENSALT_R +#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY + /* + * Any version of libcrypt supporting auto entropy is + * guaranteed to have crypt_gensalt_rn(). + */ + sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt)); +#else + sp = stpcpy(salt, algoid); + if (on(UNIX_ALGO_ROUNDS, ctrl)) { + sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds); } -#endif + crypt_make_salt(sp, 16); +#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */ #ifdef HAVE_CRYPT_R sp = NULL; cdata = malloc(sizeof(*cdata)); @@ -434,26 +485,30 @@ PAMH_ARG_DECL(char * create_password_hash, sp = crypt(password, salt); #endif if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { - /* libxcrypt/libc doesn't know the algorithm, use MD5 */ + /* libxcrypt/libc doesn't know the algorithm, error out */ pam_syslog(pamh, LOG_ERR, - "Algo %s not supported by the crypto backend, " - "falling back to MD5\n", + "Algo %s not supported by the crypto backend.\n", + on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" : + on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" : on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : on(UNIX_SHA256_PASS, ctrl) ? "sha256" : on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); if(sp) { - memset(sp, '\0', strlen(sp)); + pam_overwrite_string(sp); } #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif - return crypt_md5_wrapper(password); + return NULL; } - sp = x_strdup(sp); + ret = strdup(sp); + pam_overwrite_string(sp); #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif - return sp; + return ret; } #ifdef WITH_SELINUX @@ -581,7 +636,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, struct stat st; size_t len = strlen(forwho); #ifdef WITH_SELINUX - security_context_t prev_context=NULL; + char *prev_context_raw = NULL; #endif if (howmany < 0) { @@ -596,20 +651,20 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, #ifdef WITH_SELINUX if (SELINUX_ENABLED) { - security_context_t passwd_context=NULL; - if (getfilecon("/etc/passwd",&passwd_context)<0) { + char *passwd_context_raw = NULL; + if (getfilecon_raw("/etc/passwd",&passwd_context_raw)<0) { return PAM_AUTHTOK_ERR; }; - if (getfscreatecon(&prev_context)<0) { - freecon(passwd_context); + if (getfscreatecon_raw(&prev_context_raw)<0) { + freecon(passwd_context_raw); return PAM_AUTHTOK_ERR; } - if (setfscreatecon(passwd_context)) { - freecon(passwd_context); - freecon(prev_context); + if (setfscreatecon_raw(passwd_context_raw)) { + freecon(passwd_context_raw); + freecon(prev_context_raw); return PAM_AUTHTOK_ERR; } - freecon(passwd_context); + freecon(passwd_context_raw); } #endif pwfile = fopen(OPW_TMPFILE, "w"); @@ -727,12 +782,12 @@ done: } #ifdef WITH_SELINUX if (SELINUX_ENABLED) { - if (setfscreatecon(prev_context)) { + if (setfscreatecon_raw(prev_context_raw)) { err = 1; } - if (prev_context) - freecon(prev_context); - prev_context=NULL; + if (prev_context_raw) + freecon(prev_context_raw); + prev_context_raw = NULL; } #endif if (!err) { @@ -749,29 +804,29 @@ PAMH_ARG_DECL(int unix_update_passwd, struct passwd *tmpent = NULL; struct stat st; FILE *pwfile, *opwfile; - int err = 1; + int err = 1, found = 0; int oldmask; #ifdef WITH_SELINUX - security_context_t prev_context=NULL; + char *prev_context_raw = NULL; #endif oldmask = umask(077); #ifdef WITH_SELINUX if (SELINUX_ENABLED) { - security_context_t passwd_context=NULL; - if (getfilecon("/etc/passwd",&passwd_context)<0) { + char *passwd_context_raw = NULL; + if (getfilecon_raw("/etc/passwd",&passwd_context_raw)<0) { return PAM_AUTHTOK_ERR; }; - if (getfscreatecon(&prev_context)<0) { - freecon(passwd_context); + if (getfscreatecon_raw(&prev_context_raw)<0) { + freecon(passwd_context_raw); return PAM_AUTHTOK_ERR; } - if (setfscreatecon(passwd_context)) { - freecon(passwd_context); - freecon(prev_context); + if (setfscreatecon_raw(passwd_context_raw)) { + freecon(passwd_context_raw); + freecon(prev_context_raw); return PAM_AUTHTOK_ERR; } - freecon(passwd_context); + freecon(passwd_context_raw); } #endif pwfile = fopen(PW_TMPFILE, "w"); @@ -820,6 +875,7 @@ PAMH_ARG_DECL(int unix_update_passwd, tmpent->pw_passwd = assigned_passwd.charp; err = 0; + found = 1; } if (putpwent(tmpent, pwfile)) { D(("error writing entry to password file: %m")); @@ -850,19 +906,19 @@ done: } #ifdef WITH_SELINUX if (SELINUX_ENABLED) { - if (setfscreatecon(prev_context)) { + if (setfscreatecon_raw(prev_context_raw)) { err = 1; } - if (prev_context) - freecon(prev_context); - prev_context=NULL; + if (prev_context_raw) + freecon(prev_context_raw); + prev_context_raw = NULL; } #endif if (!err) { return PAM_SUCCESS; } else { unlink(PW_TMPFILE); - return PAM_AUTHTOK_ERR; + return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; } } @@ -876,27 +932,27 @@ PAMH_ARG_DECL(int unix_update_shadow, int oldmask; int wroteentry = 0; #ifdef WITH_SELINUX - security_context_t prev_context=NULL; + char *prev_context_raw = NULL; #endif oldmask = umask(077); #ifdef WITH_SELINUX if (SELINUX_ENABLED) { - security_context_t shadow_context=NULL; - if (getfilecon("/etc/shadow",&shadow_context)<0) { + char *shadow_context_raw = NULL; + if (getfilecon_raw("/etc/shadow",&shadow_context_raw)<0) { return PAM_AUTHTOK_ERR; }; - if (getfscreatecon(&prev_context)<0) { - freecon(shadow_context); + if (getfscreatecon_raw(&prev_context_raw)<0) { + freecon(shadow_context_raw); return PAM_AUTHTOK_ERR; } - if (setfscreatecon(shadow_context)) { - freecon(shadow_context); - freecon(prev_context); + if (setfscreatecon_raw(shadow_context_raw)) { + freecon(shadow_context_raw); + freecon(prev_context_raw); return PAM_AUTHTOK_ERR; } - freecon(shadow_context); + freecon(shadow_context_raw); } #endif pwfile = fopen(SH_TMPFILE, "w"); @@ -958,7 +1014,9 @@ PAMH_ARG_DECL(int unix_update_shadow, fclose(opwfile); if (!wroteentry && !err) { + DIAG_PUSH_IGNORE_CAST_QUAL; spwdent.sp_namp = (char *)forwho; + DIAG_POP_IGNORE_CAST_QUAL; spwdent.sp_pwdp = towhat; spwdent.sp_lstchg = time(NULL) / (60 * 60 * 24); if (spwdent.sp_lstchg == 0) @@ -994,12 +1052,12 @@ PAMH_ARG_DECL(int unix_update_shadow, #ifdef WITH_SELINUX if (SELINUX_ENABLED) { - if (setfscreatecon(prev_context)) { + if (setfscreatecon_raw(prev_context_raw)) { err = 1; } - if (prev_context) - freecon(prev_context); - prev_context=NULL; + if (prev_context_raw) + freecon(prev_context_raw); + prev_context_raw = NULL; } #endif @@ -1017,21 +1075,27 @@ int helper_verify_password(const char *name, const char *p, int nullok) { struct passwd *pwd = NULL; - char *salt = NULL; + char *hash = NULL; int retval; - retval = get_pwd_hash(name, &pwd, &salt); + retval = get_pwd_hash(name, &pwd, &hash); - if (pwd == NULL || salt == NULL) { + if (pwd == NULL || hash == NULL) { helper_log_err(LOG_NOTICE, "check pass; user unknown"); retval = PAM_USER_UNKNOWN; + } else if (p[0] == '\0' && nullok) { + if (hash[0] == '\0') { + retval = PAM_SUCCESS; + } else { + retval = PAM_AUTH_ERR; + } } else { - retval = verify_pwd_hash(p, salt, nullok); + retval = verify_pwd_hash(p, hash, nullok); } - if (salt) { - _pam_overwrite(salt); - _pam_drop(salt); + if (hash) { + pam_overwrite_string(hash); + _pam_drop(hash); } p = NULL; /* no longer needed here */ @@ -1040,6 +1104,7 @@ helper_verify_password(const char *name, const char *p, int nullok) } void +PAM_FORMAT((printf, 2, 3)) helper_log_err(int err, const char *format, ...) { va_list args; @@ -1109,52 +1174,9 @@ getuidname(uid_t uid) return username; } -int -read_passwords(int fd, int npass, char **passwords) -{ - /* The passwords array must contain npass preallocated - * buffers of length MAXPASS + 1 - */ - int rbytes = 0; - int offset = 0; - int i = 0; - char *pptr; - while (npass > 0) { - rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); - - if (rbytes < 0) { - if (errno == EINTR) continue; - break; - } - if (rbytes == 0) - break; - - while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes)) - != NULL) { - rbytes -= pptr - (passwords[i]+offset) + 1; - i++; - offset = 0; - npass--; - if (rbytes > 0) { - if (npass > 0) - memcpy(passwords[i], pptr+1, rbytes); - memset(pptr+1, '\0', rbytes); - } - } - offset += rbytes; - } - - /* clear up */ - if (offset > 0 && npass > 0) { - memset(passwords[i], '\0', offset); - } - - return i; -} - #endif /* ****************************************************************** * - * Copyright (c) Jan Rêkorajski 1999. + * Copyright (c) Jan RÄ™korajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h index caf7ae8a..463ef185 100644 --- a/modules/pam_unix/passverify.h +++ b/modules/pam_unix/passverify.h @@ -8,12 +8,7 @@ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT -#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ - -#define OLD_PASSWORDS_FILE "/etc/security/opasswd" - -int -verify_pwd_hash(const char *p, char *hash, unsigned int nullok); +#define OLD_PASSWORDS_FILE SCONFIGDIR "/opasswd" int is_pwd_shadowed(const struct passwd *pwd); @@ -53,8 +48,6 @@ setup_signals(void); char * getuidname(uid_t uid); -int -read_passwords(int fd, int npass, char **passwords); #endif #ifdef HELPER_COMPILE @@ -65,8 +58,11 @@ read_passwords(int fd, int npass, char **passwords); #define PAMH_ARG(...) pamh, __VA_ARGS__ #endif +PAMH_ARG_DECL(int verify_pwd_hash, + const char *p, char *hash, unsigned int nullok); + PAMH_ARG_DECL(char * create_password_hash, - const char *password, unsigned int ctrl, int rounds); + const char *password, unsigned long long ctrl, int rounds); PAMH_ARG_DECL(int get_account_info, const char *name, struct passwd **pwd, struct spwd **spwdent); diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index f2e28d35..043273d2 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -19,7 +19,7 @@ #include <ctype.h> #include <syslog.h> #include <sys/resource.h> -#ifdef HAVE_RPCSVC_YPCLNT_H +#ifdef HAVE_NIS #include <rpcsvc/ypclnt.h> #endif @@ -28,86 +28,14 @@ #include <security/pam_ext.h> #include <security/pam_modutil.h> +#include "pam_cc_compat.h" +#include "pam_inline.h" #include "support.h" #include "passverify.h" -static char * -search_key (const char *key, const char *filename) -{ - FILE *fp; - char *buf = NULL; - size_t buflen = 0; - char *retval = NULL; - - fp = fopen (filename, "r"); - if (NULL == fp) - return NULL; - - while (!feof (fp)) - { - char *tmp, *cp; -#if defined(HAVE_GETLINE) - ssize_t n = getline (&buf, &buflen, fp); -#elif defined (HAVE_GETDELIM) - ssize_t n = getdelim (&buf, &buflen, '\n', fp); -#else - ssize_t n; - - if (buf == NULL) - { - buflen = BUF_SIZE; - buf = malloc (buflen); - if (buf == NULL) { - fclose (fp); - return NULL; - } - } - buf[0] = '\0'; - if (fgets (buf, buflen - 1, fp) == NULL) - break; - else if (buf != NULL) - n = strlen (buf); - else - n = 0; -#endif /* HAVE_GETLINE / HAVE_GETDELIM */ - cp = buf; - - if (n < 1) - break; - - tmp = strchr (cp, '#'); /* remove comments */ - if (tmp) - *tmp = '\0'; - while (isspace ((int)*cp)) /* remove spaces and tabs */ - ++cp; - if (*cp == '\0') /* ignore empty lines */ - continue; - - if (cp[strlen (cp) - 1] == '\n') - cp[strlen (cp) - 1] = '\0'; - - tmp = strsep (&cp, " \t="); - if (cp != NULL) - while (isspace ((int)*cp) || *cp == '=') - ++cp; - - if (strcasecmp (tmp, key) == 0) - { - retval = strdup (cp); - break; - } - } - fclose (fp); - - free (buf); - - return retval; -} - - /* this is a front-end for module-application conversations */ -int _make_remark(pam_handle_t * pamh, unsigned int ctrl, +int _make_remark(pam_handle_t * pamh, unsigned long long ctrl, int type, const char *text) { int retval = PAM_SUCCESS; @@ -122,10 +50,11 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl, * set the control flags for the UNIX module. */ -int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, - int *pass_min_len, int argc, const char **argv) +unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember, + int *rounds, int *pass_min_len, int argc, + const char **argv) { - unsigned int ctrl; + unsigned long long ctrl; char *val; int j; @@ -153,7 +82,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, } /* preset encryption method with value from /etc/login.defs */ - val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS); + val = pam_modutil_search_key(pamh, LOGIN_DEFS, "ENCRYPT_METHOD"); if (val) { for (j = 0; j < UNIX_CTRLS_; ++j) { if (unix_args[j].token && unix_args[j].is_hash_algo @@ -171,10 +100,11 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, /* read number of rounds for crypt algo */ if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) { - val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); + val = pam_modutil_search_key(pamh, LOGIN_DEFS, "SHA_CRYPT_MAX_ROUNDS"); if (val) { *rounds = strtol(val, NULL, 10); + set(UNIX_ALGO_ROUNDS, ctrl); free (val); } } @@ -183,17 +113,20 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, /* now parse the arguments to this module */ for (; argc-- > 0; ++argv) { + const char *str = NULL; D(("pam_unix arg: %s", *argv)); for (j = 0; j < UNIX_CTRLS_; ++j) { if (unix_args[j].token - && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { + && (str = pam_str_skip_prefix_len(*argv, + unix_args[j].token, + strlen(unix_args[j].token))) != NULL) { break; } } - if (j >= UNIX_CTRLS_) { + if (str == NULL) { pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", *argv); } else { @@ -204,7 +137,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, "option remember not allowed for this module type"); continue; } - *remember = strtol(*argv + 9, NULL, 10); + *remember = strtol(str, NULL, 10); if ((*remember == INT_MIN) || (*remember == INT_MAX)) *remember = -1; if (*remember > 400) @@ -215,14 +148,14 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, "option minlen not allowed for this module type"); continue; } - *pass_min_len = atoi(*argv + 7); + *pass_min_len = atoi(str); } else if (j == UNIX_ALGO_ROUNDS) { if (rounds == NULL) { pam_syslog(pamh, LOG_ERR, "option rounds not allowed for this module type"); continue; } - *rounds = strtol(*argv + 7, NULL, 10); + *rounds = strtol(str, NULL, 10); } ctrl &= unix_args[j].mask; /* for turning things off */ @@ -242,23 +175,33 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, set(UNIX__NONULL, ctrl); } - /* Set default rounds for blowfish */ - if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { - *rounds = 5; - set(UNIX_ALGO_ROUNDS, ctrl); + /* Set default rounds for blowfish, gost-yescrypt and yescrypt */ + if (off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { + if (on(UNIX_BLOWFISH_PASS, ctrl) || + on(UNIX_GOST_YESCRYPT_PASS, ctrl) || + on(UNIX_YESCRYPT_PASS, ctrl)) { + *rounds = 5; + set(UNIX_ALGO_ROUNDS, ctrl); + } } /* Enforce sane "rounds" values */ if (on(UNIX_ALGO_ROUNDS, ctrl)) { - if (on(UNIX_BLOWFISH_PASS, ctrl)) { + if (on(UNIX_GOST_YESCRYPT_PASS, ctrl) || + on(UNIX_YESCRYPT_PASS, ctrl)) { + if (*rounds < 3 || *rounds > 11) + *rounds = 5; + } else