diff options
Diffstat (limited to 'modules')
333 files changed, 8051 insertions, 4669 deletions
diff --git a/modules/Makefile.in b/modules/Makefile.in index 98436b00..9ac4d669 100644 --- a/modules/Makefile.in +++ b/modules/Makefile.in @@ -230,6 +230,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -242,11 +243,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -278,12 +281,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -306,6 +311,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -316,12 +322,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am index 5723dd59..8af2852a 100644 --- a/modules/pam_access/Makefile.am +++ b/modules/pam_access/Makefile.am @@ -15,11 +15,14 @@ dist_check_SCRIPTS = tst-pam_access TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ - -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_access/Makefile.in b/modules/pam_access/Makefile.in index 6f9abf45..9dadd2d3 100644 --- a/modules/pam_access/Makefile.in +++ b/modules/pam_access/Makefile.in @@ -431,6 +431,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +444,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -479,12 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -517,12 +523,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -596,10 +606,10 @@ XMLS = README.xml access.conf.5.xml pam_access.8.xml dist_check_SCRIPTS = tst-pam_access TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ - -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_access.la diff --git a/modules/pam_access/README b/modules/pam_access/README index 26aad33e..891e7688 100644 --- a/modules/pam_access/README +++ b/modules/pam_access/README @@ -18,6 +18,20 @@ of parsing. This means that once a pattern is matched in some file no further files are parsed. If a config file is explicitly specified with the accessfile option the files in the above directory are not parsed. +By default rules for access management are taken from config file /etc/security +/access.conf or, if that one is not present, the file %vendordir%/security/ +access.conf. These settings can be overruled by setting in a config file +explicitly specified with the accessfile option. Then individual *.conf files +from the /etc/security/access.d/ and %vendordir%/security/access.d directories +are read. If /etc/security/access.d/@filename@.conf exists, then %vendordir%/ +security/access.d/@filename@.conf will not be used. All access.d/*.conf files +are sorted by their @filename@.conf in lexicographic order regardless of which +of the directories they reside in. The effect of the individual files is the +same as if all the files were concatenated together in the order of parsing. +This means that once a pattern is matched in some file no further files are +parsed. If a config file is explicitly specified with the accessfile option the +files in the above directories are not parsed. + If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc.). diff --git a/modules/pam_access/README.xml b/modules/pam_access/README.xml index 8c7d078b..408aed00 100644 --- a/modules/pam_access/README.xml +++ b/modules/pam_access/README.xml @@ -1,39 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_access.8.xml"> ---> -<!-- -<!ENTITY accessconf SYSTEM "access.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_access-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_access.8.xml" xpointer='xpointer(id("pam_access-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_access.8.xml" xpointer='xpointer(id("pam_access-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_access.8.xml" xpointer='xpointer(id("pam_access-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="access.conf.5.xml" xpointer='xpointer(id("access.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5 index 3204aedf..774e5cd9 100644 --- a/modules/pam_access/access.conf.5 +++ b/modules/pam_access/access.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: access.conf .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: [FIXME: source] .\" Language: English .\" -.TH "ACCESS\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "ACCESS\&.CONF" "5" "05/07/2023" "[FIXME: source]" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -210,7 +210,7 @@ option, the spaces will become part of the actual item and the line will be most .PP \fBpam_access\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHORS" .PP Original diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 8fdbc31d..e1e5531f 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -1,8 +1,4 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - -<refentry id="access.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="access.conf"> <refmeta> <refentrytitle>access.conf</refentrytitle> @@ -16,7 +12,7 @@ </refnamediv> - <refsect1 id='access.conf-description'> + <refsect1 xml:id="access.conf-description"> <title>DESCRIPTION</title> <para> The <filename>/etc/security/access.conf</filename> file specifies @@ -126,7 +122,7 @@ </refsect1> - <refsect1 id="access.conf-examples"> + <refsect1 xml:id="access.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -135,7 +131,7 @@ <para> User <emphasis>root</emphasis> should be allowed to get access via - <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>, + <emphasis>cron</emphasis>, X11 terminal <emphasis remap="I">:0</emphasis>, <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>, <emphasis>tty6</emphasis>. </para> @@ -216,7 +212,7 @@ </refsect1> - <refsect1 id="access.conf-notes"> + <refsect1 xml:id="access.conf-notes"> <title>NOTES</title> <para> The default separators of list items in a field are space, ',', and tabulator @@ -228,16 +224,16 @@ </para> </refsect1> - <refsect1 id="access.conf-see_also"> + <refsect1 xml:id="access.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="access.conf-author"> + <refsect1 xml:id="access.conf-author"> <title>AUTHORS</title> <para> Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry> @@ -250,4 +246,4 @@ introduced by Mike Becher <mike.becher@lrz-muenchen.de>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8 index 92de516d..5b0e1a3f 100644 --- a/modules/pam_access/pam_access.8 +++ b/modules/pam_access/pam_access.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_access .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ACCESS" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_ACCESS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -51,25 +51,25 @@ option the files in the above directory are not parsed\&. If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc\&.)\&. .SH "OPTIONS" .PP -\fBaccessfile=\fR\fB\fI/path/to/access\&.conf\fR\fR +accessfile=/path/to/access\&.conf .RS 4 Indicate an alternative access\&.conf style configuration file to override the default\&. This can be useful when different services need different access lists\&. .RE .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report logins from disallowed hosts and ttys to the audit subsystem\&. .RE .PP -\fBfieldsep=\fR\fB\fIseparators\fR\fR +fieldsep=separators .RS 4 This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\&. For example: \fBfieldsep=|\fR @@ -78,14 +78,14 @@ will cause the default `:\*(Aq character to be treated as part of a field value item is likely to be of the form "hostname:0" which includes a `:\*(Aq character in its value\&. But you should not need this\&. .RE .PP -\fBlistsep=\fR\fB\fIseparators\fR\fR +listsep=separators .RS 4 This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\&. For example: \fBlistsep=,\fR will cause the default ` \*(Aq (space) and `\et\*(Aq (tab) characters to be treated as part of a list element value and `,\*(Aq becomes the only list element separator\&. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\&. .RE .PP -\fBnodefgroup\fR +nodefgroup .RS 4 User tokens which are not enclosed in parentheses will not be matched against the group database\&. The backwards compatible default is to try the group database match even for tokens not enclosed in parentheses\&. .RE @@ -133,7 +133,7 @@ Default configuration file .PP \fBaccess.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&. diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index 9a6556cc..cc01d5ca 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_access'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_access"> <refmeta> <refentrytitle>pam_access</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_access-name'> + <refnamediv xml:id="pam_access-name"> <refname>pam_access</refname> <refpurpose> PAM module for logdaemon style login access control @@ -20,31 +17,31 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_access-cmdsynopsis"> + <cmdsynopsis xml:id="pam_access-cmdsynopsis" sepchar=" "> <command>pam_access.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nodefgroup </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> accessfile=<replaceable>file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> fieldsep=<replaceable>sep</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> listsep=<replaceable>sep</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_access-description"> + <refsect1 xml:id="pam_access-description"> <title>DESCRIPTION</title> <para> The pam_access PAM module is mainly for access management. @@ -53,7 +50,7 @@ or on terminal line names, X <varname>$DISPLAY</varname> values, or PAM service names in case of non-networked logins. </para> - <para> + <para condition="without_vendordir"> By default rules for access management are taken from config file <filename>/etc/security/access.conf</filename> if you don't specify another file. @@ -66,19 +63,39 @@ If a config file is explicitly specified with the <option>accessfile</option> option the files in the above directory are not parsed. </para> + <para condition="with_vendordir"> + By default rules for access management are taken from config file + <filename>/etc/security/access.conf</filename> or, if that one is not + present, the file <filename>%vendordir%/security/access.conf</filename>. + These settings can be overruled by setting in a config file explicitly + specified with the <option>accessfile</option> option. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/access.d/</filename> and + <filename>%vendordir%/security/access.d</filename> directories are read. + If <filename>/etc/security/access.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/access.d/@filename@.conf</filename> will not be used. + All <filename>access.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + The effect of the individual files is the same as if all the files were + concatenated together in the order of parsing. This means that once + a pattern is matched in some file no further files are parsed. + If a config file is explicitly specified with the <option>accessfile</option> + option the files in the above directories are not parsed. + </para> <para> If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host, tty, etc.). </para> </refsect1> - <refsect1 id="pam_access-options"> + <refsect1 xml:id="pam_access-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>accessfile=<replaceable>/path/to/access.conf</replaceable></option> + accessfile=/path/to/access.conf </term> <listitem> <para> @@ -91,7 +108,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -103,7 +120,7 @@ <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -114,19 +131,19 @@ <varlistentry> <term> - <option>fieldsep=<replaceable>separators</replaceable></option> + fieldsep=separators </term> <listitem> <para> This option modifies the field separator character that pam_access will recognize when parsing the access configuration file. For example: - <emphasis remap='B'>fieldsep=|</emphasis> will cause the + <emphasis remap="B">fieldsep=|</emphasis> will cause the default `:' character to be treated as part of a field value and `|' becomes the field separator. Doing this may be useful in conjunction with a system that wants to use pam_access with X based applications, since the - <emphasis remap='B'>PAM_TTY</emphasis> item is likely to be + <emphasis remap="B">PAM_TTY</emphasis> item is likely to be of the form "hostname:0" which includes a `:' character in its value. But you should not need this. </para> @@ -135,14 +152,14 @@ <varlistentry> <term> - <option>listsep=<replaceable>separators</replaceable></option> + listsep=separators </term> <listitem> <para> This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. For example: - <emphasis remap='B'>listsep=,</emphasis> will cause the + <emphasis remap="B">listsep=,</emphasis> will cause the default ` ' (space) and `\t' (tab) characters to be treated as part of a list element value and `,' becomes the only list element separator. Doing this may be useful on a system @@ -155,7 +172,7 @@ <varlistentry> <term> - <option>nodefgroup</option> + nodefgroup </term> <listitem> <para> @@ -170,7 +187,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_access-types"> + <refsect1 xml:id="pam_access-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -178,7 +195,7 @@ </para> </refsect1> - <refsect1 id="pam_access-return_values"> + <refsect1 xml:id="pam_access-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -224,19 +241,26 @@ </variablelist> </refsect1> - <refsect1 id="pam_access-files"> + <refsect1 xml:id="pam_access-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/access.conf</filename></term> + <term>/etc/security/access.conf</term> <listitem> <para>Default configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/access.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/access.conf</filename> does not exist.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_access-see_also"> + <refsect1 xml:id="pam_access-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -246,12 +270,12 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_access-authors"> + <refsect1 xml:id="pam_access-authors"> <title>AUTHORS</title> <para> The logdaemon style login access control scheme was designed and implemented by @@ -262,4 +286,4 @@ was developed and provided by Mike Becher <mike.becher@lrz-muenchen.de>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 277192b9..f70b7e49 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -56,6 +56,13 @@ #include "pam_cc_compat.h" #include "pam_inline.h" +#define PAM_ACCESS_CONFIG (SCONFIGDIR "/access.conf") +#define ACCESS_CONF_GLOB (SCONFIGDIR "/access.d/*.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PAM_ACCESS_CONFIG (VENDOR_SCONFIGDIR "/access.conf") +#define VENDOR_ACCESS_CONF_GLOB (VENDOR_SCONFIGDIR "/access.d/*.conf") +#endif + /* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */ /* @@ -151,6 +158,95 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, return 1; /* OK */ } +/* --- evaluting all files in VENDORDIR/security/access.d and /etc/security/access.d --- */ +static const char *base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (const char * const *) a), + base_name(* (const char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/access.d/@filename@.conf exists, then + * %vendordir%/security/access.d/@filename@.conf should not be used. + * - All files in both access.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char **read_access_dir(pam_handle_t *pamh) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0; + +#ifdef VENDOR_ACCESS_CONF_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_ACCESS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_ACCESS_CONF_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_ACCESS_CONF_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* --- static functions for checking whether the user should be let in --- */ typedef int match_func (pam_handle_t *, char *, struct login_info *); @@ -567,7 +663,7 @@ static int group_match (pam_handle_t *pamh, const char *tok, const char* usr, int debug) { - char grptok[BUFSIZ]; + char grptok[BUFSIZ] = {}; if (debug) pam_syslog (pamh, LOG_DEBUG, @@ -577,7 +673,6 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr, return NO; /* token is received under the format '(...)' */ - memset(grptok, 0, BUFSIZ); strncpy(grptok, tok + 1, strlen(tok) - 2); if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok)) @@ -637,7 +732,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) if ((str_len = strlen(string)) > tok_len && strcasecmp(tok, string + str_len - tok_len) == 0) return YES; - } else if (tok[tok_len - 1] == '.') { + } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ struct addrinfo hint; memset (&hint, '\0', sizeof (hint)); @@ -678,7 +773,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) return NO; } - /* Assume network/netmask with an IP of a host. */ + /* Assume network/netmask, IP address or hostname. */ return network_netmask_match(pamh, tok, string, item); } @@ -696,7 +791,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, /* * If the token has the magic value "ALL" the match always succeeds. * Otherwise, return YES if the token fully matches the string. - * "NONE" token matches NULL string. + * "NONE" token matches NULL string. */ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ @@ -714,7 +809,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, /* network_netmask_match - match a string against one token * where string is a hostname or ip (v4,v6) address and tok - * represents either a single ip (v4,v6) address or a network/netmask + * represents either a hostname, a single ip (v4,v6) address + * or a network/netmask */ static int network_netmask_match (pam_handle_t *pamh, @@ -723,10 +819,12 @@ network_netmask_match (pam_handle_t *pamh, char *netmask_ptr; char netmask_string[MAXHOSTNAMELEN + 1]; int addr_type; + struct addrinfo *ai = NULL; if (item->debug) - pam_syslog (pamh, LOG_DEBUG, + pam_syslog (pamh, LOG_DEBUG, "network_netmask_match: tok=%s, item=%s", tok, string); + /* OK, check if tok is of type addr/mask */ if ((netmask_ptr = strchr(tok, '/')) != NULL) { @@ -760,54 +858,108 @@ network_netmask_match (pam_handle_t *pamh, netmask_ptr = number_to_netmask(netmask, addr_type, netmask_string, MAXHOSTNAMELEN); } - } + + /* + * Construct an addrinfo list from the IP address. + * This should not fail as the input is a correct IP address... + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + return NO; + } + } else - /* NO, then check if it is only an addr */ - if (isipaddr(tok, NULL, NULL) != YES) + { + /* + * It is either an IP address or a hostname. + * Let getaddrinfo sort everything out + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) { + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); + return NO; } + netmask_ptr = NULL; + } if (isipaddr(string, NULL, NULL) != YES) { - /* Assume network/netmask with a name of a host. */ struct addrinfo hint; + /* Assume network/netmask with a name of a host. */ memset (&hint, '\0', sizeof (hint)); hint.ai_flags = AI_CANONNAME; hint.ai_family = AF_UNSPEC; if (item->gai_rv != 0) + { + freeaddrinfo(ai); return NO; + } else if (!item->res && (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0) + { + freeaddrinfo(ai); return NO; + } else { struct addrinfo *runp = item->res; + struct addrinfo *runp1; while (runp != NULL) { char buf[INET6_ADDRSTRLEN]; - DIAG_PUSH_IGNORE_CAST_ALIGN; - inet_ntop (runp->ai_family, - runp->ai_family == AF_INET - ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr - : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, - buf, sizeof (buf)); - DIAG_POP_IGNORE_CAST_ALIGN; + if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0) + { + freeaddrinfo(ai); + return NO; + } - if (are_addresses_equal(buf, tok, netmask_ptr)) + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) { - return YES; + char buf1[INET6_ADDRSTRLEN]; + + if (runp->ai_family != runp1->ai_family) + continue; + + if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) + { + freeaddrinfo(ai); + return NO; + } + + if (are_addresses_equal (buf, buf1, netmask_ptr)) + { + freeaddrinfo(ai); + return YES; + } } runp = runp->ai_next; } } } else - return (are_addresses_equal(string, tok, netmask_ptr)); + { + struct addrinfo *runp1; + + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) + { + char buf1[INET6_ADDRSTRLEN]; + + (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + + if (are_addresses_equal(string, buf1, netmask_ptr)) + { + freeaddrinfo(ai); + return YES; + } + } + } + + freeaddrinfo(ai); return NO; } @@ -828,7 +980,6 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, char hostname[MAXHOSTNAMELEN + 1]; int rv; - /* set username */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { @@ -853,6 +1004,18 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_ABORT; } +#ifdef VENDOR_PAM_ACCESS_CONFIG + if (loginfo.config_file == default_config) { + /* Check whether PAM_ACCESS_CONFIG file is available. + * If it does not exist, fall back to VENDOR_PAM_ACCESS_CONFIG file. */ + struct stat buffer; + if (stat(loginfo.config_file, &buffer) != 0 && errno == ENOENT) { + default_config = VENDOR_PAM_ACCESS_CONFIG; + loginfo.config_file = default_config; + } + } +#endif + /* remote host name */ if (pam_get_item(pamh, PAM_RHOST, &void_from) @@ -916,23 +1079,18 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, rv = login_access(pamh, &loginfo); if (rv == NOMATCH && loginfo.config_file == default_config) { - glob_t globbuf; - int i, glob_rv; - - /* We do not manipulate locale as setlocale() is not - * thread safe. We could use uselocale() in future. - */ - glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); - if (!glob_rv) { - /* Parse the *.conf files. */ - for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { - loginfo.config_file = globbuf.gl_pathv[i]; - rv = login_access(pamh, &loginfo); - if (rv != NOMATCH) - break; - } - globfree(&globbuf); - } + char **filename_list = read_access_dir(pamh); + if (filename_list != NULL) { + for (int i = 0; filename_list[i] != NULL; i++) { + loginfo.config_file = filename_list[i]; + rv = login_access(pamh, &loginfo); + if (rv != NOMATCH) + break; + } + for (int i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); + } } if (loginfo.gai_rv == 0 && loginfo.res) diff --git a/modules/pam_debug/Makefile.am b/modules/pam_debug/Makefile.am index 8aa63056..0333d9ba 100644 --- a/modules/pam_debug/Makefile.am +++ b/modules/pam_debug/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_debug TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_debug/Makefile.in b/modules/pam_debug/Makefile.in index ba2cc799..32fa197d 100644 --- a/modules/pam_debug/Makefile.in +++ b/modules/pam_debug/Makefile.in @@ -433,6 +433,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +446,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +525,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -598,7 +608,8 @@ XMLS = README.xml pam_debug.8.xml dist_check_SCRIPTS = tst-pam_debug TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_debug/README.xml b/modules/pam_debug/README.xml index ef41911b..cdcec7f4 100644 --- a/modules/pam_debug/README.xml +++ b/modules/pam_debug/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_debug.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_debug-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_debug.8.xml" xpointer='xpointer(id("pam_debug-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_debug/pam_debug.8 b/modules/pam_debug/pam_debug.8 index b3e68e21..2b2dee3b 100644 --- a/modules/pam_debug/pam_debug.8 +++ b/modules/pam_debug/pam_debug.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_debug .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_DEBUG" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_DEBUG" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_debug \- PAM module to debug the PAM stack The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating\&. This module returns what its module arguments tell it to return\&. .SH "OPTIONS" .PP -\fBauth=\fR\fB\fIvalue\fR\fR +auth=value .RS 4 The \fBpam_sm_authenticate\fR(3) @@ -45,7 +45,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBcred=\fR\fB\fIvalue\fR\fR +cred=value .RS 4 The \fBpam_sm_setcred\fR(3) @@ -53,7 +53,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBacct=\fR\fB\fIvalue\fR\fR +acct=value .RS 4 The \fBpam_sm_acct_mgmt\fR(3) @@ -61,7 +61,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBprechauthtok=\fR\fB\fIvalue\fR\fR +prechauthtok=value .RS 4 The \fBpam_sm_chauthtok\fR(3) @@ -72,7 +72,7 @@ if the flag is set\&. .RE .PP -\fBchauthtok=\fR\fB\fIvalue\fR\fR +chauthtok=value .RS 4 The \fBpam_sm_chauthtok\fR(3) @@ -85,7 +85,7 @@ flag is set\&. .RE .PP -\fBopen_session=\fR\fB\fIvalue\fR\fR +open_session=value .RS 4 The \fBpam_sm_open_session\fR(3) @@ -93,7 +93,7 @@ function will return \fIvalue\fR\&. .RE .PP -\fBclose_session=\fR\fB\fIvalue\fR\fR +close_session=value .RS 4 The \fBpam_sm_close_session\fR(3) @@ -138,7 +138,7 @@ auth sufficient pam_debug\&.so auth=success cred=success .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_debug was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_debug/pam_debug.8.xml b/modules/pam_debug/pam_debug.8.xml index 3d85f4d8..939c19bb 100644 --- a/modules/pam_debug/pam_debug.8.xml +++ b/modules/pam_debug/pam_debug.8.xml @@ -1,51 +1,48 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_debug"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_debug"> <refmeta> <refentrytitle>pam_debug</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_debug-name"> + <refnamediv xml:id="pam_debug-name"> <refname>pam_debug</refname> <refpurpose>PAM module to debug the PAM stack</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_debug-cmdsynopsis"> + <cmdsynopsis xml:id="pam_debug-cmdsynopsis" sepchar=" "> <command>pam_debug.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> auth=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> cred=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> acct=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> prechauthtok=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> chauthtok=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> auth=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> open_session=<replaceable>value</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> close_session=<replaceable>value</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_debug-description"> + <refsect1 xml:id="pam_debug-description"> <title>DESCRIPTION</title> <para> The pam_debug PAM module is intended as a debugging aide for @@ -54,12 +51,12 @@ </para> </refsect1> - <refsect1 id="pam_debug-options"> + <refsect1 xml:id="pam_debug-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>auth=<replaceable>value</replaceable></option> + auth=value </term> <listitem> <para> @@ -73,7 +70,7 @@ </varlistentry> <varlistentry> <term> - <option>cred=<replaceable>value</replaceable></option> + cred=value </term> <listitem> <para> @@ -87,7 +84,7 @@ </varlistentry> <varlistentry> <term> - <option>acct=<replaceable>value</replaceable></option> + acct=value </term> <listitem> <para> @@ -101,7 +98,7 @@ </varlistentry> <varlistentry> <term> - <option>prechauthtok=<replaceable>value</replaceable></option> + prechauthtok=value </term> <listitem> <para> @@ -116,7 +113,7 @@ </varlistentry> <varlistentry> <term> - <option>chauthtok=<replaceable>value</replaceable></option> + chauthtok=value </term> <listitem> <para> @@ -126,13 +123,13 @@ </citerefentry> function will return <replaceable>value</replaceable> if the <emphasis>PAM_PRELIM_CHECK</emphasis> flag is - <emphasis remap='B'>not</emphasis> set. + <emphasis remap="B">not</emphasis> set. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>open_session=<replaceable>value</replaceable></option> + open_session=value </term> <listitem> <para> @@ -146,7 +143,7 @@ </varlistentry> <varlistentry> <term> - <option>close_session=<replaceable>value</replaceable></option> + close_session=value </term> <listitem> <para> @@ -171,7 +168,7 @@ </para> </refsect1> - <refsect1 id="pam_debug-types"> + <refsect1 xml:id="pam_debug-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -179,7 +176,7 @@ </para> </refsect1> - <refsect1 id='pam_debug-return_values'> + <refsect1 xml:id="pam_debug-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -194,7 +191,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_debug-examples'> + <refsect1 xml:id="pam_debug-examples"> <title>EXAMPLES</title> <programlisting> auth requisite pam_permit.so @@ -206,7 +203,7 @@ auth sufficient pam_debug.so auth=success cred=success </programlisting> </refsect1> - <refsect1 id='pam_debug-see_also'> + <refsect1 xml:id="pam_debug-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -216,16 +213,16 @@ auth sufficient pam_debug.so auth=success cred=success <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_debug-author'> + <refsect1 xml:id="pam_debug-author"> <title>AUTHOR</title> <para> pam_debug was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_deny/Makefile.am b/modules/pam_deny/Makefile.am index fa9b9c8b..952df4d6 100644 --- a/modules/pam_deny/Makefile.am +++ b/modules/pam_deny/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_deny TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_deny/Makefile.in b/modules/pam_deny/Makefile.in index 612ee697..98bc5b1c 100644 --- a/modules/pam_deny/Makefile.in +++ b/modules/pam_deny/Makefile.in @@ -433,6 +433,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +446,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +525,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -598,7 +608,8 @@ XMLS = README.xml pam_deny.8.xml dist_check_SCRIPTS = tst-pam_deny TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_deny/README.xml b/modules/pam_deny/README.xml index ff2e82b0..d3ba53ce 100644 --- a/modules/pam_deny/README.xml +++ b/modules/pam_deny/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_deny.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_deny-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_deny.8.xml" xpointer='xpointer(id("pam_deny-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_deny/pam_deny.8 b/modules/pam_deny/pam_deny.8 index 7f474330..81d53435 100644 --- a/modules/pam_deny/pam_deny.8 +++ b/modules/pam_deny/pam_deny.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_deny .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_DENY" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_DENY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -96,7 +96,7 @@ other session required pam_deny\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_deny was written by Andrew G\&. Morgan <morgan@kernel\&.org> diff --git a/modules/pam_deny/pam_deny.8.xml b/modules/pam_deny/pam_deny.8.xml index a9283582..de41a597 100644 --- a/modules/pam_deny/pam_deny.8.xml +++ b/modules/pam_deny/pam_deny.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_deny"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_deny"> <refmeta> <refentrytitle>pam_deny</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_deny-name"> + <refnamediv xml:id="pam_deny-name"> <refname>pam_deny</refname> <refpurpose>The locking-out PAM module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_deny-cmdsynopsis"> + <cmdsynopsis xml:id="pam_deny-cmdsynopsis" sepchar=" "> <command>pam_deny.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_deny-description"> + <refsect1 xml:id="pam_deny-description"> <title>DESCRIPTION</title> @@ -33,12 +30,12 @@ </refsect1> - <refsect1 id="pam_deny-options"> + <refsect1 xml:id="pam_deny-options"> <title>OPTIONS</title> <para>This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_deny-types"> + <refsect1 xml:id="pam_deny-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -46,7 +43,7 @@ </para> </refsect1> - <refsect1 id='pam_deny-return_values'> + <refsect1 xml:id="pam_deny-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -91,7 +88,7 @@ </para> </refsect1> - <refsect1 id='pam_deny-examples'> + <refsect1 xml:id="pam_deny-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -110,7 +107,7 @@ other session required pam_deny.so </programlisting> </refsect1> - <refsect1 id='pam_deny-see_also'> + <refsect1 xml:id="pam_deny-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -120,16 +117,16 @@ other session required pam_deny.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_deny-author'> + <refsect1 xml:id="pam_deny-author"> <title>AUTHOR</title> <para> pam_deny was written by Andrew G. Morgan <morgan@kernel.org> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_echo/Makefile.am b/modules/pam_echo/Makefile.am index b855e622..7d7ae983 100644 --- a/modules/pam_echo/Makefile.am +++ b/modules/pam_echo/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_echo TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_echo/Makefile.in b/modules/pam_echo/Makefile.in index 7b591fa3..f1b3f7ef 100644 --- a/modules/pam_echo/Makefile.in +++ b/modules/pam_echo/Makefile.in @@ -433,6 +433,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +446,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +525,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -598,7 +608,8 @@ XMLS = README.xml pam_echo.8.xml dist_check_SCRIPTS = tst-pam_echo TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_echo/README.xml b/modules/pam_echo/README.xml index b1556e38..ceecf9ef 100644 --- a/modules/pam_echo/README.xml +++ b/modules/pam_echo/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_echo.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_echo-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_echo.8.xml" xpointer='xpointer(id("pam_echo-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_echo/pam_echo.8 b/modules/pam_echo/pam_echo.8 index ba46e061..5f0712b9 100644 --- a/modules/pam_echo/pam_echo.8 +++ b/modules/pam_echo/pam_echo.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_echo .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ECHO" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_ECHO" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -40,32 +40,32 @@ PAM module is for printing text messages to inform user about special things\&. \fI%\fR character are interpreted in the following way: .PP -\fI%H\fR +%H .RS 4 The name of the remote host (PAM_RHOST)\&. .RE .PP -\fI%h\fR +%h .RS 4 The name of the local host\&. .RE .PP -\fI%s\fR +%s .RS 4 The service name (PAM_SERVICE)\&. .RE .PP -\fI%t\fR +%t .RS 4 The name of the controlling terminal (PAM_TTY)\&. .RE .PP -\fI%U\fR +%U .RS 4 The remote user name (PAM_RUSER)\&. .RE .PP -\fI%u\fR +%u .RS 4 The local user name (PAM_USER)\&. .RE @@ -77,7 +77,7 @@ expands to the characters following the character\&. .SH "OPTIONS" .PP -\fBfile=\fR\fB\fI/path/message\fR\fR +file=/path/message .RS 4 The content of the file /path/message @@ -126,7 +126,7 @@ password required pam_unix\&.so .PP \fBpam.conf\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP Thorsten Kukuk <kukuk@thkukuk\&.de> diff --git a/modules/pam_echo/pam_echo.8.xml b/modules/pam_echo/pam_echo.8.xml index ef76b022..cf2d0062 100644 --- a/modules/pam_echo/pam_echo.8.xml +++ b/modules/pam_echo/pam_echo.8.xml @@ -1,15 +1,12 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_echo'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_echo"> <refmeta> <refentrytitle>pam_echo</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_echo-name'> + <refnamediv xml:id="pam_echo-name"> <refname>pam_echo</refname> <refpurpose>PAM module for printing text messages</refpurpose> </refnamediv> @@ -17,15 +14,15 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_echo-cmdsynopsis"> + <cmdsynopsis xml:id="pam_echo-cmdsynopsis" sepchar=" "> <command>pam_echo.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> file=<replaceable>/path/message</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id='pam_echo-description'> + <refsect1 xml:id="pam_echo-description"> <title>DESCRIPTION</title> <para> The <emphasis>pam_echo</emphasis> PAM module is for printing @@ -35,37 +32,37 @@ </para> <variablelist> <varlistentry> - <term><emphasis>%H</emphasis></term> + <term>%H</term> <listitem> <para>The name of the remote host (PAM_RHOST).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%h</emphasis></term> + <term>%h</term> <listitem> <para>The name of the local host.</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%s</emphasis></term> + <term>%s</term> <listitem> <para>The service name (PAM_SERVICE).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%t</emphasis></term> + <term>%t</term> <listitem> <para>The name of the controlling terminal (PAM_TTY).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%U</emphasis></term> + <term>%U</term> <listitem> <para>The remote user name (PAM_RUSER).</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis>%u</emphasis></term> + <term>%u</term> <listitem> <para>The local user name (PAM_USER).</para> </listitem> @@ -79,12 +76,12 @@ </para> </refsect1> - <refsect1 id='pam_echo-options'> + <refsect1 xml:id="pam_echo-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>file=<replaceable>/path/message</replaceable></option> + file=/path/message </term> <listitem> <para> @@ -96,7 +93,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_echo-types"> + <refsect1 xml:id="pam_echo-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -106,7 +103,7 @@ </refsect1> - <refsect1 id="pam_echo-return_values"> + <refsect1 xml:id="pam_echo-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -137,7 +134,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_echo-examples'> + <refsect1 xml:id="pam_echo-examples"> <title>EXAMPLES</title> <para> For an example of the use of this module, we show how it may be @@ -150,7 +147,7 @@ password required pam_unix.so </refsect1> - <refsect1 id='pam_echo-see_also'><title>SEE ALSO</title> + <refsect1 xml:id="pam_echo-see_also"><title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>8</manvolnum> @@ -159,12 +156,12 @@ password required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry></para> </refsect1> - <refsect1 id='pam_echo-author'> + <refsect1 xml:id="pam_echo-author"> <title>AUTHOR</title> <para>Thorsten Kukuk <kukuk@thkukuk.de></para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am index c66112d6..f988f109 100644 --- a/modules/pam_env/Makefile.am +++ b/modules/pam_env/Makefile.am @@ -12,20 +12,27 @@ dist_man_MANS = pam_env.conf.5 pam_env.8 environment.5 endif XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml dist_check_SCRIPTS = tst-pam_env -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_env.la -pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) + +check_PROGRAMS = tst-pam_env-retval +tst_pam_env_retval_LDADD = $(top_builddir)/libpam/libpam.la dist_secureconf_DATA = pam_env.conf dist_sysconf_DATA = environment diff --git a/modules/pam_env/Makefile.in b/modules/pam_env/Makefile.in index 255458f5..dd3fd05f 100644 --- a/modules/pam_env/Makefile.in +++ b/modules/pam_env/Makefile.in @@ -94,6 +94,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_env-retval$(EXEEXT) subdir = modules/pam_env ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -151,13 +152,18 @@ am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \ "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)" \ "$(DESTDIR)$(sysconfdir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_env_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_env_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_env_la_SOURCES = pam_env.c pam_env_la_OBJECTS = pam_env.lo AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_env_retval_SOURCES = tst-pam_env-retval.c +tst_pam_env_retval_OBJECTS = tst-pam_env-retval.$(OBJEXT) +tst_pam_env_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -173,7 +179,8 @@ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/pam_env.Plo +am__depfiles_remade = ./$(DEPDIR)/pam_env.Plo \ + ./$(DEPDIR)/tst-pam_env-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -193,8 +200,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_env.c -DIST_SOURCES = pam_env.c +SOURCES = pam_env.c tst-pam_env-retval.c +DIST_SOURCES = pam_env.c tst-pam_env-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -433,6 +440,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +453,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +491,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +521,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +532,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -596,15 +613,17 @@ EXTRA_DIST = $(XMLS) @HAVE_DOC_TRUE@dist_man_MANS = pam_env.conf.5 pam_env.8 environment.5 XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml dist_check_SCRIPTS = tst-pam_env -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_env.la -pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) +tst_pam_env_retval_LDADD = $(top_builddir)/libpam/libpam.la dist_secureconf_DATA = pam_env.conf dist_sysconf_DATA = environment @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README @@ -642,6 +661,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -680,6 +708,10 @@ clean-securelibLTLIBRARIES: pam_env.la: $(pam_env_la_OBJECTS) $(pam_env_la_DEPENDENCIES) $(EXTRA_pam_env_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_env_la_OBJECTS) $(pam_env_la_LIBADD) $(LIBS) +tst-pam_env-retval$(EXEEXT): $(tst_pam_env_retval_OBJECTS) $(tst_pam_env_retval_DEPENDENCIES) $(EXTRA_tst_pam_env_retval_DEPENDENCIES) + @rm -f tst-pam_env-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_env_retval_OBJECTS) $(tst_pam_env_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -687,6 +719,7 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_env-retval.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -1021,7 +1054,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: $(dist_check_SCRIPTS) +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1031,7 +1064,7 @@ check-TESTS: $(dist_check_SCRIPTS) log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all $(dist_check_SCRIPTS) +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1049,6 +1082,13 @@ tst-pam_env.log: tst-pam_env --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_env-retval.log: tst-pam_env-retval$(EXEEXT) + @p='tst-pam_env-retval$(EXEEXT)'; \ + b='tst-pam_env-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1098,7 +1138,8 @@ distdir-am: $(DISTFILES) fi; \ done check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1143,11 +1184,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/pam_env.Plo + -rm -f ./$(DEPDIR)/tst-pam_env-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1195,6 +1237,7 @@ installcheck-am: maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/pam_env.Plo + -rm -f ./$(DEPDIR)/tst-pam_env-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1219,7 +1262,7 @@ uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ - check-am clean clean-generic clean-libtool \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ diff --git a/modules/pam_env/README b/modules/pam_env/README index a040caf7..f10a02b4 100644 --- a/modules/pam_env/README +++ b/modules/pam_env/README @@ -8,10 +8,38 @@ The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST. +Rules for (un)setting of variables can be defined in an own config file. The +path to this file can be specified with the conffile option. If this file does +not exist, the default rules are taken from the config files /etc/security/ +pam_env.conf and /etc/security/pam_env.conf.d/*.conf. If the file /etc/security +/pam_env.conf does not exist, the rules are taken from the files %vendordir%/ +security/pam_env.conf, %vendordir%/security/pam_env.conf.d/*.conf and /etc/ +security/pam_env.conf.d/*.conf in that order. + +By default rules for (un)setting of variables are taken from the config file / +etc/security/pam_env.conf. If this file does not exist %vendordir%/security/ +pam_env.conf is used. An alternate file can be specified with the conffile +option, which overrules all other files. + By default rules for (un)setting of variables are taken from the config file / etc/security/pam_env.conf. An alternate file can be specified with the conffile option. +Environment variables can be defined in a file with simple KEY=VAL pairs on +separate lines. The path to this file can be specified with the envfile option. +If this file has not been defined, the settings are read from the files /etc/ +security/environment and /etc/security/environment.d/*. If the file /etc/ +environment does not exist, the settings are read from the files %vendordir%/ +environment, %vendordir%/environment.d/* and /etc/environment.d/* in that +order. And last but not least, with the readenv option this mechanism can be +completely disabled. + +Second a file (/etc/environment by default) with simple KEY=VAL pairs on +separate lines will be read. If this file does not exist, %vendordir%/etc/ +environment is used. With the envfile option an alternate file can be +specified, which overrules all other files. And with the readenv option this +can be completely disabled. + Second a file (/etc/environment by default) with simple KEY=VAL pairs on separate lines will be read. With the envfile option an alternate file can be specified. And with the readenv option this can be completely disabled. diff --git a/modules/pam_env/README.xml b/modules/pam_env/README.xml index 21a9b855..8becf870 100644 --- a/modules/pam_env/README.xml +++ b/modules/pam_env/README.xml @@ -1,39 +1,21 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_env.8.xml"> ---> -<!