if (on(UNIX_BLOWFISH_PASS, ctrl)) { if (*rounds < 4 || *rounds > 31) *rounds = 5; } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { - if ((*rounds < 1000) || (*rounds == INT_MAX)) + if ((*rounds < 1000) || (*rounds == INT_MAX)) { /* don't care about bogus values */ + *rounds = 0; unset(UNIX_ALGO_ROUNDS, ctrl); - if (*rounds >= 10000000) + } else if (*rounds >= 10000000) { *rounds = 9999999; + } } } @@ -273,11 +216,6 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, return ctrl; } -static void _cleanup(pam_handle_t * pamh UNUSED, void *x, int error_status UNUSED) -{ - _pam_delete(x); -} - /* ************************************************************** * * Useful non-trivial functions * * ************************************************************** */ @@ -417,7 +355,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, } #else /* we don't have NIS support, make compiler happy. */ - nis = 0; + (void) nis; #endif if (matched && (ret != NULL)) { @@ -529,7 +467,7 @@ int _unix_comesfromsource(pam_handle_t *pamh, #include <sys/wait.h> static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, - unsigned int ctrl, const char *user) + unsigned long long ctrl, const char *user) { int retval, child, fds[2]; struct sigaction newsa, oldsa; @@ -593,7 +531,9 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, args[2]="nonull"; } + DIAG_PUSH_IGNORE_CAST_QUAL; execve(CHKPWD_HELPER, (char *const *) args, envp); + DIAG_POP_IGNORE_CAST_QUAL; /* should not get here: exit with error */ D(("helper binary is not available")); @@ -655,11 +595,15 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, */ int -_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) +_unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name) { struct passwd *pwd = NULL; char *salt = NULL; + int daysleft; int retval; + int blank = 0; + int execloop; + int nonexistent_check = 1; D(("called")); @@ -669,45 +613,58 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) * else (CG) */ + if (on(UNIX_NULLRESETOK, ctrl)) { + retval = _unix_verify_user(pamh, ctrl, name, &daysleft); + if (retval == PAM_NEW_AUTHTOK_REQD) { + /* password reset is enforced, allow authentication with empty password */ + pam_syslog(pamh, LOG_DEBUG, "user [%s] has expired blank password, enabling nullok", name); + set(UNIX__NULLOK, ctrl); + } + } + if (on(UNIX__NONULL, ctrl)) return 0; /* will fail but don't let on yet */ /* UNIX passwords area */ - retval = get_pwd_hash(pamh, name, &pwd, &salt); - - if (retval == PAM_UNIX_RUN_HELPER) { - /* salt will not be set here so we can return immediately */ - if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) - return 1; - else - return 0; - } + /* + * Execute this loop twice: one checking the password hash of an existing + * user and another one for a non-existing user. This way the runtimes + * are equal, making it more difficult to differentiate existing from + * non-existing users. + */ + for (execloop = 0; execloop < 2; ++execloop) { + retval = get_pwd_hash(pamh, name, &pwd, &salt); - /* Does this user have a password? */ - if (salt == NULL) { - retval = 0; - } else { - if (strlen(salt) == 0) - retval = 1; - else - retval = 0; + if (retval == PAM_UNIX_RUN_HELPER) { + if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) + blank = nonexistent_check; + } else if (retval == PAM_USER_UNKNOWN) { + name = "root"; + nonexistent_check = 0; + continue; + } else if (salt != NULL) { + if (strlen(salt) == 0) + blank = nonexistent_check; + } + name = "pam_unix_non_existent:"; + /* non-existent user check will not affect the blank value */ } /* tidy up */ - if (salt) _pam_delete(salt); - return retval; + return blank; } int _unix_verify_password(pam_handle_t * pamh, const char *name - ,const char *p, unsigned int ctrl) + ,const char *p, unsigned long long ctrl) { struct passwd *pwd = NULL; char *salt = NULL; char *data_name; + char pw[PAM_MAX_RESP_SIZE + 1]; int retval; @@ -734,6 +691,11 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name); } + if (p != NULL && strlen(p) > PAM_MAX_RESP_SIZE) { + memset(pw, 0, sizeof(pw)); + p = strncpy(pw, p, sizeof(pw) - 1); + } + if (retval != PAM_SUCCESS) { if (retval == PAM_UNIX_RUN_HELPER) { D(("running helper binary")); @@ -758,7 +720,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name } } } else { - retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); + retval = verify_pwd_hash(pamh, p, salt, off(UNIX__NONULL, ctrl)); } if (retval == PAM_SUCCESS) { @@ -843,6 +805,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name } cleanup: + pam_overwrite_array(pw); /* clear memory of the password */ if (data_name) _pam_delete(data_name); if (salt) @@ -853,8 +816,45 @@ cleanup: return retval; } +int +_unix_verify_user(pam_handle_t *pamh, + unsigned long long ctrl, + const char *name, + int *daysleft) +{ + int retval; + struct spwd *spent; + struct passwd *pwent; + + retval = get_account_info(pamh, name, &pwent, &spent); + if (retval == PAM_USER_UNKNOWN) { + pam_syslog(pamh, LOG_ERR, + "could not identify user (from getpwnam(%s))", + name); + return retval; + } + + if (retval == PAM_SUCCESS && spent == NULL) + return PAM_SUCCESS; + + if (retval == PAM_UNIX_RUN_HELPER) { + retval = _unix_run_verify_binary(pamh, ctrl, name, daysleft); + if (retval == PAM_AUTHINFO_UNAVAIL && + on(UNIX_BROKEN_SHADOW, ctrl)) + return PAM_SUCCESS; + } else if (retval != PAM_SUCCESS) { + if (on(UNIX_BROKEN_SHADOW,ctrl)) + return PAM_SUCCESS; + else + return retval; + } else + retval = check_shadow_expiry(pamh, spent, daysleft); + + return retval; +} + /* ****************************************************************** * - * Copyright (c) Jan Rêkorajski 1999. + * Copyright (c) Jan RÄ™korajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index b4c279c3..9c065c5c 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -6,6 +6,7 @@ #define _PAM_UNIX_SUPPORT_H #include <pwd.h> +#include "libpam/include/pam_inline.h" /* * File to read value of ENCRYPT_METHOD from. @@ -22,8 +23,8 @@ typedef struct { const char *token; - unsigned int mask; /* shall assume 32 bits of flags */ - unsigned int flag; + unsigned long long mask; /* shall assume 64 bits of flags */ + unsigned long long flag; unsigned int is_hash_algo; } UNIX_Ctrls; @@ -48,7 +49,7 @@ typedef struct { /* the generic mask */ -#define _ALL_ON_ (~0U) +#define _ALL_ON_ (~0ULL) /* end of macro definitions definitions for the control flags */ @@ -98,80 +99,89 @@ typedef struct { #define UNIX_QUIET 28 /* Don't print informational messages */ #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */ #define UNIX_DES 30 /* DES, default */ +#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */ +#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ +#define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */ +#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */ +#define UNIX_NULLOK_SECURE 35 /* deprecated alias for nullok */ /* -------------- */ -#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ +#define UNIX_CTRLS_ 36 /* number of ctrl arguments defined */ -#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) +#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = { -/* symbol token name ctrl mask ctrl * - * ----------------------- ------------------- --------------------- -------- */ - -/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, -/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, -/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, -/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, -/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0}, -/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0}, -/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, -/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, -/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, -/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, -/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, -/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, -/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1}, -/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0}, -/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, -/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, -/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, -/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1}, -/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, -/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, -/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, -/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, -/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1}, -/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1}, -/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, -/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, -/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, -/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, -/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, -/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, +/* symbol token name ctrl mask ctrl * + * --------------------------- -------------------- ------------------------- ------------ */ + +/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, +/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, +/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, +/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, +/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0}, +/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0}, +/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0}, +/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0}, +/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0}, +/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, +/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, +/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, +/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, +/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1}, +/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0}, +/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, +/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, +/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, +/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1}, +/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, +/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, +/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, +/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, +/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1}, +/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1}, +/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, +/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1}, +/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, +/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0}, +/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0}, +/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1}, +/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1}, +/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1}, +/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0}, +/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0}, +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200ULL), 0, 0}, }; #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) /* use this to free strings. ESPECIALLY password strings */ -#define _pam_delete(xx) \ -{ \ - _pam_overwrite(xx); \ - _pam_drop(xx); \ +#define _pam_delete(xx) \ +{ \ + pam_overwrite_string(xx); \ + _pam_drop(xx); \ } -extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl - ,int type, const char *text); -extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds, - int *pass_min_len, int argc, const char **argv); +extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl, + int type, const char *text); +extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags, + int *remember, int *rounds, + int *pass_min_len, + int argc, const char **argv); extern int _unix_getpwnam (pam_handle_t *pamh, const char *name, int files, int nis, struct passwd **ret); extern int _unix_comesfromsource (pam_handle_t *pamh, const char *name, int files, int nis); -extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl, +extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl, const char *name); -extern int _unix_verify_password(pam_handle_t * pamh, const char *name - ,const char *p, unsigned int ctrl); -extern int _unix_read_password(pam_handle_t * pamh - ,unsigned int ctrl - ,const char *comment - ,const char *prompt1 - ,const char *prompt2 - ,const char *data_name - ,const void **pass); +extern int _unix_verify_password(pam_handle_t * pamh, const char *name, + const char *p, unsigned long long ctrl); + +extern int _unix_verify_user(pam_handle_t *pamh, unsigned long long ctrl, + const char *name, int *daysleft); extern int _unix_run_verify_binary(pam_handle_t *pamh, - unsigned int ctrl, const char *user, int *daysleft); + unsigned long long ctrl, + const char *user, int *daysleft); #endif /* _PAM_UNIX_SUPPORT_H */ diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8 index 46048995..7c1963b3 100644 --- a/modules/pam_unix/unix_chkpwd.8 +++ b/modules/pam_unix/unix_chkpwd.8 @@ -1,13 +1,13 @@ '\" t .\" Title: unix_chkpwd .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "UNIX_CHKPWD" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "UNIX_CHKPWD" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_unix/unix_chkpwd.8.xml b/modules/pam_unix/unix_chkpwd.8.xml index a10dbe33..ca0fa109 100644 --- a/modules/pam_unix/unix_chkpwd.8.xml +++ b/modules/pam_unix/unix_chkpwd.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="unix_chkpwd"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="unix_chkpwd"> <refmeta> <refentrytitle>unix_chkpwd</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="unix_chkpwd-name"> + <refnamediv xml:id="unix_chkpwd-name"> <refname>unix_chkpwd</refname> <refpurpose>Helper binary that verifies the password of the current user</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="unix_chkpwd-cmdsynopsis"> + <cmdsynopsis xml:id="unix_chkpwd-cmdsynopsis" sepchar=" "> <command>unix_chkpwd</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="unix_chkpwd-description"> + <refsect1 xml:id="unix_chkpwd-description"> <title>DESCRIPTION</title> @@ -48,7 +45,7 @@ </para> </refsect1> - <refsect1 id='unix_chkpwd-see_also'> + <refsect1 xml:id="unix_chkpwd-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -57,11 +54,11 @@ </para> </refsect1> - <refsect1 id='unix_chkpwd-author'> + <refsect1 xml:id="unix_chkpwd-author"> <title>AUTHOR</title> <para> Written by Andrew Morgan and other various people. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 39c84dbf..5e7b571e 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -2,7 +2,7 @@ * This program is designed to run setuid(root) or with sufficient * privilege to read all of the unix password databases. It is designed * to provide a mechanism for the current user (defined by this - * process' uid) to verify their own password. + * process's uid) to verify their own password. * * The password is read from the standard input. The exit status of * this program indicates whether the user is authenticated or not. @@ -33,6 +33,7 @@ #include <security/_pam_macros.h> #include "passverify.h" +#include "pam_inline.h" static int _check_expiry(const char *uname) { @@ -89,7 +90,7 @@ static int _audit_log(int type, const char *uname, int rc) int main(int argc, char *argv[]) { - char pass[MAXPASS + 1]; + char pass[PAM_MAX_RESP_SIZE + 1]; char *option; int npass, nullok; int blankpass = 0; @@ -136,10 +137,11 @@ int main(int argc, char *argv[]) user = getuidname(getuid()); /* if the caller specifies the username, verify that user matches it */ - if (strcmp(user, argv[1])) { + if (user == NULL || strcmp(user, argv[1])) { + gid_t gid = getgid(); user = argv[1]; /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) + if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR; } } @@ -162,7 +164,7 @@ int main(int argc, char *argv[]) } /* read the password from stdin (a pipe from the pam_unix module) */ - npass = read_passwords(STDIN_FILENO, 1, passwords); + npass = pam_read_passwords(STDIN_FILENO, 1, passwords); if (npass != 1) { /* is it a valid password? */ helper_log_err(LOG_DEBUG, "no password supplied"); @@ -175,7 +177,7 @@ int main(int argc, char *argv[]) retval = helper_verify_password(user, pass, nullok); - memset(pass, '\0', MAXPASS); /* clear memory of the password */ + pam_overwrite_array(pass); /* clear memory of the password */ /* return pass or fail */ @@ -188,7 +190,14 @@ int main(int argc, char *argv[]) #endif helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user); } - return PAM_AUTH_ERR; + /* if helper_verify_password() returned PAM_USER_UNKNOWN, the + most appropriate error to propagate to + _unix_verify_password() is PAM_AUTHINFO_UNAVAIL; otherwise + return general failure */ + if (retval == PAM_USER_UNKNOWN) + return PAM_AUTHINFO_UNAVAIL; + else + return PAM_AUTH_ERR; } else { if (getuid() != 0) { #ifdef HAVE_LIBAUDIT diff --git a/modules/pam_unix/unix_update.8 b/modules/pam_unix/unix_update.8 index c5eab08c..b3b7a28f 100644 --- a/modules/pam_unix/unix_update.8 +++ b/modules/pam_unix/unix_update.8 @@ -1,13 +1,13 @@ '\" t .\" Title: unix_update .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "UNIX_UPDATE" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "UNIX_UPDATE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_unix/unix_update.8.xml b/modules/pam_unix/unix_update.8.xml index 6c7467b9..1a968652 100644 --- a/modules/pam_unix/unix_update.8.xml +++ b/modules/pam_unix/unix_update.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="unix_update"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="unix_update"> <refmeta> <refentrytitle>unix_update</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="unix_update-name"> + <refnamediv xml:id="unix_update-name"> <refname>unix_update</refname> <refpurpose>Helper binary that updates the password of a given user</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="unix_update-cmdsynopsis"> + <cmdsynopsis xml:id="unix_update-cmdsynopsis" sepchar=" "> <command>unix_update</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="unix_update-description"> + <refsect1 xml:id="unix_update-description"> <title>DESCRIPTION</title> @@ -48,7 +45,7 @@ </para> </refsect1> - <refsect1 id='unix_update-see_also'> + <refsect1 xml:id="unix_update-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -57,11 +54,11 @@ </para> </refsect1> - <refsect1 id='unix_update-author'> + <refsect1 xml:id="unix_update-author"> <title>AUTHOR</title> <para> Written by Tomas Mraz and other various people. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 6ea7ea51..49a70ff3 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -32,14 +32,15 @@ #include <security/_pam_macros.h> #include "passverify.h" +#include "pam_inline.h" static int set_password(const char *forwho, const char *shadow, const char *remember) { struct passwd *pwd = NULL; int retval; - char pass[MAXPASS + 1]; - char towhat[MAXPASS + 1]; + char pass[PAM_MAX_RESP_SIZE + 1]; + char towhat[PAM_MAX_RESP_SIZE + 1]; int npass = 0; /* we don't care about number format errors because the helper should be called internally only */ @@ -49,20 +50,23 @@ set_password(const char *forwho, const char *shadow, const char *remember) /* read the password from stdin (a pipe from the pam_unix module) */ - npass = read_passwords(STDIN_FILENO, 2, passwords); + npass = pam_read_passwords(STDIN_FILENO, 2, passwords); if (npass != 2) { /* is it a valid password? */ if (npass == 1) { helper_log_err(LOG_DEBUG, "no new password supplied"); - memset(pass, '\0', MAXPASS); + pam_overwrite_array(pass); } else { helper_log_err(LOG_DEBUG, "no valid passwords supplied"); } return PAM_AUTHTOK_ERR; } - if (lock_pwdf() != PAM_SUCCESS) + if (lock_pwdf() != PAM_SUCCESS) { + pam_overwrite_array(pass); + pam_overwrite_array(towhat); return PAM_AUTHTOK_LOCK_BUSY; + } pwd = getpwnam(forwho); @@ -97,8 +101,8 @@ set_password(const char *forwho, const char *shadow, const char *remember) } done: - memset(pass, '\0', MAXPASS); - memset(towhat, '\0', MAXPASS); + pam_overwrite_array(pass); + pam_overwrite_array(towhat); unlock_pwdf(); diff --git a/modules/pam_unix/yppasswd.h b/modules/pam_unix/yppasswd.h index 5f947071..dc686cd7 100644 --- a/modules/pam_unix/yppasswd.h +++ b/modules/pam_unix/yppasswd.h @@ -1,28 +1,20 @@ /* - * yppasswdd - * Copyright 1994, 1995, 1996 Olaf Kirch, <okir@lst.de> - * - * This program is covered by the GNU General Public License, version 2 - * or later. It is provided in the hope that it is useful. However, the author - * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. - * - * This file was generated automatically by rpcgen from yppasswd.x, and - * editied manually. + * Please do not edit this file. + * It was generated using rpcgen. */ -#ifndef _YPPASSWD_H_ -#define _YPPASSWD_H_ +#ifndef _YPPASSWD_H_RPCGEN +#define _YPPASSWD_H_RPCGEN -#define YPPASSWDPROG ((u_long)100009) -#define YPPASSWDVERS ((u_long)1) -#define YPPASSWDPROC_UPDATE ((u_long)1) +#include <rpc/rpc.h> -/* - * The password struct passed by the update call. I renamed it to - * xpasswd to avoid a type clash with the one defined in <pwd.h>. - */ -#ifndef __sgi -typedef struct xpasswd { + +#ifdef __cplusplus +extern "C" { +#endif + + +struct xpasswd { char *pw_name; char *pw_passwd; int pw_uid; @@ -30,22 +22,45 @@ typedef struct xpasswd { char *pw_gecos; char *pw_dir; char *pw_shell; -} xpasswd; - -#else -#include <pwd.h> +}; typedef struct xpasswd xpasswd; -#endif -/* The updated password information, plus the old password. - */ -typedef struct yppasswd { +struct yppasswd { char *oldpass; xpasswd newpw; -} yppasswd; +}; +typedef struct yppasswd yppasswd; -/* XDR encoding/decoding routines */ -bool_t xdr_xpasswd(XDR * xdrs, xpasswd * objp); -bool_t xdr_yppasswd(XDR * xdrs, yppasswd * objp); +#define YPPASSWDPROG 100009 +#define YPPASSWDVERS 1 + +#if defined(__STDC__) || defined(__cplusplus) +#define YPPASSWDPROC_UPDATE 1 +extern int * yppasswdproc_update_1(yppasswd *, CLIENT *); +extern int * yppasswdproc_update_1_svc(yppasswd *, struct svc_req *); +extern int yppasswdprog_1_freeresult (SVCXPRT *, xdrproc_t, caddr_t); + +#else /* K&R C */ +#define YPPASSWDPROC_UPDATE 1 +extern int * yppasswdproc_update_1(); +extern int * yppasswdproc_update_1_svc(); +extern int yppasswdprog_1_freeresult (); +#endif /* K&R C */ + +/* the xdr functions */ + +#if defined(__STDC__) || defined(__cplusplus) +extern bool_t xdr_passwd (XDR *, xpasswd*); +extern bool_t xdr_yppasswd (XDR *, yppasswd*); + +#else /* K&R C */ +extern bool_t xdr_passwd (); +extern bool_t xdr_yppasswd (); + +#endif /* K&R C */ + +#ifdef __cplusplus +} +#endif -#endif /* _YPPASSWD_H_ */ +#endif /* !_YPPASSWD_H_RPCGEN */ diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c index f2b86a56..0523d523 100644 --- a/modules/pam_unix/yppasswd_xdr.c +++ b/modules/pam_unix/yppasswd_xdr.c @@ -1,40 +1,36 @@ /* - * yppasswdd - * Copyright 1994, 1995, 1996 Olaf Kirch, <okir@lst.de> - * - * This program is covered by the GNU General Public License, version 2 - * or later. It is provided in the hope that it is useful. However, the author - * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. - * - * This file was generated automatically by rpcgen from yppasswd.x, and - * editied manually. + * Please do not edit this file. + * It was generated using rpcgen. */ -#include "config.h" - -#ifdef HAVE_RPC_RPC_H - -#include <rpc/rpc.h> #include "yppasswd.h" bool_t -xdr_xpasswd(XDR * xdrs, xpasswd * objp) +xdr_passwd (XDR *xdrs, xpasswd *objp) { - return xdr_string(xdrs, &objp->pw_name, ~0) - && xdr_string(xdrs, &objp->pw_passwd, ~0) - && xdr_int(xdrs, &objp->pw_uid) - && xdr_int(xdrs, &objp->pw_gid) - && xdr_string(xdrs, &objp->pw_gecos, ~0) - && xdr_string(xdrs, &objp->pw_dir, ~0) - && xdr_string(xdrs, &objp->pw_shell, ~0); + if (!xdr_string (xdrs, &objp->pw_name, ~0)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_passwd, ~0)) + return FALSE; + if (!xdr_int (xdrs, &objp->pw_uid)) + return FALSE; + if (!xdr_int (xdrs, &objp->pw_gid)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_gecos, ~0)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_dir, ~0)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_shell, ~0)) + return FALSE; + return TRUE; } - bool_t -xdr_yppasswd(XDR * xdrs, yppasswd * objp) +xdr_yppasswd (XDR *xdrs, yppasswd *objp) { - return xdr_string(xdrs, &objp->oldpass, ~0) - && xdr_xpasswd(xdrs, &objp->newpw); + if (!xdr_string (xdrs, &objp->oldpass, ~0)) + return FALSE; + if (!xdr_passwd (xdrs, &objp->newpw)) + return FALSE; + return TRUE; } - -#endif diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index 047b1009..e31d9ccc 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -5,33 +5,35 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_userdb.8 create.pl tst-pam_userdb +EXTRA_DIST = $(XMLS) create.pl -if HAVE_LIBDB - man_MANS = pam_userdb.8 - TESTS = tst-pam_userdb +if HAVE_DOC +dist_man_MANS = pam_userdb.8 endif - XMLS = README.xml pam_userdb.8.xml +dist_check_SCRIPTS = tst-pam_userdb +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module @LIBDB@ @LIBCRYPT@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_LIBDB - securelib_LTLIBRARIES = pam_userdb.la - pam_userdb_la_LIBADD = $(top_builddir)/libpam/libpam.la -endif +securelib_LTLIBRARIES = pam_userdb.la +pam_userdb_la_LIBADD = $(top_builddir)/libpam/libpam.la noinst_HEADERS = pam_userdb.h if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_userdb.8 -README: pam_userdb.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_userdb/Makefile.in b/modules/pam_userdb/Makefile.in index 60fd6ade..c19b4231 100644 --- a/modules/pam_userdb/Makefile.in +++ b/modules/pam_userdb/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -86,24 +96,27 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_userdb -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(noinst_HEADERS) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -137,15 +150,13 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -@HAVE_LIBDB_TRUE@pam_userdb_la_DEPENDENCIES = \ -@HAVE_LIBDB_TRUE@ $(top_builddir)/libpam/libpam.la +pam_userdb_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la pam_userdb_la_SOURCES = pam_userdb.c pam_userdb_la_OBJECTS = pam_userdb.lo AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -@HAVE_LIBDB_TRUE@am_pam_userdb_la_rpath = -rpath $(securelibdir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -160,7 +171,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_userdb.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -189,8 +201,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -366,6 +379,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -388,6 +402,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -407,24 +424,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -438,7 +464,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -457,11 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -484,8 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -496,11 +523,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -543,7 +577,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -551,9 +584,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -563,25 +593,30 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_userdb.8 create.pl tst-pam_userdb -@HAVE_LIBDB_TRUE@man_MANS = pam_userdb.8 -@HAVE_LIBDB_TRUE@TESTS = tst-pam_userdb +EXTRA_DIST = $(XMLS) create.pl +@HAVE_DOC_TRUE@dist_man_MANS = pam_userdb.8 XMLS = README.xml pam_userdb.8.xml +dist_check_SCRIPTS = tst-pam_userdb +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module @LIBDB@ @LIBCRYPT@ \ $(am__append_1) -@HAVE_LIBDB_TRUE@securelib_LTLIBRARIES = pam_userdb.la -@HAVE_LIBDB_TRUE@pam_userdb_la_LIBADD = $(top_builddir)/libpam/libpam.la +securelib_LTLIBRARIES = pam_userdb.la +pam_userdb_la_LIBADD = $(top_builddir)/libpam/libpam.la noinst_HEADERS = pam_userdb.h -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_userdb.8 +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -598,14 +633,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_userdb/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_userdb/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -653,7 +687,7 @@ clean-securelibLTLIBRARIES: } pam_userdb.la: $(pam_userdb_la_OBJECTS) $(pam_userdb_la_DEPENDENCIES) $(EXTRA_pam_userdb_la_DEPENDENCIES) - $(AM_V_CCLD)$(LINK) $(am_pam_userdb_la_rpath) $(pam_userdb_la_OBJECTS) $(pam_userdb_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_userdb_la_OBJECTS) $(pam_userdb_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -661,21 +695,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_userdb.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_userdb.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -689,10 +729,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -727,7 +767,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -815,7 +855,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -892,7 +932,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -905,7 +945,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -915,7 +955,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -948,7 +988,10 @@ tst-pam_userdb.log: tst-pam_userdb @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -979,6 +1022,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) @@ -1027,7 +1071,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_userdb.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1073,7 +1117,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_userdb.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1096,15 +1140,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1112,7 +1157,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_userdb.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_userdb/README b/modules/pam_userdb/README index 1765591b..9d931bb5 100644 --- a/modules/pam_userdb/README +++ b/modules/pam_userdb/README @@ -25,7 +25,8 @@ db=/path/database debug - Print debug information. + Print debug information. Note that password hashes, both from db and + computed, will be printed to syslog. dump diff --git a/modules/pam_userdb/README.xml b/modules/pam_userdb/README.xml index b22c09e7..4e8f8ee7 100644 --- a/modules/pam_userdb/README.xml +++ b/modules/pam_userdb/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_userdb.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_userdb-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8 index 7f8fd358..a2493b50 100644 --- a/modules/pam_userdb/pam_userdb.8 +++ b/modules/pam_userdb/pam_userdb.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_userdb .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_USERDB" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_USERDB" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_userdb \- PAM module to authenticate against a db database The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\&. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\&. .SH "OPTIONS" .PP -\fBcrypt=[crypt|none]\fR +crypt=[crypt|none] .RS 4 Indicates whether encrypted or plaintext passwords are stored in the database\&. If it is \fBcrypt\fR, passwords should be stored in the database in @@ -47,7 +47,7 @@ form\&. If is selected, passwords should be stored in the database as plaintext\&. .RE .PP -\fBdb=\fR\fB\fI/path/database\fR\fR +db=/path/database .RS 4 Use the /path/database @@ -58,37 +58,37 @@ if no database is provided\&. Note that the path to the database file should be suffix\&. .RE .PP -\fBdebug\fR +debug .RS 4 -Print debug information\&. +Print debug information\&. Note that password hashes, both from db and computed, will be printed to syslog\&. .RE .PP -\fBdump\fR +dump .RS 4 Dump all the entries in the database to the log\&. Don\*(Aqt do this by default! .RE .PP -\fBicase\fR +icase .RS 4 Make the password verification to be case insensitive (ie when working with registration numbers and such)\&. Only works with plaintext password storage\&. .RE .PP -\fBtry_first_pass\fR +try_first_pass .RS 4 Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will try to converse\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. .RE .PP -\fBuse_first_pass\fR +use_first_pass .RS 4 Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will fail\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. .RE .PP -\fBunknown_ok\fR +unknown_ok .RS 4 Do not return error when checking for a user that is not in the database\&. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\&. .RE .PP -\fBkey_only\fR +key_only .RS 4 The username and password are concatenated together in the database hash as \*(Aqusername\-password\*(Aq with a random value\&. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\&. this is useful in cases where the username may not be unique but the username and password pair are\&. .RE @@ -152,7 +152,7 @@ auth sufficient pam_userdb\&.so icase db=/etc/dbtest \fBcrypt\fR(3), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml index fa628ada..86ba895a 100644 --- a/modules/pam_userdb/pam_userdb.8.xml +++ b/modules/pam_userdb/pam_userdb.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_userdb"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_userdb"> <refmeta> <refentrytitle>pam_userdb</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_userdb-name"> + <refnamediv xml:id="pam_userdb-name"> <refname>pam_userdb</refname> <refpurpose>PAM module to authenticate against a db database</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_userdb-cmdsynopsis"> + <cmdsynopsis xml:id="pam_userdb-cmdsynopsis" sepchar=" "> <command>pam_userdb.so</command> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> db=<replaceable>/path/database</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> crypt=[crypt|none] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> icase </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dump </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> try_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unknown_ok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> key_only </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_userdb-description"> + <refsect1 xml:id="pam_userdb-description"> <title>DESCRIPTION</title> @@ -60,13 +57,13 @@ </para> </refsect1> - <refsect1 id="pam_userdb-options"> + <refsect1 xml:id="pam_userdb-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>crypt=[crypt|none]</option> + crypt=[crypt|none] </term> <listitem> <para> @@ -82,13 +79,13 @@ </varlistentry> <varlistentry> <term> - <option>db=<replaceable>/path/database</replaceable></option> + db=/path/database </term> <listitem> <para> Use the <filename>/path/database</filename> database for performing lookup. There is no default; the module will - return <emphasis remap='B'>PAM_IGNORE</emphasis> if no + return <emphasis remap="B">PAM_IGNORE</emphasis> if no database is provided. Note that the path to the database file should be specified without the <filename>.db</filename> suffix. </para> @@ -96,17 +93,18 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> - Print debug information. + Print debug information. Note that password hashes, both from db + and computed, will be printed to syslog. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>dump</option> + dump </term> <listitem> <para> @@ -117,7 +115,7 @@ </varlistentry> <varlistentry> <term> - <option>icase</option> + icase </term> <listitem> <para> @@ -130,7 +128,7 @@ <varlistentry> <term> - <option>try_first_pass</option> + try_first_pass </term> <listitem> <para> @@ -145,7 +143,7 @@ </varlistentry> <varlistentry> <term> - <option>use_first_pass</option> + use_first_pass </term> <listitem> <para> @@ -160,7 +158,7 @@ </varlistentry> <varlistentry> <term> - <option>unknown_ok</option> + unknown_ok </term> <listitem> <para> @@ -173,7 +171,7 @@ </varlistentry> <varlistentry> <term> - <option>key_only</option> + key_only </term> <listitem> <para> @@ -190,7 +188,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_userdb-types"> + <refsect1 xml:id="pam_userdb-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module @@ -198,7 +196,7 @@ </para> </refsect1> - <refsect1 id='pam_userdb-return_values'> + <refsect1 xml:id="pam_userdb-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -258,14 +256,14 @@ </variablelist> </refsect1> - <refsect1 id='pam_userdb-examples'> + <refsect1 xml:id="pam_userdb-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_userdb.so icase db=/etc/dbtest </programlisting> </refsect1> - <refsect1 id='pam_userdb-see_also'> + <refsect1 xml:id="pam_userdb-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -278,16 +276,16 @@ auth sufficient pam_userdb.so icase db=/etc/dbtest <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_userdb-author'> + <refsect1 xml:id="pam_userdb-author"> <title>AUTHOR</title> <para> pam_userdb was written by Cristian Gafton >gafton@redhat.com<. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index cab37b30..297403b0 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -1,6 +1,6 @@ -/* pam_userdb module */ - /* + * pam_userdb module + * * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10 * See the end of the file for Copyright Information */ @@ -17,9 +17,7 @@ #include <sys/stat.h> #include <fcntl.h> #include <errno.h> -#ifdef HAVE_LIBXCRYPT -#include <xcrypt.h> -#elif defined(HAVE_CRYPT_H) +#ifdef HAVE_CRYPT_H #include <crypt.h> #endif @@ -37,19 +35,10 @@ # endif #endif -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include <security/pam_modules.h> #include <security/pam_ext.h> #include <security/_pam_macros.h> +#include "pam_inline.h" /* * Conversation function to obtain the user's password @@ -73,7 +62,7 @@ obtain_authtok(pam_handle_t *pamh) retval = pam_set_item(pamh, PAM_AUTHTOK, resp); /* clean it up */ - _pam_overwrite(resp); + pam_overwrite_string(resp); _pam_drop(resp); if ( (retval != PAM_SUCCESS) || @@ -97,6 +86,8 @@ _pam_parse (pam_handle_t *pamh, int argc, const char **argv, /* step through arguments */ for (ctrl = 0; argc-- > 0; ++argv) { + const char *str; + /* generic options */ if (!strcmp(*argv,"debug")) @@ -113,18 +104,18 @@ _pam_parse (pam_handle_t *pamh, int argc, const char **argv, ctrl |= PAM_USE_FPASS_ARG; else if (!strcasecmp(*argv, "try_first_pass")) ctrl |= PAM_TRY_FPASS_ARG; - else if (!strncasecmp(*argv,"db=", 3)) + else if ((str = pam_str_skip_icase_prefix(*argv, "db=")) != NULL) { - *database = (*argv) + 3; + *database = str; if (**database == '\0') { *database = NULL; pam_syslog(pamh, LOG_ERR, "db= specification missing argument - ignored"); } } - else if (!strncasecmp(*argv,"crypt=", 6)) + else if ((str = pam_str_skip_icase_prefix(*argv, "crypt=")) != NULL) { - *cryptmode = (*argv) + 6; + *cryptmode = str; if (**cryptmode == '\0') pam_syslog(pamh, LOG_ERR, "crypt= specification missing argument - ignored"); @@ -140,7 +131,7 @@ _pam_parse (pam_handle_t *pamh, int argc, const char **argv, /* - * Looks up an user name in a database and checks the password + * Looks up a user name in a database and checks the password * * return values: * 1 = User not found @@ -190,7 +181,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, if (key.dptr) { data = dbm_fetch(dbm, key); - memset(key.dptr, 0, key.dsize); + pam_overwrite_n(key.dptr, key.dsize); free(key.dptr); } @@ -201,7 +192,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, } if (data.dptr != NULL) { - int compare = 0; + int compare = -2; if (ctrl & PAM_KEY_ONLY_ARG) { @@ -209,43 +200,58 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, return 0; /* found it, data contents don't matter */ } - if (cryptmode && strncasecmp(cryptmode, "crypt", 5) == 0) { + if (cryptmode && pam_str_skip_icase_prefix(cryptmode, "crypt") != NULL) { /* crypt(3) password storage */ char *cryptpw = NULL; if (data.dsize < 13) { - compare = -2; + /* hash is too short */ + pam_syslog(pamh, LOG_INFO, "password hash in database is too short"); } else if (ctrl & PAM_ICASE_ARG) { - compare = -2; + pam_syslog(pamh, LOG_INFO, + "case-insensitive comparison only works with plaintext passwords"); } else { + /* libdb is not guaranteed to produce null terminated strings */ + char *pwhash = strndup(data.dptr, data.dsize); + + if (pwhash == NULL) { + pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr"); + } else { #ifdef HAVE_CRYPT_R - struct crypt_data *cdata = NULL; - cdata = malloc(sizeof(*cdata)); - if (cdata != NULL) { - cdata->initialized = 0; - cryptpw = crypt_r(pass, data.dptr, cdata); - } + struct crypt_data *cdata = NULL; + cdata = malloc(sizeof(*cdata)); + if (cdata == NULL) { + pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data"); + } else { + cdata->initialized = 0; + cryptpw = crypt_r(pass, pwhash, cdata); + } #else - cryptpw = crypt (pass, data.dptr); + cryptpw = crypt (pass, pwhash); #endif - if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { - compare = memcmp(data.dptr, cryptpw, data.dsize); - } else { - compare = -2; - if (ctrl & PAM_DEBUG_ARG) { - if (cryptpw) - pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); - else - pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); + if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) { + compare = memcmp(data.dptr, cryptpw, data.dsize); + } else { + if (ctrl & PAM_DEBUG_ARG) { + if (cryptpw) { + pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ"); + pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw); + } else { + pam_syslog(pamh, LOG_ERR, "crypt() returned NULL"); + } + } } - } #ifdef HAVE_CRYPT_R - free(cdata); + free(cdata); #endif + } + pam_overwrite_string(pwhash); + free(pwhash); } + pam_overwrite_string(cryptpw); } else { /* Unknown password encryption method - @@ -260,7 +266,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, compare = strncmp(data.dptr, pass, data.dsize); } - if (cryptmode && strncasecmp(cryptmode, "none", 4) + if (cryptmode && pam_str_skip_icase_prefix(cryptmode, "none") == NULL && (ctrl & PAM_DEBUG_ARG)) { pam_syslog(pamh, LOG_INFO, "invalid value for crypt parameter: %s", cryptmode); @@ -353,8 +359,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { - pam_syslog(pamh, LOG_ERR, "can not get the username"); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_SERVICE_ERR; } @@ -444,8 +451,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { - pam_syslog(pamh, LOG_ERR,"can not get the username"); + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_SERVICE_ERR; } diff --git a/modules/pam_cracklib/Makefile.am b/modules/pam_usertype/Makefile.am index 77b89d16..e6d35e48 100644 --- a/modules/pam_cracklib/Makefile.am +++ b/modules/pam_usertype/Makefile.am @@ -1,35 +1,38 @@ # # Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2020 Red Hat, Inc. # CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_cracklib.8 tst-pam_cracklib +EXTRA_DIST = $(XMLS) -if HAVE_LIBCRACK - TESTS = tst-pam_cracklib - man_MANS = pam_cracklib.8 +if HAVE_DOC +dist_man_MANS = pam_usertype.8 endif - -XMLS = README.xml pam_cracklib.8.xml +XMLS = README.xml pam_usertype.8.xml +dist_check_SCRIPTS = tst-pam_usertype +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_cracklib_la_LIBADD = $(top_builddir)/libpam/libpam.la \ - @LIBCRACK@ @LIBCRYPT@ -if HAVE_LIBCRACK - securelib_LTLIBRARIES = pam_cracklib.la -endif + +securelib_LTLIBRARIES = pam_usertype.la +pam_usertype_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_cracklib.8 -README: pam_cracklib.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_tally/Makefile.in b/modules/pam_usertype/Makefile.in index 1a0fd20d..28b96739 100644 --- a/modules/pam_tally/Makefile.in +++ b/modules/pam_usertype/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,14 +15,23 @@ @SET_MAKE@ # -# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2020 Red Hat, Inc. # - - VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -86,26 +95,27 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map -sbin_PROGRAMS = pam_tally$(EXEEXT) -subdir = modules/pam_tally -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(noinst_HEADERS) \ - $(top_srcdir)/build-aux/test-driver README +subdir = modules/pam_usertype ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -137,23 +147,15 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ - "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_tally_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la -pam_tally_la_SOURCES = pam_tally.c -pam_tally_la_OBJECTS = pam_tally.lo +pam_usertype_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_usertype_la_SOURCES = pam_usertype.c +pam_usertype_la_OBJECTS = pam_usertype.lo AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = -pam_tally_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(pam_tally_la_LDFLAGS) $(LDFLAGS) -o $@ -PROGRAMS = $(sbin_PROGRAMS) -am_pam_tally_OBJECTS = pam_tally_app.