-- -<!ENTITY accessconf SYSTEM "pam_env.conf.5.xml"> ---> -]> - -<article> - - <articleinfo> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_env-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.8.xml" xpointer='xpointer(id("pam_env-name")/*)'/> </title> - - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.8.xml" xpointer='xpointer(id("pam_env-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.8.xml" xpointer='xpointer(id("pam_env-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_env.conf.5.xml" xpointer='xpointer(id("pam_env.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_env/environment.5 b/modules/pam_env/environment.5 index aa670e2e..415dfc1c 100644 --- a/modules/pam_env/environment.5 +++ b/modules/pam_env/environment.5 @@ -1 +1 @@ -.so man5/pam_env.conf.5 +.so pam_env.conf.5 diff --git a/modules/pam_env/pam_env.8 b/modules/pam_env/pam_env.8 index 8b0d5199..afef8b1b 100644 --- a/modules/pam_env/pam_env.8 +++ b/modules/pam_env/pam_env.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_env .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 09/13/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ENV" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_ENV" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -62,20 +62,20 @@ option\&. Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack\&. .SH "OPTIONS" .PP -\fBconffile=\fR\fB\fI/path/to/pam_env\&.conf\fR\fR +conffile=/path/to/pam_env\&.conf .RS 4 Indicate an alternative pam_env\&.conf style configuration file to override the default\&. This can be useful when different services need different environments\&. .RE .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBenvfile=\fR\fB\fI/path/to/environment\fR\fR +envfile=/path/to/environment .RS 4 Indicate an alternative environment @@ -86,12 +86,12 @@ pairs on separate lines\&. The instruction can be specified for bash compatibility, but will be ignored\&. This can be useful when different services need different environments\&. .RE .PP -\fBreadenv=\fR\fB\fI0|1\fR\fR +readenv=0|1 .RS 4 Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\&. By default this option is on\&. .RE .PP -\fBuser_envfile=\fR\fB\fIfilename\fR\fR +user_envfile=filename .RS 4 Indicate an alternative \&.pam_environment @@ -99,7 +99,7 @@ file to override the default\&.The syntax is the same as for \fI/etc/security/pam_env\&.conf\fR\&. The filename is relative to the user home directory\&. This can be useful when different services need different environments\&. .RE .PP -\fBuser_readenv=\fR\fB\fI0|1\fR\fR +user_readenv=0|1 .RS 4 Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator\&. .sp @@ -153,7 +153,7 @@ User specific environment file .PP \fBpam_env.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBenviron\fR(7)\&. .SH "AUTHOR" .PP diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml index 75ff862b..a720d37e 100644 --- a/modules/pam_env/pam_env.8.xml +++ b/modules/pam_env/pam_env.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_env'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_env"> <refmeta> <refentrytitle>pam_env</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_env-name'> + <refnamediv xml:id="pam_env-name"> <refname>pam_env</refname> <refpurpose> PAM module to set/unset environment variables @@ -20,31 +17,31 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_env-cmdsynopsis"> + <cmdsynopsis xml:id="pam_env-cmdsynopsis" sepchar=" "> <command>pam_env.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conffile=<replaceable>conf-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> envfile=<replaceable>env-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> readenv=<replaceable>0|1</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> user_envfile=<replaceable>env-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> user_readenv=<replaceable>0|1</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_env-description"> + <refsect1 xml:id="pam_env-description"> <title>DESCRIPTION</title> <para> The pam_env PAM module allows the (un)setting of environment @@ -52,13 +49,55 @@ variables as well as <emphasis>PAM_ITEM</emphasis>s such as <emphasis>PAM_RHOST</emphasis>. </para> - <para> + <para condition="with_vendordir_and_with_econf"> + Rules for (un)setting of variables can be defined in an own config + file. The path to this file can be specified with the + <emphasis>conffile</emphasis> option. + If this file does not exist, the default rules are taken from the + config files <filename>/etc/security/pam_env.conf</filename> and + <filename>/etc/security/pam_env.conf.d/*.conf</filename>. + If the file <filename>/etc/security/pam_env.conf</filename> does not + exist, the rules are taken from the files + <filename>%vendordir%/security/pam_env.conf</filename>, + <filename>%vendordir%/security/pam_env.conf.d/*.conf</filename> and + <filename>/etc/security/pam_env.conf.d/*.conf</filename> in that order. + </para> + <para condition="with_vendordir_and_without_econf"> + By default rules for (un)setting of variables are taken from the + config file <filename>/etc/security/pam_env.conf</filename>. + If this file does not exist <filename>%vendordir%/security/pam_env.conf</filename> is used. + An alternate file can be specified with the <emphasis>conffile</emphasis> + option, which overrules all other files. + </para> + <para condition="without_vendordir"> By default rules for (un)setting of variables are taken from the config file <filename>/etc/security/pam_env.conf</filename>. An alternate file can be specified with the <emphasis>conffile</emphasis> option. </para> - <para> + <para condition="with_vendordir_and_with_econf"> + Environment variables can be defined in a file with simple <emphasis>KEY=VAL</emphasis> + pairs on separate lines. The path to this file can be specified with the + <emphasis>envfile</emphasis> option. + If this file has not been defined, the settings are read from the + files <filename>/etc/security/environment</filename> and + <filename>/etc/security/environment.d/*</filename>. + If the file <filename>/etc/environment</filename> does not exist, the + settings are read from the files <filename>%vendordir%/environment</filename>, + <filename>%vendordir%/environment.d/*</filename> and + <filename>/etc/environment.d/*</filename> in that order. + And last but not least, with the <emphasis>readenv</emphasis> option this mechanism can + be completely disabled. + </para> + <para condition="with_vendordir_and_without_econf"> + Second a file (<filename>/etc/environment</filename> by default) with simple + <emphasis>KEY=VAL</emphasis> pairs on separate lines will be read. + If this file does not exist, <filename>%vendordir%/etc/environment</filename> is used. + With the <emphasis>envfile</emphasis> option an alternate file can be specified, + which overrules all other files. + And with the <emphasis>readenv</emphasis> option this can be completely disabled. + </para> + <para condition="without_vendordir"> Second a file (<filename>/etc/environment</filename> by default) with simple <emphasis>KEY=VAL</emphasis> pairs on separate lines will be read. With the <emphasis>envfile</emphasis> option an alternate file can be specified. @@ -77,13 +116,13 @@ </para> </refsect1> - <refsect1 id="pam_env-options"> + <refsect1 xml:id="pam_env-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>conffile=<replaceable>/path/to/pam_env.conf</replaceable></option> + conffile=/path/to/pam_env.conf </term> <listitem> <para> @@ -96,7 +135,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -108,7 +147,7 @@ <varlistentry> <term> - <option>envfile=<replaceable>/path/to/environment</replaceable></option> + envfile=/path/to/environment </term> <listitem> <para> @@ -124,7 +163,7 @@ <varlistentry> <term> - <option>readenv=<replaceable>0|1</replaceable></option> + readenv=0|1 </term> <listitem> <para> @@ -137,7 +176,7 @@ <varlistentry> <term> - <option>user_envfile=<replaceable>filename</replaceable></option> + user_envfile=filename </term> <listitem> <para> @@ -153,7 +192,7 @@ <varlistentry> <term> - <option>user_readenv=<replaceable>0|1</replaceable></option> + user_readenv=0|1 </term> <listitem> <para> @@ -174,7 +213,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_env-types"> + <refsect1 xml:id="pam_env-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>session</option> module @@ -182,7 +221,7 @@ </para> </refsect1> - <refsect1 id="pam_env-return_values"> + <refsect1 xml:id="pam_env-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -220,23 +259,25 @@ </variablelist> </refsect1> - <refsect1 id="pam_env-files"> + <refsect1 xml:id="pam_env-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/pam_env.conf</filename></term> + <term condition="with_vendordir">%vendordir%/security/pam_env.conf</term> + <term>/etc/security/pam_env.conf</term> <listitem> <para>Default configuration file</para> </listitem> </varlistentry> <varlistentry> - <term><filename>/etc/environment</filename></term> + <term condition="with_vendordir">%vendordir%/environment</term> + <term>/etc/environment</term> <listitem> <para>Default environment file</para> </listitem> </varlistentry> <varlistentry> - <term><filename>$HOME/.pam_environment</filename></term> + <term>$HOME/.pam_environment</term> <listitem> <para>User specific environment file</para> </listitem> @@ -244,7 +285,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_env-see_also"> + <refsect1 xml:id="pam_env-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -254,7 +295,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum> @@ -262,10 +303,10 @@ </para> </refsect1> - <refsect1 id="pam_env-authors"> + <refsect1 xml:id="pam_env-authors"> <title>AUTHOR</title> <para> pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index f5f8cead..d2b4cb10 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -7,6 +7,9 @@ */ #define DEFAULT_ETC_ENVFILE "/etc/environment" +#ifdef VENDORDIR +#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment") +#endif #define DEFAULT_READ_ENVFILE 1 #define DEFAULT_USER_ENVFILE ".pam_environment" @@ -25,6 +28,9 @@ #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> +#ifdef USE_ECONF +#include <libeconf.h> +#endif #include <security/pam_modules.h> #include <security/pam_modutil.h> @@ -41,6 +47,11 @@ typedef struct var { char *override; } VAR; +#define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf") +#endif + #define BUF_SIZE 8192 #define MAX_ENV 8192 @@ -51,18 +62,20 @@ typedef struct var { #define UNDEFINE_VAR 102 #define ILLEGAL_VAR 103 -static int _assemble_line(FILE *, char *, int); -static int _parse_line(const pam_handle_t *, const char *, VAR *); -static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */ -static void _clean_var(VAR *); -static int _expand_arg(pam_handle_t *, char **); -static const char * _pam_get_item_byname(pam_handle_t *, const char *); -static int _define_var(pam_handle_t *, int, VAR *); -static int _undefine_var(pam_handle_t *, int, VAR *); - /* This is a special value used to designate an empty string */ static char quote='\0'; +static void free_string_array(char **array) +{ + if (array == NULL) + return; + for (char **entry = array; *entry != NULL; ++entry) { + pam_overwrite_string(*entry); + free(*entry); + } + free(array); +} + /* argument parsing */ #define PAM_DEBUG_ARG 0x01 @@ -75,10 +88,10 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, int ctrl=0; *user_envfile = DEFAULT_USER_ENVFILE; - *envfile = DEFAULT_ETC_ENVFILE; + *envfile = NULL; *readenv = DEFAULT_READ_ENVFILE; *user_readenv = DEFAULT_USER_READ_ENVFILE; - *conffile = DEFAULT_CONF_FILE; + *conffile = NULL; /* step through arguments */ for (; argc-- > 0; ++argv) { @@ -126,166 +139,155 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, return ctrl; } -static int -_parse_config_file(pam_handle_t *pamh, int ctrl, const char *file) -{ - int retval; - char buffer[BUF_SIZE]; - FILE *conf; - VAR Var, *var=&Var; - - D(("Called.")); - - var->name=NULL; var->defval=NULL; var->override=NULL; - - D(("Config file name is: %s", file)); - - /* - * Lets try to open the config file, parse it and process - * any variables found. - */ - - if ((conf = fopen(file,"r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file); - return PAM_IGNORE; - } - - /* _pam_assemble_line will provide a complete line from the config file, - * with all comments removed and any escaped newlines fixed up - */ - - while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) { - D(("Read line: %s", buffer)); - - if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) { - retval = _check_var(pamh, var); - - if (DEFINE_VAR == retval) { - retval = _define_var(pamh, ctrl, var); - - } else if (UNDEFINE_VAR == retval) { - retval = _undefine_var(pamh, ctrl, var); - } - } - if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval - && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; - - _clean_var(var); - - } /* while */ +#ifdef USE_ECONF - (void) fclose(conf); +#define ENVIRONMENT "environment" +#define PAM_ENV "pam_env" - /* tidy up */ - _clean_var(var); /* We could have got here prematurely, - * this is safe though */ - D(("Exit.")); - return (retval != 0 ? PAM_ABORT : PAM_SUCCESS); +static int +isDirectory(const char *path) { + struct stat statbuf; + if (stat(path, &statbuf) != 0) + return 0; + return S_ISDIR(statbuf.st_mode); } static int -_parse_env_file(pam_handle_t *pamh, int ctrl, const char *file) +econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim, + const char *name, const char *suffix, const char *subpath, + char ***lines) { - int retval=PAM_SUCCESS, i, t; - char buffer[BUF_SIZE], *key, *mark; - FILE *conf; - - D(("Env file name is: %s", file)); - - if ((conf = fopen(file,"r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file); - return PAM_IGNORE; + econf_file *key_file = NULL; + econf_err error; + size_t key_number = 0; + char **keys = NULL; + const char *base_dir = ""; + + if (filename != NULL) { + if (isDirectory(filename)) { + /* Set base directory which can be different from root */ + D(("filename argument is a directory: %s", filename)); + base_dir = filename; + } else { + /* Read only one file */ + error = econf_readFile (&key_file, filename, delim, "#"); + D(("File name is: %s", filename)); + if (error != ECONF_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %s", filename, + econf_errString(error)); + if (error == ECONF_NOFILE) + return PAM_IGNORE; + else + return PAM_ABORT; + } + } } + if (filename == NULL || base_dir[0] != '\0') { + /* Read and merge all setting in e.g. /usr/etc and /etc */ + char *vendor_dir = NULL, *sysconf_dir; + if (subpath != NULL && subpath[0] != '\0') { +#ifdef VENDORDIR + if (asprintf(&vendor_dir, "%s%s/%s/", base_dir, VENDORDIR, subpath) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + return PAM_BUF_ERR; + } +#endif + if (asprintf(&sysconf_dir, "%s%s/%s/", base_dir, SYSCONFDIR, subpath) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + free(vendor_dir); + return PAM_BUF_ERR; + } + } else { +#ifdef VENDORDIR + if (asprintf(&vendor_dir, "%s%s/", base_dir, VENDORDIR) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + return PAM_BUF_ERR; + } +#endif + if (asprintf(&sysconf_dir, "%s%s/", base_dir, SYSCONFDIR) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + free(vendor_dir); + return PAM_BUF_ERR; + } + } - while (_assemble_line(conf, buffer, BUF_SIZE) > 0) { - D(("Read line: %s", buffer)); - key = buffer; - - /* skip leading white space */ - key += strspn(key, " \n\t"); - - /* skip blanks lines and comments */ - if (key[0] == '#') - continue; - - /* skip over "export " if present so we can be compat with - bash type declarations */ - if (strncmp(key, "export ", (size_t) 7) == 0) - key += 7; - - /* now find the end of value */ - mark = key; - while(mark[0] != '\n' && mark[0] != '#' && mark[0] != '\0') - mark++; - if (mark[0] != '\0') - mark[0] = '\0'; - - /* - * sanity check, the key must be alphanumeric - */ - - if (key[0] == '=') { - pam_syslog(pamh, LOG_ERR, - "missing key name '%s' in %s', ignoring", - key, file); - continue; + D(("Read configuration from directory %s and %s", vendor_dir, sysconf_dir)); + error = econf_readDirs (&key_file, vendor_dir, sysconf_dir, name, suffix, + delim, "#"); + free(vendor_dir); + free(sysconf_dir); + if (error != ECONF_SUCCESS) { + if (error == ECONF_NOFILE) { + pam_syslog(pamh, LOG_ERR, "Configuration file not found: %s%s", name, suffix); + return PAM_IGNORE; + } else { + char *error_filename = NULL; + uint64_t error_line = 0; + + econf_errLocation(&error_filename, &error_line); + pam_syslog(pamh, LOG_ERR, "Unable to read configuration file %s line %ld: %s", + error_filename, + error_line, + econf_errString(error)); + free(error_filename); + return PAM_ABORT; } + } + } - for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ ) - if (!isalnum(key[i]) && key[i] != '_') { - pam_syslog(pamh, LOG_ERR, - "non-alphanumeric key '%s' in %s', ignoring", - key, file); - break; - } - /* non-alphanumeric key, ignore this line */ - if (key[i] != '=' && key[i] != '\0') - continue; + error = econf_getKeys(key_file, NULL, &key_number, &keys); + if (error != ECONF_SUCCESS && error != ECONF_NOKEY) { + pam_syslog(pamh, LOG_ERR, "Unable to read keys: %s", + econf_errString(error)); + econf_freeFile(key_file); + return PAM_ABORT; + } - /* now we try to be smart about quotes around the value, - but not too smart, we can't get all fancy with escaped - values like bash */ - if (key[i] == '=' && (key[++i] == '\"' || key[i] == '\'')) { - for ( t = i+1 ; key[t] != '\0' ; t++) - if (key[t] != '\"' && key[t] != '\'') - key[i++] = key[t]; - else if (key[t+1] != '\0') - key[i++] = key[t]; - key[i] = '\0'; - } + *lines = malloc((key_number +1)* sizeof(char**)); + if (*lines == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); + econf_freeFile(key_file); + return PAM_BUF_ERR; + } - /* if this is a request to delete a variable, check that it's - actually set first, so we don't get a vague error back from - pam_putenv() */ - for (i = 0; key[i] != '=' && key[i] != '\0'; i++); + (*lines)[key_number] = 0; - if (key[i] == '\0' && !pam_getenv(pamh,key)) - continue; + for (size_t i = 0; i < key_number; i++) { + char *val; - /* set the env var, if it fails, we break out of the loop */ - retval = pam_putenv(pamh, key); - if (retval != PAM_SUCCESS) { - D(("error setting env \"%s\"", key)); - break; - } else if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "pam_putenv(\"%s\")", key); + error = econf_getStringValue (key_file, NULL, keys[i], &val); + if (error != ECONF_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s", + keys[i], + econf_errString(error)); + } else { + if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); + econf_freeFile(key_file); + (*lines)[i] = NULL; + free_string_array(*lines); + free (val); + return PAM_BUF_ERR; } + free (val); + } } - (void) fclose(conf); - - /* tidy up */ - D(("Exit.")); - return retval; + econf_free(keys); + econf_free(key_file); + return PAM_SUCCESS; } +#else + /* * This is where we read a line of the PAM config file. The line may be * preceded by lines of comments and also extended with "\\\n" */ - -static int _assemble_line(FILE *f, char *buffer, int buf_len) +static int +_assemble_line(FILE *f, char *buffer, int buf_len) { char *p = buffer; char *s, *os; @@ -373,8 +375,57 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len) return used; } +static int read_file(const pam_handle_t *pamh, const char*filename, char ***lines) +{ + FILE *conf; + char buffer[BUF_SIZE]; + + D(("Parsed file name is: %s", filename)); + + if ((conf = fopen(filename,"r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s", filename); + return PAM_IGNORE; + } + + size_t i = 0; + *lines = malloc((i + 1)* sizeof(char**)); + if (*lines == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + (void) fclose(conf); + return PAM_BUF_ERR; + } + (*lines)[i] = 0; + while (_assemble_line(conf, buffer, BUF_SIZE) > 0) { + char **tmp = NULL; + D(("Read line: %s", buffer)); + tmp = realloc(*lines, (++i + 1) * sizeof(char**)); + if (tmp == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + (void) fclose(conf); + free_string_array(*lines); + pam_overwrite_array(buffer); + return PAM_BUF_ERR; + } + *lines = tmp; + (*lines)[i-1] = strdup(buffer); + if ((*lines)[i-1] == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + (void) fclose(conf); + free_string_array(*lines); + pam_overwrite_array(buffer); + return PAM_BUF_ERR; + } + (*lines)[i] = 0; + } + + (void) fclose(conf); + pam_overwrite_array(buffer); + return PAM_SUCCESS; +} +#endif + static int -_parse_line (const pam_handle_t *pamh, const char *buffer, VAR *var) +_parse_line(const pam_handle_t *pamh, const char *buffer, VAR *var) { /* * parse buffer into var, legal syntax is @@ -454,7 +505,8 @@ _parse_line (const pam_handle_t *pamh, const char *buffer, VAR *var) } (void)strncpy(*valptr,ptr,length); (*valptr)[length]='\0'; - } else if (quoteflg--) { + } else if (quoteflg) { + quoteflg--; *valptr = "e; /* a quick hack to handle the empty string */ } ptr = tmpptr; /* Start the search where we stopped */ @@ -469,75 +521,57 @@ _parse_line (const pam_handle_t *pamh, const char *buffer, VAR *var) return GOOD_LINE; } -static int _check_var(pam_handle_t *pamh, VAR *var) +static const char * +_pam_get_item_byname(pam_handle_t *pamh, const char *name) { /* - * Examine the variable and determine what action to take. - * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take - * or a PAM_* error code if passed back from other routines - * - * if no DEFAULT provided, the empty string is assumed - * if no OVERRIDE provided, the empty string is assumed - * if DEFAULT= and OVERRIDE evaluates to the empty string, - * this variable should be undefined - * if DEFAULT="" and OVERRIDE evaluates to the empty string, - * this variable should be defined with no value - * if OVERRIDE=value and value turns into the empty string, DEFAULT is used - * - * If DEFINE_VAR is to be returned, the correct value to define will - * be pointed to by var->value + * This function just allows me to use names as given in the config + * file and translate them into the appropriate PAM_ITEM macro */ - int retval; + int item; + const void *itemval; D(("Called.")); - - /* - * First thing to do is to expand any arguments, but only - * if they are not the special quote values (cause expand_arg - * changes memory). - */ - - if (var->defval && ("e != var->defval) && - ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { - return retval; - } - if (var->override && ("e != var->override) && - ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { - return retval; + if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) { + item = PAM_USER; + } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { + item = PAM_USER_PROMPT; + } else if (strcmp(name, "PAM_TTY") == 0) { + item = PAM_TTY; + } else if (strcmp(name, "PAM_RUSER") == 0) { + item = PAM_RUSER; + } else if (strcmp(name, "PAM_RHOST") == 0) { + item = PAM_RHOST; + } else { + D(("Unknown PAM_ITEM: <%s>", name)); + pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name); + return NULL; } - /* Now its easy */ - - if (var->override && *(var->override)) { - /* if there is a non-empty string in var->override, we use it */ - D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); - var->value = var->override; - retval = DEFINE_VAR; - } else { + if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) { + D(("pam_get_item failed")); + return NULL; /* let pam_get_item() log the error */ + } - var->value = var->defval; - if ("e == var->defval) { - /* - * This means that the empty string was given for defval value - * which indicates that a variable should be defined with no value - */ - D(("An empty variable: <%s>", var->name)); - retval = DEFINE_VAR; - } else if (var->defval) { - D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); - retval = DEFINE_VAR; - } else { - D(("UNDEFINE variable <%s>", var->name)); - retval = UNDEFINE_VAR; + if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) { + struct passwd *user_entry; + user_entry = pam_modutil_getpwnam (pamh, itemval); + if (!user_entry) { + pam_syslog(pamh, LOG_ERR, "No such user!?"); + return NULL; } + return (strcmp(name, "SHELL") == 0) ? + user_entry->pw_shell : + user_entry->pw_dir; } D(("Exit.")); - return retval; + return itemval; } -static int _expand_arg(pam_handle_t *pamh, char **value) +static int +_expand_arg(pam_handle_t *pamh, char **value) { const char *orig=*value, *tmpptr=NULL; char *ptr; /* @@ -550,12 +584,8 @@ static int _expand_arg(pam_handle_t *pamh, char **value) char type, tmpval[BUF_SIZE]; /* I know this shouldn't be hard-coded but it's so much easier this way */ - char tmp[MAX_ENV]; - size_t idx; - - D(("Remember to initialize tmp!")); - memset(tmp, 0, MAX_ENV); - idx = 0; + char tmp[MAX_ENV] = {}; + size_t idx = 0; /* * (possibly non-existent) environment variables can be used as values @@ -580,7 +610,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - return PAM_BUF_ERR; + goto buf_err; } continue; } @@ -605,7 +635,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Unterminated expandable variable: <%s>", orig-2)); pam_syslog(pamh, LOG_ERR, "Unterminated expandable variable: <%s>", orig-2); - return PAM_ABORT; + goto abort_err; } strncpy(tmpval, orig, sizeof(tmpval)); tmpval[sizeof(tmpval)-1] = '\0'; @@ -631,7 +661,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) default: D(("Impossible error, type == <%c>", type)); pam_syslog(pamh, LOG_CRIT, "Impossible error, type == <%c>", type); - return PAM_ABORT; + goto abort_err; } /* switch */ if (tmpptr) { @@ -644,7 +674,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - return PAM_BUF_ERR; + goto buf_err; } } } /* if ('{' != *orig++) */ @@ -656,7 +686,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); pam_syslog(pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - return PAM_BUF_ERR; + goto buf_err; } } } /* for (;*orig;) */ @@ -667,65 +697,118 @@ static int _expand_arg(pam_handle_t *pamh, char **value) D(("Couldn't malloc %d bytes for expanded var", idx + 1)); pam_syslog (pamh, LOG_CRIT, "Couldn't malloc %lu bytes for expanded var", (unsigned long)idx+1); - return PAM_BUF_ERR; + goto buf_err; } } strcpy(*value, tmp); - memset(tmp, '\0', sizeof(tmp)); + pam_overwrite_array(tmp); + pam_overwrite_array(tmpval); D(("Exit.")); return PAM_SUCCESS; +buf_err: + pam_overwrite_array(tmp); + pam_overwrite_array(tmpval); + return PAM_BUF_ERR; +abort_err: + pam_overwrite_array(tmp); + pam_overwrite_array(tmpval); + return PAM_ABORT; } -static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) +static int +_check_var(pam_handle_t *pamh, VAR *var) { /* - * This function just allows me to use names as given in the config - * file and translate them into the appropriate PAM_ITEM macro + * Examine the variable and determine what action to take. + * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take + * or a PAM_* error code if passed back from other routines + * + * if no DEFAULT provided, the empty string is assumed + * if no OVERRIDE provided, the empty string is assumed + * if DEFAULT= and OVERRIDE evaluates to the empty string, + * this variable should be undefined + * if DEFAULT="" and OVERRIDE evaluates to the empty string, + * this variable should be defined with no value + * if OVERRIDE=value and value turns into the empty string, DEFAULT is used + * + * If DEFINE_VAR is to be returned, the correct value to define will + * be pointed to by var->value */ - int item; - const void *itemval; + int retval; D(("Called.")); - if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) { - item = PAM_USER; - } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { - item = PAM_USER_PROMPT; - } else if (strcmp(name, "PAM_TTY") == 0) { - item = PAM_TTY; - } else if (strcmp(name, "PAM_RUSER") == 0) { - item = PAM_RUSER; - } else if (strcmp(name, "PAM_RHOST") == 0) { - item = PAM_RHOST; - } else { - D(("Unknown PAM_ITEM: <%s>", name)); - pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name); - return NULL; - } - if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) { - D(("pam_get_item failed")); - return NULL; /* let pam_get_item() log the error */ + /* + * First thing to do is to expand any arguments, but only + * if they are not the special quote values (cause expand_arg + * changes memory). + */ + + if (var->defval && ("e != var->defval) && + ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { + return retval; + } + if (var->override && ("e != var->override) && + ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { + return retval; } - if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) { - struct passwd *user_entry; - user_entry = pam_modutil_getpwnam (pamh, itemval); - if (!user_entry) { - pam_syslog(pamh, LOG_ERR, "No such user!?"); - return NULL; + /* Now its easy */ + + if (var->override && *(var->override)) { + /* if there is a non-empty string in var->override, we use it */ + D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); + var->value = var->override; + retval = DEFINE_VAR; + } else { + + var->value = var->defval; + if ("e == var->defval) { + /* + * This means that the empty string was given for defval value + * which indicates that a variable should be defined with no value + */ + D(("An empty variable: <%s>", var->name)); + retval = DEFINE_VAR; + } else if (var->defval) { + D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); + retval = DEFINE_VAR; + } else { + D(("UNDEFINE variable <%s>", var->name)); + retval = UNDEFINE_VAR; } - return (strcmp(name, "SHELL") == 0) ? - user_entry->pw_shell : - user_entry->pw_dir; } D(("Exit.")); - return itemval; + return retval; +} + +static void +_clean_var(VAR *var) +{ + if (var->name) { + pam_overwrite_string(var->name); + free(var->name); + } + if (var->defval && ("e != var->defval)) { + pam_overwrite_string(var->defval); + free(var->defval); + } + if (var->override && ("e != var->override)) { + pam_overwrite_string(var->override); + free(var->override); + } + var->name = NULL; + var->value = NULL; /* never has memory specific to it */ + var->defval = NULL; + var->override = NULL; + return; } -static int _define_var(pam_handle_t *pamh, int ctrl, VAR *var) +static int +_define_var(pam_handle_t *pamh, int ctrl, VAR *var) { /* We have a variable to define, this is a simple function */ @@ -747,7 +830,8 @@ static int _define_var(pam_handle_t *pamh, int ctrl, VAR *var) return retval; } -static int _undefine_var(pam_handle_t *pamh, int ctrl, VAR *var) +static int +_undefine_var(pam_handle_t *pamh, int ctrl, VAR *var) { /* We have a variable to undefine, this is a simple function */ @@ -758,25 +842,175 @@ static int _undefine_var(pam_handle_t *pamh, int ctrl, VAR *var) return pam_putenv(pamh, var->name); } -static void _clean_var(VAR *var) +static int +_parse_config_file(pam_handle_t *pamh, int ctrl, const char *file) { - if (var->name) { - free(var->name); - } - if (var->defval && ("e != var->defval)) { - free(var->defval); - } - if (var->override && ("e != var->override)) { - free(var->override); + int retval; + VAR Var, *var=&Var; + char **conf_list = NULL; + + var->name=NULL; var->defval=NULL; var->override=NULL; + + D(("Called.")); + +#ifdef USE_ECONF + /* If "file" is not NULL, only this file will be parsed. */ + retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list); +#else + /* Only one file will be parsed. So, file has to be set. */ + if (file == NULL) /* No filename has been set via argv. */ + file = DEFAULT_CONF_FILE; +#ifdef VENDOR_DEFAULT_CONF_FILE + /* + * Check whether file is available. + * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file. + */ + struct stat stat_buffer; + if (stat(file, &stat_buffer) != 0 && errno == ENOENT) { + file = VENDOR_DEFAULT_CONF_FILE; } - var->name = NULL; - var->value = NULL; /* never has memory specific to it */ - var->defval = NULL; - var->override = NULL; - return; +#endif + retval = read_file(pamh, file, &conf_list); +#endif + + if (retval != PAM_SUCCESS) + return retval; + + for (char **conf = conf_list; *conf != NULL; ++conf) { + if ((retval = _parse_line(pamh, *conf, var)) == GOOD_LINE) { + retval = _check_var(pamh, var); + + if (DEFINE_VAR == retval) { + retval = _define_var(pamh, ctrl, var); + + } else if (UNDEFINE_VAR == retval) { + retval = _undefine_var(pamh, ctrl, var); + } + } + if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval + && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; + + _clean_var(var); + + } /* for */ + + /* tidy up */ + free_string_array(conf_list); + _clean_var(var); /* We could have got here prematurely, + * this is safe though */ + D(("Exit.")); + return (retval != 0 ? PAM_ABORT : PAM_SUCCESS); } +static int +_parse_env_file(pam_handle_t *pamh, int ctrl, const char *file) +{ + int retval=PAM_SUCCESS, i, t; + char *key, *mark; + char **env_list = NULL; + +#ifdef USE_ECONF + retval = econf_read_file(pamh, file, "=", ENVIRONMENT, "", "", &env_list); +#else + /* Only one file will be parsed. So, file has to be set. */ + if (file == NULL) /* No filename has been set via argv. */ + file = DEFAULT_ETC_ENVFILE; +#ifdef VENDOR_DEFAULT_ETC_ENVFILE + /* + * Check whether file is available. + * If it does not exist, fall back to VENDOR_DEFAULT_ETC_ENVFILE; file. + */ + struct stat stat_buffer; + if (stat(file, &stat_buffer) != 0 && errno == ENOENT) { + file = VENDOR_DEFAULT_ETC_ENVFILE; + } +#endif + retval = read_file(pamh, file, &env_list); +#endif + + if (retval != PAM_SUCCESS) + return retval == PAM_IGNORE ? PAM_SUCCESS : retval; + + for (char **env = env_list; *env != NULL; ++env) { + key = *env; + + /* skip leading white space */ + key += strspn(key, " \n\t"); + + /* skip blanks lines and comments */ + if (key[0] == '#') + continue; + + /* skip over "export " if present so we can be compat with + bash type declarations */ + if (strncmp(key, "export ", (size_t) 7) == 0) + key += 7; + + /* now find the end of value */ + mark = key; + while(mark[0] != '\n' && mark[0] != '#' && mark[0] != '\0') + mark++; + if (mark[0] != '\0') + mark[0] = '\0'; + + /* + * sanity check, the key must be alphanumeric + */ + + if (key[0] == '=') { + pam_syslog(pamh, LOG_ERR, + "missing key name '%s' in %s', ignoring", + key, file); + continue; + } + for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ ) + if (!isalnum(key[i]) && key[i] != '_') { + pam_syslog(pamh, LOG_ERR, + "non-alphanumeric key '%s' in %s', ignoring", + key, file); + break; + } + /* non-alphanumeric key, ignore this line */ + if (key[i] != '=' && key[i] != '\0') + continue; + + /* now we try to be smart about quotes around the value, + but not too smart, we can't get all fancy with escaped + values like bash */ + if (key[i] == '=' && (key[++i] == '\"' || key[i] == '\'')) { + for ( t = i+1 ; key[t] != '\0' ; t++) + if (key[t] != '\"' && key[t] != '\'') + key[i++] = key[t]; + else if (key[t+1] != '\0') + key[i++] = key[t]; + key[i] = '\0'; + } + + /* if this is a request to delete a variable, check that it's + actually set first, so we don't get a vague error back from + pam_putenv() */ + for (i = 0; key[i] != '=' && key[i] != '\0'; i++); + + if (key[i] == '\0' && !pam_getenv(pamh,key)) + continue; + + /* set the env var, if it fails, we break out of the loop */ + retval = pam_putenv(pamh, key); + if (retval != PAM_SUCCESS) { + D(("error setting env \"%s\"", key)); + break; + } else if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "pam_putenv(\"%s\")", key); + } + } + + /* tidy up */ + free_string_array(env_list); + D(("Exit.")); + return retval; +} /* --- authentication management functions (only) --- */ diff --git a/modules/pam_env/pam_env.conf.5 b/modules/pam_env/pam_env.conf.5 index 40fd118b..9d9af676 100644 --- a/modules/pam_env/pam_env.conf.5 +++ b/modules/pam_env/pam_env.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_env.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ENV\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ENV\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -36,7 +36,7 @@ The file specifies the environment variables to be set, unset or modified by \fBpam_env\fR(8)\&. When someone logs in, this file is read and the environment variables are set according\&. .PP -Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\&. DEFAULT allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\&. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\&. OVERRIDE is not used, "" is assumed and no override will be done\&. +Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE\&. DEFAULT allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed\&. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use\&. When OVERRIDE is not used, "" is assumed and no override will be done\&. .PP \fIVARIABLE\fR [\fIDEFAULT=[value]\fR] [\fIOVERRIDE=[value]\fR] @@ -125,7 +125,7 @@ Silly examples of escaped variables, just to show how they work\&. .PP \fBpam_env\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBenviron\fR(7) .SH "AUTHOR" .PP diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml index fca046fe..38bc5fd6 100644 --- a/modules/pam_env/pam_env.conf.5.xml +++ b/modules/pam_env/pam_env.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_env.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_env.conf"> <refmeta> <refentrytitle>pam_env.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -17,10 +14,18 @@ </refnamediv> - <refsect1 id='pam_env.conf-description'> + <refsect1 xml:id="pam_env.conf-description"> <title>DESCRIPTION</title> - <para> + <para condition="with_vendordir"> + The <filename>%vendordir%/security/pam_env.conf</filename> and + <filename>/etc/security/pam_env.conf</filename> files specify + the environment variables to be set, unset or modified by + <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>. + When someone logs in, these files are read and the environment + variables are set according. + </para> + <para condition="without_vendordir"> The <filename>/etc/security/pam_env.conf</filename> file specifies the environment variables to be set, unset or modified by <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>. @@ -33,7 +38,7 @@ administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value - (overriding the default value) if there is one to use. OVERRIDE is + (overriding the default value) if there is one to use. When OVERRIDE is not used, "" is assumed and no override will be done. </para> <para> @@ -61,7 +66,15 @@ at front) can be used to mark this line as a comment line. </para> - <para> + <para condition="with_vendordir"> + The <filename>%vendordir%/environment</filename> and <filename>/etc/environment</filename> files specify + the environment variables to be set. These files must consist of simple + <emphasis>NAME=VALUE</emphasis> pairs on separate lines. + The <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry> + module will read these files after the <filename>pam_env.conf</filename> + file. + </para> + <para condition="without_vendordir"> The <filename>/etc/environment</filename> file specifies the environment variables to be set. The file must consist of simple <emphasis>NAME=VALUE</emphasis> pairs on separate lines. @@ -71,7 +84,7 @@ </para> </refsect1> - <refsect1 id="pam_env.conf-examples"> + <refsect1 xml:id="pam_env.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -117,17 +130,17 @@ </programlisting> </refsect1> - <refsect1 id="pam_env.conf-see_also"> + <refsect1 xml:id="pam_env.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="pam_env.conf-author"> + <refsect1 xml:id="pam_env.conf-author"> <title>AUTHOR</title> <para> pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. diff --git a/modules/pam_env/tst-pam_env-retval.c b/modules/pam_env/tst-pam_env-retval.c new file mode 100644 index 00000000..23ad10b9 --- /dev/null +++ b/modules/pam_env/tst-pam_env-retval.c @@ -0,0 +1,287 @@ +/* + * Check pam_env return values. + * + * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org> + * Copyright (c) 2022 Stefan Schubert <schubi@suse.de> + */ + +#include "test_assert.h" + +#include <errno.h> +#include <libgen.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/stat.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_env" +#define TEST_NAME "tst-" MODULE_NAME "-retval" +#define TEST_NAME_DIR TEST_NAME ".dir" + +static const char service_file[] = TEST_NAME ".service"; +static const char missing_file[] = TEST_NAME ".missing"; +static const char my_conf[] = TEST_NAME ".conf"; +static const char my_env[] = TEST_NAME ".env"; +#ifdef VENDORDIR +static const char dir_usr_etc_security[] = TEST_NAME_DIR VENDOR_SCONFIGDIR; +static const char usr_env[] = TEST_NAME_DIR VENDORDIR "/environment"; +static const char usr_conf[] = TEST_NAME_DIR VENDOR_SCONFIGDIR "/pam_env.conf"; +#endif + +static struct pam_conv conv; + +#ifdef VENDORDIR +static void +mkdir_p(const char *pathname, mode_t mode) +{ + if (mkdir(pathname, mode) == 0 || errno == EEXIST) + return; + ASSERT_EQ(errno, ENOENT); + + char *buf; + ASSERT_NE(NULL, buf = strdup(pathname)); + mkdir_p(dirname(buf), mode); + free(buf); + + ASSERT_EQ(0, mkdir(pathname, mode)); +} + +static void +rmdir_p(const char *pathname) +{ + if (rmdir(pathname) != 0) + return; + + char *buf; + ASSERT_NE(NULL, buf = strdup(pathname)); + rmdir_p(dirname(buf)); + free(buf); +} +#endif + +static void +setup(void) +{ + FILE *fp; + + ASSERT_NE(NULL, fp = fopen(my_conf, "w")); + ASSERT_LT(0, fprintf(fp, + "EDITOR\tDEFAULT=vim\n" + "PAGER\tDEFAULT=more\n")); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_NE(NULL, fp = fopen(my_env, "w")); + ASSERT_LT(0, fprintf(fp, + "test_value=foo\n" + "test2_value=bar\n")); + ASSERT_EQ(0, fclose(fp)); + +#ifdef VENDORDIR + mkdir_p(dir_usr_etc_security, 0755); + + ASSERT_NE(NULL, fp = fopen(usr_env, "w")); + ASSERT_LT(0, fprintf(fp, + "usr_etc_test=foo\n" + "usr_etc_test2=bar\n")); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_NE(NULL, fp = fopen(usr_conf, "w")); + ASSERT_LT(0, fprintf(fp, + "PAGER DEFAULT=emacs\n" + "MANPAGER DEFAULT=less\n")); + ASSERT_EQ(0, fclose(fp)); +#endif +} + +static void +cleanup(void) +{ + ASSERT_EQ(0, unlink(my_conf)); + ASSERT_EQ(0, unlink(my_env)); +#ifdef VENDORDIR + ASSERT_EQ(0, unlink(usr_env)); + ASSERT_EQ(0, unlink(usr_conf)); + rmdir_p(dir_usr_etc_security); +#endif +} + +static void +check_array(const char **array1, char **array2) +{ + for (const char **a1 = array1; *a1 != NULL; ++a1) { + char **a2; + for (a2 = array2; *a2 != NULL; ++a2) { + if (strcmp(*a1, *a2) == 0) + break; + } + ASSERT_NE(NULL, *a2); + } +} + +static void +check_env(const char **list) +{ + pam_handle_t *pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + + char **env_list = pam_getenvlist(pamh); + ASSERT_NE(NULL, env_list); + + check_array(list, env_list); + + for (char **e = env_list; *e != NULL; ++e) + free(*e); + free(env_list); + + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); +} + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + setup(); + + /* + * When conffile= specifies a missing file, all methods except + * pam_sm_acct_mgmt and pam_sm_chauthtok return PAM_IGNORE. + * The return code of the stack where every module returns PAM_IGNORE + * is PAM_PERM_DENIED. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conffile=%s/%s\n" + "account required %s/.libs/%s.so conffile=%s/%s\n" + "password required %s/.libs/%s.so conffile=%s/%s\n" + "session required %s/.libs/%s.so conffile=%s/%s\n", + cwd, MODULE_NAME, cwd, missing_file, + cwd, MODULE_NAME, cwd, missing_file, + cwd, MODULE_NAME, cwd, missing_file, + cwd, MODULE_NAME, cwd, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * When conffile= specifies a missing file, all methods except + * pam_sm_acct_mgmt and pam_sm_chauthtok return PAM_IGNORE. + * pam_permit is added after pam_env to convert PAM_IGNORE to PAM_SUCCESS. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conffile=%s/%s\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so conffile=%s/%s\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so conffile=%s/%s\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so conffile=%s/%s\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, cwd, missing_file, cwd, + cwd, MODULE_NAME, cwd, missing_file, cwd, + cwd, MODULE_NAME, cwd, missing_file, cwd, + cwd, MODULE_NAME, cwd, missing_file, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * conffile= specifies an existing file, + * envfile= specifies an empty file. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s/%s envfile=%s\n", + cwd, MODULE_NAME, + cwd, my_conf, "/dev/null")); + ASSERT_EQ(0, fclose(fp)); + + const char *env1[] = { "EDITOR=vim", "PAGER=more", NULL }; + check_env(env1); + + /* + * conffile= specifies an empty file, + * envfile= specifies an existing file. + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s envfile=%s/%s\n", + cwd, MODULE_NAME, + "/dev/null", cwd, my_env)); + ASSERT_EQ(0, fclose(fp)); + + const char *env2[] = { "test_value=foo", "test2_value=bar", NULL }; + check_env(env2); + +#if defined (USE_ECONF) && defined (VENDORDIR) + + /* envfile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s envfile=%s/%s/\n", + cwd, MODULE_NAME, + "/dev/null", + cwd, TEST_NAME_DIR)); + ASSERT_EQ(0, fclose(fp)); + + const char *env3[] = {"usr_etc_test=foo", "usr_etc_test2=bar", NULL}; + check_env(env3); + + /* conffile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "session required %s/.libs/%s.so" + " conffile=%s/%s/ envfile=%s\n", + cwd, MODULE_NAME, + cwd, TEST_NAME_DIR, + "/dev/null")); + ASSERT_EQ(0, fclose(fp)); + + const char *env4[] = {"PAGER=emacs", "MANPAGER=less", NULL}; + check_env(env4); + +#endif + + /* cleanup */ + cleanup(); + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am index 713de6af..a0582226 100644 --- a/modules/pam_exec/Makefile.am +++ b/modules/pam_exec/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_exec TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_exec/Makefile.in b/modules/pam_exec/Makefile.in index a312387a..f738998d 100644 --- a/modules/pam_exec/Makefile.in +++ b/modules/pam_exec/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_exec.8.xml dist_check_SCRIPTS = tst-pam_exec TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_exec/README.xml b/modules/pam_exec/README.xml index 5e76cab3..1928d7f9 100644 --- a/modules/pam_exec/README.xml +++ b/modules/pam_exec/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_exec.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_exec-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8 index 71087918..bfa49f8e 100644 --- a/modules/pam_exec/pam_exec.8 +++ b/modules/pam_exec/pam_exec.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_exec .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_EXEC" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_EXEC" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -57,12 +57,12 @@ Commands called by pam_exec need to be aware of that the user can have control o .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBexpose_authtok\fR +expose_authtok .RS 4 During authentication the calling command can read the password from \fBstdin\fR(3)\&. Only first @@ -70,18 +70,18 @@ During authentication the calling command can read the password from bytes of a password are provided to the command\&. .RE .PP -\fBlog=\fR\fB\fIfile\fR\fR +log=file .RS 4 The output of the command is appended to file .RE .PP -\fBtype=\fR\fB\fItype\fR\fR +type=type .RS 4 Only run the command if the module type matches the given type\&. .RE .PP -\fBstdout\fR +stdout .RS 4 Per default the output of the executed command is written to /dev/null\&. With this option, the stdout output of the executed command is redirected to the calling application\&. It\*(Aqs in the responsibility of this application what happens with the output\&. The @@ -89,17 +89,17 @@ Per default the output of the executed command is written to option is ignored\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Per default pam_exec\&.so will echo the exit status of the external command if it fails\&. Specifying this option will suppress the message\&. .RE .PP -\fBquiet_log\fR +quiet_log .RS 4 Per default pam_exec\&.so will log the exit status of the external command if it fails\&. Specifying this option will suppress the log message\&. .RE .PP -\fBseteuid\fR +seteuid .RS 4 Per default pam_exec\&.so will execute the external command with the real user ID of the calling process\&. Specifying this option means the command is run with the effective user ID\&. .RE @@ -182,7 +182,7 @@ with effective user ID\&. .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_exec was written by Thorsten Kukuk <kukuk@thkukuk\&.de> and Josh Triplett <josh@joshtriplett\&.org>\&. diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 7e89943c..2eedb285 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -1,57 +1,54 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_exec"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_exec"> <refmeta> <refentrytitle>pam_exec</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_exec-name"> + <refnamediv xml:id="pam_exec-name"> <refname>pam_exec</refname> <refpurpose>PAM module which calls an external command</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_exec-cmdsynopsis"> + <cmdsynopsis xml:id="pam_exec-cmdsynopsis" sepchar=" "> <command>pam_exec.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> expose_authtok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> seteuid </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet_log </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> stdout </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> log=<replaceable>file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> type=<replaceable>type</replaceable> </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> <replaceable>command</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>...</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_exec-description"> + <refsect1 xml:id="pam_exec-description"> <title>DESCRIPTION</title> @@ -83,7 +80,7 @@ </refsect1> - <refsect1 id="pam_exec-options"> + <refsect1 xml:id="pam_exec-options"> <title>OPTIONS</title> <para> @@ -91,7 +88,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -102,7 +99,7 @@ <varlistentry> <term> - <option>expose_authtok</option> + expose_authtok </term> <listitem> <para> @@ -117,7 +114,7 @@ <varlistentry> <term> - <option>log=<replaceable>file</replaceable></option> + log=file </term> <listitem> <para> @@ -129,7 +126,7 @@ <varlistentry> <term> - <option>type=<replaceable>type</replaceable></option> + type=type </term> <listitem> <para> @@ -140,7 +137,7 @@ <varlistentry> <term> - <option>stdout</option> + stdout </term> <listitem> <para> @@ -151,7 +148,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -164,7 +161,7 @@ <varlistentry> <term> - <option>quiet_log</option> + quiet_log </term> <listitem> <para> @@ -177,7 +174,7 @@ <varlistentry> <term> - <option>seteuid</option> + seteuid </term> <listitem> <para> @@ -194,7 +191,7 @@ </para> </refsect1> - <refsect1 id="pam_exec-types"> + <refsect1 xml:id="pam_exec-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -202,7 +199,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-return_values'> + <refsect1 xml:id="pam_exec-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -278,7 +275,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-examples'> + <refsect1 xml:id="pam_exec-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/passwd</filename> to @@ -293,7 +290,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-see_also'> + <refsect1 xml:id="pam_exec-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -303,12 +300,12 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_exec-author'> + <refsect1 xml:id="pam_exec-author"> <title>AUTHOR</title> <para> pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and @@ -316,4 +313,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 05dec167..9d2145dc 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -48,6 +48,7 @@ #include <sys/wait.h> #include <sys/stat.h> #include <sys/types.h> +#include <signal.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> @@ -105,6 +106,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, FILE *stdout_file = NULL; int retval; const char *name; + struct sigaction newsa, oldsa; if (argc < 1) { pam_syslog (pamh, LOG_ERR, @@ -182,6 +184,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (retval != PAM_SUCCESS) { + pam_overwrite_string (resp); _pam_drop (resp); if (retval == PAM_CONV_AGAIN) retval = PAM_INCOMPLETE; @@ -192,6 +195,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { pam_set_item (pamh, PAM_AUTHTOK, resp); strncpy (authtok, resp, sizeof(authtok) - 1); + pam_overwrite_string (resp); _pam_drop (resp); } } @@ -200,6 +204,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (pipe(fds) != 0) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); return PAM_SYSTEM_ERR; } @@ -210,25 +215,38 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { if (pipe(stdout_fds) != 0) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); return PAM_SYSTEM_ERR; } stdout_file = fdopen(stdout_fds[0], "r"); if (!stdout_file) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not fdopen pipe: %m"); return PAM_SYSTEM_ERR; } } if (optargc >= argc) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "No path given as argument"); return PAM_SERVICE_ERR; } + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_overwrite_array(authtok); + pam_syslog(pamh, LOG_ERR, "failed to reset SIGCHLD handler: %m"); + return PAM_SYSTEM_ERR; + } + pid = fork(); - if (pid == -1) + if (pid == -1) { + pam_overwrite_array(authtok); return PAM_SYSTEM_ERR; + } if (pid > 0) /* parent */ { int status = 0; @@ -246,6 +264,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, close(fds[1]); } + pam_overwrite_array(authtok); + if (use_stdout) { char buf[4096]; @@ -263,6 +283,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, while ((rc = waitpid (pid, &status, 0)) == -1 && errno == EINTR); + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ if (rc == (pid_t)-1) { pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m"); @@ -305,9 +326,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else /* child */ { - char **arggv; + const char **arggv; int i; - char **envlist, **tmp; + char **envlist; int envlen, nitems; char *envstr; enum pam_modutil_redirect_fd redirect_stdin = @@ -315,6 +336,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, enum pam_modutil_redirect_fd redirect_stdout = (use_stdout || logfile) ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_NULL_FD; + pam_overwrite_array(authtok); + /* First, move all the pipes off of stdin, stdout, and stderr, to ensure * that calls to dup2 won't close them. */ @@ -418,7 +441,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, _exit (ENOMEM); for (i = 0; i < (argc - optargc); i++) - arggv[i] = strdup(argv[i+optargc]); + arggv[i] = argv[i+optargc]; arggv[i] = NULL; /* @@ -430,14 +453,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh, /* nothing */ ; nitems = PAM_ARRAY_SIZE(env_items); /* + 2 because of PAM_TYPE and NULL entry */ - tmp = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); - if (tmp == NULL) + envlist = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); + if (envlist == NULL) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "realloc environment failed: %m"); _exit (ENOMEM); } - envlist = tmp; for (i = 0; i < nitems; ++i) { const void *item; @@ -446,7 +467,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, continue; if (asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item) < 0) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m"); _exit (ENOMEM); } @@ -456,7 +476,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (asprintf(&envstr, "PAM_TYPE=%s", pam_type) < 0) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m"); _exit (ENOMEM); } @@ -466,10 +485,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (debug) pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]); - execve (arggv[0], arggv, envlist); + DIAG_PUSH_IGNORE_CAST_QUAL; + execve (arggv[0], (char **) arggv, envlist); + DIAG_POP_IGNORE_CAST_QUAL; i = errno; pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m", arggv[0]); - free(envlist); _exit (i); } return PAM_SYSTEM_ERR; /* will never be reached. */ diff --git a/modules/pam_faildelay/Makefile.am b/modules/pam_faildelay/Makefile.am index 3a49a117..0ca59c52 100644 --- a/modules/pam_faildelay/Makefile.am +++ b/modules/pam_faildelay/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_faildelay TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_faildelay/Makefile.in b/modules/pam_faildelay/Makefile.in index f06712a5..3f526dfb 100644 --- a/modules/pam_faildelay/Makefile.in +++ b/modules/pam_faildelay/Makefile.in @@ -434,6 +434,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -446,11 +447,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -482,12 +485,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -510,6 +515,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -520,12 +526,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -599,7 +609,8 @@ XMLS = README.xml pam_faildelay.8.xml dist_check_SCRIPTS = tst-pam_faildelay TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_faildelay/README.xml b/modules/pam_faildelay/README.xml index 64d4accc..8530a3d0 100644 --- a/modules/pam_faildelay/README.xml +++ b/modules/pam_faildelay/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" -"http://www.docbook.org/xml/4.4/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_faildelay.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faildelay-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faildelay.8.xml" xpointer='xpointer(id("pam_faildelay-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_faildelay/pam_faildelay.8 b/modules/pam_faildelay/pam_faildelay.8 index 5a29b6ea..0e798cd3 100644 --- a/modules/pam_faildelay/pam_faildelay.8 +++ b/modules/pam_faildelay/pam_faildelay.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_faildelay .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_FAILDELAY" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FAILDELAY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -42,12 +42,12 @@ is given, pam_faildelay will use the value of FAIL_DELAY from /etc/login\&.defs\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to syslog\&. .RE .PP -\fBdelay=\fR\fB\fIN\fR\fR +delay=N .RS 4 Set the delay on failure to N microseconds\&. .RE @@ -87,7 +87,7 @@ auth optional pam_faildelay\&.so delay=10000000 \fBpam_fail_delay\fR(3), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_faildelay was written by Darren Tucker <dtucker@zip\&.com\&.au>\&. diff --git a/modules/pam_faildelay/pam_faildelay.8.xml b/modules/pam_faildelay/pam_faildelay.8.xml index 57107203..49ec46f7 100644 --- a/modules/pam_faildelay/pam_faildelay.8.xml +++ b/modules/pam_faildelay/pam_faildelay.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - -<refentry id="pam_faildelay"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_faildelay"> <refmeta> <refentrytitle>pam_faildelay</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_faildelay-name"> + <refnamediv xml:id="pam_faildelay-name"> <refname>pam_faildelay</refname> <refpurpose>Change the delay on failure per-application</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_faildelay-cmdsynopsis"> + <cmdsynopsis xml:id="pam_faildelay-cmdsynopsis" sepchar=" "> <command>pam_faildelay.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> delay=<replaceable>microseconds</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_faildelay-description"> + <refsect1 xml:id="pam_faildelay-description"> <title>DESCRIPTION</title> @@ -41,13 +38,13 @@ </para> </refsect1> - <refsect1 id="pam_faildelay-options"> + <refsect1 xml:id="pam_faildelay-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -57,7 +54,7 @@ </varlistentry> <varlistentry> <term> - <option>delay=<replaceable>N</replaceable></option> + delay=N </term> <listitem> <para> @@ -68,14 +65,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_faildelay-types"> + <refsect1 xml:id="pam_faildelay-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_faildelay-return_values'> + <refsect1 xml:id="pam_faildelay-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -97,7 +94,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_faildelay-examples'> + <refsect1 xml:id="pam_faildelay-examples"> <title>EXAMPLES</title> <para> The following example will set the delay on failure to @@ -108,7 +105,7 @@ auth optional pam_faildelay.so delay=10000000 </para> </refsect1> - <refsect1 id='pam_faildelay-see_also'> + <refsect1 xml:id="pam_faildelay-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -121,16 +118,16 @@ auth optional pam_faildelay.so delay=10000000 <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_faildelay-author'> + <refsect1 xml:id="pam_faildelay-author"> <title>AUTHOR</title> <para> pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/Makefile.am b/modules/pam_faillock/Makefile.am index 44a49660..ec61aeb0 100644 --- a/modules/pam_faillock/Makefile.am +++ b/modules/pam_faillock/Makefile.am @@ -15,12 +15,16 @@ endif XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.5.xml dist_check_SCRIPTS = tst-pam_faillock -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif -noinst_HEADERS = faillock.h +noinst_HEADERS = faillock.h faillock_config.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) @@ -33,6 +37,9 @@ if HAVE_VERSIONING pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif +check_PROGRAMS = tst-pam_faillock-retval +tst_pam_faillock_retval_LDADD = $(top_builddir)/libpam/libpam.la + faillock_LDFLAGS = @EXE_LDFLAGS@ faillock_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) @@ -41,8 +48,8 @@ dist_secureconf_DATA = faillock.conf securelib_LTLIBRARIES = pam_faillock.la sbin_PROGRAMS = faillock -pam_faillock_la_SOURCES = pam_faillock.c faillock.c -faillock_SOURCES = main.c faillock.c +pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c +faillock_SOURCES = main.c faillock.c faillock_config.c if ENABLE_REGENERATE_MAN dist_noinst_DATA = README diff --git a/modules/pam_faillock/Makefile.in b/modules/pam_faillock/Makefile.in index 9070f173..e9b62c30 100644 --- a/modules/pam_faillock/Makefile.in +++ b/modules/pam_faillock/Makefile.in @@ -98,6 +98,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_faillock-retval$(EXEEXT) sbin_PROGRAMS = faillock$(EXEEXT) subdir = modules/pam_faillock ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -160,7 +161,8 @@ LTLIBRARIES = $(securelib_LTLIBRARIES) am__DEPENDENCIES_1 = pam_faillock_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ $(am__DEPENDENCIES_1) -am_pam_faillock_la_OBJECTS = pam_faillock.lo faillock.lo +am_pam_faillock_la_OBJECTS = pam_faillock.lo faillock.lo \ + faillock_config.lo pam_faillock_la_OBJECTS = $(am_pam_faillock_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -171,13 +173,17 @@ pam_faillock_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_CFLAGS) $(CFLAGS) $(pam_faillock_la_LDFLAGS) $(LDFLAGS) \ -o $@ am_faillock_OBJECTS = faillock-main.$(OBJEXT) \ - faillock-faillock.$(OBJEXT) + faillock-faillock.$(OBJEXT) faillock-faillock_config.$(OBJEXT) faillock_OBJECTS = $(am_faillock_OBJECTS) faillock_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ $(am__DEPENDENCIES_1) faillock_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(faillock_CFLAGS) \ $(CFLAGS) $(faillock_LDFLAGS) $(LDFLAGS) -o $@ +tst_pam_faillock_retval_SOURCES = tst-pam_faillock-retval.c +tst_pam_faillock_retval_OBJECTS = tst-pam_faillock-retval.$(OBJEXT) +tst_pam_faillock_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -194,8 +200,10 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles am__depfiles_remade = ./$(DEPDIR)/faillock-faillock.Po \ + ./$(DEPDIR)/faillock-faillock_config.Po \ ./$(DEPDIR)/faillock-main.Po ./$(DEPDIR)/faillock.Plo \ - ./$(DEPDIR)/pam_faillock.Plo + ./$(DEPDIR)/faillock_config.Plo ./$(DEPDIR)/pam_faillock.Plo \ + ./$(DEPDIR)/tst-pam_faillock-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -215,8 +223,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(pam_faillock_la_SOURCES) $(faillock_SOURCES) -DIST_SOURCES = $(pam_faillock_la_SOURCES) $(faillock_SOURCES) +SOURCES = $(pam_faillock_la_SOURCES) $(faillock_SOURCES) \ + tst-pam_faillock-retval.c +DIST_SOURCES = $(pam_faillock_la_SOURCES) $(faillock_SOURCES) \ + tst-pam_faillock-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -455,6 +465,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -467,11 +478,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -503,12 +516,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -531,6 +546,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -541,12 +557,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -618,10 +638,11 @@ EXTRA_DIST = $(XMLS) @HAVE_DOC_TRUE@dist_man_MANS = pam_faillock.8 faillock.8 faillock.conf.5 XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.5.xml dist_check_SCRIPTS = tst-pam_faillock -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) -noinst_HEADERS = faillock.h +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) +noinst_HEADERS = faillock.h faillock_config.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) @@ -629,12 +650,13 @@ faillock_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) pam_faillock_la_LIBADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) +tst_pam_faillock_retval_LDADD = $(top_builddir)/libpam/libpam.la faillock_LDFLAGS = @EXE_LDFLAGS@ faillock_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) dist_secureconf_DATA = faillock.conf securelib_LTLIBRARIES = pam_faillock.la -pam_faillock_la_SOURCES = pam_faillock.c faillock.c -faillock_SOURCES = main.c faillock.c +pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c +faillock_SOURCES = main.c faillock.c faillock_config.c @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am @@ -669,6 +691,15 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ @@ -761,6 +792,10 @@ faillock$(EXEEXT): $(faillock_OBJECTS) $(faillock_DEPENDENCIES) $(EXTRA_faillock @rm -f faillock$(EXEEXT) $(AM_V_CCLD)$(faillock_LINK) $(faillock_OBJECTS) $(faillock_LDADD) $(LIBS) +tst-pam_faillock-retval$(EXEEXT): $(tst_pam_faillock_retval_OBJECTS) $(tst_pam_faillock_retval_DEPENDENCIES) $(EXTRA_tst_pam_faillock_retval_DEPENDENCIES) + @rm -f tst-pam_faillock-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_faillock_retval_OBJECTS) $(tst_pam_faillock_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -768,9 +803,12 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock-faillock.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock-faillock_config.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock-main.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/faillock_config.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_faillock.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_faillock-retval.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -827,6 +865,20 @@ faillock-faillock.obj: faillock.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock.obj `if test -f 'faillock.c'; then $(CYGPATH_W) 'faillock.c'; else $(CYGPATH_W) '$(srcdir)/faillock.c'; fi` +faillock-faillock_config.o: faillock_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-faillock_config.o -MD -MP -MF $(DEPDIR)/faillock-faillock_config.Tpo -c -o faillock-faillock_config.o `test -f 'faillock_config.c' || echo '$(srcdir)/'`faillock_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-faillock_config.Tpo $(DEPDIR)/faillock-faillock_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='faillock_config.c' object='faillock-faillock_config.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock_config.o `test -f 'faillock_config.c' || echo '$(srcdir)/'`faillock_config.c + +faillock-faillock_config.obj: faillock_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -MT faillock-faillock_config.obj -MD -MP -MF $(DEPDIR)/faillock-faillock_config.Tpo -c -o faillock-faillock_config.obj `if test -f 'faillock_config.c'; then $(CYGPATH_W) 'faillock_config.c'; else $(CYGPATH_W) '$(srcdir)/faillock_config.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/faillock-faillock_config.Tpo $(DEPDIR)/faillock-faillock_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='faillock_config.c' object='faillock-faillock_config.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(faillock_CFLAGS) $(CFLAGS) -c -o faillock-faillock_config.obj `if test -f 'faillock_config.c'; then $(CYGPATH_W) 'faillock_config.c'; else $(CYGPATH_W) '$(srcdir)/faillock_config.c'; fi` + mostlyclean-libtool: -rm -f *.lo @@ -1112,7 +1164,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: $(dist_check_SCRIPTS) +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1122,7 +1174,7 @@ check-TESTS: $(dist_check_SCRIPTS) log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all $(dist_check_SCRIPTS) +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1140,6 +1192,13 @@ tst-pam_faillock.log: tst-pam_faillock --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_faillock-retval.log: tst-pam_faillock-retval$(EXEEXT) + @p='tst-pam_faillock-retval$(EXEEXT)'; \ + b='tst-pam_faillock-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1189,7 +1248,8 @@ distdir-am: $(DISTFILES) fi; \ done check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) @@ -1234,14 +1294,17 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/faillock-faillock.Po + -rm -f ./$(DEPDIR)/faillock-faillock_config.Po -rm -f ./$(DEPDIR)/faillock-main.Po -rm -f ./$(DEPDIR)/faillock.Plo + -rm -f ./$(DEPDIR)/faillock_config.Plo -rm -f ./$(DEPDIR)/pam_faillock.Plo + -rm -f ./$(DEPDIR)/tst-pam_faillock-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1289,9 +1352,12 @@ installcheck-am: maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/faillock-faillock.Po + -rm -f ./$(DEPDIR)/faillock-faillock_config.Po -rm -f ./$(DEPDIR)/faillock-main.Po -rm -f ./$(DEPDIR)/faillock.Plo + -rm -f ./$(DEPDIR)/faillock_config.Plo -rm -f ./$(DEPDIR)/pam_faillock.Plo + -rm -f ./$(DEPDIR)/tst-pam_faillock-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1316,9 +1382,9 @@ uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ - check-am clean clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dist_secureconfDATA install-dvi \ diff --git a/modules/pam_faillock/README b/modules/pam_faillock/README index 3b63c6bb..574b37bd 100644 --- a/modules/pam_faillock/README +++ b/modules/pam_faillock/README @@ -48,6 +48,10 @@ conf=/path/to/config-file Use another configuration file instead of the default /etc/security/ faillock.conf. + Use another configuration file instead of the default which is to use the + file /etc/security/faillock.conf or, if that one is not present, the file + %vendordir%/security/faillock.conf. + The options for configuring the module behavior are described in the faillock.conf(5) manual page. The options specified on the module command line override the values from the configuration file. diff --git a/modules/pam_faillock/README.xml b/modules/pam_faillock/README.xml index f0654dbe..a62c917a 100644 --- a/modules/pam_faillock/README.xml +++ b/modules/pam_faillock/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-notes")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_faillock.8.xml" xpointer='xpointer(id("pam_faillock-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_faillock/faillock.8 b/modules/pam_faillock/faillock.8 index 55443532..5d9c5db8 100644 --- a/modules/pam_faillock/faillock.8 +++ b/modules/pam_faillock/faillock.8 @@ -1,13 +1,13 @@ '\" t .\" Title: faillock .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "FAILLOCK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "FAILLOCK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -48,18 +48,27 @@ or clear the tally files of all or individual \fIusernames\fR\&. .SH "OPTIONS" .PP -\fB\-\-dir \fR\fB\fI/path/to/tally\-directory\fR\fR +\-\-conf /path/to/config\-file .RS 4 -The directory where the user files with the failure records are kept\&. The default is -/var/run/faillock\&. +The file where the configuration is located\&. The default is +/etc/security/faillock\&.conf\&. .RE .PP -\fB\-\-user \fR\fB\fIusername\fR\fR +\-\-dir /path/to/tally\-directory +.RS 4 +The directory where the user files with the failure records are kept\&. +.sp +The priority to set this option is to use the value provided from the command line\&. If this isn\*(Aqt provided, then the value from the configuration file is used\&. Finally, if neither of them has been provided, then +/var/run/faillock +is used\&. +.RE +.PP +\-\-user username .RS 4 The user whose failure records should be displayed or cleared\&. .RE .PP -\fB\-\-reset\fR +\-\-reset .RS 4 Instead of displaying the user\*(Aqs failure records, clear them\&. .RE diff --git a/modules/pam_faillock/faillock.8.xml b/modules/pam_faillock/faillock.8.xml index 6c20593c..74440fc8 100644 --- a/modules/pam_faillock/faillock.8.xml +++ b/modules/pam_faillock/faillock.8.xml @@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="faillock"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="faillock"> <refmeta> <refentrytitle>faillock</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_faillock-name"> + <refnamediv xml:id="pam_faillock-name"> <refname>faillock</refname> <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="faillock-cmdsynopsis"> + <cmdsynopsis xml:id="faillock-cmdsynopsis" sepchar=" "> <command>faillock</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> --dir <replaceable>/path/to/tally-directory</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> --user <replaceable>username</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> --reset </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="faillock-description"> + <refsect1 xml:id="faillock-description"> <title>DESCRIPTION</title> @@ -51,24 +48,41 @@ </para> </refsect1> - <refsect1 id="faillock-options"> + <refsect1 xml:id="faillock-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>--dir <replaceable>/path/to/tally-directory</replaceable></option> + --conf /path/to/config-file </term> <listitem> <para> - The directory where the user files with the failure records are kept. The - default is <filename>/var/run/faillock</filename>. + The file where the configuration is located. The default is + <filename>/etc/security/faillock.conf</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + --dir /path/to/tally-directory + </term> + <listitem> + <para> + The directory where the user files with the failure records are kept. + </para> + <para> + The priority to set this option is to use the value provided + from the command line. If this isn't provided, then the value + from the configuration file is used. Finally, if neither of + them has been provided, then + <filename>/var/run/faillock</filename> is used. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>--user <replaceable>username</replaceable></option> + --user username </term> <listitem> <para> @@ -78,7 +92,7 @@ </varlistentry> <varlistentry> <term> - <option>--reset</option> + --reset </term> <listitem> <para> @@ -89,11 +103,11 @@ </variablelist> </refsect1> - <refsect1 id="faillock-files"> + <refsect1 xml:id="faillock-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/faillock/*</filename></term> + <term>/var/run/faillock/*</term> <listitem> <para>the files logging the authentication failures for users</para> </listitem> @@ -101,7 +115,7 @@ </variablelist> </refsect1> - <refsect1 id='faillock-see_also'> + <refsect1 xml:id="faillock-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -113,11 +127,11 @@ </para> </refsect1> - <refsect1 id='faillock-author'> + <refsect1 xml:id="faillock-author"> <title>AUTHOR</title> <para> faillock was written by Tomas Mraz. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/faillock.conf.5 b/modules/pam_faillock/faillock.conf.5 index 7b4ddb55..fd257b08 100644 --- a/modules/pam_faillock/faillock.conf.5 +++ b/modules/pam_faillock/faillock.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: faillock.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "FAILLOCK\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "FAILLOCK\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -47,54 +47,58 @@ character\&. The whitespace at the beginning of line, end of line, and around th sign is ignored\&. .SH "OPTIONS" .PP -\fBdir=\fR\fB\fI/path/to/tally\-directory\fR\fR +dir=/path/to/tally\-directory .RS 4 The directory where the user files with the failure records are kept\&. The default is /var/run/faillock\&. +.sp +Note: These files will disappear after reboot on systems configured with directory +/var/run/faillock +mounted on virtual memory\&. .RE .PP -\fBaudit\fR +audit .RS 4 Will log the user name into the system log if the user is not found\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages to the user\&. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non\-existing users\&. .RE .PP -\fBno_log_info\fR +no_log_info .RS 4 Don\*(Aqt log informative messages via \fBsyslog\fR(3)\&. .RE .PP -\fBlocal_users_only\fR +local_users_only .RS 4 Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc\&.) users\&. The \fBfaillock\fR(8) command will also no longer track user failed authentication attempts\&. Enabling this option will prevent a double\-lockout scenario where a user is locked out locally and in the centralized mechanism\&. .RE .PP -\fBnodelay\fR +nodelay .RS 4 Don\*(Aqt enforce a delay after authentication failures\&. .RE .PP -\fBdeny=\fR\fB\fIn\fR\fR +deny=n .RS 4 Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds \fIn\fR\&. The default is 3\&. .RE .PP -\fBfail_interval=\fR\fB\fIn\fR\fR +fail_interval=n .RS 4 The length of the interval during which the consecutive authentication failures must happen for the user account lock out is \fIn\fR seconds\&. The default is 900 (15 minutes)\&. .RE .PP -\fBunlock_time=\fR\fB\fIn\fR\fR +unlock_time=n .RS 4 The access will be re\-enabled after \fIn\fR @@ -113,12 +117,12 @@ option\&. Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers\&. .RE .PP -\fBeven_deny_root\fR +even_deny_root .RS 4 Root account can become locked as well as regular accounts\&. .RE .PP -\fBroot_unlock_time=\fR\fB\fIn\fR\fR +root_unlock_time=n .RS 4 This option implies \fBeven_deny_root\fR @@ -129,7 +133,7 @@ seconds to root account after the account is locked\&. In case the option is not option\&. .RE .PP -\fBadmin_group=\fR\fB\fIname\fR\fR +admin_group=name .RS 4 If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options \fBeven_deny_root\fR diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml index 04a84107..cc750fbf 100644 --- a/modules/pam_faillock/faillock.conf.5.xml +++ b/modules/pam_faillock/faillock.conf.5.xml @@ -1,25 +1,22 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="faillock.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="faillock.conf"> <refmeta> <refentrytitle>faillock.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="faillock.conf-name"> + <refnamediv xml:id="faillock.conf-name"> <refname>faillock.conf</refname> <refpurpose>pam_faillock configuration file</refpurpose> </refnamediv> - <refsect1 id="faillock.conf-description"> + <refsect1 xml:id="faillock.conf-description"> <title>DESCRIPTION</title> <para> - <emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the + <emphasis remap="B">faillock.conf</emphasis> provides a way to configure the default settings for locking the user after multiple failed authentication attempts. This file is read by the <emphasis>pam_faillock</emphasis> module and is the preferred method over configuring <emphasis>pam_faillock</emphasis> directly. @@ -31,24 +28,28 @@ </para> </refsect1> - <refsect1 id="faillock.conf-options"> + <refsect1 xml:id="faillock.conf-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>dir=<replaceable>/path/to/tally-directory</replaceable></option> + dir=/path/to/tally-directory </term> <listitem> <para> The directory where the user files with the failure records are kept. The default is <filename>/var/run/faillock</filename>. </para> + <para> + Note: These files will disappear after reboot on systems configured with + directory <filename>/var/run/faillock</filename> mounted on virtual memory. + </para> </listitem> </varlistentry> <varlistentry> <term> - <option>audit</option> + audit </term> <listitem> <para> @@ -58,7 +59,7 @@ </varlistentry> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -70,7 +71,7 @@ </varlistentry> <varlistentry> <term> - <option>no_log_info</option> + no_log_info </term> <listitem> <para> @@ -80,7 +81,7 @@ </varlistentry> <varlistentry> <term> - <option>local_users_only</option> + local_users_only </term> <listitem> <para> @@ -96,7 +97,7 @@ </varlistentry> <varlistentry> <term> - <option>nodelay</option> + nodelay </term> <listitem> <para> @@ -106,7 +107,7 @@ </varlistentry> <varlistentry> <term> - <option>deny=<replaceable>n</replaceable></option> + deny=n </term> <listitem> <para> @@ -118,7 +119,7 @@ </varlistentry> <varlistentry> <term> - <option>fail_interval=<replaceable>n</replaceable></option> + fail_interval=n </term> <listitem> <para> @@ -131,7 +132,7 @@ </varlistentry> <varlistentry> <term> - <option>unlock_time=<replaceable>n</replaceable></option> + unlock_time=n </term> <listitem> <para> @@ -159,7 +160,7 @@ </varlistentry> <varlistentry> <term> - <option>even_deny_root</option> + even_deny_root </term> <listitem> <para> @@ -169,7 +170,7 @@ </varlistentry> <varlistentry> <term> - <option>root_unlock_time=<replaceable>n</replaceable></option> + root_unlock_time=n </term> <listitem> <para> @@ -183,7 +184,7 @@ </varlistentry> <varlistentry> <term> - <option>admin_group=<replaceable>name</replaceable></option> + admin_group=name </term> <listitem> <para> @@ -198,7 +199,7 @@ </variablelist> </refsect1> - <refsect1 id='faillock.conf-examples'> + <refsect1 xml:id="faillock.conf-examples"> <title>EXAMPLES</title> <para> /etc/security/faillock.conf file example: @@ -210,11 +211,11 @@ silent </programlisting> </refsect1> - <refsect1 id="faillock.conf-files"> + <refsect1 xml:id="faillock.conf-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/faillock.conf</filename></term> + <term>/etc/security/faillock.conf</term> <listitem> <para>the config file for custom options</para> </listitem> @@ -222,7 +223,7 @@ silent </variablelist> </refsect1> - <refsect1 id='faillock.conf-see_also'> + <refsect1 xml:id="faillock.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -243,11 +244,11 @@ silent </para> </refsect1> - <refsect1 id='faillock.conf-author'> + <refsect1 xml:id="faillock.conf-author"> <title>AUTHOR</title> <para> pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h index b22a9dfb..0ea0ffba 100644 --- a/modules/pam_faillock/faillock.h +++ b/modules/pam_faillock/faillock.h @@ -67,7 +67,6 @@ struct tally_data { }; #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" -#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf" int open_tally(const char *dir, const char *user, uid_t uid, int create); int read_tally(int fd, struct tally_data *tallies); diff --git a/modules/pam_faillock/faillock_config.c b/modules/pam_faillock/faillock_config.c new file mode 100644 index 00000000..0d14aad1 --- /dev/null +++ b/modules/pam_faillock/faillock_config.c @@ -0,0 +1,266 @@ +/* + * Copyright (c) 2022 Tomas Mraz <tm@t8m.info> + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <ctype.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> + +#include <security/pam_modules.h> + +#include "faillock_config.h" +#include "faillock.h" + +#define FAILLOCK_DEFAULT_CONF SCONFIGDIR "/faillock.conf" +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_FAILLOCK_DEFAULT_CONF VENDOR_SCONFIGDIR "/faillock.conf" +#endif + +static void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3)) +config_log(const pam_handle_t *pamh, int priority, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + if (pamh) { + pam_vsyslog(pamh, priority, fmt, args); + } else { + char *buf = NULL; + + if (vasprintf(&buf, fmt, args) < 0) { + fprintf(stderr, "vasprintf: %m"); + va_end(args); + return; + } + fprintf(stderr, "%s\n", buf); + free(buf); + } + va_end(args); +} + +/* parse a single configuration file */ +int +read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile) +{ + char linebuf[FAILLOCK_CONF_MAX_LINELEN+1]; + const char *fname = (cfgfile != NULL) ? cfgfile : FAILLOCK_DEFAULT_CONF; + FILE *f = fopen(fname, "r"); + +#ifdef VENDOR_FAILLOCK_DEFAULT_CONF + if (f == NULL && errno == ENOENT && cfgfile == NULL) { + /* + * If the default configuration file in /etc does not exist, + * try the vendor configuration file as fallback. + */ + f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r"); + } +#endif /* VENDOR_FAILLOCK_DEFAULT_CONF */ + + if (f == NULL) { + /* ignore non-existent default config file */ + if (errno == ENOENT && cfgfile == NULL) + return PAM_SUCCESS; + return PAM_SERVICE_ERR; + } + + while (fgets(linebuf, sizeof(linebuf), f) != NULL) { + size_t len; + char *ptr; + char *name; + int eq; + + len = strlen(linebuf); + /* len cannot be 0 unless there is a bug in fgets */ + if (len && linebuf[len - 1] != '\n' && !feof(f)) { + (void) fclose(f); + return PAM_SERVICE_ERR; + } + + if ((ptr=strchr(linebuf, '#')) != NULL) { + *ptr = '\0'; + } else { + ptr = linebuf + len; + } + + /* drop terminating whitespace including the \n */ + while (ptr > linebuf) { + if (!isspace(*(ptr-1))) { + *ptr = '\0'; + break; + } + --ptr; + } + + /* skip initial whitespace */ + for (ptr = linebuf; isspace(*ptr); ptr++); + if (*ptr == '\0') + continue; + + /* grab the key name */ + eq = 0; + name = ptr; + while (*ptr != '\0') { + if (isspace(*ptr) || *ptr == '=') { + eq = *ptr == '='; + *ptr = '\0'; + ++ptr; + break; + } + ++ptr; + } + + /* grab the key value */ + while (*ptr != '\0') { + if (*ptr != '=' || eq) { + if (!isspace(*ptr)) { + break; + } + } else { + eq = 1; + } + ++ptr; + } + + /* set the key:value pair on opts */ + set_conf_opt(pamh, opts, name, ptr); + } + + (void)fclose(f); + return PAM_SUCCESS; +} + +void +set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, + const char *value) +{ + if (strcmp(name, "dir") == 0) { + if (value[0] != '/') { + config_log(pamh, LOG_ERR, + "Tally directory is not absolute path (%s); keeping value", + value); + } else { + free(opts->dir); + opts->dir = strdup(value); + if (opts->dir == NULL) { + opts->fatal_error = 1; + config_log(pamh, LOG_CRIT, "Error allocating memory: %m"); + } + } + } + else if (strcmp(name, "deny") == 0) { + if (sscanf(value, "%hu", &opts->deny) != 1) { + config_log(pamh, LOG_ERR, + "Bad number supplied for deny argument"); + } + } + else if (strcmp(name, "fail_interval") == 0) { + unsigned int temp; + if (sscanf(value, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + config_log(pamh, LOG_ERR, + "Bad number supplied for fail_interval argument"); + } else { + opts->fail_interval = temp; + } + } + else if (strcmp(name, "unlock_time") == 0) { + unsigned int temp; + + if (strcmp(value, "never") == 0) { + opts->unlock_time = 0; + } + else if (sscanf(value, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + config_log(pamh, LOG_ERR, + "Bad number supplied for unlock_time argument"); + } + else { + opts->unlock_time = temp; + } + } + else if (strcmp(name, "root_unlock_time") == 0) { + unsigned int temp; + + if (strcmp(value, "never") == 0) { + opts->root_unlock_time = 0; + } + else if (sscanf(value, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + config_log(pamh, LOG_ERR, + "Bad number supplied for root_unlock_time argument"); + } else { + opts->root_unlock_time = temp; + } + } + else if (strcmp(name, "admin_group") == 0) { + free(opts->admin_group); + opts->admin_group = strdup(value); + if (opts->admin_group == NULL) { + opts->fatal_error = 1; + config_log(pamh, LOG_CRIT, "Error allocating memory: %m"); + } + } + else if (strcmp(name, "even_deny_root") == 0) { + opts->flags |= FAILLOCK_FLAG_DENY_ROOT; + } + else if (strcmp(name, "audit") == 0) { + opts->flags |= FAILLOCK_FLAG_AUDIT; + } + else if (strcmp(name, "silent") == 0) { + opts->flags |= FAILLOCK_FLAG_SILENT; + } + else if (strcmp(name, "no_log_info") == 0) { + opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; + } + else if (strcmp(name, "local_users_only") == 0) { + opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY; + } + else if (strcmp(name, "nodelay") == 0) { + opts->flags |= FAILLOCK_FLAG_NO_DELAY; + } + else { + config_log(pamh, LOG_ERR, "Unknown option: %s", name); + } +} + +const char *get_tally_dir(const struct options *opts) +{ + return (opts->dir != NULL) ? opts->dir : FAILLOCK_DEFAULT_TALLYDIR; +} diff --git a/modules/pam_faillock/faillock_config.h b/modules/pam_faillock/faillock_config.h new file mode 100644 index 00000000..04bc699b --- /dev/null +++ b/modules/pam_faillock/faillock_config.h @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2022 Tomas Mraz <tm@t8m.info> + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * faillock_config.h - load configuration options from file + * + */ + +#ifndef _FAILLOCK_CONFIG_H +#define _FAILLOCK_CONFIG_H + +#include <limits.h> +#include <stdint.h> +#include <sys/types.h> + +#include <security/pam_ext.h> + +#define FAILLOCK_FLAG_DENY_ROOT 0x1 +#define FAILLOCK_FLAG_AUDIT 0x2 +#define FAILLOCK_FLAG_SILENT 0x4 +#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 +#define FAILLOCK_FLAG_UNLOCKED 0x10 +#define FAILLOCK_FLAG_LOCAL_ONLY 0x20 +#define FAILLOCK_FLAG_NO_DELAY 0x40 + +#define FAILLOCK_CONF_MAX_LINELEN 1023 +#define MAX_TIME_INTERVAL 604800 /* 7 days */ + +struct options { + unsigned int action; + unsigned int flags; + unsigned short deny; + unsigned int fail_interval; + unsigned int unlock_time; + unsigned int root_unlock_time; + char *dir; + const char *user; + char *admin_group; + int failures; + uint64_t latest_time; + uid_t uid; + int is_admin; + uint64_t now; + int fatal_error; + + unsigned int reset; + const char *progname; + int legacy_output; /* show failure info in pam_tally2 style */ +}; + +int read_config_file(pam_handle_t *pamh, struct options *opts, + const char *cfgfile); +void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, + const char *value); +const char *get_tally_dir(const struct options *opts); + +#endif /* _FAILLOCK_CONFIG_H */ diff --git a/modules/pam_faillock/main.c b/modules/pam_faillock/main.c index f62e1bb2..136be834 100644 --- a/modules/pam_faillock/main.c +++ b/modules/pam_faillock/main.c @@ -51,32 +51,40 @@ #define AUDIT_NO_ID ((unsigned int) -1) #endif +#include "pam_inline.h" #include "faillock.h" - -struct options { - unsigned int reset; - const char *dir; - const char *user; - const char *progname; -}; +#include "faillock_config.h" static int args_parse(int argc, char **argv, struct options *opts) { int i; + int rv; + const char *dir = NULL; + const char *conf = NULL; + memset(opts, 0, sizeof(*opts)); - opts->dir = FAILLOCK_DEFAULT_TALLYDIR; opts->progname = argv[0]; for (i = 1; i < argc; ++i) { - if (strcmp(argv[i], "--dir") == 0) { + if (strcmp(argv[i], "--conf") == 0) { + ++i; + if (i >= argc || strlen(argv[i]) == 0) { + fprintf(stderr, "%s: No configuration file supplied.