$(OBJEXT) -pam_tally_OBJECTS = $(am_pam_tally_OBJECTS) -pam_tally_LDADD = $(LDADD) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -168,7 +170,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_usertype.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -188,8 +191,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_tally.c $(pam_tally_SOURCES) -DIST_SOURCES = pam_tally.c $(pam_tally_SOURCES) +SOURCES = pam_usertype.c +DIST_SOURCES = pam_usertype.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -197,9 +200,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) -HEADERS = $(noinst_HEADERS) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -374,6 +377,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -396,6 +400,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -415,24 +422,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -446,7 +462,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -465,11 +480,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -492,8 +510,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -504,11 +521,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -551,7 +575,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -559,9 +582,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -571,26 +591,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally -man_MANS = pam_tally.8 -XMLS = README.xml pam_tally.8.xml -TESTS = tst-pam_tally +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_usertype.8 +XMLS = README.xml pam_usertype.8.xml +dist_check_SCRIPTS = tst-pam_usertype +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -noinst_HEADERS = faillog.h -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -pam_tally_la_LDFLAGS = -no-undefined -avoid-version -module \ - $(am__append_1) -pam_tally_la_LIBADD = $(top_builddir)/libpam/libpam.la -securelib_LTLIBRARIES = pam_tally.la -pam_tally_SOURCES = pam_tally_app.c -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) +securelib_LTLIBRARIES = pam_usertype.la +pam_usertype_la_LIBADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -604,17 +626,16 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_tally/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_usertype/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu modules/pam_tally/Makefile -.PRECIOUS: Makefile + $(AUTOMAKE) --gnu modules/pam_usertype/Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -661,61 +682,8 @@ clean-securelibLTLIBRARIES: rm -f $${locs}; \ } -pam_tally.la: $(pam_tally_la_OBJECTS) $(pam_tally_la_DEPENDENCIES) $(EXTRA_pam_tally_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_tally_la_LINK) -rpath $(securelibdir) $(pam_tally_la_OBJECTS) $(pam_tally_la_LIBADD) $(LIBS) -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ - fi; \ - for p in $$list; do echo "$$p $$p"; done | \ - sed 's/$(EXEEXT)$$//' | \ - while read p p1; do if test -f $$p \ - || test -f $$p1 \ - ; then echo "$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n;h' \ - -e 's|.*|.|' \ - -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ - sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) files[d] = files[d] " " $$1; \ - else { print "f", $$3 "/" $$4, $$1; } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ - -e 's/$$/$(EXEEXT)/' \ - `; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(sbindir)" && rm -f $$files - -clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list - -pam_tally$(EXEEXT): $(pam_tally_OBJECTS) $(pam_tally_DEPENDENCIES) $(EXTRA_pam_tally_DEPENDENCIES) - @rm -f pam_tally$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(pam_tally_OBJECTS) $(pam_tally_LDADD) $(LIBS) +pam_usertype.la: $(pam_usertype_la_OBJECTS) $(pam_usertype_la_DEPENDENCIES) $(EXTRA_pam_usertype_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_usertype_la_OBJECTS) $(pam_usertype_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -723,22 +691,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally_app.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_usertype.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -752,10 +725,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -790,7 +763,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -878,7 +851,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -955,7 +928,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -968,7 +941,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -978,7 +951,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -989,9 +962,9 @@ recheck: all am__force_recheck=am--force-recheck \ TEST_LOGS="$$log_list"; \ exit $$? -tst-pam_tally.log: tst-pam_tally - @p='tst-pam_tally'; \ - b='tst-pam_tally'; \ +tst-pam_usertype.log: tst-pam_usertype + @p='tst-pam_usertype'; \ + b='tst-pam_usertype'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1011,7 +984,10 @@ tst-pam_tally.log: tst-pam_tally @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -1042,11 +1018,12 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1086,11 +1063,11 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES mostlyclean-am +clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ + mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_usertype.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1113,7 +1090,7 @@ install-dvi: install-dvi-am install-dvi-am: -install-exec-am: install-sbinPROGRAMS +install-exec-am: install-html: install-html-am @@ -1136,7 +1113,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_usertype.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1153,15 +1130,14 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ - uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-sbinPROGRAMS \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ @@ -1169,16 +1145,16 @@ uninstall-man: uninstall-man8 install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ recheck tags tags-am uninstall uninstall-am uninstall-man \ - uninstall-man8 uninstall-sbinPROGRAMS \ - uninstall-securelibLTLIBRARIES + uninstall-man8 uninstall-securelibLTLIBRARIES + +.PRECIOUS: Makefile -@ENABLE_REGENERATE_MAN_TRUE@README: pam_tally.8.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_usertype/README b/modules/pam_usertype/README new file mode 100644 index 00000000..290a8fe1 --- /dev/null +++ b/modules/pam_usertype/README @@ -0,0 +1,48 @@ +pam_usertype — check if the authenticated user is a system or regular account + +â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + +DESCRIPTION + +pam_usertype.so is designed to succeed or fail authentication based on type of +the account of the authenticated user. The type of the account is decided with +help of SYS_UID_MAX settings in /etc/login.defs. One use is to select whether +to load other modules based on this test. + +The module should be given only one condition as module argument. +Authentication will succeed only if the condition is met. + +OPTIONS + +The following flags are supported: + +use_uid + + Evaluate conditions using the account of the user whose UID the application + is running under instead of the user being authenticated. + +audit + + Log unknown users to the system log. + +Available conditions are: + +issystem + + Succeed if the user is a system user. + +isregular + + Succeed if the user is a regular user. + +EXAMPLES + +Skip remaining modules if the user is a system user: + +account sufficient pam_usertype.so issystem + + +AUTHOR + +Pavel BÅ™ezina <pbrezina@redhat.com> + diff --git a/modules/pam_usertype/README.xml b/modules/pam_usertype/README.xml new file mode 100644 index 00000000..7faf549e --- /dev/null +++ b/modules/pam_usertype/README.xml @@ -0,0 +1,27 @@ +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-name")/*)'/> + </title> + + </info> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-description")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-options")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-examples")/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-author")/*)'/> + </section> + +</article>
\ No newline at end of file diff --git a/modules/pam_usertype/pam_usertype.8 b/modules/pam_usertype/pam_usertype.8 new file mode 100644 index 00000000..4bc8652e --- /dev/null +++ b/modules/pam_usertype/pam_usertype.8 @@ -0,0 +1,133 @@ +'\" t +.\" Title: pam_usertype +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PAM_USERTYPE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_usertype \- check if the authenticated user is a system or regular account +.SH "SYNOPSIS" +.HP \w'\fBpam_usertype\&.so\fR\ 'u +\fBpam_usertype\&.so\fR [\fIflag\fR...] {\fIcondition\fR} +.SH "DESCRIPTION" +.PP +pam_usertype\&.so is designed to succeed or fail authentication based on type of the account of the authenticated user\&. The type of the account is decided with help of +\fISYS_UID_MAX\fR +settings in +\fI/etc/login\&.defs\fR\&. One use is to select whether to load other modules based on this test\&. +.PP +The module should be given only one condition as module argument\&. Authentication will succeed only if the condition is met\&. +.SH "OPTIONS" +.PP +The following +\fIflag\fRs are supported: +.PP +use_uid +.RS 4 +Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. +.RE +.PP +audit +.RS 4 +Log unknown users to the system log\&. +.RE +.PP +Available +\fIcondition\fRs are: +.PP +issystem +.RS 4 +Succeed if the user is a system user\&. +.RE +.PP +isregular +.RS 4 +Succeed if the user is a regular user\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +All module types (\fBaccount\fR, +\fBauth\fR, +\fBpassword\fR +and +\fBsession\fR) are provided\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +The condition was true\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +The conversation method supplied by the application returned PAM_CONV_AGAIN\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +The condition was false\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +A service error occurred or the arguments can\*(Aqt be parsed correctly\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User was not found\&. +.RE +.SH "EXAMPLES" +.PP +Skip remaining modules if the user is a system user: +.sp +.if n \{\ +.RS 4 +.\} +.nf +account sufficient pam_usertype\&.so issystem + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBlogin.defs\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +Pavel Březina <pbrezina@redhat\&.com> diff --git a/modules/pam_usertype/pam_usertype.8.xml b/modules/pam_usertype/pam_usertype.8.xml new file mode 100644 index 00000000..87ad0796 --- /dev/null +++ b/modules/pam_usertype/pam_usertype.8.xml @@ -0,0 +1,195 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_usertype"> + <refmeta> + <refentrytitle>pam_usertype</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pam_usertype-name"> + <refname>pam_usertype</refname> + <refpurpose>check if the authenticated user is a system or regular account</refpurpose> + </refnamediv> + + + <refsynopsisdiv> + <cmdsynopsis xml:id="pam_usertype-cmdsynopsis" sepchar=" "> + <command>pam_usertype.so</command> + <arg choice="opt" rep="repeat"><replaceable>flag</replaceable></arg> + <arg choice="req" rep="norepeat"><replaceable>condition</replaceable></arg> + </cmdsynopsis> + </refsynopsisdiv> + + + <refsect1 xml:id="pam_usertype-description"> + <title>DESCRIPTION</title> + <para> + pam_usertype.so is designed to succeed or fail authentication + based on type of the account of the authenticated user. + The type of the account is decided with help of + <emphasis>SYS_UID_MAX</emphasis> + settings in <emphasis>/etc/login.defs</emphasis>. One use is to select + whether to load other modules based on this test. + </para> + + <para> + The module should be given only one condition as module argument. + Authentication will succeed only if the condition is met. + </para> + </refsect1> + + <refsect1 xml:id="pam_usertype-options"> + <title>OPTIONS</title> + <para> + The following <emphasis>flag</emphasis>s are supported: + </para> + + <variablelist> + <varlistentry> + <term>use_uid</term> + <listitem> + <para> + Evaluate conditions using the account of the user whose UID + the application is running under instead of the user being + authenticated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>audit</term> + <listitem> + <para> + Log unknown users to the system log. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + Available <emphasis>condition</emphasis>s are: + </para> + + <variablelist> + <varlistentry> + <term>issystem</term> + <listitem> + <para>Succeed if the user is a system user.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>isregular</term> + <listitem> + <para>Succeed if the user is a regular user.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pam_usertype-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + All module types (<option>account</option>, <option>auth</option>, + <option>password</option> and <option>session</option>) are provided. + </para> + </refsect1> + + <refsect1 xml:id="pam_usertype-return_values"> + <title>RETURN VALUES</title> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The condition was true. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the application + failed to obtain the username. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The condition was false. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A service error occurred or the arguments can't be + parsed correctly. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User was not found. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 xml:id="pam_usertype-examples"> + <title>EXAMPLES</title> + <para> + Skip remaining modules if the user is a system user: + </para> + <programlisting> +account sufficient pam_usertype.so issystem + </programlisting> + </refsect1> + + <refsect1 xml:id="pam_usertype-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pam_usertype-author"> + <title>AUTHOR</title> + <para>Pavel Březina <pbrezina@redhat.com></para> + </refsect1> +</refentry>