\n", + argv[0]); + return -1; + } + conf = argv[i]; + } + else if (strcmp(argv[i], "--dir") == 0) { ++i; if (i >= argc || strlen(argv[i]) == 0) { - fprintf(stderr, "%s: No directory supplied.\n", argv[0]); + fprintf(stderr, "%s: No records directory supplied.\n", + argv[0]); return -1; } - opts->dir = argv[i]; + dir = argv[i]; } else if (strcmp(argv[i], "--user") == 0) { ++i; @@ -89,19 +97,113 @@ args_parse(int argc, char **argv, struct options *opts) else if (strcmp(argv[i], "--reset") == 0) { opts->reset = 1; } + else if (!strcmp(argv[i], "--legacy-output")) { + opts->legacy_output = 1; + } else { fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); return -1; } } + + if ((rv = read_config_file(NULL, opts, conf)) != PAM_SUCCESS) { + fprintf(stderr, "Configuration file missing or broken"); + return rv; + } + + if (dir != NULL) { + free(opts->dir); + opts->dir = strdup(dir); + if (opts->dir == NULL) { + fprintf(stderr, "Error allocating memory: %m"); + return -1; + } + } + return 0; } static void usage(const char *progname) { - fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), - progname); + fprintf(stderr, + _("Usage: %s [--dir /path/to/tally-directory]" + " [--user username] [--reset] [--legacy-output]\n"), progname); + +} + +static int +get_local_time(time_t when, char *timebuf, size_t timebuf_size) +{ + struct tm *tm; + + tm = localtime(&when); + if (tm == NULL) { + return -1; + } + strftime(timebuf, timebuf_size, "%Y-%m-%d %H:%M:%S", tm); + return 0; +} + +static void +print_in_new_format(struct options *opts, const struct tally_data *tallies, const char *user) +{ + uint32_t i; + + printf("%s:\n", user); + printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); + + for (i = 0; i < tallies->count; i++) { + uint16_t status; + char timebuf[80]; + + if (get_local_time(tallies->records[i].time, timebuf, sizeof(timebuf)) != 0) { + fprintf(stderr, "%s: Invalid timestamp in the tally record\n", + opts->progname); + continue; + } + + status = tallies->records[i].status; + + printf("%-19s %-5s %-52.52s %s\n", timebuf, + status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), + tallies->records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); + } +} + +static void +print_in_legacy_format(struct options *opts, const struct tally_data *tallies, const char *user) +{ + uint32_t tally_count; + static uint32_t pr_once; + + if (pr_once == 0) { + printf(_("Login Failures Latest failure From\n")); + pr_once = 1; + } + + printf("%-15.15s ", user); + + tally_count = tallies->count; + + if (tally_count > 0) { + uint32_t i; + char timebuf[80]; + + i = tally_count - 1; + + if (get_local_time(tallies->records[i].time, timebuf, sizeof(timebuf)) != 0) { + fprintf(stderr, "%s: Invalid timestamp in the tally record\n", + opts->progname); + return; + } + + printf("%5u %25s %s\n", + tally_count, timebuf, tallies->records[i].source); + } + else { + printf("%5u\n", tally_count); + } } static int @@ -111,10 +213,15 @@ do_user(struct options *opts, const char *user) int rv; struct tally_data tallies; struct passwd *pwd; + const char *dir = get_tally_dir(opts); pwd = getpwnam(user); + if (pwd == NULL) { + fprintf(stderr, "%s: Error no such user: %s\n", opts->progname, user); + return 1; + } - fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); + fd = open_tally(dir, user, pwd->pw_uid, 1); if (fd == -1) { if (errno == ENOENT) { @@ -153,8 +260,6 @@ do_user(struct options *opts, const char *user) } } else { - unsigned int i; - memset(&tallies, 0, sizeof(tallies)); if (read_tally(fd, &tallies) == -1) { fprintf(stderr, "%s: Error reading the tally file for %s:", @@ -164,21 +269,13 @@ do_user(struct options *opts, const char *user) return 5; } - printf("%s:\n", user); - printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); - - for (i = 0; i < tallies.count; i++) { - struct tm *tm; - char timebuf[80]; - uint16_t status = tallies.records[i].status; - time_t when = tallies.records[i].time; - - tm = localtime(&when); - strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); - printf("%-19s %-5s %-52.52s %s\n", timebuf, - status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), - tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); + if (opts->legacy_output == 0) { + print_in_new_format(opts, &tallies, user); } + else { + print_in_legacy_format(opts, &tallies, user); + } + free(tallies.records); } close(fd); @@ -190,8 +287,9 @@ do_allusers(struct options *opts) { struct dirent **userlist; int rv, i; + const char *dir = get_tally_dir(opts); - rv = scandir(opts->dir, &userlist, NULL, alphasort); + rv = scandir(dir, &userlist, NULL, alphasort); if (rv < 0) { fprintf(stderr, "%s: Error reading tally directory: %m\n", opts->progname); return 2; diff --git a/modules/pam_faillock/pam_faillock.8 b/modules/pam_faillock/pam_faillock.8 index cec02ea2..b4854ff5 100644 --- a/modules/pam_faillock/pam_faillock.8 +++ b/modules/pam_faillock/pam_faillock.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_faillock .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: [FIXME: source] .\" Language: English .\" -.TH "PAM_FAILLOCK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FAILLOCK" "8" "05/07/2023" "[FIXME: source]" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -49,7 +49,7 @@ cause the root account to become blocked, to prevent denial\-of\-service: if you or at the machine console (not telnet/rsh, etc), this is safe\&. .SH "OPTIONS" .PP -\fB{preauth|authfail|authsucc}\fR +{preauth|authfail|authsucc} .RS 4 This argument must be set accordingly to the position of this module instance in the PAM stack\&. .sp @@ -74,7 +74,7 @@ as an account module\&. In such configuration the module must be also called in stage\&. .RE .PP -\fBconf=/path/to/config\-file\fR +conf=/path/to/config\-file .RS 4 Use another configuration file instead of the default /etc/security/faillock\&.conf\&. @@ -244,6 +244,13 @@ session required pam_selinux\&.so open /var/run/faillock/* .RS 4 the files logging the authentication failures for users +.sp +Note: These files will disappear after reboot on systems configured with directory +/var/run/faillock +mounted on virtual memory\&. For persistent storage use the option +\fIdir=\fR +in file +/etc/security/faillock\&.conf\&. .RE .PP /etc/security/faillock\&.conf diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml index 58c16442..ce0ae050 100644 --- a/modules/pam_faillock/pam_faillock.8.xml +++ b/modules/pam_faillock/pam_faillock.8.xml @@ -1,8 +1,4 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_faillock"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_faillock"> <refmeta> <refentrytitle>pam_faillock</refentrytitle> @@ -10,63 +6,63 @@ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_faillock-name"> + <refnamediv xml:id="pam_faillock-name"> <refname>pam_faillock</refname> <refpurpose>Module counting authentication failures during a specified interval</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_faillock-cmdsynopsisauth"> + <cmdsynopsis xml:id="pam_faillock-cmdsynopsisauth" sepchar=" "> <command>auth ... pam_faillock.so</command> - <arg choice="req"> + <arg choice="req" rep="norepeat"> preauth|authfail|authsucc </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conf=<replaceable>/path/to/config-file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dir=<replaceable>/path/to/tally-directory</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> even_deny_root </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> deny=<replaceable>n</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> fail_interval=<replaceable>n</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unlock_time=<replaceable>n</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> root_unlock_time=<replaceable>n</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> admin_group=<replaceable>name</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> audit </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> no_log_info </arg> </cmdsynopsis> - <cmdsynopsis id="pam_faillock-cmdsynopsisacct"> + <cmdsynopsis xml:id="pam_faillock-cmdsynopsisacct" sepchar=" "> <command>account ... pam_faillock.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dir=<replaceable>/path/to/tally-directory</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> no_log_info </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_faillock-description"> + <refsect1 xml:id="pam_faillock-description"> <title>DESCRIPTION</title> @@ -78,20 +74,20 @@ </para> <para> Normally, failed attempts to authenticate <emphasis>root</emphasis> will - <emphasis remap='B'>not</emphasis> cause the root account to become + <emphasis remap="B">not</emphasis> cause the root account to become blocked, to prevent denial-of-service: if your users aren't given shell accounts and root may only login via <command>su</command> or at the machine console (not telnet/rsh, etc), this is safe. </para> </refsect1> - <refsect1 id="pam_faillock-options"> + <refsect1 xml:id="pam_faillock-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>{preauth|authfail|authsucc}</option> + {preauth|authfail|authsucc} </term> <listitem> <para> @@ -131,13 +127,20 @@ </varlistentry> <varlistentry> <term> - <option>conf=/path/to/config-file</option> + conf=/path/to/config-file </term> <listitem> - <para> + <para condition="without_vendordir"> Use another configuration file instead of the default <filename>/etc/security/faillock.conf</filename>. </para> + <para condition="with_vendordir"> + Use another configuration file instead of the default + which is to use the file + <filename>/etc/security/faillock.conf</filename> or, + if that one is not present, the file + <filename>%vendordir%/security/faillock.conf</filename>. + </para> </listitem> </varlistentry> </variablelist> @@ -149,7 +152,7 @@ </para> </refsect1> - <refsect1 id="pam_faillock-types"> + <refsect1 xml:id="pam_faillock-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module types are @@ -157,7 +160,7 @@ </para> </refsect1> - <refsect1 id='pam_faillock-return_values'> + <refsect1 xml:id="pam_faillock-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -215,7 +218,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_faillock-notes'> + <refsect1 xml:id="pam_faillock-notes"> <title>NOTES</title> <para> Configuring options on the module command line is not recommend. The @@ -227,7 +230,7 @@ </para> <para> Individual files with the failure records are created as owned by - the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module + the user. This allows <emphasis remap="B">pam_faillock.so</emphasis> module to work correctly when it is called from a screensaver. </para> <para> @@ -242,7 +245,7 @@ </para> </refsect1> - <refsect1 id='pam_faillock-examples'> + <refsect1 xml:id="pam_faillock-examples"> <title>EXAMPLES</title> <para> Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>. @@ -313,25 +316,40 @@ session required pam_selinux.so open </programlisting> </refsect1> - <refsect1 id="pam_faillock-files"> + <refsect1 xml:id="pam_faillock-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/faillock/*</filename></term> + <term>/var/run/faillock/*</term> <listitem> <para>the files logging the authentication failures for users</para> + <para> + Note: These files will disappear after reboot on systems configured with + directory <filename>/var/run/faillock</filename> mounted on virtual memory. + For persistent storage use the option <emphasis>dir=</emphasis> in + file <filename>/etc/security/faillock.conf</filename>. + </para> </listitem> </varlistentry> <varlistentry> - <term><filename>/etc/security/faillock.conf</filename></term> + <term>/etc/security/faillock.conf</term> <listitem> <para>the config file for pam_faillock options</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/faillock.conf</term> + <listitem> + <para> + the config file for pam_faillock options. It will be used if + <filename>/etc/security/faillock.conf</filename> does not exist. + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_faillock-see_also'> + <refsect1 xml:id="pam_faillock-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -352,11 +370,11 @@ session required pam_selinux.so open </para> </refsect1> - <refsect1 id='pam_faillock-author'> + <refsect1 xml:id="pam_faillock-author"> <title>AUTHOR</title> <para> pam_faillock was written by Tomas Mraz. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c index 8328fbae..ca1c7035 100644 --- a/modules/pam_faillock/pam_faillock.c +++ b/modules/pam_faillock/pam_faillock.c @@ -38,7 +38,6 @@ #include <stdio.h> #include <string.h> #include <unistd.h> -#include <stdint.h> #include <stdlib.h> #include <errno.h> #include <time.h> @@ -56,55 +55,12 @@ #include "pam_inline.h" #include "faillock.h" +#include "faillock_config.h" #define FAILLOCK_ACTION_PREAUTH 0 #define FAILLOCK_ACTION_AUTHSUCC 1 #define FAILLOCK_ACTION_AUTHFAIL 2 -#define FAILLOCK_FLAG_DENY_ROOT 0x1 -#define FAILLOCK_FLAG_AUDIT 0x2 -#define FAILLOCK_FLAG_SILENT 0x4 -#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 -#define FAILLOCK_FLAG_UNLOCKED 0x10 -#define FAILLOCK_FLAG_LOCAL_ONLY 0x20 -#define FAILLOCK_FLAG_NO_DELAY 0x40 - -#define MAX_TIME_INTERVAL 604800 /* 7 days */ -#define FAILLOCK_CONF_MAX_LINELEN 1023 - -static const char default_faillock_conf[] = FAILLOCK_DEFAULT_CONF; - -struct options { - unsigned int action; - unsigned int flags; - unsigned short deny; - unsigned int fail_interval; - unsigned int unlock_time; - unsigned int root_unlock_time; - char *dir; - const char *user; - char *admin_group; - int failures; - uint64_t latest_time; - uid_t uid; - int is_admin; - uint64_t now; - int fatal_error; -}; - -static int read_config_file( - pam_handle_t *pamh, - struct options *opts, - const char *cfgfile -); - -static void set_conf_opt( - pam_handle_t *pamh, - struct options *opts, - const char *name, - const char *value -); - static int args_parse(pam_handle_t *pamh, int argc, const char **argv, int flags, struct options *opts) @@ -112,11 +68,10 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv, int i; int config_arg_index = -1; int rv; - const char *conf = default_faillock_conf; + const char *conf = NULL; memset(opts, 0, sizeof(*opts)); - opts->dir = strdup(FAILLOCK_DEFAULT_TALLYDIR); opts->deny = 3; opts->fail_interval = 900; opts->unlock_time = 600; @@ -174,185 +129,11 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv, if (flags & PAM_SILENT) opts->flags |= FAILLOCK_FLAG_SILENT; - if (opts->dir == NULL) { - pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m"); - opts->fatal_error = 1; - } - if (opts->fatal_error) return PAM_BUF_ERR; return PAM_SUCCESS; } -/* parse a single configuration file */ -static int -read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile) -{ - FILE *f; - char linebuf[FAILLOCK_CONF_MAX_LINELEN+1]; - - f = fopen(cfgfile, "r"); - if (f == NULL) { - /* ignore non-existent default config file */ - if (errno == ENOENT && cfgfile == default_faillock_conf) - return PAM_SUCCESS; - return PAM_SERVICE_ERR; - } - - while (fgets(linebuf, sizeof(linebuf), f) != NULL) { - size_t len; - char *ptr; - char *name; - int eq; - - len = strlen(linebuf); - /* len cannot be 0 unless there is a bug in fgets */ - if (len && linebuf[len - 1] != '\n' && !feof(f)) { - (void) fclose(f); - return PAM_SERVICE_ERR; - } - - if ((ptr=strchr(linebuf, '#')) != NULL) { - *ptr = '\0'; - } else { - ptr = linebuf + len; - } - - /* drop terminating whitespace including the \n */ - while (ptr > linebuf) { - if (!isspace(*(ptr-1))) { - *ptr = '\0'; - break; - } - --ptr; - } - - /* skip initial whitespace */ - for (ptr = linebuf; isspace(*ptr); ptr++); - if (*ptr == '\0') - continue; - - /* grab the key name */ - eq = 0; - name = ptr; - while (*ptr != '\0') { - if (isspace(*ptr) || *ptr == '=') { - eq = *ptr == '='; - *ptr = '\0'; - ++ptr; - break; - } - ++ptr; - } - - /* grab the key value */ - while (*ptr != '\0') { - if (*ptr != '=' || eq) { - if (!isspace(*ptr)) { - break; - } - } else { - eq = 1; - } - ++ptr; - } - - /* set the key:value pair on opts */ - set_conf_opt(pamh, opts, name, ptr); - } - - (void)fclose(f); - return PAM_SUCCESS; -} - -static void -set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value) -{ - if (strcmp(name, "dir") == 0) { - if (value[0] != '/') { - pam_syslog(pamh, LOG_ERR, - "Tally directory is not absolute path (%s); keeping default", value); - } else { - free(opts->dir); - opts->dir = strdup(value); - } - } - else if (strcmp(name, "deny") == 0) { - if (sscanf(value, "%hu", &opts->deny) != 1) { - pam_syslog(pamh, LOG_ERR, - "Bad number supplied for deny argument"); - } - } - else if (strcmp(name, "fail_interval") == 0) { - unsigned int temp; - if (sscanf(value, "%u", &temp) != 1 || - temp > MAX_TIME_INTERVAL) { - pam_syslog(pamh, LOG_ERR, - "Bad number supplied for fail_interval argument"); - } else { - opts->fail_interval = temp; - } - } - else if (strcmp(name, "unlock_time") == 0) { - unsigned int temp; - - if (strcmp(value, "never") == 0) { - opts->unlock_time = 0; - } - else if (sscanf(value, "%u", &temp) != 1 || - temp > MAX_TIME_INTERVAL) { - pam_syslog(pamh, LOG_ERR, - "Bad number supplied for unlock_time argument"); - } - else { - opts->unlock_time = temp; - } - } - else if (strcmp(name, "root_unlock_time") == 0) { - unsigned int temp; - - if (strcmp(value, "never") == 0) { - opts->root_unlock_time = 0; - } - else if (sscanf(value, "%u", &temp) != 1 || - temp > MAX_TIME_INTERVAL) { - pam_syslog(pamh, LOG_ERR, - "Bad number supplied for root_unlock_time argument"); - } else { - opts->root_unlock_time = temp; - } - } - else if (strcmp(name, "admin_group") == 0) { - free(opts->admin_group); - opts->admin_group = strdup(value); - if (opts->admin_group == NULL) { - opts->fatal_error = 1; - pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m"); - } - } - else if (strcmp(name, "even_deny_root") == 0) { - opts->flags |= FAILLOCK_FLAG_DENY_ROOT; - } - else if (strcmp(name, "audit") == 0) { - opts->flags |= FAILLOCK_FLAG_AUDIT; - } - else if (strcmp(name, "silent") == 0) { - opts->flags |= FAILLOCK_FLAG_SILENT; - } - else if (strcmp(name, "no_log_info") == 0) { - opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; - } - else if (strcmp(name, "local_users_only") == 0) { - opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY; - } - else if (strcmp(name, "nodelay") == 0) { - opts->flags |= FAILLOCK_FLAG_NO_DELAY; - } - else { - pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name); - } -} - static int check_local_user (pam_handle_t *pamh, const char *user) { @@ -406,10 +187,11 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies unsigned int i; uint64_t latest_time; int failures; + const char *dir = get_tally_dir(opts); opts->now = time(NULL); - tfd = open_tally(opts->dir, opts->user, opts->uid, 0); + tfd = open_tally(dir, opts->user, opts->uid, 0); *fd = tfd; @@ -483,9 +265,10 @@ static void reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) { int rv; + const char *dir = get_tally_dir(opts); if (*fd == -1) { - *fd = open_tally(opts->dir, opts->user, opts->uid, 1); + *fd = open_tally(dir, opts->user, opts->uid, 1); } else { while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); @@ -504,9 +287,10 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies unsigned int oldest; uint64_t oldtime; const void *source = NULL; + const char *dir = get_tally_dir(opts); if (*fd == -1) { - *fd = open_tally(opts->dir, opts->user, opts->uid, 1); + *fd = open_tally(dir, opts->user, opts->uid, 1); } if (*fd == -1) { if (errno == EACCES) { @@ -590,9 +374,11 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies } close(audit_fd); #endif - if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { - pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", - opts->user); + if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) && + ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) { + pam_syslog(pamh, LOG_INFO, + "Consecutive login failures for user %s account temporarily locked", + opts->user); } } diff --git a/modules/pam_faillock/tst-pam_faillock-retval.c b/modules/pam_faillock/tst-pam_faillock-retval.c new file mode 100644 index 00000000..133026cb --- /dev/null +++ b/modules/pam_faillock/tst-pam_faillock-retval.c @@ -0,0 +1,119 @@ +/* + * Check pam_faillock return values. + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_faillock" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char config_filename[] = TEST_NAME ".conf"; +static const char user_name[] = "root"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + ASSERT_NE(NULL, fp = fopen(config_filename, "w")); + ASSERT_LT(0, fprintf(fp, + "deny = 2\n" + "unlock_time = 5\n" + "root_unlock_time = 5\n")); + ASSERT_EQ(0, fclose(fp)); + + /* root has access */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "auth required %s/.libs/%s.so authsucc even_deny_root dir=%s conf=%s\n" + "account required %s/.libs/%s.so dir=%s\n" + "password required %s/.libs/%s.so dir=%s\n" + "session required %s/.libs/%s.so dir=%s\n", + cwd, + cwd, MODULE_NAME, cwd, config_filename, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd, + cwd, MODULE_NAME, cwd)); + + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + ASSERT_EQ(0, unlink(service_file)); + pamh = NULL; + + /* root tries to login 2 times without success*/ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth requisite %s/.libs/%s.so dir=%s preauth even_deny_root conf=%s\n" + "auth [success=1 default=bad] %s/../pam_debug/.libs/pam_debug.so auth=perm_denied cred=success\n" + "auth [default=die] %s/.libs/%s.so dir=%s authfail even_deny_root conf=%s\n" + "auth sufficient %s/.libs/%s.so dir=%s authsucc even_deny_root conf=%s\n", + cwd, MODULE_NAME, cwd, config_filename, + cwd, + cwd, MODULE_NAME, cwd, config_filename, + cwd, MODULE_NAME, cwd, config_filename)); + + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + pamh = NULL; + ASSERT_EQ(0, unlink(service_file)); + + /* root is locked for 5 sec*/ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth requisite %s/.libs/%s.so dir=%s preauth even_deny_root conf=%s\n" + "auth [success=1 default=bad] %s/../pam_debug/.libs/pam_debug.so auth=success cred=success\n" + "auth [default=die] %s/.libs/%s.so dir=%s authfail even_deny_root conf=%s\n" + "auth sufficient %s/.libs/%s.so dir=%s authsucc even_deny_root conf=%s\n", + cwd, MODULE_NAME, cwd, config_filename, + cwd, + cwd, MODULE_NAME, cwd, config_filename, + cwd, MODULE_NAME, cwd, config_filename)); + + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0)); + + /* waiting at least 5 sec --> login is working again*/ + sleep(6); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + ASSERT_EQ(0, unlink(service_file)); + pamh = NULL; + + ASSERT_EQ(0,unlink(user_name)); + ASSERT_EQ(0,unlink(config_filename)); + + return 0; +} diff --git a/modules/pam_filter/Makefile.am b/modules/pam_filter/Makefile.am index 4d75e843..d43177c8 100644 --- a/modules/pam_filter/Makefile.am +++ b/modules/pam_filter/Makefile.am @@ -17,7 +17,11 @@ dist_check_SCRIPTS = tst-pam_filter TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_filter/Makefile.in b/modules/pam_filter/Makefile.in index 76b17653..33a3de48 100644 --- a/modules/pam_filter/Makefile.in +++ b/modules/pam_filter/Makefile.in @@ -473,6 +473,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -485,11 +486,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -521,12 +524,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -549,6 +554,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -559,12 +565,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -639,7 +649,8 @@ XMLS = README.xml pam_filter.8.xml dist_check_SCRIPTS = tst-pam_filter TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_filter/README.xml b/modules/pam_filter/README.xml index b76cb743..ab053174 100644 --- a/modules/pam_filter/README.xml +++ b/modules/pam_filter/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_filter.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_filter-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_filter.8.xml" xpointer='xpointer(id("pam_filter-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_filter/pam_filter.8 b/modules/pam_filter/pam_filter.8 index d804faf9..c9b2ee7d 100644 --- a/modules/pam_filter/pam_filter.8 +++ b/modules/pam_filter/pam_filter.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_filter .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_FILTER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FILTER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -48,12 +48,12 @@ that of the user\&. For this reason it cannot usually be killed by the user with .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBnew_term\fR +new_term .RS 4 The default action of the filter is to set the \fIPAM_TTY\fR @@ -62,14 +62,14 @@ item to indicate the terminal that the user is using to connect to the applicati to the filtered pseudo\-terminal\&. .RE .PP -\fBnon_term\fR +non_term .RS 4 don\*(Aqt try to set the \fIPAM_TTY\fR item\&. .RE .PP -\fBrunX\fR +runX .RS 4 In order that the module can invoke a filter it should know when to invoke it\&. This argument is required to tell the filter when to do this\&. .sp @@ -122,7 +122,7 @@ is used to indicate that the filter is run on the second occasion (the phase)\&. .RE .PP -\fBfilter\fR +filter .RS 4 The full pathname of the filter to be run and any command line arguments that the filter might expect\&. .RE @@ -166,7 +166,7 @@ to see how to configure login to transpose upper and lower case letters once the .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_filter was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_filter/pam_filter.8.xml b/modules/pam_filter/pam_filter.8.xml index 7309c352..0b85e82c 100644 --- a/modules/pam_filter/pam_filter.8.xml +++ b/modules/pam_filter/pam_filter.8.xml @@ -1,45 +1,42 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_filter"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_filter"> <refmeta> <refentrytitle>pam_filter</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_filter-name"> + <refnamediv xml:id="pam_filter-name"> <refname>pam_filter</refname> <refpurpose>PAM filter module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_filter-cmdsynopsis"> + <cmdsynopsis xml:id="pam_filter-cmdsynopsis" sepchar=" "> <command>pam_filter.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> new_term </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> non_term </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> run1|run2 </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> <replaceable>filter</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>...</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_filter-description"> + <refsect1 xml:id="pam_filter-description"> <title>DESCRIPTION</title> @@ -66,7 +63,7 @@ </para> </refsect1> - <refsect1 id="pam_filter-options"> + <refsect1 xml:id="pam_filter-options"> <title>OPTIONS</title> <para> @@ -74,7 +71,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -85,7 +82,7 @@ <varlistentry> <term> - <option>new_term</option> + new_term </term> <listitem> <para> @@ -101,7 +98,7 @@ <varlistentry> <term> - <option>non_term</option> + non_term </term> <listitem> <para> @@ -112,7 +109,7 @@ <varlistentry> <term> - <option>runX</option> + runX </term> <listitem> <para> @@ -174,7 +171,7 @@ <varlistentry> <term> - <option>filter</option> + filter </term> <listitem> <para> @@ -188,7 +185,7 @@ </para> </refsect1> - <refsect1 id="pam_filter-types"> + <refsect1 xml:id="pam_filter-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -196,7 +193,7 @@ </para> </refsect1> - <refsect1 id='pam_filter-return_values'> + <refsect1 xml:id="pam_filter-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -223,7 +220,7 @@ </para> </refsect1> - <refsect1 id='pam_filter-examples'> + <refsect1 xml:id="pam_filter-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -236,7 +233,7 @@ </para> </refsect1> - <refsect1 id='pam_filter-see_also'> + <refsect1 xml:id="pam_filter-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -246,16 +243,16 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_filter-author'> + <refsect1 xml:id="pam_filter-author"> <title>AUTHOR</title> <para> pam_filter was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_filter/upperLOWER/Makefile.in b/modules/pam_filter/upperLOWER/Makefile.in index 3046fe82..c25f53e2 100644 --- a/modules/pam_filter/upperLOWER/Makefile.in +++ b/modules/pam_filter/upperLOWER/Makefile.in @@ -216,6 +216,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -228,11 +229,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -264,12 +267,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -292,6 +297,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -302,12 +308,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ diff --git a/modules/pam_ftp/Makefile.am b/modules/pam_ftp/Makefile.am index abfa98a8..18bb52c4 100644 --- a/modules/pam_ftp/Makefile.am +++ b/modules/pam_ftp/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_ftp TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_ftp/Makefile.in b/modules/pam_ftp/Makefile.in index 7788d6e3..442fb494 100644 --- a/modules/pam_ftp/Makefile.in +++ b/modules/pam_ftp/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_ftp.8.xml dist_check_SCRIPTS = tst-pam_ftp TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_ftp/README.xml b/modules/pam_ftp/README.xml index 65de28e3..f4606bee 100644 --- a/modules/pam_ftp/README.xml +++ b/modules/pam_ftp/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_ftp.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_ftp-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_ftp.8.xml" xpointer='xpointer(id("pam_ftp-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_ftp/pam_ftp.8 b/modules/pam_ftp/pam_ftp.8 index 28e1af89..c705ea1b 100644 --- a/modules/pam_ftp/pam_ftp.8 +++ b/modules/pam_ftp/pam_ftp.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_ftp .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_FTP" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FTP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -54,17 +54,17 @@ This module is not safe and easily spoofable\&. .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBignore\fR +ignore .RS 4 Pay no attention to the email address of the user (if supplied)\&. .RE .PP -\fBftp=\fR\fB\fIXXX,YYY,\&.\&.\&.\fR\fR +ftp=XXX,YYY,\&.\&.\&. .RS 4 Instead of \fIftp\fR @@ -119,7 +119,7 @@ auth required pam_listfile\&.so \e .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_ftp was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_ftp/pam_ftp.8.xml b/modules/pam_ftp/pam_ftp.8.xml index 6f11f570..90079d30 100644 --- a/modules/pam_ftp/pam_ftp.8.xml +++ b/modules/pam_ftp/pam_ftp.8.xml @@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_ftp"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_ftp"> <refmeta> <refentrytitle>pam_ftp</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_ftp-name"> + <refnamediv xml:id="pam_ftp-name"> <refname>pam_ftp</refname> <refpurpose>PAM module for anonymous access module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_ftp-cmdsynopsis"> + <cmdsynopsis xml:id="pam_ftp-cmdsynopsis" sepchar=" "> <command>pam_ftp.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore </arg> - <arg choice="opt" rep='repeat'> + <arg choice="opt" rep="repeat"> users=<replaceable>XXX,YYY,</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_ftp-description"> + <refsect1 xml:id="pam_ftp-description"> <title>DESCRIPTION</title> @@ -54,7 +51,7 @@ </para> </refsect1> - <refsect1 id="pam_ftp-options"> + <refsect1 xml:id="pam_ftp-options"> <title>OPTIONS</title> <para> @@ -62,7 +59,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -73,7 +70,7 @@ <varlistentry> <term> - <option>ignore</option> + ignore </term> <listitem> <para> @@ -85,7 +82,7 @@ <varlistentry> <term> - <option>ftp=<replaceable>XXX,YYY,...</replaceable></option> + ftp=XXX,YYY,... </term> <listitem> <para> @@ -105,14 +102,14 @@ </para> </refsect1> - <refsect1 id="pam_ftp-types"> + <refsect1 xml:id="pam_ftp-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_ftp-return_values'> + <refsect1 xml:id="pam_ftp-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -139,7 +136,7 @@ </para> </refsect1> - <refsect1 id='pam_ftp-examples'> + <refsect1 xml:id="pam_ftp-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/ftpd</filename> to @@ -158,7 +155,7 @@ auth required pam_listfile.so \ </para> </refsect1> - <refsect1 id='pam_ftp-see_also'> + <refsect1 xml:id="pam_ftp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -168,16 +165,16 @@ auth required pam_listfile.so \ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_ftp-author'> + <refsect1 xml:id="pam_ftp-author"> <title>AUTHOR</title> <para> pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 441f2bba..41fb9f48 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -157,7 +157,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, GUEST_LOGIN_PROMPT); if (retval != PAM_SUCCESS) { - _pam_overwrite (resp); + pam_overwrite_string (resp); _pam_drop (resp); return ((retval == PAM_CONV_AGAIN) ? PAM_INCOMPLETE:PAM_AUTHINFO_UNAVAIL); @@ -196,7 +196,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } /* clean up */ - _pam_overwrite(resp); + pam_overwrite_string(resp); _pam_drop(resp); /* success or failure */ diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am index a9a0a1ef..af8df4eb 100644 --- a/modules/pam_group/Makefile.am +++ b/modules/pam_group/Makefile.am @@ -15,10 +15,14 @@ dist_check_SCRIPTS = tst-pam_group TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_group/Makefile.in b/modules/pam_group/Makefile.in index 6d916f1a..66e4ed95 100644 --- a/modules/pam_group/Makefile.in +++ b/modules/pam_group/Makefile.in @@ -431,6 +431,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +444,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -479,12 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -517,12 +523,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -596,9 +606,10 @@ XMLS = README.xml group.conf.5.xml pam_group.8.xml dist_check_SCRIPTS = tst-pam_group TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_GROUP_CONF=\"$(SCONFIGDIR)/group.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_group.la diff --git a/modules/pam_group/README b/modules/pam_group/README index 9d6d0970..5e2d01e0 100644 --- a/modules/pam_group/README +++ b/modules/pam_group/README @@ -12,6 +12,9 @@ applying for. By default rules for group memberships are taken from config file /etc/security /group.conf. +If /etc/security/group.conf does not exist, %vendordir%/security/group.conf is +used. + This module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the diff --git a/modules/pam_group/README.xml b/modules/pam_group/README.xml index 387d6987..8ccd55d0 100644 --- a/modules/pam_group/README.xml +++ b/modules/pam_group/README.xml @@ -1,34 +1,19 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamgroup SYSTEM "pam_group.8.xml"> ---> -<!-- -<!ENTITY groupconf SYSTEM "group.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_group.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_group-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_group.8.xml" xpointer='xpointer(id("pam_group-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_group.8.xml" xpointer='xpointer(id("pam_group-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="group.conf.5.xml" xpointer='xpointer(id("group.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5 index bbbe307a..96bb061c 100644 --- a/modules/pam_group/group.conf.5 +++ b/modules/pam_group/group.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: group.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "GROUP\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "GROUP\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -115,7 +115,7 @@ xsh; tty* ;%admin;Al0000\-2400;plugdev .PP \fBpam_group\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_group/group.conf.5.xml b/modules/pam_group/group.conf.5.xml index 2b7fb345..8d5b2d4f 100644 --- a/modules/pam_group/group.conf.5.xml +++ b/modules/pam_group/group.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="group.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="group.conf"> <refmeta> <refentrytitle>group.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_group module</refpurpose> </refnamediv> - <refsect1 id='group.conf-description'> + <refsect1 xml:id="group.conf-description"> <title>DESCRIPTION</title> <para> @@ -98,7 +95,7 @@ </para> </refsect1> - <refsect1 id="group.conf-examples"> + <refsect1 xml:id="group.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -129,19 +126,19 @@ xsh; tty* ;%admin;Al0000-2400;plugdev </refsect1> - <refsect1 id="group.conf-see_also"> + <refsect1 xml:id="group.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="group.conf-author"> + <refsect1 xml:id="group.conf-author"> <title>AUTHOR</title> <para> pam_group was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8 index 77c73419..1553f207 100644 --- a/modules/pam_group/pam_group.8 +++ b/modules/pam_group/pam_group.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_group .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_GROUP" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_GROUP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -103,7 +103,7 @@ Default configuration file .PP \fBgroup.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP pam_group was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml index 2c1c9058..292ee1cb 100644 --- a/modules/pam_group/pam_group.8.xml +++ b/modules/pam_group/pam_group.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_group'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_group"> <refmeta> <refentrytitle>pam_group</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_group-name'> + <refnamediv xml:id="pam_group-name"> <refname>pam_group</refname> <refpurpose> PAM module for group access @@ -20,13 +17,13 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_group-cmdsynopsis"> + <cmdsynopsis xml:id="pam_group-cmdsynopsis" sepchar=" "> <command>pam_group.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_group-description"> + <refsect1 xml:id="pam_group-description"> <title>DESCRIPTION</title> <para> The pam_group PAM module does not authenticate the user, but instead @@ -38,6 +35,10 @@ By default rules for group memberships are taken from config file <filename>/etc/security/group.conf</filename>. </para> + <para condition="with_vendordir"> + If <filename>/etc/security/group.conf</filename> does not exist, + <filename>%vendordir%/security/group.conf</filename> is used. + </para> <para> This module's usefulness relies on the file-systems accessible to the user. The point being that once granted the @@ -60,19 +61,19 @@ </para> </refsect1> - <refsect1 id="pam_group-options"> + <refsect1 xml:id="pam_group-options"> <title>OPTIONS</title> <para>This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_group-types"> + <refsect1 xml:id="pam_group-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id="pam_group-return_values"> + <refsect1 xml:id="pam_group-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -126,11 +127,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_group-files"> + <refsect1 xml:id="pam_group-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/group.conf</filename></term> + <term>/etc/security/group.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -138,7 +139,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_group-see_also"> + <refsect1 xml:id="pam_group-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -148,15 +149,15 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_group-authors"> + <refsect1 xml:id="pam_group-authors"> <title>AUTHORS</title> <para> pam_group was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index d9a35ea6..7d11f590 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -16,6 +16,7 @@ #include <time.h> #include <syslog.h> #include <string.h> +#include <errno.h> #include <grp.h> #include <sys/types.h> @@ -23,6 +24,10 @@ #include <fcntl.h> #include <netdb.h> +#define PAM_GROUP_CONF SCONFIGDIR "/group.conf" +#ifdef VENDOR_SCONFIGDIR +# define VENDOR_PAM_GROUP_CONF VENDOR_SCONFIGDIR "/group.conf" +#endif #define PAM_GROUP_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ @@ -39,6 +44,7 @@ typedef enum { AND, OR } operator; #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* --- static functions for checking whether the user should be let in --- */ @@ -48,7 +54,7 @@ shift_buf(char *mem, int from) char *start = mem; while ((*mem = mem[from]) != '\0') ++mem; - memset(mem, '\0', PAM_GROUP_BUFLEN - (mem - start)); + pam_overwrite_n(mem, PAM_GROUP_BUFLEN - (mem - start)); return mem; } @@ -70,7 +76,8 @@ trim_spaces(char *buf, char *from) #define STATE_EOF 3 /* end of file or error */ static int -read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) +read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, + const char *conf_filename) { char *to; char *src; @@ -89,9 +96,9 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) } *from = 0; *state = STATE_NL; - fd = open(PAM_GROUP_CONF, O_RDONLY); + fd = open(conf_filename, O_RDONLY); if (fd < 0) { - pam_syslog(pamh, LOG_ERR, "error opening %s: %m", PAM_GROUP_CONF); + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", conf_filename); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -106,9 +113,9 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) while (fd != -1 && to - *buf < PAM_GROUP_BUFLEN) { i = pam_modutil_read(fd, to, PAM_GROUP_BUFLEN - (to - *buf)); if (i < 0) { - pam_syslog(pamh, LOG_ERR, "error reading %s: %m", PAM_GROUP_CONF); + pam_syslog(pamh, LOG_ERR, "error reading %s: %m", conf_filename); close(fd); - memset(*buf, 0, PAM_GROUP_BUFLEN); + pam_overwrite_n(*buf, PAM_GROUP_BUFLEN); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -127,7 +134,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) return -1; } - memset(to, '\0', PAM_GROUP_BUFLEN - (to - *buf)); + pam_overwrite_n(to, PAM_GROUP_BUFLEN - (to - *buf)); to = *buf; onspace = 1; /* delete any leading spaces */ @@ -573,6 +580,18 @@ static int check_account(pam_handle_t *pamh, const char *service, int retval=PAM_SUCCESS; gid_t *grps; int no_grps; + const char *conf_filename = PAM_GROUP_CONF; + +#ifdef VENDOR_PAM_GROUP_CONF + /* + * Check whether PAM_GROUP_CONF file is available. + * If it does not exist, fall back to VENDOR_PAM_GROUP_CONF file. + */ + struct stat stat_buffer; + if (stat(conf_filename, &stat_buffer) != 0 && errno == ENOENT) { + conf_filename = VENDOR_PAM_GROUP_CONF; + } +#endif /* * first we get the current list of groups - the application @@ -611,7 +630,7 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the service name field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (!buffer || !buffer[0]) { /* empty line .. ? */ continue; @@ -621,7 +640,7 @@ static int check_account(pam_handle_t *pamh, const char *service, if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } @@ -630,10 +649,10 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the terminal name field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } good &= logic_field(pamh,tty, buffer, count, is_same); @@ -641,10 +660,10 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the username field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } /* If buffer starts with @, we are using netgroups */ @@ -663,20 +682,20 @@ static int check_account(pam_handle_t *pamh, const char *service, /* here we get the time field */ - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state != STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: malformed rule #%d", PAM_GROUP_CONF, count); + "%s: malformed rule #%d", conf_filename, count); continue; } good &= logic_field(pamh,&here_and_now, buffer, count, check_time); D(("with time: %s", good ? "passes":"fails" )); - fd = read_field(pamh, fd, &buffer, &from, &state); + fd = read_field(pamh, fd, &buffer, &from, &state, conf_filename); if (state == STATE_FIELD) { pam_syslog(pamh, LOG_ERR, - "%s: poorly terminated rule #%d", PAM_GROUP_CONF, count); + "%s: poorly terminated rule #%d", conf_filename, count); continue; } @@ -726,7 +745,7 @@ static int check_account(pam_handle_t *pamh, const char *service, } if (grps) { /* tidy up */ - memset(grps, 0, sizeof(gid_t) * blk_size(no_grps)); + pam_overwrite_n(grps, sizeof(gid_t) * blk_size(no_grps)); _pam_drop(grps); no_grps = 0; } @@ -754,9 +773,12 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, unsigned setting; /* only interested in establishing credentials */ + /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. + Some people just pass PAM_SILENT, so cope with it, too. */ setting = flags; - if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { + if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) + && (setting != 0) && (setting != PAM_SILENT)) { D(("ignoring call - not for establishing credentials")); return PAM_SUCCESS; /* don't fail because of this */ } diff --git a/modules/pam_issue/Makefile.am b/modules/pam_issue/Makefile.am index 1b26c31e..1ab2b2ce 100644 --- a/modules/pam_issue/Makefile.am +++ b/modules/pam_issue/Makefile.am @@ -15,17 +15,21 @@ dist_check_SCRIPTS = tst-pam_issue TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(LOGIND_CFLAGS) $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_issue.la -pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) if ENABLE_REGENERATE_MAN dist_noinst_DATA = README diff --git a/modules/pam_issue/Makefile.in b/modules/pam_issue/Makefile.in index 91627c5c..02a3cc16 100644 --- a/modules/pam_issue/Makefile.in +++ b/modules/pam_issue/Makefile.in @@ -148,7 +148,9 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_issue_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_issue_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_issue_la_SOURCES = pam_issue.c pam_issue_la_OBJECTS = pam_issue.lo AM_V_lt = $(am__v_lt_@AM_V@) @@ -428,6 +430,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +443,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +481,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +511,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +522,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,13 +605,14 @@ XMLS = README.xml pam_issue.8.xml dist_check_SCRIPTS = tst-pam_issue TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(LOGIND_CFLAGS) $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_issue.la -pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am diff --git a/modules/pam_issue/README.xml b/modules/pam_issue/README.xml index b5b61c3a..36742c77 100644 --- a/modules/pam_issue/README.xml +++ b/modules/pam_issue/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_issue.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_issue-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_issue.8.xml" xpointer='xpointer(id("pam_issue-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_issue/pam_issue.8 b/modules/pam_issue/pam_issue.8 index 810406ed..745cc421 100644 --- a/modules/pam_issue/pam_issue.8 +++ b/modules/pam_issue/pam_issue.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_issue .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ISSUE" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ISSUE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -38,69 +38,69 @@ pam_issue is a PAM module to prepend an issue file to the username prompt\&. It .PP Recognized escapes: .PP -\fB\ed\fR +\ed .RS 4 current day .RE .PP -\fB\el\fR +\el .RS 4 name of this tty .RE .PP -\fB\em\fR +\em .RS 4 machine architecture (uname \-m) .RE .PP -\fB\en\fR +\en .RS 4 machine\*(Aqs network node hostname (uname \-n) .RE .PP -\fB\eo\fR +\eo .RS 4 domain name of this system .RE .PP -\fB\er\fR +\er .RS 4 release number of operating system (uname \-r) .RE .PP -\fB\et\fR +\et .RS 4 current time .RE .PP -\fB\es\fR +\es .RS 4 operating system name (uname \-s) .RE .PP -\fB\eu\fR +\eu .RS 4 number of users currently logged in .RE .PP -\fB\eU\fR +\eU .RS 4 same as \eu except it is suffixed with "user" or "users" (eg\&. "1 user" or "10 users") .RE .PP -\fB\ev\fR +\ev .RS 4 operating system version and build date (uname \-v) .RE .SH "OPTIONS" .PP .PP -\fBnoesc\fR +noesc .RS 4 Turns off escape code parsing\&. .RE .PP -\fBissue=\fR\fB\fIissue\-file\-name\fR\fR +issue=issue\-file\-name .RS 4 The file to output if not using the default\&. .RE @@ -152,7 +152,7 @@ to set the user specific issue at login: .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_issue was written by Ben Collins <bcollins@debian\&.org>\&. diff --git a/modules/pam_issue/pam_issue.8.xml b/modules/pam_issue/pam_issue.8.xml index fb9b7377..02b31f6f 100644 --- a/modules/pam_issue/pam_issue.8.xml +++ b/modules/pam_issue/pam_issue.8.xml @@ -1,110 +1,107 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_issue"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_issue"> <refmeta> <refentrytitle>pam_issue</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_issue-name"> + <refnamediv xml:id="pam_issue-name"> <refname>pam_issue</refname> <refpurpose>PAM module to add issue file to user prompt</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_issue-cmdsynopsis"> + <cmdsynopsis xml:id="pam_issue-cmdsynopsis" sepchar=" "> <command>pam_issue.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noesc </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> issue=<replaceable>issue-file-name</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_issue-description"> + <refsect1 xml:id="pam_issue-description"> <title>DESCRIPTION</title> <para> pam_issue is a PAM module to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file - similar to some common getty's (using \x format). + similar to some common getty's (using \x format). </para> <para> Recognized escapes: </para> <variablelist> <varlistentry> - <term><emphasis remap='B'>\d</emphasis></term> + <term>\d</term> <listitem> <para>current day</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\l</emphasis></term> + <term>\l</term> <listitem> <para>name of this tty</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\m</emphasis></term> + <term>\m</term> <listitem> <para>machine architecture (uname -m)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\n</emphasis></term> + <term>\n</term> <listitem> <para>machine's network node hostname (uname -n)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\o</emphasis></term> + <term>\o</term> <listitem> <para>domain name of this system</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\r</emphasis></term> + <term>\r</term> <listitem> <para>release number of operating system (uname -r)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\t</emphasis></term> + <term>\t</term> <listitem> <para>current time</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\s</emphasis></term> + <term>\s</term> <listitem> <para>operating system name (uname -s)</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\u</emphasis></term> + <term>\u</term> <listitem> <para>number of users currently logged in</para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\U</emphasis></term> + <term>\U</term> <listitem> <para> - same as \u except it is suffixed with "user" or + same as \u except it is suffixed with "user" or "users" (eg. "1 user" or "10 users") </para> </listitem> </varlistentry> <varlistentry> - <term><emphasis remap='B'>\v</emphasis></term> + <term>\v</term> <listitem> <para>operating system version and build date (uname -v)</para> </listitem> @@ -113,7 +110,7 @@ </refsect1> - <refsect1 id="pam_issue-options"> + <refsect1 xml:id="pam_issue-options"> <title>OPTIONS</title> <para> @@ -121,7 +118,7 @@ <varlistentry> <term> - <option>noesc</option> + noesc </term> <listitem> <para> @@ -132,7 +129,7 @@ <varlistentry> <term> - <option>issue=<replaceable>issue-file-name</replaceable></option> + issue=issue-file-name </term> <listitem> <para> @@ -146,14 +143,14 @@ </para> </refsect1> - <refsect1 id="pam_issue-types"> + <refsect1 xml:id="pam_issue-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_issue-return_values'> + <refsect1 xml:id="pam_issue-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -198,7 +195,7 @@ </para> </refsect1> - <refsect1 id='pam_issue-examples'> + <refsect1 xml:id="pam_issue-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -209,7 +206,7 @@ </para> </refsect1> - <refsect1 id='pam_issue-see_also'> + <refsect1 xml:id="pam_issue-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -219,16 +216,16 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_issue-author'> + <refsect1 xml:id="pam_issue-author"> <title>AUTHOR</title> <para> pam_issue was written by Ben Collins <bcollins@debian.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c index 5b6a4669..c08f90c3 100644 --- a/modules/pam_issue/pam_issue.c +++ b/modules/pam_issue/pam_issue.c @@ -25,10 +25,15 @@ #include <fcntl.h> #include <unistd.h> #include <sys/utsname.h> -#include <utmp.h> #include <time.h> #include <syslog.h> +#ifdef USE_LOGIND +#include <systemd/sd-login.h> +#else +#include <utmp.h> +#endif + #include <security/_pam_macros.h> #include <security/pam_modules.h> #include <security/pam_ext.h> @@ -36,98 +41,6 @@ static int _user_prompt_set = 0; -static int read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt); -static int read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt); - -/* --- authentication management functions (only) --- */ - -int -pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int retval = PAM_SERVICE_ERR; - FILE *fp; - const char *issue_file = NULL; - int parse_esc = 1; - const void *item = NULL; - const char *cur_prompt; - char *issue_prompt = NULL; - - /* If we've already set the prompt, don't set it again */ - if(_user_prompt_set) - return PAM_IGNORE; - - /* We set this here so if we fail below, we won't get further - than this next time around (only one real failure) */ - _user_prompt_set = 1; - - for ( ; argc-- > 0 ; ++argv ) { - const char *str; - - if ((str = pam_str_skip_prefix(*argv, "issue=")) != NULL) { - issue_file = str; - D(("set issue_file to: %s", issue_file)); - } else if (!strcmp(*argv,"noesc")) { - parse_esc = 0; - D(("turning off escape parsing by request")); - } else - D(("unknown option passed: %s", *argv)); - } - - if (issue_file == NULL) - issue_file = "/etc/issue"; - - if ((fp = fopen(issue_file, "r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "error opening %s: %m", issue_file); - return PAM_SERVICE_ERR; - } - - if ((retval = pam_get_item(pamh, PAM_USER_PROMPT, &item)) != PAM_SUCCESS) { - fclose(fp); - return retval; - } - - cur_prompt = item; - if (cur_prompt == NULL) - cur_prompt = ""; - - if (parse_esc) - retval = read_issue_quoted(pamh, fp, &issue_prompt); - else - retval = read_issue_raw(pamh, fp, &issue_prompt); - - fclose(fp); - - if (retval != PAM_SUCCESS) - goto out; - - { - size_t size = strlen(issue_prompt) + strlen(cur_prompt) + 1; - char *new_prompt = realloc(issue_prompt, size); - - if (new_prompt == NULL) { - pam_syslog(pamh, LOG_CRIT, "out of memory"); - retval = PAM_BUF_ERR; - goto out; - } - issue_prompt = new_prompt; - } - - strcat(issue_prompt, cur_prompt); - retval = pam_set_item(pamh, PAM_USER_PROMPT, - (const void *) issue_prompt); - out: - _pam_drop(issue_prompt); - return (retval == PAM_SUCCESS) ? PAM_IGNORE : retval; -} - -int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - return PAM_IGNORE; -} - static int read_issue_raw(pam_handle_t *pamh, FILE *fp, char **prompt) { @@ -251,6 +164,18 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) case 'U': { unsigned int users = 0; +#ifdef USE_LOGIND + int sessions = sd_get_sessions(NULL); + + if (sessions < 0) { + pam_syslog(pamh, LOG_ERR, "logind error: %s", + strerror(-sessions)); + _pam_drop(issue); + return PAM_SERVICE_ERR; + } else { + users = sessions; + } +#else struct utmp *ut; setutent(); while ((ut = getutent())) { @@ -258,6 +183,7 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) ++users; } endutent(); +#endif if (c == 'U') snprintf (buf, sizeof buf, "%u %s", users, (users == 1) ? "user" : "users"); @@ -303,4 +229,91 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt) return PAM_SUCCESS; } -/* end of module definition */ +/* --- authentication management functions (only) --- */ + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int retval = PAM_SERVICE_ERR; + FILE *fp; + const char *issue_file = NULL; + int parse_esc = 1; + const void *item = NULL; + const char *cur_prompt; + char *issue_prompt = NULL; + + /* If we've already set the prompt, don't set it again */ + if(_user_prompt_set) + return PAM_IGNORE; + + /* We set this here so if we fail below, we won't get further + than this next time around (only one real failure) */ + _user_prompt_set = 1; + + for ( ; argc-- > 0 ; ++argv ) { + const char *str; + + if ((str = pam_str_skip_prefix(*argv, "issue=")) != NULL) { + issue_file = str; + D(("set issue_file to: %s", issue_file)); + } else if (!strcmp(*argv,"noesc")) { + parse_esc = 0; + D(("turning off escape parsing by request")); + } else + D(("unknown option passed: %s", *argv)); + } + + if (issue_file == NULL) + issue_file = "/etc/issue"; + + if ((fp = fopen(issue_file, "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", issue_file); + return PAM_SERVICE_ERR; + } + + if ((retval = pam_get_item(pamh, PAM_USER_PROMPT, &item)) != PAM_SUCCESS) { + fclose(fp); + return retval; + } + + cur_prompt = item; + if (cur_prompt == NULL) + cur_prompt = ""; + + if (parse_esc) + retval = read_issue_quoted(pamh, fp, &issue_prompt); + else + retval = read_issue_raw(pamh, fp, &issue_prompt); + + fclose(fp); + + if (retval != PAM_SUCCESS) + goto out; + + { + size_t size = strlen(issue_prompt) + strlen(cur_prompt) + 1; + char *new_prompt = realloc(issue_prompt, size); + + if (new_prompt == NULL) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + retval = PAM_BUF_ERR; + goto out; + } + issue_prompt = new_prompt; + } + + strcat(issue_prompt, cur_prompt); + retval = pam_set_item(pamh, PAM_USER_PROMPT, + (const void *) issue_prompt); + out: + _pam_drop(issue_prompt); + return (retval == PAM_SUCCESS) ? PAM_IGNORE : retval; +} + +int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am index e1953312..e1806a41 100644 --- a/modules/pam_keyinit/Makefile.am +++ b/modules/pam_keyinit/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_keyinit TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_keyinit/Makefile.in b/modules/pam_keyinit/Makefile.in index 600c19cb..7da83525 100644 --- a/modules/pam_keyinit/Makefile.in +++ b/modules/pam_keyinit/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_keyinit.8.xml dist_check_SCRIPTS = tst-pam_keyinit TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml index 47659e89..33059c7e 100644 --- a/modules/pam_keyinit/README.xml +++ b/modules/pam_keyinit/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_keyinit.8.xml" xpointer='xpointer(id("pam_keyinit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8 index 01bfa529..50e4fe66 100644 --- a/modules/pam_keyinit/pam_keyinit.8 +++ b/modules/pam_keyinit/pam_keyinit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_keyinit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_KEYINIT" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_KEYINIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -61,18 +61,18 @@ The keyutils package is used to manipulate keys more directly\&. This can be obt \m[blue]\fBKeyutils\fR\m[]\&\s-2\u[1]\d\s+2 .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Log debug information with \fBsyslog\fR(3)\&. .RE .PP -\fBforce\fR +force .RS 4 Causes the session keyring of the invoking process to be replaced unconditionally\&. .RE .PP -\fBrevoke\fR +revoke .RS 4 Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. .RE @@ -137,7 +137,7 @@ This will prevent keys from one session leaking into another session for the sam .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBkeyctl\fR(1) .SH "AUTHOR" .PP diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml index ff1e7d00..0bab0866 100644 --- a/modules/pam_keyinit/pam_keyinit.8.xml +++ b/modules/pam_keyinit/pam_keyinit.8.xml @@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_keyinit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_keyinit"> <refmeta> <refentrytitle>pam_keyinit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_keyinit-name"> + <refnamediv xml:id="pam_keyinit-name"> <refname>pam_keyinit</refname> <refpurpose>Kernel session keyring initialiser module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_keyinit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_keyinit-cmdsynopsis" sepchar=" "> <command>pam_keyinit.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> force </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> revoke </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_keyinit-description"> + <refsect1 xml:id="pam_keyinit-description"> <title>DESCRIPTION</title> <para> The pam_keyinit PAM module ensures that the invoking process has a @@ -71,7 +68,7 @@ </para> <para> This module should not, generally, be invoked by programs like - <emphasis remap='B'>su</emphasis>, since it is usually desirable for the + <emphasis remap="B">su</emphasis>, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this. </para> @@ -80,18 +77,18 @@ can be obtained from: </para> <para> - <ulink url="http://people.redhat.com/~dhowells/keyutils/"> + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://people.redhat.com/~dhowells/keyutils/"> Keyutils - </ulink> + </link> </para> </refsect1> - <refsect1 id="pam_keyinit-options"> + <refsect1 xml:id="pam_keyinit-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -104,7 +101,7 @@ <varlistentry> <term> - <option>force</option> + force </term> <listitem> <para> @@ -116,7 +113,7 @@ <varlistentry> <term> - <option>revoke</option> + revoke </term> <listitem> <para> @@ -130,14 +127,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_keyinit-types"> + <refsect1 xml:id="pam_keyinit-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_keyinit-return_values'> + <refsect1 xml:id="pam_keyinit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -207,7 +204,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_keyinit-examples'> + <refsect1 xml:id="pam_keyinit-examples"> <title>EXAMPLES</title> <para> Add this line to your login entries to start each login session with its @@ -222,7 +219,7 @@ session required pam_keyinit.so </para> </refsect1> - <refsect1 id='pam_keyinit-see_also'> + <refsect1 xml:id="pam_keyinit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -232,7 +229,7 @@ session required pam_keyinit.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum> @@ -240,11 +237,11 @@ session required pam_keyinit.so </para> </refsect1> - <refsect1 id='pam_keyinit-author'> + <refsect1 xml:id="pam_keyinit-author"> <title>AUTHOR</title> <para> pam_keyinit was written by David Howells, <dhowells@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index 92e4953b..df9804b9 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -21,6 +21,7 @@ #include <security/pam_modutil.h> #include <security/pam_ext.h> #include <sys/syscall.h> +#include <stdatomic.h> #define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */ #define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */ @@ -31,12 +32,12 @@ #define KEYCTL_REVOKE 3 /* revoke a key */ #define KEYCTL_LINK 8 /* link a key into a keyring */ -static int my_session_keyring = 0; -static int session_counter = 0; -static int do_revoke = 0; -static uid_t revoke_as_uid; -static gid_t revoke_as_gid; -static int xdebug = 0; +static _Thread_local int my_session_keyring = 0; +static _Atomic int session_counter = 0; +static _Thread_local int do_revoke = 0; +static _Thread_local uid_t revoke_as_uid; +static _Thread_local gid_t revoke_as_gid; +static _Thread_local int xdebug = 0; static void debug(pam_handle_t *pamh, const char *fmt, ...) __attribute__((format(printf, 2, 3))); @@ -64,6 +65,33 @@ static void error(pam_handle_t *pamh, const char *fmt, ...) va_end(va); } +static int pam_setreuid(uid_t ruid, uid_t euid) +{ +#if defined(SYS_setreuid32) + return syscall(SYS_setreuid32, ruid, euid); +#else + return syscall(SYS_setreuid, ruid, euid); +#endif +} + +static int pam_setregid(gid_t rgid, gid_t egid) +{ +#if defined(SYS_setregid32) + return syscall(SYS_setregid32, rgid, egid); +#else + return syscall(SYS_setregid, rgid, egid); +#endif +} + +static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid) +{ +#if defined(SYS_setresuid32) + return syscall(SYS_setresuid32, ruid, euid, suid); +#else + return syscall(SYS_setresuid, ruid, euid, suid); +#endif +} + /* * initialise the session keyring for this process */ @@ -140,14 +168,14 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret) /* switch to the real UID and GID so that we have permission to * revoke the key */ - if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) { + if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0) { error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid); return error_ret; } - if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0) { + if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0) { error(pamh, "Unable to change UID to %d temporarily\n", revoke_as_uid); - if (getegid() != old_gid && setregid(-1, old_gid) < 0) + if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0) error(pamh, "Unable to change GID back to %d\n", old_gid); return error_ret; } @@ -157,12 +185,12 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret) } /* return to the original UID and GID (probably root) */ - if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) { + if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0) { error(pamh, "Unable to change UID back to %d\n", old_uid); ret = error_ret; } - if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) { + if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0) { error(pamh, "Unable to change GID back to %d\n", old_gid); ret = error_ret; } @@ -215,14 +243,14 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error /* switch to the real UID and GID so that the keyring ends up owned by * the right user */ - if (gid != old_gid && setregid(gid, -1) < 0) { + if (gid != old_gid && pam_setregid(gid, -1) < 0) { error(pamh, "Unable to change GID to %d temporarily\n", gid); return error_ret; } - if (uid != old_uid && setreuid(uid, -1) < 0) { + if (uid != old_uid && pam_setreuid(uid, -1) < 0) { error(pamh, "Unable to change UID to %d temporarily\n", uid); - if (setregid(old_gid, -1) < 0) + if (pam_setregid(old_gid, -1) < 0) error(pamh, "Unable to change GID back to %d\n", old_gid); return error_ret; } @@ -230,12 +258,12 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error ret = init_keyrings(pamh, force, error_ret); /* return to the original UID and GID (probably root) */ - if (uid != old_uid && setreuid(old_uid, -1) < 0) { + if (uid != old_uid && pam_setreuid(old_uid, -1) < 0) { error(pamh, "Unable to change UID back to %d\n", old_uid); ret = error_ret; } - if (gid != old_gid && setregid(old_gid, -1) < 0) { + if (gid != old_gid && pam_setregid(old_gid, -1) < 0) { error(pamh, "Unable to change GID back to %d\n", old_gid); ret = error_ret; } diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index dc0c7c4c..e48038d8 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_lastlog TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_lastlog/Makefile.in b/modules/pam_lastlog/Makefile.in index 16baea83..0811a233 100644 --- a/modules/pam_lastlog/Makefile.in +++ b/modules/pam_lastlog/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_lastlog.8.xml dist_check_SCRIPTS = tst-pam_lastlog TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_lastlog/README.xml b/modules/pam_lastlog/README.xml index 7fe70339..6b312435 100644 --- a/modules/pam_lastlog/README.xml +++ b/modules/pam_lastlog/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_lastlog.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_lastlog-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_lastlog.8.xml" xpointer='xpointer(id("pam_lastlog-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8 index 325456e8..3c161fff 100644 --- a/modules/pam_lastlog/pam_lastlog.8 +++ b/modules/pam_lastlog/pam_lastlog.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_lastlog .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LASTLOG" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LASTLOG" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -51,63 +51,63 @@ If the module is called in the auth or account phase, the accounts that were not value\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt inform the user about any previous login, just update the /var/log/lastlog file\&. This option does not affect display of bad login attempts\&. .RE .PP -\fBnever\fR +never .RS 4 If the /var/log/lastlog file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\&. .RE .PP -\fBnodate\fR +nodate .RS 4 Don\*(Aqt display the date of the last login\&. .RE .PP -\fBnoterm\fR +noterm .RS 4 Don\*(Aqt display the terminal name on which the last login was attempted\&. .RE .PP -\fBnohost\fR +nohost .RS 4 Don\*(Aqt indicate from which host the last login was attempted\&. .RE .PP -\fBnowtmp\fR +nowtmp .RS 4 Don\*(Aqt update the wtmp entry\&. .RE .PP -\fBnoupdate\fR +noupdate .RS 4 Don\*(Aqt update any file\&. .RE .PP -\fBshowfailed\fR +showfailed .RS 4 Display number of failed login attempts and the date of the last failed attempt from btmp\&. The date is not displayed when \fBnodate\fR is specified\&. .RE .PP -\fBinactive=<days>\fR +inactive=<days> .RS 4 This option is specific for the auth or account phase\&. It specifies the number of days after the last login of the user when the user will be locked out by the module\&. The default value is 90\&. .RE .PP -\fBunlimited\fR +unlimited .RS 4 If the \fIfsize\fR @@ -189,7 +189,7 @@ Lastlog logging file \fBlimits.conf\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index bada2ea0..7c15b93c 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -1,60 +1,57 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_lastlog"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_lastlog"> <refmeta> <refentrytitle>pam_lastlog</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_lastlog-name"> + <refnamediv xml:id="pam_lastlog-name"> <refname>pam_lastlog</refname> <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_lastlog-cmdsynopsis"> + <cmdsynopsis xml:id="pam_lastlog-cmdsynopsis" sepchar=" "> <command>pam_lastlog.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> never </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nodate </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nohost </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noterm </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nowtmp </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noupdate </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> showfailed </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> inactive=<days> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unlimited </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_lastlog-description"> + <refsect1 xml:id="pam_lastlog-description"> <title>DESCRIPTION</title> @@ -83,13 +80,13 @@ </para> </refsect1> - <refsect1 id="pam_lastlog-options"> + <refsect1 xml:id="pam_lastlog-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -99,7 +96,7 @@ </varlistentry> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -111,7 +108,7 @@ </varlistentry> <varlistentry> <term> - <option>never</option> + never </term> <listitem> <para> @@ -124,7 +121,7 @@ </varlistentry> <varlistentry> <term> - <option>nodate</option> + nodate </term> <listitem> <para> @@ -134,7 +131,7 @@ </varlistentry> <varlistentry> <term> - <option>noterm</option> + noterm </term> <listitem> <para> @@ -145,7 +142,7 @@ </varlistentry> <varlistentry> <term> - <option>nohost</option> + nohost </term> <listitem> <para> @@ -156,7 +153,7 @@ </varlistentry> <varlistentry> <term> - <option>nowtmp</option> + nowtmp </term> <listitem> <para> @@ -166,7 +163,7 @@ </varlistentry> <varlistentry> <term> - <option>noupdate</option> + noupdate </term> <listitem> <para> @@ -176,7 +173,7 @@ </varlistentry> <varlistentry> <term> - <option>showfailed</option> + showfailed </term> <listitem> <para> @@ -188,7 +185,7 @@ </varlistentry> <varlistentry> <term> - <option>inactive=<days></option> + inactive=<days> </term> <listitem> <para> @@ -201,7 +198,7 @@ </varlistentry> <varlistentry> <term> - <option>unlimited</option> + unlimited </term> <listitem> <para> @@ -214,7 +211,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_lastlog-types"> + <refsect1 xml:id="pam_lastlog-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module type @@ -225,7 +222,7 @@ </para> </refsect1> - <refsect1 id='pam_lastlog-return_values'> + <refsect1 xml:id="pam_lastlog-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -282,7 +279,7 @@ </para> </refsect1> - <refsect1 id='pam_lastlog-examples'> + <refsect1 xml:id="pam_lastlog-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -300,11 +297,11 @@ </programlisting> </refsect1> - <refsect1 id="pam_lastlog-files"> + <refsect1 xml:id="pam_lastlog-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/log/lastlog</filename></term> + <term>/var/log/lastlog</term> <listitem> <para>Lastlog logging file</para> </listitem> @@ -312,7 +309,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_lastlog-see_also'> + <refsect1 xml:id="pam_lastlog-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -325,12 +322,12 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_lastlog-author'> + <refsect1 xml:id="pam_lastlog-author"> <title>AUTHOR</title> <para> pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. @@ -340,4 +337,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index abd048df..ec515f56 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -57,14 +57,13 @@ struct lastlog { # define PATH_LOGIN_DEFS "/etc/login.defs" #endif -/* XXX - time before ignoring lock. Is 1 sec enough? */ -#define LASTLOG_IGNORE_LOCK_TIME 1 - #define DEFAULT_HOST "" /* "[no.where]" */ #define DEFAULT_TERM "" /* "tt???" */ #define DEFAULT_INACTIVE_DAYS 90 #define MAX_INACTIVE_DAYS 100000 +#define LOCK_RETRIES 3 /* number of file lock retries */ +#define LOCK_RETRY_DELAY 1 /* seconds to wait between lock attempts */ #include <security/pam_modules.h> #include <security/_pam_macros.h> @@ -266,6 +265,7 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t { struct flock last_lock; struct lastlog last_login; + int lock_retries = LOCK_RETRIES; int retval = PAM_SUCCESS; char the_time[256]; char *date = NULL; @@ -278,11 +278,19 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t last_lock.l_start = sizeof(last_login) * (off_t) uid; last_lock.l_len = sizeof(last_login); - if (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + while (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + if (0 == --lock_retries) { + /* read lock failed, proceed anyway to avoid possible DoS */ + D(("locking %s failed", _PATH_LASTLOG)); + pam_syslog(pamh, LOG_INFO, + "file %s is locked/read, proceeding anyway", + _PATH_LASTLOG); + break; + } D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - pam_syslog(pamh, LOG_WARNING, - "file %s is locked/read", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); + pam_syslog(pamh, LOG_INFO, + "file %s is locked/read, retrying", _PATH_LASTLOG); + sleep(LOCK_RETRY_DELAY); } if (pam_modutil_read(last_fd, (char *) &last_login, @@ -358,11 +366,11 @@ last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t /* cleanup */ cleanup: - memset(&last_login, 0, sizeof(last_login)); - _pam_overwrite(date); - _pam_overwrite(host); + pam_overwrite_object(&last_login); + pam_overwrite_string(date); + pam_overwrite_string(host); _pam_drop(host); - _pam_overwrite(line); + pam_overwrite_string(line); _pam_drop(line); return retval; @@ -380,6 +388,7 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, int setrlimit_res; struct flock last_lock; struct lastlog last_login; + int lock_retries = LOCK_RETRIES; time_t ll_time; const void *void_remote_host = NULL; const char *remote_host; @@ -426,10 +435,17 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, last_lock.l_start = sizeof(last_login) * (off_t) uid; last_lock.l_len = sizeof(last_login); - if (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + while (fcntl(last_fd, F_SETLK, &last_lock) < 0) { + if (0 == --lock_retries) { + D(("locking %s failed", _PATH_LASTLOG)); + pam_syslog(pamh, LOG_ERR, + "file %s is locked/write", _PATH_LASTLOG); + return PAM_SERVICE_ERR; + } D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - pam_syslog(pamh, LOG_WARNING, "file %s is locked/write", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); + pam_syslog(pamh, LOG_INFO, + "file %s is locked/write, retrying", _PATH_LASTLOG); + sleep(LOCK_RETRY_DELAY); } /* @@ -486,7 +502,7 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, } /* cleanup */ - memset(&last_login, 0, sizeof(last_login)); + pam_overwrite_object(&last_login); return retval; } @@ -573,12 +589,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt time_t lf_time; lf_time = utuser.ut_tv.tv_sec; - tm = localtime_r (&lf_time, &tm_buf); - strftime (the_time, sizeof (the_time), - /* TRANSLATORS: "strftime options for date of last login" */ - _(" %a %b %e %H:%M:%S %Z %Y"), tm); - - date = the_time; + if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) { + strftime (the_time, sizeof (the_time), + /* TRANSLATORS: "strftime options for date of last login" */ + _(" %a %b %e %H:%M:%S %Z %Y"), tm); + date = the_time; + } } /* we want & have the host? */ diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am index 911b07b3..3a3b5e01 100644 --- a/modules/pam_limits/Makefile.am +++ b/modules/pam_limits/Makefile.am @@ -15,12 +15,16 @@ dist_check_SCRIPTS = tst-pam_limits TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif limits_conf_dir = $(SCONFIGDIR)/limits.d AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DLIMITS_FILE_DIR=\"$(limits_conf_dir)/*.conf\" \ - -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" $(WARN_CFLAGS) + -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_limits/Makefile.in b/modules/pam_limits/Makefile.in index ac265081..7b515b83 100644 --- a/modules/pam_limits/Makefile.in +++ b/modules/pam_limits/Makefile.in @@ -431,6 +431,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +444,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -479,12 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -517,12 +523,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -596,11 +606,12 @@ XMLS = README.xml limits.conf.5.xml pam_limits.8.xml dist_check_SCRIPTS = tst-pam_limits TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) limits_conf_dir = $(SCONFIGDIR)/limits.d AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DLIMITS_FILE_DIR=\"$(limits_conf_dir)/*.conf\" \ - -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" $(WARN_CFLAGS) + -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_limits.la diff --git a/modules/pam_limits/README b/modules/pam_limits/README index ed104d62..dc560eff 100644 --- a/modules/pam_limits/README +++ b/modules/pam_limits/README @@ -15,6 +15,18 @@ concatenated together in the order of parsing. If a config file is explicitly specified with a module option then the files in the above directory are not parsed. +By default limits are taken from the /etc/security/limits.conf config file or, +if that one is not present, the file %vendordir%/security/limits.conf. Then +individual *.conf files from the /etc/security/limits.d/ and %vendordir%/ +security/limits.d directories are read. If /etc/security/limits.d/ +@filename@.conf exists, then %vendordir%/security/limits.d/@filename@.conf will +not be used. All limits.d/*.conf files are sorted by their @filename@.conf in +lexicographic order regardless of which of the directories they reside in. The +effect of the individual files is the same as if all the files were +concatenated together in the order of parsing. If a config file is explicitly +specified with the config option the files in the above directories are not +parsed. + The module must not be called by a multithreaded application. If Linux PAM is compiled with audit support the module will report when it @@ -56,6 +68,7 @@ These are some example lines which might be specified in /etc/security/ limits.conf. * soft core 0 +root hard core 100000 * hard nofile 512 @student hard nproc 20 @faculty soft nproc 20 diff --git a/modules/pam_limits/README.xml b/modules/pam_limits/README.xml index 964a5a21..25a463cc 100644 --- a/modules/pam_limits/README.xml +++ b/modules/pam_limits/README.xml @@ -1,39 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamlimits SYSTEM "pam_limits.8.xml"> ---> -<!-- -<!ENTITY limitsconf SYSTEM "limits.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_limits-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_limits.8.xml" xpointer='xpointer(id("pam_limits-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_limits.8.xml" xpointer='xpointer(id("pam_limits-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_limits.8.xml" xpointer='xpointer(id("pam_limits-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="limits.conf.5.xml" xpointer='xpointer(id("limits.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf index e8a746cc..6b3865cb 100644 --- a/modules/pam_limits/limits.conf +++ b/modules/pam_limits/limits.conf @@ -22,6 +22,9 @@ # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, # for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, <domain> must be +# the literal username root. # #<type> can have the two values: # - "soft" for enforcing the soft limits @@ -46,16 +49,19 @@ # - msgqueue - max memory used by POSIX message queues (bytes) # - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) # #<domain> <type> <item> <value> # #* soft core 0 +#root hard core 100000 #* hard rss 10000 #@student hard nproc 20 #@faculty soft nproc 20 #@faculty hard nproc 50 #ftp hard nproc 0 +#ftp - chroot /ftp #@student - maxlogins 4 # End of file diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 index a4a0ed31..c9c41876 100644 --- a/modules/pam_limits/limits.conf.5 +++ b/modules/pam_limits/limits.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: limits.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "LIMITS\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "LIMITS\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -50,7 +50,7 @@ The syntax of the lines is as follows: .PP The fields listed above should be filled as follows: .PP -\fB<domain>\fR +<domain> .RS 4 .sp .RS 4 @@ -145,19 +145,23 @@ a gid specified as \fB%:\fR\fI<gid>\fR applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. .RE +.sp +\fBNOTE:\fR +group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username +\fBroot\fR\&. .RE .PP -\fB<type>\fR +<type> .RS 4 .PP -\fBhard\fR +hard .RS 4 for enforcing \fBhard\fR resource limits\&. These limits are set by the superuser and enforced by the Kernel\&. The user cannot raise his requirement of system resources above such values\&. .RE .PP -\fBsoft\fR +soft .RS 4 for enforcing \fBsoft\fR @@ -168,7 +172,7 @@ limits\&. The values specified with this token can be thought of as values, for normal system usage\&. .RE .PP -\fB\-\fR +\- .RS 4 for enforcing both \fBsoft\fR @@ -180,105 +184,110 @@ Note, if you specify a type of \*(Aq\-\*(Aq but neglect to supply the item and v .RE .RE .PP -\fB<item>\fR +<item> .RS 4 .PP -\fBcore\fR +core .RS 4 limits the core file size (KB) .RE .PP -\fBdata\fR +data .RS 4 maximum data size (KB) .RE .PP -\fBfsize\fR +fsize .RS 4 maximum filesize (KB) .RE .PP -\fBmemlock\fR +memlock .RS 4 maximum locked\-in\-memory address space (KB) .RE .PP -\fBnofile\fR +nofile .RS 4 maximum number of open file descriptors .RE .PP -\fBrss\fR +rss .RS 4 maximum resident set size (KB) (Ignored in Linux 2\&.4\&.30 and higher) .RE .PP -\fBstack\fR +stack .RS 4 maximum stack size (KB) .RE .PP -\fBcpu\fR +cpu .RS 4 maximum CPU time (minutes) .RE .PP -\fBnproc\fR +nproc .RS 4 maximum number of processes .RE .PP -\fBas\fR +as .RS 4 address space limit (KB) .RE .PP -\fBmaxlogins\fR +maxlogins .RS 4 maximum number of logins for this user (this limit does not apply to user with \fIuid=0\fR) .RE .PP -\fBmaxsyslogins\fR +maxsyslogins .RS 4 maximum number of all logins on system; user is not allowed to log\-in if total number of all user logins is greater than specified number (this limit does not apply to user with \fIuid=0\fR) .RE .PP -\fBnonewprivs\fR +nonewprivs .RS 4 value of 0 or 1; if set to 1 disables acquiring new privileges by invoking prctl(PR_SET_NO_NEW_PRIVS) .RE .PP -\fBpriority\fR +priority .RS 4 the priority to run user process with (negative values boost process priority) .RE .PP -\fBlocks\fR +locks .RS 4 maximum locked files (Linux 2\&.4 and higher) .RE .PP -\fBsigpending\fR +sigpending .RS 4 maximum number of pending signals (Linux 2\&.6 and higher) .RE .PP -\fBmsgqueue\fR +msgqueue .RS 4 maximum memory used by POSIX message queues (bytes) (Linux 2\&.6 and higher) .RE .PP -\fBnice\fR +nice .RS 4 maximum nice priority allowed to raise to (Linux 2\&.6\&.12 and higher) values: [\-20,19] .RE .PP -\fBrtprio\fR +rtprio .RS 4 maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) .RE +.PP +\fBchroot\fR +.RS 4 +the directory to chroot the user to +.RE .RE .PP All items support the values @@ -322,6 +331,7 @@ These are some example lines which might be specified in .\} .nf * soft core 0 +root hard core 100000 * hard nofile 512 @student hard nproc 20 @faculty soft nproc 20 @@ -341,7 +351,7 @@ ftp hard nproc 0 .PP \fBpam_limits\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBgetrlimit\fR(2), \fBgetrlimit\fR(3p) .SH "AUTHOR" diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index c5bd6768..d3893350 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="limits.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="limits.conf"> <refmeta> <refentrytitle>limits.