\ No newline at end of file diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c new file mode 100644 index 00000000..cfd9c8bb --- /dev/null +++ b/modules/pam_usertype/pam_usertype.c @@ -0,0 +1,308 @@ +/****************************************************************************** + * Check user type based on login.defs. + * + * Copyright (c) 2020 Red Hat, Inc. + * Written by Pavel Březina <pbrezina@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include <sys/types.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <unistd.h> +#include <pwd.h> +#include <ctype.h> +#include <errno.h> + +#include <security/pam_modules.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#define LOGIN_DEFS "/etc/login.defs" + +enum pam_usertype_op { + OP_IS_SYSTEM, + OP_IS_REGULAR, + + OP_SENTINEL +}; + +struct pam_usertype_opts { + enum pam_usertype_op op; + int use_uid; + int audit; +}; + +static int +pam_usertype_parse_args(struct pam_usertype_opts *opts, + pam_handle_t *pamh, + int argc, + const char **argv) +{ + int i; + + memset(opts, 0, sizeof(struct pam_usertype_opts)); + opts->op = OP_SENTINEL; + + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "use_uid") == 0) { + opts->use_uid = 1; + } else if (strcmp(argv[i], "audit") == 0) { + opts->audit = 1; + } else if (strcmp(argv[i], "issystem") == 0) { + opts->op = OP_IS_SYSTEM; + } else if (strcmp(argv[i], "isregular") == 0) { + opts->op = OP_IS_REGULAR; + } else { + pam_syslog(pamh, LOG_WARNING, "Unknown argument: %s", argv[i]); + /* Just continue. */ + } + } + + if (opts->op == OP_SENTINEL) { + pam_syslog(pamh, LOG_ERR, "Operation not specified"); + return PAM_SERVICE_ERR; + } + + return PAM_SUCCESS; +} + +static int +pam_usertype_get_uid(struct pam_usertype_opts *opts, + pam_handle_t *pamh, + uid_t *_uid) +{ + struct passwd *pwd; + const char *username; + int ret; + + /* Get uid of user that runs the application. */ + if (opts->use_uid) { + pwd = pam_modutil_getpwuid(pamh, getuid()); + if (pwd == NULL) { + pam_syslog(pamh, LOG_ERR, + "error retrieving information about user %lu", + (unsigned long)getuid()); + return PAM_USER_UNKNOWN; + } + + *_uid = pwd->pw_uid; + return PAM_SUCCESS; + } + + /* Get uid of user that is being authenticated. */ + ret = pam_get_user(pamh, &username, NULL); + if (ret != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, ret)); + return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : ret; + } + + pwd = pam_modutil_getpwnam(pamh, username); + if (pwd == NULL) { + if (opts->audit) { + pam_syslog(pamh, LOG_NOTICE, + "error retrieving information about user %s", username); + } + + pam_modutil_getpwnam(pamh, "root"); + + return PAM_USER_UNKNOWN; + } + pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:"); + + *_uid = pwd->pw_uid; + + return PAM_SUCCESS; +} + +#define MAX_UID_VALUE 0xFFFFFFFFUL + +static uid_t +pam_usertype_get_id(pam_handle_t *pamh, + const char *key, + uid_t default_value) +{ + unsigned long ul; + char *value; + char *ep; + uid_t uid; + + value = pam_modutil_search_key(pamh, LOGIN_DEFS, key); + if (value == NULL) { + return default_value; + } + + /* taken from get_lastlog_uid_max() */ + ep = value + strlen(value); + while (ep > value && isspace(*(--ep))) { + *ep = '\0'; + } + + errno = 0; + ul = strtoul(value, &ep, 10); + if (!(ul >= MAX_UID_VALUE + || (uid_t)ul >= MAX_UID_VALUE + || (errno != 0 && ul == 0) + || value == ep + || *ep != '\0')) { + uid = (uid_t)ul; + } else { + uid = default_value; + } + + free(value); + + return uid; +} + +static int +pam_usertype_is_system(pam_handle_t *pamh, uid_t uid) +{ + uid_t uid_min; + uid_t sys_max; + + if (uid == (uid_t)-1) { + pam_syslog(pamh, LOG_WARNING, "invalid uid"); + return PAM_USER_UNKNOWN; + } + + if (uid == PAM_USERTYPE_OVERFLOW_UID) { + /* nobody */ + return PAM_SUCCESS; + } + + uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN); + sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1); + + if (uid <= sys_max && uid < uid_min) { + return PAM_SUCCESS; + } + + return PAM_AUTH_ERR; +} + +static int +pam_usertype_is_regular(pam_handle_t *pamh, uid_t uid) +{ + int ret; + + ret = pam_usertype_is_system(pamh, uid); + switch (ret) { + case PAM_SUCCESS: + return PAM_AUTH_ERR; + case PAM_USER_UNKNOWN: + return PAM_USER_UNKNOWN; + default: + return PAM_SUCCESS; + } +} + +static int +pam_usertype_evaluate(struct pam_usertype_opts *opts, + pam_handle_t *pamh, + uid_t uid) +{ + switch (opts->op) { + case OP_IS_SYSTEM: + return pam_usertype_is_system(pamh, uid); + case OP_IS_REGULAR: + return pam_usertype_is_regular(pamh, uid); + default: + pam_syslog(pamh, LOG_ERR, "Unknown operation: %d", opts->op); + return PAM_SERVICE_ERR; + } +} + +/** + * Arguments: + * - issystem: uid less than SYS_UID_MAX + * - isregular: not issystem + * - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if) + * - audit: log unknown users to syslog + */ +int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + struct pam_usertype_opts opts; + uid_t uid = -1; + int ret; + + ret = pam_usertype_parse_args(&opts, pamh, argc, argv); + if (ret != PAM_SUCCESS) { + return ret; + } + + ret = pam_usertype_get_uid(&opts, pamh, &uid); + if (ret != PAM_SUCCESS) { + return ret; + } + + return pam_usertype_evaluate(&opts, pamh, uid); +} + +int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} diff --git a/modules/pam_usertype/tst-pam_usertype b/modules/pam_usertype/tst-pam_usertype new file mode 100755 index 00000000..a21f8fe7 --- /dev/null +++ b/modules/pam_usertype/tst-pam_usertype @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_usertype.so diff --git a/modules/pam_warn/Makefile.am b/modules/pam_warn/Makefile.am index 40c5bb6b..5e13f8f2 100644 --- a/modules/pam_warn/Makefile.am +++ b/modules/pam_warn/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_warn +EXTRA_DIST = $(XMLS) -man_MANS = pam_warn.8 +if HAVE_DOC +dist_man_MANS = pam_warn.8 +endif XMLS = README.xml pam_warn.8.xml - -TESTS = tst-pam_warn +dist_check_SCRIPTS = tst-pam_warn +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -24,8 +31,10 @@ endif securelib_LTLIBRARIES = pam_warn.la pam_warn_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_warn-retval +tst_pam_warn_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_warn.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_warn/Makefile.in b/modules/pam_warn/Makefile.in index 54a3b77f..aff1ee54 100644 --- a/modules/pam_warn/Makefile.in +++ b/modules/pam_warn/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -84,25 +94,28 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_warn-retval$(EXEEXT) subdir = modules/pam_warn -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -143,6 +156,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_warn_retval_SOURCES = tst-pam_warn-retval.c +tst_pam_warn_retval_OBJECTS = tst-pam_warn-retval.$(OBJEXT) +tst_pam_warn_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -157,7 +173,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_warn.Plo \ + ./$(DEPDIR)/tst-pam_warn-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -177,8 +195,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_warn.c -DIST_SOURCES = pam_warn.c +SOURCES = pam_warn.c tst-pam_warn-retval.c +DIST_SOURCES = pam_warn.c tst-pam_warn-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -186,8 +204,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +381,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +404,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +426,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +466,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +525,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +579,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +586,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +595,29 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_warn -man_MANS = pam_warn.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_warn.8 XMLS = README.xml pam_warn.8.xml -TESTS = tst-pam_warn +dist_check_SCRIPTS = tst-pam_warn +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_warn.la pam_warn_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +tst_pam_warn_retval_LDADD = $(top_builddir)/libpam/libpam.la +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +634,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_warn/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_warn/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -611,6 +652,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -649,27 +699,38 @@ clean-securelibLTLIBRARIES: pam_warn.la: $(pam_warn_la_OBJECTS) $(pam_warn_la_DEPENDENCIES) $(EXTRA_pam_warn_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_warn_la_OBJECTS) $(pam_warn_la_LIBADD) $(LIBS) +tst-pam_warn-retval$(EXEEXT): $(tst_pam_warn_retval_OBJECTS) $(tst_pam_warn_retval_DEPENDENCIES) $(EXTRA_tst_pam_warn_retval_DEPENDENCIES) + @rm -f tst-pam_warn-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_warn_retval_OBJECTS) $(tst_pam_warn_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_warn.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_warn.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_warn-retval.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +744,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +782,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +870,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +947,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +960,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +970,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -927,6 +988,13 @@ tst-pam_warn.log: tst-pam_warn --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_warn-retval.log: tst-pam_warn-retval$(EXEEXT) + @p='tst-pam_warn-retval$(EXEEXT)'; \ + b='tst-pam_warn-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -942,7 +1010,10 @@ tst-pam_warn.log: tst-pam_warn @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1044,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1017,11 +1090,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_warn.Plo + -rm -f ./$(DEPDIR)/tst-pam_warn-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1141,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_warn.Plo + -rm -f ./$(DEPDIR)/tst-pam_warn-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1165,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1182,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_warn.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_warn/README.xml b/modules/pam_warn/README.xml index 4367c28f..56093f80 100644 --- a/modules/pam_warn/README.xml +++ b/modules/pam_warn/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_warn.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_warn-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8 index 26eac145..0138c707 100644 --- a/modules/pam_warn/pam_warn.8 +++ b/modules/pam_warn/pam_warn.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_warn .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_WARN" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_WARN" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -83,7 +83,7 @@ other session required pam_deny\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_warn/pam_warn.8.xml b/modules/pam_warn/pam_warn.8.xml index 1764ec92..a69e1d69 100644 --- a/modules/pam_warn/pam_warn.8.xml +++ b/modules/pam_warn/pam_warn.8.xml @@ -1,25 +1,22 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_warn"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_warn"> <refmeta> <refentrytitle>pam_warn</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_warn-name"> + <refnamediv xml:id="pam_warn-name"> <refname>pam_warn</refname> <refpurpose>PAM module which logs all PAM items if called</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_warn-cmdsynopsis"> + <cmdsynopsis xml:id="pam_warn-cmdsynopsis" sepchar=" "> <command>pam_warn.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_warn-description"> + <refsect1 xml:id="pam_warn-description"> <title>DESCRIPTION</title> <para> pam_warn is a PAM module that logs the service, terminal, user, @@ -28,17 +25,17 @@ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> </citerefentry>. The items are not probed for, but instead obtained from the standard PAM items. The module always returns - <emphasis remap='B'>PAM_IGNORE</emphasis>, indicating that it + <emphasis remap="B">PAM_IGNORE</emphasis>, indicating that it does not want to affect the authentication process. </para> </refsect1> - <refsect1 id="pam_warn-options"> + <refsect1 xml:id="pam_warn-options"> <title>OPTIONS</title> <para>This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_warn-types"> + <refsect1 xml:id="pam_warn-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option>, <option>account</option>, @@ -47,7 +44,7 @@ </para> </refsect1> - <refsect1 id='pam_warn-return_values'> + <refsect1 xml:id="pam_warn-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -61,7 +58,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_warn-examples'> + <refsect1 xml:id="pam_warn-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -80,7 +77,7 @@ other session required pam_deny.so </programlisting> </refsect1> - <refsect1 id='pam_warn-see_also'> + <refsect1 xml:id="pam_warn-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -90,16 +87,16 @@ other session required pam_deny.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_warn-author'> + <refsect1 xml:id="pam_warn-author"> <title>AUTHOR</title> <para> pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_warn/pam_warn.c b/modules/pam_warn/pam_warn.c index 1d196ad3..d91c3e9f 100644 --- a/modules/pam_warn/pam_warn.c +++ b/modules/pam_warn/pam_warn.c @@ -1,7 +1,5 @@ -/* pam_warn module */ - /* - * $Id$ + * pam_warn module * * Written by Andrew Morgan <morgan@linux.kernel.org> 1996/3/11 */ @@ -13,16 +11,6 @@ #include <syslog.h> #include <stdarg.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_PASSWORD - #include <security/pam_modules.h> #include <security/pam_ext.h> diff --git a/modules/pam_warn/tst-pam_warn-retval.c b/modules/pam_warn/tst-pam_warn-retval.c new file mode 100644 index 00000000..49d6524e --- /dev/null +++ b/modules/pam_warn/tst-pam_warn-retval.c @@ -0,0 +1,88 @@ +/* + * Check pam_warn return values. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_warn" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_IGNORE -> PAM_PERM_DENIED */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_IGNORE -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am index 0042ca82..4d9084e0 100644 --- a/modules/pam_wheel/Makefile.am +++ b/modules/pam_wheel/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel +EXTRA_DIST = $(XMLS) -man_MANS = pam_wheel.8 +if HAVE_DOC +dist_man_MANS = pam_wheel.8 +endif XMLS = README.xml pam_wheel.8.xml - -TESTS = tst-pam_wheel +dist_check_SCRIPTS = tst-pam_wheel +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_wheel.la pam_wheel_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_wheel.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_wheel/Makefile.in b/modules/pam_wheel/Makefile.in index 8dc8809d..d9ea36d3 100644 --- a/modules/pam_wheel/Makefile.in +++ b/modules/pam_wheel/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_wheel -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_wheel.