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_limits module</refpurpose> </refnamediv> - <refsect1 id='limits.conf-description'> + <refsect1 xml:id="limits.conf-description"> <title>DESCRIPTION</title> <para> The <emphasis>pam_limits.so</emphasis> module applies ulimit limits, @@ -38,7 +35,7 @@ <variablelist> <varlistentry> <term> - <option><domain></option> + <domain> </term> <listitem> <itemizedlist> @@ -49,38 +46,35 @@ </listitem> <listitem> <para> - a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + a groupname, with <emphasis remap="B">@group</emphasis> syntax. This should not be confused with netgroups. </para> </listitem> <listitem> <para> - the wildcard <emphasis remap='B'>*</emphasis>, for default entry. + the wildcard <emphasis remap="B">*</emphasis>, for default entry. </para> </listitem> <listitem> <para> - the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, - can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the - <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical - to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With - a group specified after <emphasis remap='B'>%</emphasis> it limits the total + the wildcard <emphasis remap="B">%</emphasis>, for maxlogins limit only, + can also be used with <emphasis remap="B">%group</emphasis> syntax. If the + <emphasis remap="B">%</emphasis> wildcard is used alone it is identical + to using <emphasis remap="B">*</emphasis> with maxsyslogins limit. With + a group specified after <emphasis remap="B">%</emphasis> it limits the total number of logins of all users that are member of the group. </para> </listitem> <listitem> <para> - an uid range specified as <replaceable><min_uid></replaceable><emphasis - remap='B'>:</emphasis><replaceable><max_uid></replaceable>. If min_uid + an uid range specified as <replaceable><min_uid></replaceable><emphasis remap="B">:</emphasis><replaceable><max_uid></replaceable>. If min_uid is omitted, the match is exact for the max_uid. If max_uid is omitted, all uids greater than or equal min_uid match. </para> </listitem> <listitem> <para> - a gid range specified as <emphasis - remap='B'>@</emphasis><replaceable><min_gid></replaceable><emphasis - remap='B'>:</emphasis><replaceable><max_gid></replaceable>. If min_gid + a gid range specified as <emphasis remap="B">@</emphasis><replaceable><min_gid></replaceable><emphasis remap="B">:</emphasis><replaceable><max_gid></replaceable>. If min_gid is omitted, the match is exact for the max_gid. If max_gid is omitted, all gids greater than or equal min_gid match. For the exact match all groups including the user's supplementary groups are examined. For the range matches only @@ -89,50 +83,54 @@ </listitem> <listitem> <para> - a gid specified as <emphasis - remap='B'>%:</emphasis><replaceable><gid></replaceable> applicable + a gid specified as <emphasis remap="B">%:</emphasis><replaceable><gid></replaceable> applicable to maxlogins limit only. It limits the total number of logins of all users that are member of the group with the specified gid. </para> </listitem> </itemizedlist> + <para> + <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not + applied to the root user. To set a limit for the root user, this field + must contain the literal username <emphasis remap='B'>root</emphasis>. + </para> </listitem> </varlistentry> <varlistentry> <term> - <option><type></option> + <type> </term> <listitem> <variablelist> <varlistentry> - <term><option>hard</option></term> + <term>hard</term> <listitem> <para> - for enforcing <emphasis remap='B'>hard</emphasis> resource limits. + for enforcing <emphasis remap="B">hard</emphasis> resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values. </para> </listitem> </varlistentry> <varlistentry> - <term><option>soft</option></term> + <term>soft</term> <listitem> <para> - for enforcing <emphasis remap='B'>soft</emphasis> resource limits. + for enforcing <emphasis remap="B">soft</emphasis> resource limits. These limits are ones that the user can move up or down within the - permitted range by any pre-existing <emphasis remap='B'>hard</emphasis> + permitted range by any pre-existing <emphasis remap="B">hard</emphasis> limits. The values specified with this token can be thought of as <emphasis>default</emphasis> values, for normal system usage. </para> </listitem> </varlistentry> <varlistentry> - <term><option>-</option></term> + <term>-</term> <listitem> <para> - for enforcing both <emphasis remap='B'>soft</emphasis> and - <emphasis remap='B'>hard</emphasis> resource limits together. + for enforcing both <emphasis remap="B">soft</emphasis> and + <emphasis remap="B">hard</emphasis> resource limits together. </para> <para> Note, if you specify a type of '-' but neglect to supply the @@ -147,79 +145,79 @@ <varlistentry> <term> - <option><item></option> + <item> </term> <listitem> <variablelist> <varlistentry> - <term><option>core</option></term> + <term>core</term> <listitem> <para>limits the core file size (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>data</option></term> + <term>data</term> <listitem> <para>maximum data size (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>fsize</option></term> + <term>fsize</term> <listitem> <para>maximum filesize (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>memlock</option></term> + <term>memlock</term> <listitem> <para>maximum locked-in-memory address space (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>nofile</option></term> + <term>nofile</term> <listitem> <para>maximum number of open file descriptors</para> </listitem> </varlistentry> <varlistentry> - <term><option>rss</option></term> + <term>rss</term> <listitem> <para>maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>stack</option></term> + <term>stack</term> <listitem> <para>maximum stack size (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>cpu</option></term> + <term>cpu</term> <listitem> <para>maximum CPU time (minutes)</para> </listitem> </varlistentry> <varlistentry> - <term><option>nproc</option></term> + <term>nproc</term> <listitem> <para>maximum number of processes</para> </listitem> </varlistentry> <varlistentry> - <term><option>as</option></term> + <term>as</term> <listitem> <para>address space limit (KB)</para> </listitem> </varlistentry> <varlistentry> - <term><option>maxlogins</option></term> + <term>maxlogins</term> <listitem> <para>maximum number of logins for this user (this limit does not apply to user with <emphasis>uid=0</emphasis>)</para> </listitem> </varlistentry> <varlistentry> - <term><option>maxsyslogins</option></term> + <term>maxsyslogins</term> <listitem> <para>maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is @@ -228,51 +226,57 @@ </listitem> </varlistentry> <varlistentry> - <term><option>nonewprivs</option></term> + <term>nonewprivs</term> <listitem> <para>value of 0 or 1; if set to 1 disables acquiring new privileges by invoking prctl(PR_SET_NO_NEW_PRIVS)</para> </listitem> </varlistentry> <varlistentry> - <term><option>priority</option></term> + <term>priority</term> <listitem> <para>the priority to run user process with (negative values boost process priority)</para> </listitem> </varlistentry> <varlistentry> - <term><option>locks</option></term> + <term>locks</term> <listitem> <para>maximum locked files (Linux 2.4 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>sigpending</option></term> + <term>sigpending</term> <listitem> <para>maximum number of pending signals (Linux 2.6 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>msgqueue</option></term> + <term>msgqueue</term> <listitem> <para>maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)</para> </listitem> </varlistentry> <varlistentry> - <term><option>nice</option></term> + <term>nice</term> <listitem> <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]</para> </listitem> </varlistentry> <varlistentry> - <term><option>rtprio</option></term> + <term>rtprio</term> <listitem> <para>maximum realtime priority allowed for non-privileged processes (Linux 2.6.12 and higher)</para> </listitem> </varlistentry> + <varlistentry> + <term><option>chroot</option></term> + <listitem> + <para>the directory to chroot the user to</para> + </listitem> + </varlistentry> </variablelist> </listitem> </varlistentry> @@ -281,9 +285,9 @@ <para> All items support the values <emphasis>-1</emphasis>, <emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit, - except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>, - and <emphasis remap='B'>nonewprivs</emphasis>. - If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values, + except for <emphasis remap="B">priority</emphasis>, <emphasis remap="B">nice</emphasis>, + and <emphasis remap="B">nonewprivs</emphasis>. + If <emphasis remap="B">nofile</emphasis> is to be set to one of these values, it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)). </para> <para> @@ -309,7 +313,7 @@ </para> <para> In the <emphasis>limits</emphasis> configuration file, the - '<emphasis remap='B'>#</emphasis>' character introduces a comment + '<emphasis remap="B">#</emphasis>' character introduces a comment - after which the rest of the line is ignored. </para> <para> @@ -319,7 +323,7 @@ </para> </refsect1> - <refsect1 id="limits.conf-examples"> + <refsect1 xml:id="limits.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -327,6 +331,7 @@ </para> <programlisting> * soft core 0 +root hard core 100000 * hard nofile 512 @student hard nproc 20 @faculty soft nproc 20 @@ -340,21 +345,21 @@ ftp hard nproc 0 </programlisting> </refsect1> - <refsect1 id="limits.conf-see_also"> + <refsect1 xml:id="limits.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="limits.conf-author"> + <refsect1 xml:id="limits.conf-author"> <title>AUTHOR</title> <para> pam_limits was initially written by Cristian Gafton <gafton@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_limits/pam_limits.8 b/modules/pam_limits/pam_limits.8 index 50e9a100..f971b64c 100644 --- a/modules/pam_limits/pam_limits.8 +++ b/modules/pam_limits/pam_limits.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_limits .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LIMITS" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_LIMITS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -49,27 +49,27 @@ The module must not be called by a multithreaded application\&. If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\&. .SH "OPTIONS" .PP -\fBconf=\fR\fB\fI/path/to/limits\&.conf\fR\fR +conf=/path/to/limits\&.conf .RS 4 Indicate an alternative limits\&.conf style configuration file to override the default\&. .RE .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBset_all\fR +set_all .RS 4 Set the limits for which no value is specified in the configuration file to the one from the process with the PID 1\&. Please note that if the init process is systemd these limits will not be the kernel default limits and this option should not be used\&. .RE .PP -\fButmp_early\fR +utmp_early .RS 4 Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\&. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\&.conf file\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report exceeded maximum logins count to the audit subsystem\&. .RE @@ -146,7 +146,7 @@ Replace "login" for each service you are using this module\&. .PP \fBlimits.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com> diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml index bc46cbf4..8f026f0a 100644 --- a/modules/pam_limits/pam_limits.8.xml +++ b/modules/pam_limits/pam_limits.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_limits'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_limits"> <refmeta> <refentrytitle>pam_limits</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_limits-name'> + <refnamediv xml:id="pam_limits-name"> <refname>pam_limits</refname> <refpurpose> PAM module to limit resources @@ -20,35 +17,35 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_limits-cmdsynopsis"> + <cmdsynopsis xml:id="pam_limits-cmdsynopsis" sepchar=" "> <command>pam_limits.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conf=<replaceable>/path/to/limits.conf</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> set_all </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> utmp_early </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_limits-description"> + <refsect1 xml:id="pam_limits-description"> <title>DESCRIPTION</title> <para> The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of <emphasis>uid=0</emphasis> are affected by this limits, too. </para> - <para> + <para condition="without_vendordir"> By default limits are taken from the <filename>/etc/security/limits.conf</filename> config file. Then individual *.conf files from the <filename>/etc/security/limits.d/</filename> directory are read. The files are parsed one after another in the order of "C" locale. @@ -57,6 +54,23 @@ If a config file is explicitly specified with a module option then the files in the above directory are not parsed. </para> + <para condition="with_vendordir"> + By default limits are taken from the <filename>/etc/security/limits.conf</filename> + config file or, if that one is not present, the file + <filename>%vendordir%/security/limits.conf</filename>. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/limits.d/</filename> and + <filename>%vendordir%/security/limits.d</filename> directories are read. + If <filename>/etc/security/limits.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/limits.d/@filename@.conf</filename> will not be used. + All <filename>limits.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + The effect of the individual files is the same as if all the files were + concatenated together in the order of parsing. + If a config file is explicitly specified with the <option>config</option> + option the files in the above directories are not parsed. + </para> <para> The module must not be called by a multithreaded application. </para> @@ -67,12 +81,12 @@ </para> </refsect1> - <refsect1 id="pam_limits-options"> + <refsect1 xml:id="pam_limits-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>conf=<replaceable>/path/to/limits.conf</replaceable></option> + conf=/path/to/limits.conf </term> <listitem> <para> @@ -83,7 +97,7 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -93,7 +107,7 @@ </varlistentry> <varlistentry> <term> - <option>set_all</option> + set_all </term> <listitem> <para> @@ -107,7 +121,7 @@ </varlistentry> <varlistentry> <term> - <option>utmp_early</option> + utmp_early </term> <listitem> <para> @@ -122,7 +136,7 @@ </varlistentry> <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -133,14 +147,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_limits-types"> + <refsect1 xml:id="pam_limits-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id="pam_limits-return_values"> + <refsect1 xml:id="pam_limits-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -202,19 +216,26 @@ </variablelist> </refsect1> - <refsect1 id="pam_limits-files"> + <refsect1 xml:id="pam_limits-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/limits.conf</filename></term> + <term>/etc/security/limits.conf</term> <listitem> <para>Default configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/limits.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/limits.conf</filename> does not exist.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_limits-examples'> + <refsect1 xml:id="pam_limits-examples"> <title>EXAMPLES</title> <para> For the services you need resources limits (login for example) put a @@ -233,7 +254,7 @@ session required pam_limits.so </para> </refsect1> - <refsect1 id="pam_limits-see_also"> + <refsect1 xml:id="pam_limits-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -243,15 +264,15 @@ session required pam_limits.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_limits-authors"> + <refsect1 xml:id="pam_limits-authors"> <title>AUTHORS</title> <para> pam_limits was initially written by Cristian Gafton <gafton@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index 7cc45d77..da83b705 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -13,7 +13,7 @@ * See end for Copyright information */ -#if !defined(linux) && !defined(__linux) +#ifndef __linux__ #warning THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! #endif @@ -47,6 +47,19 @@ #include <libaudit.h> #endif + +#ifndef PR_SET_NO_NEW_PRIVS +# define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */ +#endif + +#ifndef MLOCK_LIMIT +#ifdef __FreeBSD_kernel__ +#define MLOCK_LIMIT RLIM_INFINITY +#else +#define MLOCK_LIMIT (64*1024) +#endif +#endif + /* Module defines */ #define LINE_LENGTH 1024 @@ -84,12 +97,14 @@ struct user_limits_struct { /* internal data */ struct pam_limit_s { + int root; /* running as root? */ int login_limit; /* the max logins limit */ int login_limit_def; /* which entry set the login limit */ int flag_numsyslogins; /* whether to limit logins only for a specific user or to count all logins */ int priority; /* the priority to run user process with */ int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ + char chroot_dir[8092]; /* directory to chroot into */ struct user_limits_struct limits[RLIM_NLIMITS]; const char *conf_file; int utmp_after_pam_call; @@ -101,6 +116,7 @@ struct pam_limit_s { #define LIMIT_PRI RLIM_NLIMITS+3 #define LIMIT_NONEWPRIVS RLIM_NLIMITS+4 +#define LIMIT_CHROOT RLIM_NLIMITS+5 #define LIMIT_SOFT 1 #define LIMIT_HARD 2 @@ -119,9 +135,14 @@ struct pam_limit_s { #define PAM_SET_ALL 0x0010 /* Limits from globbed files. */ -#define LIMITS_CONF_GLOB LIMITS_FILE_DIR +#define LIMITS_CONF_GLOB (LIMITS_FILE_DIR "/*.conf") -#define CONF_FILE (pl->conf_file != NULL)?pl->conf_file:LIMITS_FILE +#define LIMITS_FILE (SCONFIGDIR "/limits.conf") + +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_LIMITS_FILE (VENDOR_SCONFIGDIR "/limits.conf") +#define VENDOR_LIMITS_CONF_GLOB (VENDOR_SCONFIGDIR "/limits.d/*.conf") +#endif static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, @@ -274,8 +295,8 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl, } if (!pl->flag_numsyslogins) { char user[sizeof(ut->UT_USER) + 1]; - user[0] = '\0'; - strncat(user, ut->UT_USER, sizeof(ut->UT_USER)); + memcpy(user, ut->UT_USER, sizeof(ut->UT_USER)); + user[sizeof(ut->UT_USER)] = '\0'; if (((pl->login_limit_def == LIMITS_DEF_USER) || (pl->login_limit_def == LIMITS_DEF_GROUP) @@ -440,15 +461,32 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int pl->limits[i].src_hard = LIMITS_DEF_KERNEL; } fclose(limitsfile); + + /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE + * since larger values can cause problems with fd_set overflow and + * systemd sets itself higher. */ + if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL && + pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) { + pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE; + } } static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) { int i; int retval = PAM_SUCCESS; + static int mlock_limit = 0; D(("called.")); + pl->root = 0; + + if (mlock_limit == 0) { + mlock_limit = sysconf(_SC_PAGESIZE); + if (mlock_limit < MLOCK_LIMIT) + mlock_limit = MLOCK_LIMIT; + } + for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { @@ -464,18 +502,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) } #ifdef __linux__ - if (ctrl & PAM_SET_ALL) { - parse_kernel_limits(pamh, pl, ctrl); + parse_kernel_limits(pamh, pl, ctrl); +#endif - for(i = 0; i < RLIM_NLIMITS; i++) { + for(i = 0; i < RLIM_NLIMITS; i++) { if (pl->limits[i].supported && (pl->limits[i].src_soft == LIMITS_DEF_NONE || pl->limits[i].src_hard == LIMITS_DEF_NONE)) { - pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); +#ifdef __linux__ + pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); +#endif + pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; + pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; + switch(i) { + case RLIMIT_CPU: + case RLIMIT_FSIZE: + case RLIMIT_DATA: + case RLIMIT_RSS: + case RLIMIT_NPROC: +#ifdef RLIMIT_AS + case RLIMIT_AS: +#endif +#ifdef RLIMIT_LOCKS + case RLIMIT_LOCKS: +#endif + pl->limits[i].limit.rlim_cur = RLIM_INFINITY; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + case RLIMIT_MEMLOCK: + pl->limits[i].limit.rlim_cur = mlock_limit; + pl->limits[i].limit.rlim_max = mlock_limit; + break; +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: + pl->limits[i].limit.rlim_cur = 16382; + pl->limits[i].limit.rlim_max = 16382; + break; +#endif +#ifdef RLIMIT_MSGQUEUE + case RLIMIT_MSGQUEUE: + pl->limits[i].limit.rlim_cur = 819200; + pl->limits[i].limit.rlim_max = 819200; + break; +#endif + case RLIMIT_CORE: + pl->limits[i].limit.rlim_cur = 0; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + case RLIMIT_STACK: + pl->limits[i].limit.rlim_cur = 8192*1024; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + case RLIMIT_NOFILE: + pl->limits[i].limit.rlim_cur = 1024; + pl->limits[i].limit.rlim_max = 1024; + break; + default: + pl->limits[i].src_soft = LIMITS_DEF_NONE; + pl->limits[i].src_hard = LIMITS_DEF_NONE; + break; + } } - } } -#endif errno = 0; pl->priority = getpriority (PRIO_PROCESS, 0); @@ -484,6 +572,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) pl->login_limit = -2; pl->login_limit_def = LIMITS_DEF_NONE; + pl->chroot_dir[0] = '\0'; + return retval; } @@ -591,6 +681,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, limit_item = LIMIT_PRI; } else if (strcmp(lim_item, "nonewprivs") == 0) { limit_item = LIMIT_NONEWPRIVS; + } else if (strcmp(lim_item, "chroot") == 0) { + limit_item = LIMIT_CHROOT; } else { pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); return; @@ -640,9 +732,9 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, pam_syslog(pamh, LOG_DEBUG, "wrong limit value '%s' for limit type '%s'", lim_value, lim_type); - return; + return; } - } else { + } else if (limit_item != LIMIT_CHROOT) { #ifdef __USE_FILE_OFFSET64 rlimit_value = strtoull (lim_value, &endptr, 10); #else @@ -717,7 +809,11 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, break; } - if ( (limit_item != LIMIT_LOGIN) + if (limit_item == LIMIT_CHROOT) { + strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1); + pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; + } + else if ( (limit_item != LIMIT_LOGIN) && (limit_item != LIMIT_NUMSYSLOGINS) && (limit_item != LIMIT_PRI) && (limit_item != LIMIT_NONEWPRIVS) ) { @@ -806,18 +902,22 @@ parse_uid_range(pam_handle_t *pamh, const char *domain, static int parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, - int ctrl, struct pam_limit_s *pl) + int ctrl, struct pam_limit_s *pl, const int conf_file_set_by_user) { FILE *fil; char buf[LINE_LENGTH]; - /* check for the LIMITS_FILE */ + /* check for the conf_file */ if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE); - fil = fopen(CONF_FILE, "r"); + pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", pl->conf_file); + fil = fopen(pl->conf_file, "r"); if (fil == NULL) { - pam_syslog (pamh, LOG_WARNING, - "cannot read settings from %s: %m", CONF_FILE); + if (errno == ENOENT && !conf_file_set_by_user) + return PAM_SUCCESS; /* file is not there and it has not been set by the conf= argument */ + + pam_syslog(pamh, LOG_WARNING, + "cannot read settings from %s: %s", pl->conf_file, + strerror(errno)); return PAM_SERVICE_ERR; } @@ -872,7 +972,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, if (strcmp(uname, domain) == 0) /* this user have a limit */ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); - else if (domain[0]=='@') { + else if (domain[0]=='@' && !pl->root) { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", @@ -898,7 +998,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); } - } else if (domain[0]=='%') { + } else if (domain[0]=='%' && !pl->root) { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", @@ -932,7 +1032,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, } else { switch(rngtype) { case LIMIT_RANGE_NONE: - if (strcmp(domain, "*") == 0) + if (strcmp(domain, "*") == 0 && !pl->root) process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); break; @@ -1031,9 +1131,21 @@ static int setup_limits(pam_handle_t *pamh, if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; res = setrlimit(i, &pl->limits[i].limit); - if (res != 0) - pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", - rlimit2str(i)); + if (res != 0 && (i != RLIMIT_NOFILE + || pl->limits[i].limit.rlim_cur != RLIM_INFINITY)) + { + int save_errno = errno; + pam_syslog(pamh, LOG_DEBUG, + "Could not set limit for '%s' to soft=%d, hard=%d:" + " %m; uid=%lu,euid=%lu", rlimit2str(i), + pl->limits[i].limit.rlim_cur, + pl->limits[i].limit.rlim_max, + (unsigned long) getuid(), + (unsigned long) geteuid()); + errno = save_errno; + } + if (res == -1 && errno == EPERM) + continue; status |= res; } @@ -1071,36 +1183,144 @@ static int setup_limits(pam_handle_t *pamh, } } + if (!retval && pl->chroot_dir[0]) { + i = chdir(pl->chroot_dir); + if (i == 0) + i = chroot(pl->chroot_dir); + if (i == 0) + i = chdir("/"); + if (i != 0) + retval = LIMIT_ERR; + } return retval; } +/* --- evaluting all files in VENDORDIR/security/limits.d and /etc/security/limits.d --- */ +static const char * +base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (const char * const *) a), + base_name(* (const char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/limits.d/@filename@.conf exists, then + * %vendordir%/security/limits.d/@filename@.conf should not be used. + * - All files in both limits.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char ** +read_limits_dir(pam_handle_t *pamh) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(LIMITS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0; + +#ifdef VENDOR_LIMITS_CONF_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_LIMITS_CONF_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_ACCESS_CONF_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_LIMITS_CONF_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* now the session stuff */ int pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int retval; - int i; - int glob_rc; + int retval, i; char *user_name; struct passwd *pwd; int ctrl; struct pam_limit_s plstruct; struct pam_limit_s *pl = &plstruct; - glob_t globbuf; - const char *oldlocale; D(("called.")); memset(pl, 0, sizeof(*pl)); - memset(&globbuf, 0, sizeof(globbuf)); ctrl = _pam_parse(pamh, argc, argv, pl); retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); if ( user_name == NULL || retval != PAM_SUCCESS ) { pam_syslog(pamh, LOG_ERR, "open_session - error recovering username"); return PAM_SESSION_ERR; - } + } + + int conf_file_set_by_user = (pl->conf_file != NULL); + if (pl->conf_file == NULL) { + pl->conf_file = LIMITS_FILE; +#ifdef VENDOR_LIMITS_FILE + /* + * Check whether LIMITS_FILE file is available. + * If it does not exist, fall back to VENDOR_LIMITS_FILE file. + */ + struct stat buffer; + if (stat(pl->conf_file, &buffer) != 0 && errno == ENOENT) + pl->conf_file = VENDOR_LIMITS_FILE; +#endif + } pwd = pam_modutil_getpwnam(pamh, user_name); if (!pwd) { @@ -1116,46 +1336,41 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, return PAM_ABORT; } - retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (pwd->pw_uid == 0) + pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, + ctrl, pl, conf_file_set_by_user); if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE)); + D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); return PAM_SUCCESS; } - if (retval != PAM_SUCCESS || pl->conf_file != NULL) + if (retval != PAM_SUCCESS || conf_file_set_by_user) /* skip reading limits.d if config file explicitly specified */ goto out; /* Read subsequent *.conf files, if they exist. */ - - /* set the LC_COLLATE so the sorting order doesn't depend - on system locale */ - - oldlocale = setlocale(LC_COLLATE, "C"); - glob_rc = glob(LIMITS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); - - if (oldlocale != NULL) - setlocale (LC_COLLATE, oldlocale); - - if (!glob_rc) { - /* Parse the *.conf files. */ - for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { - pl->conf_file = globbuf.gl_pathv[i]; - retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); - globfree(&globbuf); - return PAM_SUCCESS; - } - if (retval != PAM_SUCCESS) - goto out; + char **filename_list = read_limits_dir(pamh); + if (filename_list != NULL) { + for (i = 0; filename_list[i] != NULL; i++) { + pl->conf_file = filename_list[i]; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl, 0); + if (retval != PAM_SUCCESS) + break; } + for (i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); + } + + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); + return PAM_SUCCESS; } out: - globfree(&globbuf); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ",CONF_FILE); + pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ", pl->conf_file); return retval; } diff --git a/modules/pam_listfile/Makefile.am b/modules/pam_listfile/Makefile.am index 8b0fc281..c9ba85f6 100644 --- a/modules/pam_listfile/Makefile.am +++ b/modules/pam_listfile/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_listfile TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_listfile/Makefile.in b/modules/pam_listfile/Makefile.in index 86a9e918..ffe0df6a 100644 --- a/modules/pam_listfile/Makefile.in +++ b/modules/pam_listfile/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_listfile.8.xml dist_check_SCRIPTS = tst-pam_listfile TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_listfile/README.xml b/modules/pam_listfile/README.xml index d851aef3..d0b60107 100644 --- a/modules/pam_listfile/README.xml +++ b/modules/pam_listfile/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_listfile.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_listfile-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_listfile.8.xml" xpointer='xpointer(id("pam_listfile-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8 index 35cc2e74..a23e6e5a 100644 --- a/modules/pam_listfile/pam_listfile.8 +++ b/modules/pam_listfile/pam_listfile.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_listfile .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LISTFILE" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LISTFILE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -82,27 +82,27 @@ No credentials are awarded by this module\&. .SH "OPTIONS" .PP .PP -\fBitem=[tty|user|rhost|ruser|group|shell]\fR +item=[tty|user|rhost|ruser|group|shell] .RS 4 What is listed in the file and should be checked for\&. .RE .PP -\fBsense=[allow|deny]\fR +sense=[allow|deny] .RS 4 Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\&. .RE .PP -\fBfile=\fR\fB\fI/path/filename\fR\fR +file=/path/filename .RS 4 File containing one item per line\&. The file needs to be a plain file and not world writable\&. .RE .PP -\fBonerr=[succeed|fail]\fR +onerr=[succeed|fail] .RS 4 What to do if something weird happens like being unable to open the file\&. .RE .PP -\fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR +apply=[user|@group] .RS 4 Restrict the user class for which the restriction apply\&. Note that with \fBitem=[user|ruser|group]\fR @@ -111,7 +111,7 @@ this does not make sense, but for it have a meaning\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Do not treat service refusals or missing list files as errors that need to be logged\&. .RE @@ -205,7 +205,7 @@ to the root account\&. .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_listfile was written by Michael K\&. Johnson <johnsonm@redhat\&.com> and Elliot Lee <sopwith@cuc\&.edu>\&. diff --git a/modules/pam_listfile/pam_listfile.8.xml b/modules/pam_listfile/pam_listfile.8.xml index 15f047c2..af747c1b 100644 --- a/modules/pam_listfile/pam_listfile.8.xml +++ b/modules/pam_listfile/pam_listfile.8.xml @@ -1,45 +1,42 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_listfile"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_listfile"> <refmeta> <refentrytitle>pam_listfile</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_listfile-name"> + <refnamediv xml:id="pam_listfile-name"> <refname>pam_listfile</refname> <refpurpose>deny or allow services based on an arbitrary file</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_listfile-cmdsynopsis"> + <cmdsynopsis xml:id="pam_listfile-cmdsynopsis" sepchar=" "> <command>pam_listfile.so</command> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> item=[tty|user|rhost|ruser|group|shell] </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> sense=[allow|deny] </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> file=<replaceable>/path/filename</replaceable> </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> onerr=[succeed|fail] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_listfile-description"> + <refsect1 xml:id="pam_listfile-description"> <title>DESCRIPTION</title> @@ -93,7 +90,7 @@ </para> </refsect1> - <refsect1 id="pam_listfile-options"> + <refsect1 xml:id="pam_listfile-options"> <title>OPTIONS</title> <para> @@ -101,7 +98,7 @@ <varlistentry> <term> - <option>item=[tty|user|rhost|ruser|group|shell]</option> + item=[tty|user|rhost|ruser|group|shell] </term> <listitem> <para> @@ -112,7 +109,7 @@ <varlistentry> <term> - <option>sense=[allow|deny]</option> + sense=[allow|deny] </term> <listitem> <para> @@ -124,7 +121,7 @@ <varlistentry> <term> - <option>file=<replaceable>/path/filename</replaceable></option> + file=/path/filename </term> <listitem> <para> @@ -136,7 +133,7 @@ <varlistentry> <term> - <option>onerr=[succeed|fail]</option> + onerr=[succeed|fail] </term> <listitem> <para> @@ -148,7 +145,7 @@ <varlistentry> <term> - <option>apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]</option> + apply=[user|@group] </term> <listitem> <para> @@ -161,7 +158,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -175,7 +172,7 @@ </para> </refsect1> - <refsect1 id="pam_listfile-types"> + <refsect1 xml:id="pam_listfile-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -183,7 +180,7 @@ </para> </refsect1> - <refsect1 id='pam_listfile-return_values'> + <refsect1 xml:id="pam_listfile-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -235,7 +232,7 @@ </para> </refsect1> - <refsect1 id='pam_listfile-examples'> + <refsect1 xml:id="pam_listfile-examples"> <title>EXAMPLES</title> <para> Classic 'ftpusers' authentication can be implemented with this entry @@ -271,7 +268,7 @@ auth required pam_listfile.so \ </para> </refsect1> - <refsect1 id='pam_listfile-see_also'> + <refsect1 xml:id="pam_listfile-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -281,12 +278,12 @@ auth required pam_listfile.so \ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_listfile-author'> + <refsect1 xml:id="pam_listfile-author"> <title>AUTHOR</title> <para> pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> @@ -294,4 +291,4 @@ auth required pam_listfile.so \ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index 28fd58fc..937576fd 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -53,17 +53,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *citemp; char *ifname=NULL; char aline[256]; - char mybuf[256],myval[256]; + char mybuf[256],myval[256],apply_val[256]; struct stat fileinfo; FILE *inf; - const char *apply_val; int apply_type; /* Stuff for "extended" items */ struct passwd *userinfo; apply_type=APPLY_TYPE_NULL; - apply_val=""; + apply_val[0] = '\0'; for(i=0; i < argc; i++) { { @@ -133,10 +132,10 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, apply_type=APPLY_TYPE_NONE; if (myval[0]=='@') { apply_type=APPLY_TYPE_GROUP; - apply_val=myval+1; + memcpy(apply_val,myval+1,sizeof(myval)-1); } else { apply_type=APPLY_TYPE_USER; - apply_val=myval; + memcpy(apply_val,myval,sizeof(myval)); } } else { free(ifname); diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 46f87a89..f5d49dac 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_localuser TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_localuser/Makefile.in b/modules/pam_localuser/Makefile.in index 9f1526f2..57ea3071 100644 --- a/modules/pam_localuser/Makefile.in +++ b/modules/pam_localuser/Makefile.in @@ -434,6 +434,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -446,11 +447,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -482,12 +485,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -510,6 +515,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -520,12 +526,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -599,7 +609,8 @@ XMLS = README.xml pam_localuser.8.xml dist_check_SCRIPTS = tst-pam_localuser TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_localuser/README.xml b/modules/pam_localuser/README.xml index 4ab56d9d..f1b05d1a 100644 --- a/modules/pam_localuser/README.xml +++ b/modules/pam_localuser/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_localuser.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_localuser-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_localuser.8.xml" xpointer='xpointer(id("pam_localuser-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8 index 724ab543..f4f2b29e 100644 --- a/modules/pam_localuser/pam_localuser.8 +++ b/modules/pam_localuser/pam_localuser.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_localuser .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LOCALUSER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LOCALUSER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -40,12 +40,12 @@ This could also be implemented using pam_listfile\&.so and a very short awk scri .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBfile=\fR\fB\fI/path/passwd\fR\fR +file=/path/passwd .RS 4 Use a file other than /etc/passwd\&. @@ -117,7 +117,7 @@ Local user account information\&. .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_localuser was written by Nalin Dahyabhai <nalin@redhat\&.com>\&. diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml index b3c1886b..e4b9e075 100644 --- a/modules/pam_localuser/pam_localuser.8.xml +++ b/modules/pam_localuser/pam_localuser.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_localuser"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_localuser"> <refmeta> <refentrytitle>pam_localuser</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_localuser-name"> + <refnamediv xml:id="pam_localuser-name"> <refname>pam_localuser</refname> <refpurpose>require users to be listed in /etc/passwd</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_localuser-cmdsynopsis"> + <cmdsynopsis xml:id="pam_localuser-cmdsynopsis" sepchar=" "> <command>pam_localuser.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> file=<replaceable>/path/passwd</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_localuser-description"> + <refsect1 xml:id="pam_localuser-description"> <title>DESCRIPTION</title> @@ -47,7 +44,7 @@ </refsect1> - <refsect1 id="pam_localuser-options"> + <refsect1 xml:id="pam_localuser-options"> <title>OPTIONS</title> <para> @@ -55,7 +52,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -66,7 +63,7 @@ <varlistentry> <term> - <option>file=<replaceable>/path/passwd</replaceable></option> + file=/path/passwd </term> <listitem> <para> @@ -80,7 +77,7 @@ </para> </refsect1> - <refsect1 id="pam_localuser-types"> + <refsect1 xml:id="pam_localuser-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -88,7 +85,7 @@ </para> </refsect1> - <refsect1 id='pam_localuser-return_values'> + <refsect1 xml:id="pam_localuser-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -153,7 +150,7 @@ </para> </refsect1> - <refsect1 id='pam_localuser-examples'> + <refsect1 xml:id="pam_localuser-examples"> <title>EXAMPLES</title> <para> Add the following lines to <filename>/etc/pam.d/su</filename> to @@ -165,11 +162,11 @@ account required pam_wheel.so </para> </refsect1> - <refsect1 id="pam_localuser-files"> + <refsect1 xml:id="pam_localuser-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/passwd</filename></term> + <term>/etc/passwd</term> <listitem> <para>Local user account information.</para> </listitem> @@ -177,7 +174,7 @@ account required pam_wheel.so </variablelist> </refsect1> - <refsect1 id='pam_localuser-see_also'> + <refsect1 xml:id="pam_localuser-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -187,16 +184,16 @@ account required pam_wheel.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_localuser-author'> + <refsect1 xml:id="pam_localuser-author"> <title>AUTHOR</title> <para> pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_loginuid/Makefile.am b/modules/pam_loginuid/Makefile.am index 071b2ae5..f7f5fd85 100644 --- a/modules/pam_loginuid/Makefile.am +++ b/modules/pam_loginuid/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_loginuid TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_loginuid/Makefile.in b/modules/pam_loginuid/Makefile.in index bcfe714b..fbb16ac9 100644 --- a/modules/pam_loginuid/Makefile.in +++ b/modules/pam_loginuid/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_loginuid.8.xml dist_check_SCRIPTS = tst-pam_loginuid TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_loginuid/README.xml b/modules/pam_loginuid/README.xml index 3bcd38ab..f972105f 100644 --- a/modules/pam_loginuid/README.xml +++ b/modules/pam_loginuid/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_loginuid.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_loginuid-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_loginuid.8.xml" xpointer='xpointer(id("pam_loginuid-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_loginuid/pam_loginuid.8 b/modules/pam_loginuid/pam_loginuid.8 index 3bb3fda2..70669a23 100644 --- a/modules/pam_loginuid/pam_loginuid.8 +++ b/modules/pam_loginuid/pam_loginuid.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_loginuid .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_LOGINUID" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LOGINUID" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_loginuid \- Record user\*(Aqs login uid to the process attribute The pam_loginuid module sets the loginuid process attribute for the process that was authenticated\&. This is necessary for applications to be correctly audited\&. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd\&. There are probably other entry point applications besides these\&. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to\&. .SH "OPTIONS" .PP -\fBrequire_auditd\fR +require_auditd .RS 4 This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running\&. .RE @@ -85,7 +85,7 @@ session required pam_loginuid\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBauditctl\fR(8), \fBauditd\fR(8) .SH "AUTHOR" diff --git a/modules/pam_loginuid/pam_loginuid.8.xml b/modules/pam_loginuid/pam_loginuid.8.xml index 9513b0e4..1beba983 100644 --- a/modules/pam_loginuid/pam_loginuid.8.xml +++ b/modules/pam_loginuid/pam_loginuid.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_loginuid"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_loginuid"> <refmeta> <refentrytitle>pam_loginuid</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_loginuid-name"> + <refnamediv xml:id="pam_loginuid-name"> <refname>pam_loginuid</refname> <refpurpose>Record user's login uid to the process attribute</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_loginuid-cmdsynopsis"> + <cmdsynopsis xml:id="pam_loginuid-cmdsynopsis" sepchar=" "> <command>pam_loginuid.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> require_auditd </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_loginuid-description"> + <refsect1 xml:id="pam_loginuid-description"> <title>DESCRIPTION</title> @@ -40,12 +37,12 @@ </para> </refsect1> - <refsect1 id="pam_loginuid-options"> + <refsect1 xml:id="pam_loginuid-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>require_auditd</option> + require_auditd </term> <listitem> <para> @@ -57,14 +54,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_loginuid-types"> + <refsect1 xml:id="pam_loginuid-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_loginuid-return_values'> + <refsect1 xml:id="pam_loginuid-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -98,7 +95,7 @@ </para> </refsect1> - <refsect1 id='pam_loginuid-examples'> + <refsect1 xml:id="pam_loginuid-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -111,7 +108,7 @@ session required pam_loginuid.so </programlisting> </refsect1> - <refsect1 id='pam_loginuid-see_also'> + <refsect1 xml:id="pam_loginuid-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -121,7 +118,7 @@ session required pam_loginuid.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>auditctl</refentrytitle><manvolnum>8</manvolnum> @@ -132,11 +129,11 @@ session required pam_loginuid.so </para> </refsect1> - <refsect1 id='pam_loginuid-author'> + <refsect1 xml:id="pam_loginuid-author"> <title>AUTHOR</title> <para> pam_loginuid was written by Steve Grubb <sgrubb@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mail/Makefile.am b/modules/pam_mail/Makefile.am index 6756f409..1f52bcd1 100644 --- a/modules/pam_mail/Makefile.am +++ b/modules/pam_mail/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_mail TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_mail/Makefile.in b/modules/pam_mail/Makefile.in index fbbffa78..36df81cd 100644 --- a/modules/pam_mail/Makefile.in +++ b/modules/pam_mail/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_mail.8.xml dist_check_SCRIPTS = tst-pam_mail TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_mail/README.xml b/modules/pam_mail/README.xml index 4165d857..5dc89a85 100644 --- a/modules/pam_mail/README.xml +++ b/modules/pam_mail/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_mail.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mail-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mail.8.xml" xpointer='xpointer(id("pam_mail-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_mail/pam_mail.8 b/modules/pam_mail/pam_mail.8 index a6f77667..ae4b890d 100644 --- a/modules/pam_mail/pam_mail.8 +++ b/modules/pam_mail/pam_mail.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_mail .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_MAIL" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_MAIL" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -49,17 +49,17 @@ format\&. .SH "OPTIONS" .PP .PP -\fBclose\fR +close .RS 4 Indicate if the user has any mail also on logout\&. .RE .