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_wheel -man_MANS = pam_wheel.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_wheel.8 XMLS = README.xml pam_wheel.8.xml -TESTS = tst-pam_wheel +dist_check_SCRIPTS = tst-pam_wheel +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_wheel.la pam_wheel_la_LIBADD = $(top_builddir)/libpam/libpam.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_wheel/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_wheel/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_wheel.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_wheel.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_wheel.log: tst-pam_wheel @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_wheel.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_wheel.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_wheel.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index ce123574..ec9e7d7e 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -5,7 +5,7 @@ pam_wheel — Only permit root access to members of group wheel DESCRIPTION The pam_wheel PAM module is used to enforce the so-called wheel group. By -default it permits root access to the system if the applicant user is a member +default it permits access to the target user if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0. @@ -39,12 +39,6 @@ trust modules the wheel members may be able to su to root without being prompted for a passwd). -use_uid - - The check for wheel membership will be done against the current uid instead - of the original one (useful when jumping with su from one account to - another for example). - EXAMPLES The root account gains access by default (rootok), only wheel members can diff --git a/modules/pam_wheel/README.xml b/modules/pam_wheel/README.xml index 9e33d7ff..e40c46e8 100644 --- a/modules/pam_wheel/README.xml +++ b/modules/pam_wheel/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_wheel.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_wheel-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8 index d59ee467..ca687e59 100644 --- a/modules/pam_wheel/pam_wheel.8 +++ b/modules/pam_wheel/pam_wheel.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_wheel .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 09/13/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_WHEEL" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_WHEEL" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,23 +31,23 @@ pam_wheel \- Only permit root access to members of group wheel .SH "SYNOPSIS" .HP \w'\fBpam_wheel\&.so\fR\ 'u -\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] .SH "DESCRIPTION" .PP The pam_wheel PAM module is used to enforce the so\-called \fIwheel\fR -group\&. By default it permits root access to the system if the applicant user is a member of the +group\&. By default it permits access to the target user if the applicant user is a member of the \fIwheel\fR group\&. If no group with this name exist, the module is using the group with the group\-ID \fB0\fR\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBdeny\fR +deny .RS 4 Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the \fBgroup\fR @@ -56,27 +56,22 @@ option), deny access\&. Conversely, if the user is not in the group, return PAM_ was also specified, in which case we return PAM_SUCCESS)\&. .RE .PP -\fBgroup=\fR\fB\fIname\fR\fR +group=name .RS 4 Instead of checking the wheel or GID 0 groups, use the \fB\fIname\fR\fR group to perform the authentication\&. .RE .PP -\fBroot_only\fR +root_only .RS 4 The check for wheel membership is done only when the target user UID is 0\&. .RE .PP -\fBtrust\fR +trust .RS 4 The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. .RE -.PP -\fBuse_uid\fR -.RS 4 -The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&. -.RE .SH "MODULE TYPES PROVIDED" .PP The @@ -141,7 +136,7 @@ su auth required pam_unix\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&. diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml index c8d93773..86f2828a 100644 --- a/modules/pam_wheel/pam_wheel.8.xml +++ b/modules/pam_wheel/pam_wheel.8.xml @@ -1,62 +1,56 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_wheel"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_wheel"> <refmeta> <refentrytitle>pam_wheel</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_wheel-name"> + <refnamediv xml:id="pam_wheel-name"> <refname>pam_wheel</refname> <refpurpose>Only permit root access to members of group wheel</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_wheel-cmdsynopsis"> + <cmdsynopsis xml:id="pam_wheel-cmdsynopsis" sepchar=" "> <command>pam_wheel.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> deny </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> group=<replaceable>name</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> root_only </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> trust </arg> - <arg choice="opt"> - use_uid - </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_wheel-description"> + <refsect1 xml:id="pam_wheel-description"> <title>DESCRIPTION</title> <para> The pam_wheel PAM module is used to enforce the so-called - <emphasis>wheel</emphasis> group. By default it permits root - access to the system if the applicant user is a member of the + <emphasis>wheel</emphasis> group. By default it permits + access to the target user if the applicant user is a member of the <emphasis>wheel</emphasis> group. If no group with this name exist, the module is using the group with the group-ID - <emphasis remap='B'>0</emphasis>. + <emphasis remap="B">0</emphasis>. </para> </refsect1> - <refsect1 id="pam_wheel-options"> + <refsect1 xml:id="pam_wheel-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -66,7 +60,7 @@ </varlistentry> <varlistentry> <term> - <option>deny</option> + deny </term> <listitem> <para> @@ -81,7 +75,7 @@ </varlistentry> <varlistentry> <term> - <option>group=<replaceable>name</replaceable></option> + group=name </term> <listitem> <para> @@ -93,7 +87,7 @@ </varlistentry> <varlistentry> <term> - <option>root_only</option> + root_only </term> <listitem> <para> @@ -104,7 +98,7 @@ </varlistentry> <varlistentry> <term> - <option>trust</option> + trust </term> <listitem> <para> @@ -116,30 +110,18 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term> - <option>use_uid</option> - </term> - <listitem> - <para> - The check for wheel membership will be done against - the current uid instead of the original one (useful when - jumping with su from one account to another for example). - </para> - </listitem> - </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_wheel-types"> + <refsect1 xml:id="pam_wheel-types"> <title>MODULE TYPES PROVIDED</title> <para> - The <emphasis remap='B'>auth</emphasis> and - <emphasis remap='B'>account</emphasis> module types are provided. + The <emphasis remap="B">auth</emphasis> and + <emphasis remap="B">account</emphasis> module types are provided. </para> </refsect1> - <refsect1 id='pam_wheel-return_values'> + <refsect1 xml:id="pam_wheel-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -204,7 +186,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_wheel-examples'> + <refsect1 xml:id="pam_wheel-examples"> <title>EXAMPLES</title> <para> The root account gains access by default (rootok), only wheel @@ -218,7 +200,7 @@ su auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_wheel-see_also'> + <refsect1 xml:id="pam_wheel-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -228,12 +210,12 @@ su auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_wheel-author'> + <refsect1 xml:id="pam_wheel-author"> <title>AUTHOR</title> <para> pam_wheel was written by Cristian Gafton <gafton@redhat.com>. diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 6ea7b847..5eb7b82f 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -1,6 +1,6 @@ -/* pam_wheel module */ - /* + * pam_wheel module + * * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10 * See the end of the file for Copyright Information * @@ -39,30 +39,16 @@ * modules include file to define the function prototypes. */ -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> - -/* checks if a user is on a list of members of the GID 0 group */ -static int is_on_list(char * const *list, const char *member) -{ - while (list && *list) { - if (strcmp(*list, member) == 0) - return 1; - list++; - } - return 0; -} +#include "pam_inline.h" /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 -#define PAM_USE_UID_ARG 0x0002 -#define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 +#define PAM_TRUST_ARG 0x0002 +#define PAM_DENY_ARG 0x0004 #define PAM_ROOT_ONLY_ARG 0x0020 static int @@ -75,21 +61,21 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, /* step through arguments */ for (ctrl=0; argc-- > 0; ++argv) { + const char *str; /* generic options */ if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; - else if (!strcmp(*argv,"use_uid")) - ctrl |= PAM_USE_UID_ARG; + else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ else if (!strcmp(*argv,"trust")) ctrl |= PAM_TRUST_ARG; else if (!strcmp(*argv,"deny")) ctrl |= PAM_DENY_ARG; else if (!strcmp(*argv,"root_only")) ctrl |= PAM_ROOT_ONLY_ARG; - else if (!strncmp(*argv,"group=",6)) - strncpy(use_group,*argv+6,group_length-1); + else if ((str = pam_str_skip_prefix(*argv, "group=")) != NULL) + strncpy(use_group, str, group_length - 1); else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -108,9 +94,10 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) int retval = PAM_AUTH_ERR; retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, "can not get the username"); + pam_syslog(pamh, LOG_DEBUG, "cannot determine user name: %s", + pam_strerror(pamh, retval)); } return PAM_SERVICE_ERR; } @@ -129,27 +116,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) } } - if (ctrl & PAM_USE_UID_ARG) { - tpwd = pam_modutil_getpwuid (pamh, getuid()); - if (!tpwd) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; - } - fromsu = tpwd->pw_name; - } else { - fromsu = pam_modutil_getlogin(pamh); - if (fromsu) { - tpwd = pam_modutil_getpwnam (pamh, fromsu); - } - if (!fromsu || !tpwd) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; - } + tpwd = pam_modutil_getpwuid (pamh, getuid()); + if (tpwd == NULL) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } + return PAM_SERVICE_ERR; } + fromsu = tpwd->pw_name; /* * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu @@ -163,7 +137,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) grp = pam_modutil_getgrnam (pamh, use_group); } - if (!grp || (!grp->gr_mem && (tpwd->pw_gid != grp->gr_gid))) { + if (grp == NULL) { if (ctrl & PAM_DEBUG_ARG) { if (!use_group[0]) { pam_syslog(pamh, LOG_NOTICE, "no members in a GID 0 group"); @@ -188,7 +162,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) * user has the "wheel" (sic) group as its primary group. */ - if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) { + if (pam_modutil_user_in_group_uid_gid(pamh, tpwd->pw_uid, grp->gr_gid)) { if (ctrl & PAM_DENY_ARG) { retval = PAM_PERM_DENIED; diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am index 0735d13b..bf736abe 100644 --- a/modules/pam_xauth/Makefile.am +++ b/modules/pam_xauth/Makefile.am @@ -5,17 +5,24 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_xauth +EXTRA_DIST = $(XMLS) -man_MANS = pam_xauth.8 +if HAVE_DOC +dist_man_MANS = pam_xauth.8 +endif XMLS = README.xml pam_xauth.8.xml - -TESTS = tst-pam_xauth +dist_check_SCRIPTS = tst-pam_xauth +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -25,7 +32,6 @@ securelib_LTLIBRARIES = pam_xauth.la pam_xauth_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ if ENABLE_REGENERATE_MAN -noinst_DATA = README -README: pam_xauth.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_xauth/Makefile.in b/modules/pam_xauth/Makefile.in index be7fbe6f..4d3a6b79 100644 --- a/modules/pam_xauth/Makefile.in +++ b/modules/pam_xauth/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,24 +95,26 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map subdir = modules/pam_xauth -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ - $(top_srcdir)/m4/japhar_grep_cflags.m4 \ +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ - $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ - $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -157,7 +169,8 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_xauth.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -186,8 +199,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +376,7 @@ am__set_TESTS_bases = \ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -384,6 +399,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -403,24 +421,33 @@ CC_FOR_BUILD = @CC_FOR_BUILD@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -434,7 +461,6 @@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBAUDIT = @LIBAUDIT@ -LIBCRACK = @LIBCRACK@ LIBCRYPT = @LIBCRYPT@ LIBDB = @LIBDB@ LIBDL = @LIBDL@ @@ -453,11 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -480,8 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ -PIE_CFLAGS = @PIE_CFLAGS@ -PIE_LDFLAGS = @PIE_LDFLAGS@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -492,11 +520,18 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -539,7 +574,6 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -libc_cv_fpie = @libc_cv_fpie@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ @@ -547,9 +581,6 @@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ -pam_cv_ld_O1 = @pam_cv_ld_O1@ -pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ -pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ pam_xauth_path = @pam_xauth_path@ pdfdir = @pdfdir@ prefix = @prefix@ @@ -559,23 +590,28 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README ${MANS} $(XMLS) tst-pam_xauth -man_MANS = pam_xauth.8 +EXTRA_DIST = $(XMLS) +@HAVE_DOC_TRUE@dist_man_MANS = pam_xauth.8 XMLS = README.xml pam_xauth.8.xml -TESTS = tst-pam_xauth +dist_check_SCRIPTS = tst-pam_xauth +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_xauth.la pam_xauth_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: @@ -592,14 +628,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_xauth/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_xauth/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -655,21 +690,27 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_xauth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_xauth.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -683,10 +724,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -721,7 +762,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -809,7 +850,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -886,7 +927,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -899,7 +940,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -909,7 +950,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -942,7 +983,10 @@ tst-pam_xauth.log: tst-pam_xauth @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -973,6 +1017,7 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1021,7 +1066,7 @@ clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_xauth.