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBdir=\fR\fB\fImaildir\fR\fR +dir=maildir .RS 4 Look for the user\*(Aqs mail in an alternative location defined by maildir/<login>\&. The default location for mail is @@ -68,12 +68,12 @@ maildir is prefixed by a \*(Aq~\*(Aq, the directory is interpreted as indicating a file in the user\*(Aqs home directory\&. .RE .PP -\fBempty\fR +empty .RS 4 Also print message if user has no mail\&. .RE .PP -\fBhash=\fR\fB\fIcount\fR\fR +hash=count .RS 4 Mail directory hash depth\&. For example, a \fIhashcount\fR @@ -81,26 +81,26 @@ of 2 would make the mail file be /var/spool/mail/u/s/user\&. .RE .PP -\fBnoenv\fR +noenv .RS 4 Do not set the \fBMAIL\fR environment variable\&. .RE .PP -\fBnopen\fR +nopen .RS 4 Don\*(Aqt print any mail information on login\&. This flag is useful to get the \fBMAIL\fR environment variable set, but to not display any information about it\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Only report when there is new mail\&. .RE .PP -\fBstandard\fR +standard .RS 4 Old style "You have\&.\&.\&." format which doesn\*(Aqt show the mail spool being used\&. This also implies "empty"\&. .RE @@ -153,7 +153,7 @@ session optional pam_mail\&.so standard .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_mail was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_mail/pam_mail.8.xml b/modules/pam_mail/pam_mail.8.xml index 95216b6c..9b4ce36a 100644 --- a/modules/pam_mail/pam_mail.8.xml +++ b/modules/pam_mail/pam_mail.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_mail"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_mail"> <refmeta> <refentrytitle>pam_mail</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_mail-name"> + <refnamediv xml:id="pam_mail-name"> <refname>pam_mail</refname> <refpurpose>Inform about available mail</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_mail-cmdsynopsis"> + <cmdsynopsis xml:id="pam_mail-cmdsynopsis" sepchar=" "> <command>pam_mail.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dir=<replaceable>maildir</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> empty </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> hash=<replaceable>count</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noenv </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nopen </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> standard </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_mail-description"> + <refsect1 xml:id="pam_mail-description"> <title>DESCRIPTION</title> @@ -58,18 +55,18 @@ that has credential or session hooks. It gives a single message indicating the <emphasis>newness</emphasis> of any mail it finds in the user's mail folder. This module also sets the PAM - environment variable, <emphasis remap='B'>MAIL</emphasis>, to the + environment variable, <emphasis remap="B">MAIL</emphasis>, to the user's mail directory. </para> <para> If the mail spool file (be it <filename>/var/mail/$USER</filename> or a pathname given with the <option>dir=</option> parameter) is a directory then pam_mail assumes it is in the - <emphasis remap='I'>Maildir</emphasis> format. + <emphasis remap="I">Maildir</emphasis> format. </para> </refsect1> - <refsect1 id="pam_mail-options"> + <refsect1 xml:id="pam_mail-options"> <title>OPTIONS</title> <para> @@ -77,7 +74,7 @@ <varlistentry> <term> - <option>close</option> + close </term> <listitem> <para> @@ -88,7 +85,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -99,7 +96,7 @@ <varlistentry> <term> - <option>dir=<replaceable>maildir</replaceable></option> + dir=maildir </term> <listitem> <para> @@ -116,7 +113,7 @@ <varlistentry> <term> - <option>empty</option> + empty </term> <listitem> <para> @@ -127,7 +124,7 @@ <varlistentry> <term> - <option>hash=<replaceable>count</replaceable></option> + hash=count </term> <listitem> <para> @@ -141,11 +138,11 @@ <varlistentry> <term> - <option>noenv</option> + noenv </term> <listitem> <para> - Do not set the <emphasis remap='B'>MAIL</emphasis> + Do not set the <emphasis remap="B">MAIL</emphasis> environment variable. </para> </listitem> @@ -153,12 +150,12 @@ <varlistentry> <term> - <option>nopen</option> + nopen </term> <listitem> <para> Don't print any mail information on login. This flag is - useful to get the <emphasis remap='B'>MAIL</emphasis> + useful to get the <emphasis remap="B">MAIL</emphasis> environment variable set, but to not display any information about it. </para> @@ -167,7 +164,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -178,7 +175,7 @@ <varlistentry> <term> - <option>standard</option> + standard </term> <listitem> <para> @@ -193,7 +190,7 @@ </para> </refsect1> - <refsect1 id="pam_mail-types"> + <refsect1 xml:id="pam_mail-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>session</option> and @@ -202,7 +199,7 @@ </para> </refsect1> - <refsect1 id='pam_mail-return_values'> + <refsect1 xml:id="pam_mail-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -244,7 +241,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_mail-examples'> + <refsect1 xml:id="pam_mail-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -255,7 +252,7 @@ session optional pam_mail.so standard </para> </refsect1> - <refsect1 id='pam_mail-see_also'> + <refsect1 xml:id="pam_mail-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -265,16 +262,16 @@ session optional pam_mail.so standard <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_mail-author'> + <refsect1 xml:id="pam_mail-author"> <title>AUTHOR</title> <para> pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index 17383c7b..2b77e560 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -169,7 +169,7 @@ get_folder(pam_handle_t *pamh, int ctrl, hash[2 * i] = '\0'; rc = asprintf(&folder, MAIL_FILE_FORMAT, path, hash, pwd->pw_name); - _pam_overwrite(hash); + pam_overwrite_string(hash); _pam_drop(hash); if (rc < 0) goto get_folder_cleanup; @@ -211,7 +211,7 @@ get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) } i = scandir(dir, &namelist, 0, alphasort); save_errno = errno; - _pam_overwrite(dir); + pam_overwrite_string(dir); _pam_drop(dir); if (i < 0) { type = 0; @@ -232,7 +232,7 @@ get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) } i = scandir(dir, &namelist, 0, alphasort); save_errno = errno; - _pam_overwrite(dir); + pam_overwrite_string(dir); _pam_drop(dir); if (i < 0) { type = 0; @@ -264,7 +264,7 @@ get_mail_status(pam_handle_t *pamh, int ctrl, const char *folder) } get_mail_status_cleanup: - memset(&mail_st, 0, sizeof(mail_st)); + pam_overwrite_object(&mail_st); D(("user has %d mail in %s folder", type, folder)); return type; } @@ -286,7 +286,7 @@ report_mail(pam_handle_t *pamh, int ctrl, int type, const char *folder) switch (type) { case HAVE_NO_MAIL: - retval = pam_info (pamh, "%s", _("You have no mail.")); + retval = pam_info (pamh, "%s", _("You do not have any new mail.")); break; case HAVE_NEW_MAIL: retval = pam_info (pamh, "%s", _("You have new mail.")); @@ -415,7 +415,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, } D(("setting env: %s", tmp)); retval = pam_putenv(pamh, tmp); - _pam_overwrite(tmp); + pam_overwrite_string(tmp); _pam_drop(tmp); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_CRIT, @@ -457,7 +457,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, (void) pam_putenv(pamh, MAIL_ENV_NAME); do_mail_cleanup: - _pam_overwrite(folder); + pam_overwrite_string(folder); _pam_drop(folder); /* indicate success or failure */ diff --git a/modules/pam_mkhomedir/Makefile.am b/modules/pam_mkhomedir/Makefile.am index 04da1dcc..e0f80a96 100644 --- a/modules/pam_mkhomedir/Makefile.am +++ b/modules/pam_mkhomedir/Makefile.am @@ -16,7 +16,11 @@ dist_check_SCRIPTS = tst-pam_mkhomedir TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DMKHOMEDIR_HELPER=\"$(sbindir)/mkhomedir_helper\" $(WARN_CFLAGS) diff --git a/modules/pam_mkhomedir/Makefile.in b/modules/pam_mkhomedir/Makefile.in index 163531e8..3e5cb170 100644 --- a/modules/pam_mkhomedir/Makefile.in +++ b/modules/pam_mkhomedir/Makefile.in @@ -455,6 +455,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -467,11 +468,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -503,12 +506,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -531,6 +536,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -541,12 +547,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -620,7 +630,8 @@ XMLS = README.xml pam_mkhomedir.8.xml mkhomedir_helper.8.xml dist_check_SCRIPTS = tst-pam_mkhomedir TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DMKHOMEDIR_HELPER=\"$(sbindir)/mkhomedir_helper\" $(WARN_CFLAGS) diff --git a/modules/pam_mkhomedir/README.xml b/modules/pam_mkhomedir/README.xml index 978cbe77..ef998956 100644 --- a/modules/pam_mkhomedir/README.xml +++ b/modules/pam_mkhomedir/README.xml @@ -1,36 +1,23 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_mkhomedir.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_mkhomedir-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_mkhomedir.8.xml" xpointer='xpointer(id("pam_mkhomedir-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8 b/modules/pam_mkhomedir/mkhomedir_helper.8 index a9e68a0e..7f5e6160 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.8 +++ b/modules/pam_mkhomedir/mkhomedir_helper.8 @@ -1,13 +1,13 @@ '\" t .\" Title: mkhomedir_helper .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "MKHOMEDIR_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "MKHOMEDIR_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8.xml b/modules/pam_mkhomedir/mkhomedir_helper.8.xml index 8a76f2d6..0f4c4b40 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.8.xml +++ b/modules/pam_mkhomedir/mkhomedir_helper.8.xml @@ -1,31 +1,28 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="mkhomedir_helper"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="mkhomedir_helper"> <refmeta> <refentrytitle>mkhomedir_helper</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="mkhomedir_helper-name"> + <refnamediv xml:id="mkhomedir_helper-name"> <refname>mkhomedir_helper</refname> <refpurpose>Helper binary that creates home directories</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="mkhomedir_helper-cmdsynopsis"> + <cmdsynopsis xml:id="mkhomedir_helper-cmdsynopsis" sepchar=" "> <command>mkhomedir_helper</command> - <arg choice="req"> + <arg choice="req" rep="norepeat"> <replaceable>user</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>umask</replaceable> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>path-to-skel</replaceable> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>home_mode</replaceable> </arg> </arg> @@ -33,7 +30,7 @@ </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="mkhomedir_helper-description"> + <refsect1 xml:id="mkhomedir_helper-description"> <title>DESCRIPTION</title> @@ -63,7 +60,7 @@ </para> </refsect1> - <refsect1 id='mkhomedir_helper-see_also'> + <refsect1 xml:id="mkhomedir_helper-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -72,7 +69,7 @@ </para> </refsect1> - <refsect1 id='mkhomedir_helper-author'> + <refsect1 xml:id="mkhomedir_helper-author"> <title>AUTHOR</title> <para> Written by Tomas Mraz based on the code originally in @@ -80,4 +77,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c index 582fecce..643d5d01 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.c +++ b/modules/pam_mkhomedir/mkhomedir_helper.c @@ -39,6 +39,7 @@ create_homedir(const struct passwd *pwd, DIR *d; struct dirent *dent; int retval = PAM_SESSION_ERR; + struct stat stat_buf; /* Create the new directory */ if (mkdir(dest, 0700) && errno != EEXIST) @@ -54,6 +55,12 @@ create_homedir(const struct passwd *pwd, goto go_out; } + /* Various things such as an autofs mount with browsing disabled + * can cause the directory to appear only on stat. The intent is + * to minimize network traversal when a file explorer tries to + * traverse large chunks of a directory tree. So stat first.*/ + stat(source, &stat_buf); + /* Scan the directory */ d = opendir(source); if (d == NULL) @@ -184,8 +191,7 @@ create_homedir(const struct passwd *pwd, else pointed[pointedlen] = 0; #else - char pointed[PATH_MAX]; - memset(pointed, 0, sizeof(pointed)); + char pointed[PATH_MAX] = {}; pointedlen = readlink(newsource, pointed, sizeof(pointed) - 1); #endif diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8 b/modules/pam_mkhomedir/pam_mkhomedir.8 index b8a4754c..6962971e 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.8 +++ b/modules/pam_mkhomedir/pam_mkhomedir.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_mkhomedir .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_MKHOMEDIR" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_MKHOMEDIR" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -40,18 +40,18 @@ The pam_mkhomedir PAM module will create a users home directory if it does not e The new users home directory will not be removed after logout of the user\&. .SH "OPTIONS" .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages\&. .RE .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBumask=\fR\fB\fImask\fR\fR +umask=mask .RS 4 The file mode creation mask is set to \fImask\fR\&. The default value of mask is 0022\&. If this option is not specified, then the permissions of created user home directory is set to the value of @@ -62,7 +62,7 @@ configuration item from in the same file\&. If there is no such configuration option either the default value of 0755 is used for the mode\&. .RE .PP -\fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR +skel=/path/to/skel/directory .RS 4 Indicate an alternative skel @@ -129,7 +129,7 @@ A sample /etc/pam\&.d/login file: .SH "SEE ALSO" .PP \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHOR" .PP pam_mkhomedir was written by Jason Gunthorpe <jgg@debian\&.org>\&. diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8.xml b/modules/pam_mkhomedir/pam_mkhomedir.8.xml index 10109067..25f5497a 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.8.xml +++ b/modules/pam_mkhomedir/pam_mkhomedir.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_mkhomedir'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_mkhomedir"> <refmeta> <refentrytitle>pam_mkhomedir</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_mkhomedir-name'> + <refnamediv xml:id="pam_mkhomedir-name"> <refname>pam_mkhomedir</refname> <refpurpose> PAM module to create users home directory @@ -20,25 +17,25 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_mkhomedir-cmdsynopsis"> + <cmdsynopsis xml:id="pam_mkhomedir-cmdsynopsis" sepchar=" "> <command>pam_mkhomedir.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> umask=<replaceable>mode</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> skel=<replaceable>skeldir</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_mkhomedir-description"> + <refsect1 xml:id="pam_mkhomedir-description"> <title>DESCRIPTION</title> <para> The pam_mkhomedir PAM module will create a users home directory @@ -55,13 +52,13 @@ </para> </refsect1> - <refsect1 id="pam_mkhomedir-options"> + <refsect1 xml:id="pam_mkhomedir-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -72,7 +69,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -86,7 +83,7 @@ <varlistentry> <term> - <option>umask=<replaceable>mask</replaceable></option> + umask=mask </term> <listitem> <para> @@ -106,7 +103,7 @@ <varlistentry> <term> - <option>skel=<replaceable>/path/to/skel/directory</replaceable></option> + skel=/path/to/skel/directory </term> <listitem> <para> @@ -119,14 +116,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_mkhomedir-types"> + <refsect1 xml:id="pam_mkhomedir-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id="pam_mkhomedir-return_values"> + <refsect1 xml:id="pam_mkhomedir-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -165,11 +162,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_mkhomedir-files"> + <refsect1 xml:id="pam_mkhomedir-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/skel</filename></term> + <term>/etc/skel</term> <listitem> <para>Default skel directory</para> </listitem> @@ -177,7 +174,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_mkhomedir-examples'> + <refsect1 xml:id="pam_mkhomedir-examples"> <title>EXAMPLES</title> <para> A sample /etc/pam.d/login file: @@ -198,22 +195,22 @@ </refsect1> - <refsect1 id="pam_mkhomedir-see_also"> + <refsect1 xml:id="pam_mkhomedir-see_also"> <title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_mkhomedir-author"> + <refsect1 xml:id="pam_mkhomedir-author"> <title>AUTHOR</title> <para> pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c index 48e578fa..6ddcd5a8 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/modules/pam_mkhomedir/pam_mkhomedir.c @@ -125,15 +125,6 @@ create_homedir (pam_handle_t *pamh, options_t *opt, D(("called.")); - /* - * This code arranges that the demise of the child does not cause - * the application to receive a signal it is not expecting - which - * may kill the application or worse. - */ - memset(&newsa, '\0', sizeof(newsa)); - newsa.sa_handler = SIG_DFL; - sigaction(SIGCHLD, &newsa, &oldsa); - if (opt->ctrl & MKHOMEDIR_DEBUG) { pam_syslog(pamh, LOG_DEBUG, "Executing mkhomedir_helper."); } @@ -153,6 +144,15 @@ create_homedir (pam_handle_t *pamh, options_t *opt, login_homemode = _pam_conv_str_umask_to_homemode(opt->umask); } + /* + * This code arranges that the demise of the child does not cause + * the application to receive a signal it is not expecting - which + * may kill the application or worse. + */ + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + sigaction(SIGCHLD, &newsa, &oldsa); + /* fork */ child = fork(); if (child == 0) { diff --git a/modules/pam_motd/Makefile.am b/modules/pam_motd/Makefile.am index 956dad2b..fc8f26c4 100644 --- a/modules/pam_motd/Makefile.am +++ b/modules/pam_motd/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_motd TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_motd/Makefile.in b/modules/pam_motd/Makefile.in index 14ab6bb8..4116d988 100644 --- a/modules/pam_motd/Makefile.in +++ b/modules/pam_motd/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_motd.8.xml dist_check_SCRIPTS = tst-pam_motd TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_motd/README b/modules/pam_motd/README index 01bc64e9..375ec809 100644 --- a/modules/pam_motd/README +++ b/modules/pam_motd/README @@ -52,6 +52,10 @@ motd_dir=/path/dirname.d colon-separated list. By default this option is set to /etc/motd.d:/run/ motd.d:/usr/lib/motd.d. +noupdate + + Don't run the scripts in /etc/update-motd.d to refresh the motd file. + When no options are given, the default behavior applies for both options. Specifying either option (or both) will disable the default behavior for both options. diff --git a/modules/pam_motd/README.xml b/modules/pam_motd/README.xml index 779e4d17..9e8edadf 100644 --- a/modules/pam_motd/README.xml +++ b/modules/pam_motd/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_motd.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_motd-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_motd.8.xml" xpointer='xpointer(id("pam_motd-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_motd/pam_motd.8 b/modules/pam_motd/pam_motd.8 index a211d6ee..6a6ab4e7 100644 --- a/modules/pam_motd/pam_motd.8 +++ b/modules/pam_motd/pam_motd.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_motd .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_MOTD" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_MOTD" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -93,7 +93,7 @@ The environment variable is set after showing the motd files, even when all of them were silenced using symbolic links\&. .SH "OPTIONS" .PP -\fBmotd=\fR\fB\fI/path/filename\fR\fR +motd=/path/filename .RS 4 The /path/filename @@ -101,7 +101,7 @@ file is displayed as message of the day\&. Multiple paths to try can be specifie /etc/motd:/run/motd:/usr/lib/motd\&. .RE .PP -\fBmotd_dir=\fR\fB\fI/path/dirname\&.d\fR\fR +motd_dir=/path/dirname\&.d .RS 4 The /path/dirname\&.d @@ -109,6 +109,13 @@ directory is scanned and each file contained inside of it is displayed\&. Multip /etc/motd\&.d:/run/motd\&.d:/usr/lib/motd\&.d\&. .RE .PP +\fBnoupdate\fR +.RS 4 +Don\*(Aqt run the scripts in +/etc/update\-motd\&.d +to refresh the motd file\&. +.RE +.PP When no options are given, the default behavior applies for both options\&. Specifying either option (or both) will disable the default behavior for both options\&. .SH "MODULE TYPES PROVIDED" .PP @@ -185,7 +192,7 @@ session optional pam_motd\&.so motd=/elsewhere/motd motd_dir=/elsewhere/motd\& \fBmotd\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_motd was written by Ben Collins <bcollins@debian\&.org>\&. diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml index 0afd4c99..8369779a 100644 --- a/modules/pam_motd/pam_motd.8.xml +++ b/modules/pam_motd/pam_motd.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_motd"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_motd"> <refmeta> <refentrytitle>pam_motd</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_motd-name"> + <refnamediv xml:id="pam_motd-name"> <refname>pam_motd</refname> <refpurpose>Display the motd file</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_motd-cmdsynopsis"> + <cmdsynopsis xml:id="pam_motd-cmdsynopsis" sepchar=" "> <command>pam_motd.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> motd=<replaceable>/path/filename</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> motd_dir=<replaceable>/path/dirname.d</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_motd-description"> + <refsect1 xml:id="pam_motd-description"> <title>DESCRIPTION</title> @@ -38,7 +35,7 @@ following locations: </para> <para> - <simplelist type='vert'> + <simplelist type="vert"> <member><filename>/etc/motd</filename></member> <member><filename>/run/motd</filename></member> <member><filename>/usr/lib/motd</filename></member> @@ -79,19 +76,19 @@ <command>ln -s /dev/null /etc/motd.d/my_motd</command> </para> <para> - The <emphasis remap='B'>MOTD_SHOWN=pam</emphasis> environment variable + The <emphasis remap="B">MOTD_SHOWN=pam</emphasis> environment variable is set after showing the motd files, even when all of them were silenced using symbolic links. </para> </refsect1> - <refsect1 id="pam_motd-options"> + <refsect1 xml:id="pam_motd-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>motd=<replaceable>/path/filename</replaceable></option> + motd=/path/filename </term> <listitem> <para> @@ -104,7 +101,7 @@ </varlistentry> <varlistentry> <term> - <option>motd_dir=<replaceable>/path/dirname.d</replaceable></option> + motd_dir=/path/dirname.d </term> <listitem> <para> @@ -115,6 +112,17 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>noupdate</option> + </term> + <listitem> + <para> + Don't run the scripts in <filename>/etc/update-motd.d</filename> + to refresh the motd file. + </para> + </listitem> + </varlistentry> </variablelist> <para> When no options are given, the default behavior applies for both @@ -123,14 +131,14 @@ </para> </refsect1> - <refsect1 id="pam_motd-types"> + <refsect1 xml:id="pam_motd-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_motd-return_values'> + <refsect1 xml:id="pam_motd-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -160,7 +168,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_motd-examples'> + <refsect1 xml:id="pam_motd-examples"> <title>EXAMPLES</title> <para> The suggested usage for <filename>/etc/pam.d/login</filename> is: @@ -183,7 +191,7 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d </para> </refsect1> - <refsect1 id='pam_motd-see_also'> + <refsect1 xml:id="pam_motd-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -196,12 +204,12 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_motd-author'> + <refsect1 xml:id="pam_motd-author"> <title>AUTHOR</title> <para> pam_motd was written by Ben Collins <bcollins@debian.org>. @@ -212,4 +220,4 @@ session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c index 6ac8cba2..8472dd64 100644 --- a/modules/pam_motd/pam_motd.c +++ b/modules/pam_motd/pam_motd.c @@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b) } } -static int filter_dirents(const struct dirent *d) -{ - return (d->d_type == DT_REG || d->d_type == DT_LNK); -} - static void try_to_display_directories_with_overrides(pam_handle_t *pamh, char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing) { @@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, for (i = 0; i < num_motd_dirs; i++) { int rv; - rv = scandir(motd_dir_path_split[i], &(dirscans[i]), - filter_dirents, alphasort); + rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL); if (rv < 0) { if (errno != ENOENT || report_missing) { pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m", @@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, if (dirscans_size_total == 0) goto out; + /* filter out unwanted names, directories, and complement data with lstat() */ + for (i = 0; i < num_motd_dirs; i++) { + struct dirent **d = dirscans[i]; + for (unsigned int j = 0; j < dirscans_sizes[i]; j++) { + int rc; + char *fullpath; + struct stat s; + + switch(d[j]->d_type) { /* the filetype determines how to proceed */ + case DT_REG: /* regular files and */ + case DT_LNK: /* symlinks */ + continue; /* are good. */ + case DT_UNKNOWN: /* for file systems that do not provide */ + /* a filetype, we use lstat() */ + if (join_dir_strings(&fullpath, motd_dir_path_split[i], + d[j]->d_name) <= 0) + break; + rc = lstat(fullpath, &s); + _pam_drop(fullpath); /* free the memory alloc'ed by join_dir_strings */ + if (rc != 0) /* if the lstat() somehow failed */ + break; + + if (S_ISREG(s.st_mode) || /* regular files and */ + S_ISLNK(s.st_mode)) continue; /* symlinks are good */ + break; + case DT_DIR: /* We don't want directories */ + default: /* nor anything else */ + break; + } + _pam_drop(d[j]); /* free memory */ + d[j] = NULL; /* indicate this one was dropped */ + dirscans_size_total--; + } + } + /* Allocate space for all file names found in the directories, including duplicates. */ if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) { pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array"); @@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, unsigned int j; for (j = 0; j < dirscans_sizes[i]; j++) { - dirnames_all[i_dirnames] = dirscans[i][j]->d_name; - i_dirnames++; + if (NULL != dirscans[i][j]) { + dirnames_all[i_dirnames] = dirscans[i][j]->d_name; + i_dirnames++; + } } } @@ -352,6 +383,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval = PAM_IGNORE; + int do_update = 1; const char *motd_path = NULL; char *motd_path_copy = NULL; unsigned int num_motd_paths = 0; @@ -361,6 +393,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, unsigned int num_motd_dir_paths = 0; char **motd_dir_path_split = NULL; int report_missing; + struct stat st; if (flags & PAM_SILENT) { return retval; @@ -390,6 +423,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, "motd_dir= specification missing argument - ignored"); } } + else if (!strcmp(*argv,"noupdate")) { + do_update = 0; + } else pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -402,6 +438,19 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, report_missing = 1; } + /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic. + This will be displayed only when calling pam_motd with + motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd + display both this file and /etc/motd. */ + if (do_update && (stat("/etc/update-motd.d", &st) == 0) + && S_ISDIR(st.st_mode)) + { + mode_t old_mask = umask(0022); + if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")) + rename("/run/motd.dynamic.new", "/run/motd.dynamic"); + umask(old_mask); + } + if (motd_path != NULL) { motd_path_copy = strdup(motd_path); } diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 47cc38e1..507beea7 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -16,12 +16,16 @@ dist_check_SCRIPTS = tst-pam_namespace TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif namespaceddir = $(SCONFIGDIR)/namespace.d servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_namespace/Makefile.in b/modules/pam_namespace/Makefile.in index e21c836d..8fc29dc1 100644 --- a/modules/pam_namespace/Makefile.in +++ b/modules/pam_namespace/Makefile.in @@ -441,6 +441,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -453,11 +454,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -489,12 +492,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -517,6 +522,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -527,12 +533,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -606,11 +616,12 @@ XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml pam_namespace_helper. dist_check_SCRIPTS = tst-pam_namespace TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) namespaceddir = $(SCONFIGDIR)/namespace.d servicedir = $(systemdunitdir) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) noinst_HEADERS = md5.h pam_namespace.h argv_parse.h diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README index 106a073a..c5a6ec4d 100644 --- a/modules/pam_namespace/README +++ b/modules/pam_namespace/README @@ -14,6 +14,9 @@ polyinstantiated directory path, the instance directory path, flag whether the instance directory was newly created (0 for no, 1 for yes), and the user name as its arguments. +If /etc/security/namespace.init does not exist, %vendordir%/security/ +namespace.init is the alternative to be used for it. + The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate @@ -117,6 +120,16 @@ The /etc/security/namespace.conf file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. +The /etc/security/namespace.conf file ( or %vendordir%/security/namespace.conf +if it does not exist) specifies which directories are polyinstantiated, how +they are polyinstantiated, how instance directories would be named, and any +users for whom polyinstantiation would not be performed. Then individual *.conf +files from the /etc/security/namespace.d/ and %vendordir%/security/namespace.d +directories are taken too. If /etc/security/namespace.d/@filename@.conf exists, +then %vendordir%/security/namespace.d/@filename@.conf will not be used. All +namespace.d/*.conf files are sorted by their @filename@.conf in lexicographic +order regardless of which of the directories they reside in. + When someone logs in, the file namespace.conf is scanned. Comments are marked by # characters. Each non comment line represents one polyinstantiated directory. The fields are separated by spaces but can be quoted by " characters diff --git a/modules/pam_namespace/README.xml b/modules/pam_namespace/README.xml index 4ef99c9f..f94cb065 100644 --- a/modules/pam_namespace/README.xml +++ b/modules/pam_namespace/README.xml @@ -1,44 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamns SYSTEM "pam_namespace.8.xml"> ---> -<!-- -<!ENTITY nsconf SYSTEM "namespace.conf.5.xml"> ---> -]> - -<article> - - <articleinfo> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> + + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(id("pam_namespace-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="namespace.conf.5.xml" xpointer='xpointer(id("namespace.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index 22e41ee0..07ad9a02 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -21,6 +21,8 @@ #include "md5.h" #include <string.h> +#include "pam_inline.h" + #define MD5Name(x) x #ifdef WORDS_BIGENDIAN @@ -149,7 +151,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); byteReverse(ctx->buf.c, 4); memcpy(digest, ctx->buf.c, 16); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ + pam_overwrite_object(ctx); /* In case it's sensitive */ } /* The four core functions - F1 is optimized somewhat */ diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 index ff122cbf..e4e8cfdd 100644 --- a/modules/pam_namespace/namespace.conf.5 +++ b/modules/pam_namespace/namespace.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: namespace.conf .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "NAMESPACE\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "NAMESPACE\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -162,7 +162,7 @@ This module also depends on pam_selinux\&.so setting the context\&. .PP \fBpam_namespace\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHORS" .PP The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. More features added by Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index a94b49e2..dcf69732 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="namespace.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="namespace.conf"> <refmeta> <refentrytitle>namespace.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -16,7 +13,7 @@ </refnamediv> - <refsect1 id='namespace.conf-description'> + <refsect1 xml:id="namespace.conf-description"> <title>DESCRIPTION</title> <para> @@ -30,13 +27,29 @@ directory path and the instance directory path as its arguments. </para> - <para> + <para condition="without_vendordir"> The <filename>/etc/security/namespace.conf</filename> file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. </para> + <para condition="with_vendordir"> + The <filename>/etc/security/namespace.conf</filename> file + ( or <filename>%vendordir%/security/namespace.conf</filename> if it does + not exist) specifies which directories are polyinstantiated, how they are + polyinstantiated, how instance directories would be named, and any users + for whom polyinstantiation would not be performed. + Then individual <filename>*.conf</filename> files from the + <filename>/etc/security/namespace.d/</filename> and + <filename>%vendordir%/security/namespace.d</filename> directories are taken too. + If <filename>/etc/security/namespace.d/@filename@.conf</filename> exists, then + <filename>%vendordir%/security/namespace.d/@filename@.conf</filename> will not be used. + All <filename>namespace.d/*.conf</filename> files are sorted by their + <filename>@filename@.conf</filename> in lexicographic order regardless of which + of the directories they reside in. + </para> + <para> When someone logs in, the file <filename>namespace.conf</filename> is scanned. Comments are marked by <emphasis>#</emphasis> characters. @@ -159,7 +172,7 @@ </refsect1> - <refsect1 id="namespace.conf-examples"> + <refsect1 xml:id="namespace.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -204,20 +217,20 @@ </refsect1> - <refsect1 id="namespace.conf-see_also"> + <refsect1 xml:id="namespace.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="namespace.conf-author"> + <refsect1 xml:id="namespace.conf-author"> <title>AUTHORS</title> <para> The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. More features added by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init index 67d4aa2d..d9053a13 100755 --- a/modules/pam_namespace/namespace.init +++ b/modules/pam_namespace/namespace.init @@ -16,7 +16,7 @@ if [ "$3" = 1 ]; then cp -rT /etc/skel "$homedir" chown -R "$user":"$gid" "$homedir" mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs) - mode=$(printf "%o" $((0777 & ~$mask))) + mode=$(printf "%o" $((0777 & ~mask))) chmod ${mode:-700} "$homedir" [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" fi diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 index d0afb6c6..d69f9fd6 100644 --- a/modules/pam_namespace/pam_namespace.8 +++ b/modules/pam_namespace/pam_namespace.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NAMESPACE" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_NAMESPACE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -41,57 +41,57 @@ exists, it is used to initialize the instance directory after it is set up and m The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 A lot of debug information is logged using syslog .RE .PP -\fBunmnt_remnt\fR +unmnt_remnt .RS 4 For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context .RE .PP -\fBunmnt_only\fR +unmnt_only .RS 4 For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories .RE .PP -\fBrequire_selinux\fR +require_selinux .RS 4 If selinux is not enabled, return failure .RE .PP -\fBgen_hash\fR +gen_hash .RS 4 Instead of using the security context string for the instance name, generate and use its md5 hash\&. .RE .PP -\fBignore_config_error\fR +ignore_config_error .RS 4 If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&. .RE .PP -\fBignore_instance_parent_mode\fR +ignore_instance_parent_mode .RS 4 Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&. .RE .PP -\fBunmount_on_close\fR +unmount_on_close .RS 4 Explicitly unmount the polyinstantiated directories instead of relying on automatic namespace destruction after the last process in a namespace exits\&. This option should be used only in case it is ensured by other means that there cannot be any processes running in the private namespace left after the session close\&. It is also useful only in case there are multiple pam session calls in sequence from the same process\&. .RE .PP -\fBuse_current_context\fR +use_current_context .RS 4 Useful for services which do not change the SELinux context with setexeccon call\&. The module will use the current SELinux context of the calling process for the level and context polyinstantiation\&. .RE .PP -\fBuse_default_context\fR +use_default_context .RS 4 Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call\&. The module will use the default SELinux context of the user for the level and context polyinstantiation\&. .RE .PP -\fBmount_private\fR +mount_private .RS 4 This option can be used on systems where the / mount point or its submounts are made shared (for example with a \fBmount \-\-make\-rshared /\fR @@ -148,7 +148,7 @@ To use polyinstantiation with graphical display manager gdm, please refer to gdm \fBnamespace.conf\fR(5), \fBpam.d\fR(5), \fBmount\fR(8), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHORS" .PP The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&. Additional improvements by Xavier Toth <txtoth@gmail\&.com> and Tomas Mraz <tmraz@redhat\&.com>\&. diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index 57c44c4b..954093d9 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_namespace'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace"> <refmeta> <refentrytitle>pam_namespace</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_namespace-name'> + <refnamediv xml:id="pam_namespace-name"> <refname>pam_namespace</refname> <refpurpose> PAM module for configuring namespace for a session @@ -20,46 +17,46 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_namespace-cmdsynopsis"> + <cmdsynopsis xml:id="pam_namespace-cmdsynopsis" sepchar=" "> <command>pam_namespace.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmnt_remnt </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmnt_only </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> require_selinux </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> gen_hash </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore_config_error </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ignore_instance_parent_mode </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unmount_on_close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_current_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_default_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> mount_private </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_namespace-description"> + <refsect1 xml:id="pam_namespace-description"> <title>DESCRIPTION</title> <para> The pam_namespace PAM module sets up a private namespace for a session @@ -74,6 +71,12 @@ and the user name as its arguments. </para> + <para condition="with_vendordir"> + If <filename>/etc/security/namespace.init</filename> does not exist, + <filename>%vendordir%/security/namespace.init</filename> is the + alternative to be used for it. + </para> + <para> The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent @@ -88,13 +91,13 @@ </refsect1> - <refsect1 id="pam_namespace-options"> + <refsect1 xml:id="pam_namespace-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -105,7 +108,7 @@ <varlistentry> <term> - <option>unmnt_remnt</option> + unmnt_remnt </term> <listitem> <para> @@ -125,7 +128,7 @@ <varlistentry> <term> - <option>unmnt_only</option> + unmnt_only </term> <listitem> <para> @@ -140,7 +143,7 @@ <varlistentry> <term> - <option>require_selinux</option> + require_selinux </term> <listitem> <para> @@ -151,7 +154,7 @@ <varlistentry> <term> - <option>gen_hash</option> + gen_hash </term> <listitem> <para> @@ -164,7 +167,7 @@ <varlistentry> <term> - <option>ignore_config_error</option> + ignore_config_error </term> <listitem> <para> @@ -180,7 +183,7 @@ <varlistentry> <term> - <option>ignore_instance_parent_mode</option> + ignore_instance_parent_mode </term> <listitem> <para> @@ -195,7 +198,7 @@ <varlistentry> <term> - <option>unmount_on_close</option> + unmount_on_close </term> <listitem> <para> @@ -212,7 +215,7 @@ <varlistentry> <term> - <option>use_current_context</option> + use_current_context </term> <listitem> <para> @@ -226,7 +229,7 @@ <varlistentry> <term> - <option>use_default_context</option> + use_default_context </term> <listitem> <para> @@ -240,7 +243,7 @@ <varlistentry> <term> - <option>mount_private</option> + mount_private </term> <listitem> <para> @@ -265,7 +268,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_namespace-types"> + <refsect1 xml:id="pam_namespace-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. @@ -273,7 +276,7 @@ </para> </refsect1> - <refsect1 id="pam_namespace-return_values"> + <refsect1 xml:id="pam_namespace-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -303,33 +306,57 @@ </variablelist> </refsect1> - <refsect1 id="pam_namespace-files"> + <refsect1 xml:id="pam_namespace-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/namespace.conf</filename></term> + <term>/etc/security/namespace.conf</term> <listitem> <para>Main configuration file</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.conf</term> + <listitem> + <para>Default configuration file if + <filename>/etc/security/namespace.conf</filename> does not exist.</para> + </listitem> + </varlistentry> + <varlistentry> - <term><filename>/etc/security/namespace.d</filename></term> + <term>/etc/security/namespace.d</term> <listitem> <para>Directory for additional configuration files</para> </listitem> </varlistentry> + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.d</term> + <listitem> + <para>Directory for additional vendor specific configuration files.