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1067,7 +1112,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_xauth.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1090,15 +1135,16 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-securelibLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ @@ -1106,7 +1152,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_xauth.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_xauth/README.xml b/modules/pam_xauth/README.xml index adefbd98..04fc2468 100644 --- a/modules/pam_xauth/README.xml +++ b/modules/pam_xauth/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_xauth.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_xauth-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-implementation"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-implementation")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8 index 86f8cc13..e6f23c10 100644 --- a/modules/pam_xauth/pam_xauth.8 +++ b/modules/pam_xauth/pam_xauth.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_xauth .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_XAUTH" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_XAUTH" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -76,12 +76,12 @@ Both the import and export files support wildcards (such as \fI*\fR)\&. Both the import and export files can be empty, signifying that no users are allowed\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR +xauthpath=/path/to/xauth .RS 4 Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth, @@ -90,12 +90,12 @@ Specify the path the xauth program (it is expected in by default)\&. .RE .PP -\fBsystemuser=\fR\fB\fIUID\fR\fR +systemuser=UID .RS 4 Specify the highest UID which will be assumed to belong to a "system" user\&. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\&. .RE .PP -\fBtargetuser=\fR\fB\fIUID\fR\fR +targetuser=UID .RS 4 Specify a single target UID which is exempt from the systemuser check\&. .RE @@ -177,7 +177,7 @@ XXX .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&. diff --git a/modules/pam_xauth/pam_xauth.8.xml b/modules/pam_xauth/pam_xauth.8.xml index 08c06cf8..214226ba 100644 --- a/modules/pam_xauth/pam_xauth.8.xml +++ b/modules/pam_xauth/pam_xauth.8.xml @@ -1,39 +1,36 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_xauth"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_xauth"> <refmeta> <refentrytitle>pam_xauth</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_xauth-name"> + <refnamediv xml:id="pam_xauth-name"> <refname>pam_xauth</refname> <refpurpose>PAM module to forward xauth keys between users</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_xauth-cmdsynopsis"> + <cmdsynopsis xml:id="pam_xauth-cmdsynopsis" sepchar=" "> <command>pam_xauth.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> xauthpath=<replaceable>/path/to/xauth</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> systemuser=<replaceable>UID</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> targetuser=<replaceable>UID</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_xauth-description"> + <refsect1 xml:id="pam_xauth-description"> <title>DESCRIPTION</title> <para> The pam_xauth PAM module is designed to forward xauth keys @@ -81,25 +78,25 @@ If a user has a <filename>.xauth/export</filename> file, the user will only forward cookies to users listed in the file. If there is no <filename>~/.xauth/export</filename> file, and the invoking user is - not <emphasis remap='B'>root</emphasis>, the user will forward cookies + not <emphasis remap="B">root</emphasis>, the user will forward cookies to any other user. If there is no <filename>~/.xauth/export</filename> - file, and the invoking user is <emphasis remap='B'>root</emphasis>, - the user will <emphasis remap='I'>not</emphasis> forward cookies to + file, and the invoking user is <emphasis remap="B">root</emphasis>, + the user will <emphasis remap="I">not</emphasis> forward cookies to other users. </para> <para> Both the import and export files support wildcards (such as - <emphasis remap='I'>*</emphasis>). Both the import and export files + <emphasis remap="I">*</emphasis>). Both the import and export files can be empty, signifying that no users are allowed. </para> </refsect1> - <refsect1 id="pam_xauth-options"> + <refsect1 xml:id="pam_xauth-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -109,7 +106,7 @@ </varlistentry> <varlistentry> <term> - <option>xauthpath=<replaceable>/path/to/xauth</replaceable></option> + xauthpath=/path/to/xauth </term> <listitem> <para> @@ -122,7 +119,7 @@ </varlistentry> <varlistentry> <term> - <option>systemuser=<replaceable>UID</replaceable></option> + systemuser=UID </term> <listitem> <para> @@ -135,7 +132,7 @@ </varlistentry> <varlistentry> <term> - <option>targetuser=<replaceable>UID</replaceable></option> + targetuser=UID </term> <listitem> <para> @@ -147,14 +144,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_xauth-types"> + <refsect1 xml:id="pam_xauth-types"> <title>MODULE TYPES PROVIDED</title> <para> - Only the <emphasis remap='B'>session</emphasis> type is provided. + Only the <emphasis remap="B">session</emphasis> type is provided. </para> </refsect1> - <refsect1 id='pam_xauth-return_values'> + <refsect1 xml:id="pam_xauth-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -205,7 +202,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_xauth-examples'> + <refsect1 xml:id="pam_xauth-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/su</filename> to @@ -216,10 +213,10 @@ session optional pam_xauth.so </para> </refsect1> - <refsect1 id="pam_xauth-implementation"> + <refsect1 xml:id="pam_xauth-implementation"> <title>IMPLEMENTATION DETAILS</title> <para> - pam_xauth will work <emphasis remap='I'>only</emphasis> if it is + pam_xauth will work <emphasis remap="I">only</emphasis> if it is used from a setuid application in which the <function>getuid</function>() call returns the id of the user running the application, and for which PAM can supply the name @@ -247,17 +244,17 @@ session optional pam_xauth.so </para> </refsect1> - <refsect1 id="pam_lastlog-files"> + <refsect1 xml:id="pam_lastlog-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>~/.xauth/import</filename></term> + <term>~/.xauth/import</term> <listitem> <para>XXX</para> </listitem> </varlistentry> <varlistentry> - <term><filename>~/.xauth/export</filename></term> + <term>~/.xauth/export</term> <listitem> <para>XXX</para> </listitem> @@ -266,7 +263,7 @@ session optional pam_xauth.so </refsect1> - <refsect1 id='pam_xauth-see_also'> + <refsect1 xml:id="pam_xauth-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -276,12 +273,12 @@ session optional pam_xauth.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_xauth-author'> + <refsect1 xml:id="pam_xauth-author"> <title>AUTHOR</title> <para> pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, @@ -290,4 +287,4 @@ session optional pam_xauth.so </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index 3339def8..f3e2a40d 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -1,4 +1,6 @@ /* + * pam_xauth module + * * Copyright 2001-2003 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without @@ -50,9 +52,7 @@ #include <stdlib.h> #include <string.h> #include <syslog.h> -#include <unistd.h> - -#define PAM_SM_SESSION +#include <signal.h> #include <security/pam_modules.h> #include <security/_pam_macros.h> @@ -62,9 +62,11 @@ #ifdef WITH_SELINUX #include <selinux/selinux.h> #include <selinux/label.h> -#include <sys/stat.h> #endif +#include "pam_cc_compat.h" +#include "pam_inline.h" + #define DATANAME "pam_xauth_cookie_file" #define XAUTHENV "XAUTHORITY" #define HOMEENV "HOME" @@ -98,6 +100,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, char *buffer = NULL; size_t buffer_size = 0; va_list ap; + struct sigaction newsa, oldsa; *output = NULL; @@ -113,6 +116,17 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, return -1; } + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(pamh, LOG_ERR, "failed to reset SIGCHLD handler: %m"); + close(ipipe[0]); + close(ipipe[1]); + close(opipe[0]); + close(opipe[1]); + return -1; + } + /* Fork off a child. */ child = fork(); if (child == -1) { @@ -127,7 +141,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, if (child == 0) { /* We're the child. */ size_t j; - const char *args[10]; + const char *args[10] = {}; /* Drop privileges. */ if (setgid(gid) == -1) { @@ -167,19 +181,19 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, PAM_MODUTIL_NULL_FD) < 0) { _exit(1); } - /* Initialize the argument list. */ - memset(args, 0, sizeof(args)); /* Convert the varargs list into a regular array of strings. */ va_start(ap, command); args[0] = command; - for (j = 1; j < ((sizeof(args) / sizeof(args[0])) - 1); j++) { + for (j = 1; j < PAM_ARRAY_SIZE(args) - 1; j++) { args[j] = va_arg(ap, const char*); if (args[j] == NULL) { break; } } /* Run the command. */ + DIAG_PUSH_IGNORE_CAST_QUAL; execv(command, (char *const *) args); + DIAG_POP_IGNORE_CAST_QUAL; /* Never reached. */ _exit(1); } @@ -206,6 +220,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, } close(opipe[0]); waitpid(child, NULL, 0); + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ return -1; } /* Save the new buffer location, copy the newly-read data into @@ -222,6 +237,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, close(opipe[0]); *output = buffer; waitpid(child, NULL, 0); + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ return 0; } @@ -361,17 +377,19 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Parse arguments. We don't understand many, so no sense in breaking * this into a separate function. */ for (i = 0; i < argc; i++) { + const char *str; + if (strcmp(argv[i], "debug") == 0) { debug = 1; continue; } - if (strncmp(argv[i], "xauthpath=", 10) == 0) { - xauth = argv[i] + 10; + if ((str = pam_str_skip_prefix(argv[i], "xauthpath=")) != NULL) { + xauth = str; continue; } - if (strncmp(argv[i], "targetuser=", 11) == 0) { - long l = strtol(argv[i] + 11, &tmp, 10); - if ((strlen(argv[i] + 11) > 0) && (*tmp == '\0')) { + if ((str = pam_str_skip_prefix(argv[i], "targetuser=")) != NULL) { + long l = strtol(str, &tmp, 10); + if ((*str != '\0') && (*tmp == '\0')) { targetuser = l; } else { pam_syslog(pamh, LOG_WARNING, @@ -380,9 +398,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, } continue; } - if (strncmp(argv[i], "systemuser=", 11) == 0) { - long l = strtol(argv[i] + 11, &tmp, 10); - if ((strlen(argv[i] + 11) > 0) && (*tmp == '\0')) { + if ((str = pam_str_skip_prefix(argv[i], "systemuser=")) != NULL) { + long l = strtol(str, &tmp, 10); + if ((*str != '\0') && (*tmp == '\0')) { systemuser = l; } else { pam_syslog(pamh, LOG_WARNING, @@ -397,7 +415,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, if (xauth == NULL) { size_t j; - for (j = 0; j < sizeof(xauthpaths)/sizeof(xauthpaths[0]); j++) { + for (j = 0; j < PAM_ARRAY_SIZE(xauthpaths); j++) { if (access(xauthpaths[j], X_OK) == 0) { xauth = xauthpaths[j]; break; @@ -420,8 +438,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Read the target user's name. */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, - "error determining target user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); retval = PAM_SESSION_ERR; goto cleanup; } @@ -437,7 +454,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, * on the xauthority file we create later on. */ tpwd = pam_modutil_getpwnam(pamh, user); if (tpwd == NULL) { - pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_NOTICE, "error determining target user's UID"); retval = PAM_SESSION_ERR; goto cleanup; @@ -528,14 +545,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, xauth, "-f", cookiefile, "nlist", display, NULL) == 0) { #ifdef WITH_SELINUX - security_context_t context = NULL; + char *context_raw = NULL; #endif PAM_MODUTIL_DEF_PRIVS(privs); /* Check that we got a cookie. If not, we get creative. */ if (((cookie == NULL) || (strlen(cookie) == 0)) && - ((strncmp(display, "localhost:", 10) == 0) || - (strncmp(display, "localhost/unix:", 15) == 0))) { + (pam_str_skip_prefix(display, "localhost:") != NULL || + pam_str_skip_prefix(display, "localhost/unix:") != NULL)) { char *t, *screen; size_t tlen, slen; /* Free the useless cookie string. */ @@ -545,9 +562,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, } /* Allocate enough space to hold an adjusted name. */ tlen = strlen(display) + LINE_MAX + 1; - t = malloc(tlen); + t = calloc(1, tlen); if (t != NULL) { - memset(t, 0, tlen); if (gethostname(t, tlen - 1) != -1) { /* Append the protocol and then the * screen number. */ @@ -622,16 +638,16 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, if (is_selinux_enabled() > 0) { struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); if (ctx != NULL) { - if (selabel_lookup(ctx, &context, - xauthority + sizeof(XAUTHENV), S_IFREG) != 0) { + if (selabel_lookup_raw(ctx, &context_raw, + xauthority + sizeof(XAUTHENV), S_IFREG) != 0) { pam_syslog(pamh, LOG_WARNING, "could not get SELinux label for '%s'", xauthority + sizeof(XAUTHENV)); } selabel_close(ctx); - if (setfscreatecon(context)) { + if (setfscreatecon_raw(context_raw)) { pam_syslog(pamh, LOG_WARNING, - "setfscreatecon(%s) failed: %m", context); + "setfscreatecon_raw(%s) failed: %m", context_raw); } } } @@ -642,9 +658,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, "error creating temporary file `%s': %m", xauthority + sizeof(XAUTHENV)); #ifdef WITH_SELINUX - if (context != NULL) { - free(context); - setfscreatecon(NULL); + if (context_raw != NULL) { + free(context_raw); + setfscreatecon_raw(NULL); } #endif /* WITH_SELINUX */ if (fd >= 0) @@ -766,23 +782,22 @@ pam_sm_close_session (pam_handle_t *pamh, int flags UNUSED, debug = 1; continue; } - if (strncmp(argv[i], "xauthpath=", 10) == 0) + if (pam_str_skip_prefix(argv[i], "xauthpath=") != NULL) continue; - if (strncmp(argv[i], "systemuser=", 11) == 0) + if (pam_str_skip_prefix(argv[i], "systemuser=") != NULL) continue; - if (strncmp(argv[i], "targetuser=", 11) == 0) + if (pam_str_skip_prefix(argv[i], "targetuser=") != NULL) continue; pam_syslog(pamh, LOG_WARNING, "unrecognized option `%s'", argv[i]); } if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, - "error determining target user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_SESSION_ERR; } if (!(tpwd = pam_modutil_getpwnam(pamh, user))) { - pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_NOTICE, "error determining target user's UID"); return PAM_SESSION_ERR; } |