</para> + </listitem> + </varlistentry> + <varlistentry> - <term><filename>/etc/security/namespace.init</filename></term> + <term>/etc/security/namespace.init</term> <listitem> <para>Init script for instance directories</para> </listitem> </varlistentry> + + <varlistentry condition="with_vendordir"> + <term>%vendordir%/security/namespace.init</term> + <listitem> + <para>Vendor init script for instance directories if + /etc/security/namespace.init does not exist. + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_namespace-examples"> + <refsect1 xml:id="pam_namespace-examples"> <title>EXAMPLES</title> <para> @@ -349,7 +376,7 @@ </refsect1> - <refsect1 id="pam_namespace-see_also"> + <refsect1 xml:id="pam_namespace-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -362,12 +389,12 @@ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_namespace-authors"> + <refsect1 xml:id="pam_namespace-authors"> <title>AUTHORS</title> <para> The namespace setup scheme was designed by Stephen Smalley, Janak Desai @@ -378,4 +405,4 @@ <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 4d4188d0..ef856443 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -39,6 +39,94 @@ #include "pam_namespace.h" #include "argv_parse.h" +/* --- evaluting all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */ +static const char *base_name(const char *path) +{ + const char *base = strrchr(path, '/'); + return base ? base+1 : path; +} + +static int +compare_filename(const void *a, const void *b) +{ + return strcmp(base_name(* (char * const *) a), + base_name(* (char * const *) b)); +} + +/* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/namespace.d/@filename@.conf exists, then + * %vendordir%/security/namespace.d/@filename@.conf should not be used. + * - All files in both namespace.d directories are sorted by their @filename@.conf in + * lexicographic order regardless of which of the directories they reside in. */ +static char **read_namespace_dir(struct instance_data *idata) +{ + glob_t globbuf; + size_t i=0; + int glob_rv = glob(NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf); + char **file_list; + size_t file_list_size = glob_rv == 0 ? globbuf.gl_pathc : 0; + +#ifdef VENDOR_NAMESPACE_D_GLOB + glob_t globbuf_vendor; + int glob_rv_vendor = glob(VENDOR_NAMESPACE_D_GLOB, GLOB_ERR | GLOB_NOSORT, NULL, &globbuf_vendor); + if (glob_rv_vendor == 0) + file_list_size += globbuf_vendor.gl_pathc; +#endif + file_list = malloc((file_list_size + 1) * sizeof(char*)); + if (file_list == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot allocate memory for file list: %m"); +#ifdef VENDOR_NAMESPACE_D_GLOB + if (glob_rv_vendor == 0) + globfree(&globbuf_vendor); +#endif + if (glob_rv == 0) + globfree(&globbuf); + return NULL; + } + + if (glob_rv == 0) { + for (i = 0; i < globbuf.gl_pathc; i++) { + file_list[i] = strdup(globbuf.gl_pathv[i]); + if (file_list[i] == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m"); + break; + } + } + } +#ifdef VENDOR_NAMESPACE_D_GLOB + if (glob_rv_vendor == 0) { + for (size_t j = 0; j < globbuf_vendor.gl_pathc; j++) { + if (glob_rv == 0 && globbuf.gl_pathc > 0) { + int double_found = 0; + for (size_t k = 0; k < globbuf.gl_pathc; k++) { + if (strcmp(base_name(globbuf.gl_pathv[k]), + base_name(globbuf_vendor.gl_pathv[j])) == 0) { + double_found = 1; + break; + } + } + if (double_found) + continue; + } + file_list[i] = strdup(globbuf_vendor.gl_pathv[j]); + if (file_list[i] == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "strdup failed: %m"); + break; + } + i++; + } + globfree(&globbuf_vendor); + } +#endif + file_list[i] = NULL; + qsort(file_list, i, sizeof(char *), compare_filename); + if (glob_rv == 0) + globfree(&globbuf); + + return file_list; +} + /* * Adds an entry for a polyinstantiated directory to the linked list of * polyinstantiated directories. It is called from process_line() while @@ -624,8 +712,6 @@ static int parse_config_file(struct instance_data *idata) char *line; int retval; size_t len = 0; - glob_t globbuf; - const char *oldlocale; size_t n; /* @@ -664,13 +750,16 @@ static int parse_config_file(struct instance_data *idata) * process_line to process each line. */ - memset(&globbuf, '\0', sizeof(globbuf)); - oldlocale = setlocale(LC_COLLATE, "C"); - glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf); - if (oldlocale != NULL) - setlocale(LC_COLLATE, oldlocale); - confname = PAM_NAMESPACE_CONFIG; +#ifdef VENDOR_PAM_NAMESPACE_CONFIG + /* Check whether PAM_NAMESPACE_CONFIG file is available. + * If it does not exist, fall back to VENDOR_PAM_NAMESPACE_CONFIG file. */ + struct stat buffer; + if (stat(confname, &buffer) != 0 && errno == ENOENT) { + confname = VENDOR_PAM_NAMESPACE_CONFIG; + } +#endif + char **filename_list = read_namespace_dir(idata); n = 0; for (;;) { if (idata->flags & PAMNS_DEBUG) @@ -680,7 +769,6 @@ static int parse_config_file(struct instance_data *idata) if (fil == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s", confname); - globfree(&globbuf); free(rhome); free(home); return PAM_SERVICE_ERR; @@ -698,7 +786,6 @@ static int parse_config_file(struct instance_data *idata) "Error processing conf file %s line %s", confname, line); fclose(fil); free(line); - globfree(&globbuf); free(rhome); free(home); return PAM_SERVICE_ERR; @@ -707,14 +794,18 @@ static int parse_config_file(struct instance_data *idata) fclose(fil); free(line); - if (n >= globbuf.gl_pathc) + if (filename_list == NULL || filename_list[n] == NULL) break; - confname = globbuf.gl_pathv[n]; - n++; + confname = filename_list[n++]; + } + + if (filename_list != NULL) { + for (size_t i = 0; filename_list[i] != NULL; i++) + free(filename_list[i]); + free(filename_list); } - globfree(&globbuf); free(rhome); free(home); @@ -1103,7 +1194,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int dfd = AT_FDCWD; int dfd_next; int save_errno; - int flags = O_RDONLY; + int flags = O_RDONLY | O_DIRECTORY; int rv = -1; struct stat st; @@ -1157,22 +1248,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, rv = openat(dfd, dir, flags); } - if (rv != -1) { - if (fstat(rv, &st) != 0) { - save_errno = errno; - close(rv); - rv = -1; - errno = save_errno; - goto error; - } - if (!S_ISDIR(st.st_mode)) { - close(rv); - errno = ENOTDIR; - rv = -1; - goto error; - } - } - if (flags & O_NOFOLLOW) { /* we are inside user-owned dir - protect */ if (protect_mount(rv, p, idata) == -1) { @@ -1250,16 +1325,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, struct instance_data *idata, int newdir) { pid_t rc, pid; - struct sigaction newsa, oldsa; int status; const char *init_script = NAMESPACE_INIT_SCRIPT; - memset(&newsa, '\0', sizeof(newsa)); - newsa.sa_handler = SIG_DFL; - if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { - pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); - return PAM_SESSION_ERR; +#ifdef VENDOR_NAMESPACE_INIT_SCRIPT + /* Check whether NAMESPACE_INIT_SCRIPT file is available. + * If it does not exist, fall back to VENDOR_NAMESPACE_INIT_SCRIPT file. */ + struct stat buffer; + if (stat(init_script, &buffer) != 0 && errno == ENOENT) { + init_script = VENDOR_NAMESPACE_INIT_SCRIPT; } +#endif if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script) init_script = polyptr->init_script; @@ -1269,9 +1345,17 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Namespace init script not executable"); - rc = PAM_SESSION_ERR; - goto out; + return PAM_SESSION_ERR; } else { + struct sigaction newsa, oldsa; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler"); + return PAM_SESSION_ERR; + } + pid = fork(); if (pid == 0) { static char *envp[] = { NULL }; @@ -1309,13 +1393,13 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, rc = PAM_SESSION_ERR; goto out; } + rc = PAM_SUCCESS; +out: + (void) sigaction(SIGCHLD, &oldsa, NULL); + return rc; } } - rc = PAM_SUCCESS; -out: - (void) sigaction(SIGCHLD, &oldsa, NULL); - - return rc; + return PAM_SUCCESS; } static int create_polydir(struct polydir_s *polyptr, diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index b51f2841..a991b4c4 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -30,7 +30,7 @@ * DEALINGS IN THE SOFTWARE. */ -#if !(defined(linux)) +#ifndef __linux__ #error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! #endif @@ -90,15 +90,17 @@ /* * Module defines */ -#ifndef SECURECONF_DIR -#define SECURECONF_DIR "/etc/security/" +#define PAM_NAMESPACE_CONFIG (SCONFIGDIR "/namespace.conf") +#define NAMESPACE_INIT_SCRIPT (SCONFIGDIR "/namespace.init") +#define NAMESPACE_D_DIR (SCONFIGDIR "/namespace.d/") +#define NAMESPACE_D_GLOB (SCONFIGDIR "/namespace.d/*.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_NAMESPACE_INIT_SCRIPT (VENDOR_SCONFIGDIR "/namespace.init") +#define VENDOR_PAM_NAMESPACE_CONFIG (VENDOR_SCONFIGDIR "/namespace.conf") +#define VENDOR_NAMESPACE_D_DIR (VENDOR_SCONFIGDIR "/namespace.d/") +#define VENDOR_NAMESPACE_D_GLOB (VENDOR_SCONFIGDIR "/namespace.d/*.conf") #endif -#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf") -#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init") -#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/") -#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf") - /* module flags */ #define PAMNS_DEBUG 0x00000100 /* Running in debug mode */ #define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */ diff --git a/modules/pam_namespace/pam_namespace_helper.8 b/modules/pam_namespace/pam_namespace_helper.8 index df93df2e..317cddc8 100644 --- a/modules/pam_namespace/pam_namespace_helper.8 +++ b/modules/pam_namespace/pam_namespace_helper.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_namespace_helper .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NAMESPACE_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_NAMESPACE_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_namespace/pam_namespace_helper.8.xml b/modules/pam_namespace/pam_namespace_helper.8.xml index 2f5adbed..002c254a 100644 --- a/modules/pam_namespace/pam_namespace_helper.8.xml +++ b/modules/pam_namespace/pam_namespace_helper.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_namespace_helper"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_namespace_helper"> <refmeta> <refentrytitle>pam_namespace_helper</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_namespace_helper-name"> + <refnamediv xml:id="pam_namespace_helper-name"> <refname>pam_namespace_helper</refname> <refpurpose>Helper binary that creates home directories</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_namespace_helper-cmdsynopsis"> + <cmdsynopsis xml:id="pam_namespace_helper-cmdsynopsis" sepchar=" "> <command>pam_namespace_helper</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_namespace_helper-description"> + <refsect1 xml:id="pam_namespace_helper-description"> <title>DESCRIPTION</title> @@ -43,7 +40,7 @@ </para> </refsect1> - <refsect1 id='pam_namespace_helper-see_also'> + <refsect1 xml:id="pam_namespace_helper-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -52,11 +49,11 @@ </para> </refsect1> - <refsect1 id='pam_namespace_helper-author'> + <refsect1 xml:id="pam_namespace_helper-author"> <title>AUTHOR</title> <para> Written by Topi Miettinen. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am index d1ec2035..4343b61c 100644 --- a/modules/pam_nologin/Makefile.am +++ b/modules/pam_nologin/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_nologin TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_nologin/Makefile.in b/modules/pam_nologin/Makefile.in index 0e84bd69..ebfa09b3 100644 --- a/modules/pam_nologin/Makefile.in +++ b/modules/pam_nologin/Makefile.in @@ -434,6 +434,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -446,11 +447,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -482,12 +485,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -510,6 +515,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -520,12 +526,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -599,7 +609,8 @@ XMLS = README.xml pam_nologin.8.xml dist_check_SCRIPTS = tst-pam_nologin TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_nologin/README.xml b/modules/pam_nologin/README.xml index bc0808e7..5a993324 100644 --- a/modules/pam_nologin/README.xml +++ b/modules/pam_nologin/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_nologin.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_nologin-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-note"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-note")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_nologin.8.xml" xpointer='xpointer(id("pam_nologin-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8 index df0c255e..c5df1b70 100644 --- a/modules/pam_nologin/pam_nologin.8 +++ b/modules/pam_nologin/pam_nologin.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_nologin .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_NOLOGIN" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_NOLOGIN" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -41,7 +41,7 @@ or exists\&. The contents of the file are displayed to the user\&. The pam_nologin module has no effect on the root user\*(Aqs ability to log in\&. .SH "OPTIONS" .PP -\fBfile=\fR\fB\fI/path/nologin\fR\fR +file=/path/nologin .RS 4 Use this file instead the default /var/run/nologin @@ -49,7 +49,7 @@ or /etc/nologin\&. .RE .PP -\fBsuccessok\fR +successok .RS 4 Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE\&. .RE @@ -124,7 +124,7 @@ modules would lead to a successful login because the nologin module \fBnologin\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_nologin was written by Michael K\&. Johnson <johnsonm@redhat\&.com>\&. diff --git a/modules/pam_nologin/pam_nologin.8.xml b/modules/pam_nologin/pam_nologin.8.xml index c86e3763..1cc721a4 100644 --- a/modules/pam_nologin/pam_nologin.8.xml +++ b/modules/pam_nologin/pam_nologin.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_nologin"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_nologin"> <refmeta> <refentrytitle>pam_nologin</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_nologin-name"> + <refnamediv xml:id="pam_nologin-name"> <refname>pam_nologin</refname> <refpurpose>Prevent non-root users from login</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_nologin-cmdsynopsis"> + <cmdsynopsis xml:id="pam_nologin-cmdsynopsis" sepchar=" "> <command>pam_nologin.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> file=<replaceable>/path/nologin</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> successok </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_nologin-description"> + <refsect1 xml:id="pam_nologin-description"> <title>DESCRIPTION</title> @@ -40,13 +37,13 @@ </para> </refsect1> - <refsect1 id="pam_nologin-options"> + <refsect1 xml:id="pam_nologin-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>file=<replaceable>/path/nologin</replaceable></option> + file=/path/nologin </term> <listitem> <para> @@ -58,7 +55,7 @@ </varlistentry> <varlistentry> <term> - <option>successok</option> + successok </term> <listitem> <para> @@ -69,7 +66,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_nologin-types"> + <refsect1 xml:id="pam_nologin-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module @@ -77,7 +74,7 @@ </para> </refsect1> - <refsect1 id='pam_nologin-return_values'> + <refsect1 xml:id="pam_nologin-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -123,7 +120,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_nologin-examples'> + <refsect1 xml:id="pam_nologin-examples"> <title>EXAMPLES</title> <para> The suggested usage for <filename>/etc/pam.d/login</filename> is: @@ -132,7 +129,7 @@ auth required pam_nologin.so </programlisting> </para> </refsect1> - <refsect1 id='pam_nologin-note'> + <refsect1 xml:id="pam_nologin-note"> <title>NOTES</title> <para> In order to make this module effective, all login methods should be @@ -147,7 +144,7 @@ auth required pam_nologin.so </para> </refsect1> - <refsect1 id='pam_nologin-see_also'> + <refsect1 xml:id="pam_nologin-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -160,16 +157,16 @@ auth required pam_nologin.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_nologin-author'> + <refsect1 xml:id="pam_nologin-author"> <title>AUTHOR</title> <para> pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index b7f9bab0..d7f83e0c 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -79,7 +79,6 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) if (fd >= 0) { - char *mtmp=NULL; int msg_style = PAM_TEXT_INFO; struct passwd *user_pwd; struct stat st; @@ -99,21 +98,25 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) goto clean_up_fd; } - mtmp = malloc(st.st_size+1); - if (!mtmp) { - pam_syslog(pamh, LOG_CRIT, "out of memory"); - retval = PAM_BUF_ERR; - goto clean_up_fd; - } - - if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) { - mtmp[st.st_size] = '\0'; - (void) pam_prompt (pamh, msg_style, NULL, "%s", mtmp); + /* Don't print anything if the message is empty, will only + disturb the output with empty lines */ + if (st.st_size > 0) { + char *mtmp = malloc(st.st_size+1); + if (!mtmp) { + pam_syslog(pamh, LOG_CRIT, "out of memory"); + retval = PAM_BUF_ERR; + goto clean_up_fd; + } + + if (pam_modutil_read(fd, mtmp, st.st_size) == st.st_size) { + mtmp[st.st_size] = '\0'; + (void) pam_prompt (pamh, msg_style, NULL, "%s", mtmp); + } + else + retval = PAM_SYSTEM_ERR; + + free(mtmp); } - else - retval = PAM_SYSTEM_ERR; - - free(mtmp); clean_up_fd: diff --git a/modules/pam_permit/Makefile.am b/modules/pam_permit/Makefile.am index 3fb4792c..e9a05156 100644 --- a/modules/pam_permit/Makefile.am +++ b/modules/pam_permit/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_permit TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_permit/Makefile.in b/modules/pam_permit/Makefile.in index 10941722..47e8fac8 100644 --- a/modules/pam_permit/Makefile.in +++ b/modules/pam_permit/Makefile.in @@ -433,6 +433,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +446,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +525,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -598,7 +608,8 @@ XMLS = README.xml pam_permit.8.xml dist_check_SCRIPTS = tst-pam_permit TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_permit/README.xml b/modules/pam_permit/README.xml index acb38b51..c08425f8 100644 --- a/modules/pam_permit/README.xml +++ b/modules/pam_permit/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_permit.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_permit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_permit.8.xml" xpointer='xpointer(id("pam_permit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_permit/pam_permit.8 b/modules/pam_permit/pam_permit.8 index 88dff2bb..5432b750 100644 --- a/modules/pam_permit/pam_permit.8 +++ b/modules/pam_permit/pam_permit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_permit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_PERMIT" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_PERMIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -78,7 +78,7 @@ account required pam_permit\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_permit was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&. diff --git a/modules/pam_permit/pam_permit.8.xml b/modules/pam_permit/pam_permit.8.xml index 6bb49658..9e6c7d02 100644 --- a/modules/pam_permit/pam_permit.8.xml +++ b/modules/pam_permit/pam_permit.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_permit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_permit"> <refmeta> <refentrytitle>pam_permit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_permit-name"> + <refnamediv xml:id="pam_permit-name"> <refname>pam_permit</refname> <refpurpose>The promiscuous module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_permit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_permit-cmdsynopsis" sepchar=" "> <command>pam_permit.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_permit-description"> + <refsect1 xml:id="pam_permit-description"> <title>DESCRIPTION</title> @@ -41,13 +38,13 @@ </para> </refsect1> - <refsect1 id="pam_permit-options"> + <refsect1 xml:id="pam_permit-options"> <title>OPTIONS</title> <para> This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_permit-types"> + <refsect1 xml:id="pam_permit-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option>, <option>account</option>, @@ -56,7 +53,7 @@ </para> </refsect1> - <refsect1 id='pam_permit-return_values'> + <refsect1 xml:id="pam_permit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -70,7 +67,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_permit-examples'> + <refsect1 xml:id="pam_permit-examples"> <title>EXAMPLES</title> <para> Add this line to your other login entries to disable account @@ -81,7 +78,7 @@ account required pam_permit.so </para> </refsect1> - <refsect1 id='pam_permit-see_also'> + <refsect1 xml:id="pam_permit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -91,16 +88,16 @@ account required pam_permit.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_permit-author'> + <refsect1 xml:id="pam_permit-author"> <title>AUTHOR</title> <para> pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am index 8a4dbcb2..6cd5ffd3 100644 --- a/modules/pam_pwhistory/Makefile.am +++ b/modules/pam_pwhistory/Makefile.am @@ -9,14 +9,19 @@ MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = $(XMLS) if HAVE_DOC -dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 +dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5 endif -XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml +XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \ + pwhistory.conf.5.xml dist_check_SCRIPTS = tst-pam_pwhistory -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" @@ -26,12 +31,14 @@ if HAVE_VERSIONING pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -noinst_HEADERS = opasswd.h +noinst_HEADERS = opasswd.h pwhistory_config.h + +dist_secureconf_DATA = pwhistory.conf securelib_LTLIBRARIES = pam_pwhistory.la pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ -pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c +pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c sbin_PROGRAMS = pwhistory_helper pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@ @@ -39,6 +46,9 @@ pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c pwhistory_helper_LDFLAGS = @EXE_LDFLAGS@ pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ +check_PROGRAMS = tst-pam_pwhistory-retval +tst_pam_pwhistory_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_pwhistory/Makefile.in b/modules/pam_pwhistory/Makefile.in index cf1082b0..dcb969ac 100644 --- a/modules/pam_pwhistory/Makefile.in +++ b/modules/pam_pwhistory/Makefile.in @@ -98,6 +98,7 @@ build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map sbin_PROGRAMS = pwhistory_helper$(EXEEXT) +check_PROGRAMS = tst-pam_pwhistory-retval$(EXEEXT) subdir = modules/pam_pwhistory ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -118,14 +119,15 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ - $(am__dist_noinst_DATA_DIST) $(noinst_HEADERS) \ - $(am__DIST_COMMON) + $(am__dist_noinst_DATA_DIST) $(dist_secureconf_DATA) \ + $(noinst_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" \ - "$(DESTDIR)$(man8dir)" + "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(secureconfdir)" PROGRAMS = $(sbin_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ @@ -157,7 +159,8 @@ am__uninstall_files_from_dir = { \ LTLIBRARIES = $(securelib_LTLIBRARIES) pam_pwhistory_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la am_pam_pwhistory_la_OBJECTS = pam_pwhistory_la-pam_pwhistory.lo \ - pam_pwhistory_la-opasswd.lo + pam_pwhistory_la-opasswd.lo \ + pam_pwhistory_la-pwhistory_config.lo pam_pwhistory_la_OBJECTS = $(am_pam_pwhistory_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -176,6 +179,10 @@ pwhistory_helper_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pwhistory_helper_CFLAGS) $(CFLAGS) \ $(pwhistory_helper_LDFLAGS) $(LDFLAGS) -o $@ +tst_pam_pwhistory_retval_SOURCES = tst-pam_pwhistory-retval.c +tst_pam_pwhistory_retval_OBJECTS = tst-pam_pwhistory-retval.$(OBJEXT) +tst_pam_pwhistory_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -193,8 +200,10 @@ depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles am__depfiles_remade = ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo \ ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo \ + ./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo \ ./$(DEPDIR)/pwhistory_helper-opasswd.Po \ - ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po + ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po \ + ./$(DEPDIR)/tst-pam_pwhistory-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -214,18 +223,21 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES) -DIST_SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES) +SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES) \ + tst-pam_pwhistory-retval.c +DIST_SOURCES = $(pam_pwhistory_la_SOURCES) $(pwhistory_helper_SOURCES) \ + tst-pam_pwhistory-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) am__dist_noinst_DATA_DIST = README -DATA = $(dist_noinst_DATA) +DATA = $(dist_noinst_DATA) $(dist_secureconf_DATA) HEADERS = $(noinst_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -453,6 +465,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -465,11 +478,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -501,12 +516,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -529,6 +546,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -539,12 +557,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -613,26 +635,31 @@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = $(XMLS) -@HAVE_DOC_TRUE@dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 -XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml +@HAVE_DOC_TRUE@dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5 +XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \ + pwhistory.conf.5.xml + dist_check_SCRIPTS = tst-pam_pwhistory -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) -noinst_HEADERS = opasswd.h +noinst_HEADERS = opasswd.h pwhistory_config.h +dist_secureconf_DATA = pwhistory.conf securelib_LTLIBRARIES = pam_pwhistory.la pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ -pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c +pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@ pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c pwhistory_helper_LDFLAGS = @EXE_LDFLAGS@ pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ +tst_pam_pwhistory_retval_LDADD = $(top_builddir)/libpam/libpam.la @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am @@ -667,6 +694,15 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ @@ -759,6 +795,10 @@ pwhistory_helper$(EXEEXT): $(pwhistory_helper_OBJECTS) $(pwhistory_helper_DEPEND @rm -f pwhistory_helper$(EXEEXT) $(AM_V_CCLD)$(pwhistory_helper_LINK) $(pwhistory_helper_OBJECTS) $(pwhistory_helper_LDADD) $(LIBS) +tst-pam_pwhistory-retval$(EXEEXT): $(tst_pam_pwhistory_retval_OBJECTS) $(tst_pam_pwhistory_retval_DEPENDENCIES) $(EXTRA_tst_pam_pwhistory_retval_DEPENDENCIES) + @rm -f tst-pam_pwhistory-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_pwhistory_retval_OBJECTS) $(tst_pam_pwhistory_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -767,8 +807,10 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhistory_helper-opasswd.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_pwhistory-retval.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -811,6 +853,13 @@ pam_pwhistory_la-opasswd.lo: opasswd.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-opasswd.lo `test -f 'opasswd.c' || echo '$(srcdir)/'`opasswd.c +pam_pwhistory_la-pwhistory_config.lo: pwhistory_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -MT pam_pwhistory_la-pwhistory_config.lo -MD -MP -MF $(DEPDIR)/pam_pwhistory_la-pwhistory_config.Tpo -c -o pam_pwhistory_la-pwhistory_config.lo `test -f 'pwhistory_config.c' || echo '$(srcdir)/'`pwhistory_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pam_pwhistory_la-pwhistory_config.Tpo $(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pwhistory_config.c' object='pam_pwhistory_la-pwhistory_config.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_pwhistory_la_CFLAGS) $(CFLAGS) -c -o pam_pwhistory_la-pwhistory_config.lo `test -f 'pwhistory_config.c' || echo '$(srcdir)/'`pwhistory_config.c + pwhistory_helper-pwhistory_helper.o: pwhistory_helper.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pwhistory_helper_CFLAGS) $(CFLAGS) -MT pwhistory_helper-pwhistory_helper.o -MD -MP -MF $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo -c -o pwhistory_helper-pwhistory_helper.o `test -f 'pwhistory_helper.c' || echo '$(srcdir)/'`pwhistory_helper.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/pwhistory_helper-pwhistory_helper.Tpo $(DEPDIR)/pwhistory_helper-pwhistory_helper.Po @@ -844,6 +893,49 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +install-man5: $(dist_man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ @@ -887,6 +979,27 @@ uninstall-man8: } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +install-dist_secureconfDATA: $(dist_secureconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(secureconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(secureconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(secureconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(secureconfdir)" || exit $$?; \ + done + +uninstall-dist_secureconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_secureconf_DATA)'; test -n "$(secureconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(secureconfdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -1060,7 +1173,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: $(dist_check_SCRIPTS) +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1070,7 +1183,7 @@ check-TESTS: $(dist_check_SCRIPTS) log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all $(dist_check_SCRIPTS) +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1088,6 +1201,13 @@ tst-pam_pwhistory.log: tst-pam_pwhistory --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_pwhistory-retval.log: tst-pam_pwhistory-retval$(EXEEXT) + @p='tst-pam_pwhistory-retval$(EXEEXT)'; \ + b='tst-pam_pwhistory-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1137,12 +1257,13 @@ distdir-am: $(DISTFILES) fi; \ done check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1182,14 +1303,16 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo -rm -f ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo + -rm -f ./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo -rm -f ./$(DEPDIR)/pwhistory_helper-opasswd.Po -rm -f ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po + -rm -f ./$(DEPDIR)/tst-pam_pwhistory-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1206,7 +1329,8 @@ info: info-am info-am: -install-data-am: install-man install-securelibLTLIBRARIES +install-data-am: install-dist_secureconfDATA install-man \ + install-securelibLTLIBRARIES install-dvi: install-dvi-am @@ -1222,7 +1346,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-man5 install-man8 install-pdf: install-pdf-am @@ -1237,8 +1361,10 @@ installcheck-am: maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/pam_pwhistory_la-opasswd.Plo -rm -f ./$(DEPDIR)/pam_pwhistory_la-pam_pwhistory.Plo + -rm -f ./$(DEPDIR)/pam_pwhistory_la-pwhistory_config.Plo -rm -f ./$(DEPDIR)/pwhistory_helper-opasswd.Po -rm -f ./$(DEPDIR)/pwhistory_helper-pwhistory_helper.Po + -rm -f ./$(DEPDIR)/tst-pam_pwhistory-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1255,28 +1381,30 @@ ps: ps-am ps-am: -uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ - uninstall-securelibLTLIBRARIES +uninstall-am: uninstall-dist_secureconfDATA uninstall-man \ + uninstall-sbinPROGRAMS uninstall-securelibLTLIBRARIES -uninstall-man: uninstall-man8 +uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ - check-am clean clean-generic clean-libtool clean-sbinPROGRAMS \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-data-am install-dist_secureconfDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-sbinPROGRAMS \ install-securelibLTLIBRARIES install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - recheck tags tags-am uninstall uninstall-am uninstall-man \ + recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_secureconfDATA uninstall-man uninstall-man5 \ uninstall-man8 uninstall-sbinPROGRAMS \ uninstall-securelibLTLIBRARIES diff --git a/modules/pam_pwhistory/README b/modules/pam_pwhistory/README index 161bebc7..b4868767 100644 --- a/modules/pam_pwhistory/README +++ b/modules/pam_pwhistory/README @@ -31,9 +31,9 @@ enforce_for_root remember=N - The last N passwords for each user are saved in /etc/security/opasswd. The - default is 10. Value of 0 makes the module to keep the existing contents of - the opasswd file unchanged. + The last N passwords for each user are saved. The default is 10. Value of 0 + makes the module to keep the existing contents of the opasswd file + unchanged. retry=N @@ -43,6 +43,20 @@ authtok_type=STRING See pam_get_authtok(3) for more details. +file=/path/filename + + Store password history in file /path/filename rather than the default + location. The default location is /etc/security/opasswd. + +conf=/path/to/config-file + + Use another configuration file instead of the default /etc/security/ + pwhistory.conf. + +The options for configuring the module behavior are described in the +pwhistory.conf(5) manual page. The options specified on the module command line +override the values from the configuration file. + EXAMPLES An example password section would be: diff --git a/modules/pam_pwhistory/README.xml b/modules/pam_pwhistory/README.xml index f048e321..194edbc7 100644 --- a/modules/pam_pwhistory/README.xml +++ b/modules/pam_pwhistory/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_pwhistory.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_pwhistory-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_pwhistory.8.xml" xpointer='xpointer(//refsect1[@id = "pam_pwhistory-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_pwhistory.8.xml" xpointer='xpointer(id("pam_pwhistory-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c index a6cd3d2a..859b3da4 100644 --- a/modules/pam_pwhistory/opasswd.c +++ b/modules/pam_pwhistory/opasswd.c @@ -44,6 +44,7 @@ #include <ctype.h> #include <errno.h> #include <fcntl.h> +#include <limits.h> #include <stdio.h> #include <unistd.h> #include <string.h> @@ -67,6 +68,7 @@ #include <security/pam_ext.h> #endif #include <security/pam_modules.h> +#include "pam_inline.h" #include "opasswd.h" @@ -74,8 +76,7 @@ #define RANDOM_DEVICE "/dev/urandom" #endif -#define OLD_PASSWORDS_FILE "/etc/security/opasswd" -#define TMP_PASSWORDS_FILE OLD_PASSWORDS_FILE".tmpXXXXXX" +#define DEFAULT_OLD_PASSWORDS_FILE SCONFIGDIR "/opasswd" #define DEFAULT_BUFLEN 4096 @@ -129,6 +130,7 @@ compare_password(const char *newpass, const char *oldpass) char *outval; #ifdef HAVE_CRYPT_R struct crypt_data output; + int retval; output.initialized = 0; @@ -137,12 +139,14 @@ compare_password(const char *newpass, const char *oldpass) outval = crypt (newpass, oldpass); #endif - return outval != NULL && strcmp(outval, oldpass) == 0; + retval = outval != NULL && strcmp(outval, oldpass) == 0; + pam_overwrite_string(outval); + return retval; } /* Check, if the new password is already in the opasswd file. */ PAMH_ARG_DECL(int -check_old_pass, const char *user, const char *newpass, int debug) +check_old_pass, const char *user, const char *newpass, const char *filename, int debug) { int retval = PAM_SUCCESS; FILE *oldpf; @@ -156,10 +160,13 @@ check_old_pass, const char *user, const char *newpass, int debug) return PAM_PWHISTORY_RUN_HELPER; #endif - if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) + const char *opasswd_file = + (filename != NULL ? filename : DEFAULT_OLD_PASSWORDS_FILE); + + if ((oldpf = fopen (opasswd_file, "r")) == NULL) { if (errno != ENOENT) - pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", opasswd_file); return PAM_SUCCESS; } @@ -235,16 +242,15 @@ check_old_pass, const char *user, const char *newpass, int debug) } while (oldpass != NULL); } - if (buf) - free (buf); + pam_overwrite_n(buf, buflen); + free (buf); return retval; } PAMH_ARG_DECL(int -save_old_pass, const char *user, int howmany, int debug UNUSED) +save_old_pass, const char *user, int howmany, const char *filename, int debug UNUSED) { - char opasswd_tmp[] = TMP_PASSWORDS_FILE; struct stat opasswd_stat; FILE *oldpf, *newpf; int newpf_fd; @@ -256,6 +262,15 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) struct passwd *pwd; const char *oldpass; + /* Define opasswd file and temp file for opasswd */ + const char *opasswd_file = + (filename != NULL ? filename : DEFAULT_OLD_PASSWORDS_FILE); + char opasswd_tmp[PATH_MAX]; + + if ((size_t) snprintf (opasswd_tmp, sizeof (opasswd_tmp), "%s.tmpXXXXXX", + opasswd_file) >= sizeof (opasswd_tmp)) + return PAM_BUF_ERR; + pwd = pam_modutil_getpwnam (pamh, user); if (pwd == NULL) return PAM_USER_UNKNOWN; @@ -285,24 +300,22 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) if (oldpass == NULL || *oldpass == '\0') return PAM_SUCCESS; - if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) + if ((oldpf = fopen (opasswd_file, "r")) == NULL) { if (errno == ENOENT) { - pam_syslog (pamh, LOG_NOTICE, "Creating %s", - OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_NOTICE, "Creating %s", opasswd_file); do_create = 1; } else { - pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", - OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", opasswd_file); return PAM_AUTHTOK_ERR; } } else if (fstat (fileno (oldpf), &opasswd_stat) < 0) { - pam_syslog (pamh, LOG_ERR, "Cannot stat %s: %m", OLD_PASSWORDS_FILE); + pam_syslog (pamh, LOG_ERR, "Cannot stat %s: %m", opasswd_file); fclose (oldpf); return PAM_AUTHTOK_ERR; } @@ -312,7 +325,7 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) if (newpf_fd == -1) { pam_syslog (pamh, LOG_ERR, "Cannot create %s temp file: %m", - OLD_PASSWORDS_FILE); + opasswd_file); if (oldpf) fclose (oldpf); return PAM_AUTHTOK_ERR; @@ -321,23 +334,19 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) { if (fchmod (newpf_fd, S_IRUSR|S_IWUSR) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set permissions of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set permissions of %s temp file: %m", opasswd_file); if (fchown (newpf_fd, 0, 0) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set owner/group of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set owner/group of %s temp file: %m", opasswd_file); } else { if (fchmod (newpf_fd, opasswd_stat.st_mode) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set permissions of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set permissions of %s temp file: %m", opasswd_file); if (fchown (newpf_fd, opasswd_stat.st_uid, opasswd_stat.st_gid) != 0) pam_syslog (pamh, LOG_ERR, - "Cannot set owner/group of %s temp file: %m", - OLD_PASSWORDS_FILE); + "Cannot set owner/group of %s temp file: %m", opasswd_file); } newpf = fdopen (newpf_fd, "w+"); if (newpf == NULL) @@ -514,6 +523,7 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) } if (fputs (out, newpf) < 0) { + pam_overwrite_string(out); free (out); retval = PAM_AUTHTOK_ERR; if (oldpf) @@ -521,6 +531,7 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) fclose (newpf); goto error_opasswd; } + pam_overwrite_string(out); free (out); } @@ -550,14 +561,23 @@ save_old_pass, const char *user, int howmany, int debug UNUSED) goto error_opasswd; } - unlink (OLD_PASSWORDS_FILE".old"); - if (link (OLD_PASSWORDS_FILE, OLD_PASSWORDS_FILE".old") != 0 && + char opasswd_backup[PATH_MAX]; + if ((size_t) snprintf (opasswd_backup, sizeof (opasswd_backup), "%s.old", + opasswd_file) >= sizeof (opasswd_backup)) + { + retval = PAM_BUF_ERR; + goto error_opasswd; + } + + unlink (opasswd_backup); + if (link (opasswd_file, opasswd_backup) != 0 && errno != ENOENT) pam_syslog (pamh, LOG_ERR, "Cannot create backup file of %s: %m", - OLD_PASSWORDS_FILE); - rename (opasswd_tmp, OLD_PASSWORDS_FILE); + opasswd_file); + rename (opasswd_tmp, opasswd_file); error_opasswd: unlink (opasswd_tmp); + pam_overwrite_n(buf, buflen); free (buf); return retval; diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h index 3f257288..19a4062c 100644 --- a/modules/pam_pwhistory/opasswd.h +++ b/modules/pam_pwhistory/opasswd.h @@ -57,10 +57,10 @@ void helper_log_err(int err, const char *format, ...); #endif -PAMH_ARG_DECL(int -check_old_pass, const char *user, const char *newpass, int debug); +PAMH_ARG_DECL(int check_old_pass, const char *user, const char *newpass, + const char *filename, int debug); -PAMH_ARG_DECL(int -save_old_pass, const char *user, int howmany, int debug); +PAMH_ARG_DECL(int save_old_pass, const char *user, int howmany, + const char *filename, int debug); #endif /* __OPASSWD_H__ */ diff --git a/modules/pam_pwhistory/pam_pwhistory.8 b/modules/pam_pwhistory/pam_pwhistory.8 index bdbd6c8d..e430bcd1 100644 --- a/modules/pam_pwhistory/pam_pwhistory.8 +++ b/modules/pam_pwhistory/pam_pwhistory.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_pwhistory .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_PWHISTORY" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_PWHISTORY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_pwhistory \- PAM module to remember last passwords .SH "SYNOPSIS" .HP \w'\fBpam_pwhistory\&.so\fR\ 'u -\fBpam_pwhistory\&.so\fR [debug] [use_authtok] [enforce_for_root] [remember=\fIN\fR] [retry=\fIN\fR] [authtok_type=\fISTRING\fR] +\fBpam_pwhistory\&.so\fR [debug] [use_authtok] [enforce_for_root] [remember=\fIN\fR] [retry=\fIN\fR] [authtok_type=\fISTRING\fR] [file=\fI/path/filename\fR] [conf=\fI/path/to/config\-file\fR] .SH "DESCRIPTION" .PP This module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently\&. @@ -39,13 +39,13 @@ This module saves the last passwords for each user in order to force password ch This module does not work together with kerberos\&. In general, it does not make much sense to use this module in conjunction with NIS or LDAP, since the old passwords are stored on the local machine and are not available on another machine for password history checking\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBuse_authtok\fR +use_authtok .RS 4 When password changing enforce the module to use the new password provided by a previously stacked \fBpassword\fR @@ -54,17 +54,16 @@ module (this is used in the example of the stacking of the module documented below)\&. .RE .PP -\fBenforce_for_root\fR +enforce_for_root .RS 4 If this option is set, the check is enforced for root, too\&. .RE .PP -\fBremember=\fR\fB\fIN\fR\fR +remember=N .RS 4 The last \fIN\fR -passwords for each user are saved in -/etc/security/opasswd\&. The default is +passwords for each user are saved\&. The default is \fI10\fR\&. Value of \fI0\fR makes the module to keep the existing contents of the @@ -72,7 +71,7 @@ opasswd file unchanged\&. .RE .PP -\fBretry=\fR\fB\fIN\fR\fR +retry=N .RS 4 Prompt user at most \fIN\fR @@ -80,12 +79,30 @@ times before returning with error\&. The default is \fI1\fR\&. .RE .PP -\fBauthtok_type=\fR\fB\fISTRING\fR\fR +authtok_type=STRING .RS 4 See \fBpam_get_authtok\fR(3) for more details\&. .RE +.PP +file=/path/filename +.RS 4 +Store password history in file +/path/filename +rather than the default location\&. The default location is +/etc/security/opasswd\&. +.RE +.PP +conf=/path/to/config\-file +.RS 4 +Use another configuration file instead of the default +/etc/security/pwhistory\&.conf\&. +.RE +.PP +The options for configuring the module behavior are described in the +\fBpwhistory.conf\fR(5) +manual page\&. The options specified on the module command line override the values from the configuration file\&. .SH "MODULE TYPES PROVIDED" .PP Only the @@ -150,13 +167,19 @@ password required pam_unix\&.so use_authtok .PP /etc/security/opasswd .RS 4 -File with password history +Default file with password history +.RE +.PP +/etc/security/pwhistory\&.conf +.RS 4 +Config file for pam_pwhistory options .RE .SH "SEE ALSO" .PP +\fBpwhistory.conf\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) \fBpam_get_authtok\fR(3) .SH "AUTHOR" .PP diff --git a/modules/pam_pwhistory/pam_pwhistory.8.xml b/modules/pam_pwhistory/pam_pwhistory.8.xml index d88115c2..a5185fcb 100644 --- a/modules/pam_pwhistory/pam_pwhistory.8.xml +++ b/modules/pam_pwhistory/pam_pwhistory.8.xml @@ -1,46 +1,49 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_pwhistory"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_pwhistory"> <refmeta> <refentrytitle>pam_pwhistory</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_pwhistory-name"> + <refnamediv xml:id="pam_pwhistory-name"> <refname>pam_pwhistory</refname> <refpurpose>PAM module to remember last passwords</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_pwhistory-cmdsynopsis"> + <cmdsynopsis xml:id="pam_pwhistory-cmdsynopsis" sepchar=" "> <command>pam_pwhistory.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_authtok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> enforce_for_root </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> remember=<replaceable>N</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> retry=<replaceable>N</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> authtok_type=<replaceable>STRING</replaceable> </arg> + <arg choice="opt" rep="norepeat"> + file=<replaceable>/path/filename</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> + conf=<replaceable>/path/to/config-file</replaceable> + </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_pwhistory-description"> + <refsect1 xml:id="pam_pwhistory-description"> <title>DESCRIPTION</title> @@ -58,12 +61,12 @@ </para> </refsect1> - <refsect1 id="pam_pwhistory-options"> + <refsect1 xml:id="pam_pwhistory-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -76,7 +79,7 @@ </varlistentry> <varlistentry> <term> - <option>use_authtok</option> + use_authtok </term> <listitem> <para> @@ -89,7 +92,7 @@ </varlistentry> <varlistentry> <term> - <option>enforce_for_root</option> + enforce_for_root </term> <listitem> <para> @@ -99,12 +102,12 @@ </varlistentry> <varlistentry> <term> - <option>remember=<replaceable>N</replaceable></option> + remember=N </term> <listitem> <para> The last <replaceable>N</replaceable> passwords for each - user are saved in <filename>/etc/security/opasswd</filename>. + user are saved. The default is <emphasis>10</emphasis>. Value of <emphasis>0</emphasis> makes the module to keep the existing contents of the <filename>opasswd</filename> file unchanged. @@ -113,7 +116,7 @@ </varlistentry> <varlistentry> <term> - <option>retry=<replaceable>N</replaceable></option> + retry=N </term> <listitem> <para> @@ -126,7 +129,7 @@ <varlistentry> <term> - <option>authtok_type=<replaceable>STRING</replaceable></option> + authtok_type=STRING </term> <listitem> <para> @@ -137,17 +140,49 @@ </listitem> </varlistentry> + <varlistentry> + <term> + file=/path/filename + </term> + <listitem> + <para> + Store password history in file <filename>/path/filename</filename> + rather than the default location. The default location is + <filename>/etc/security/opasswd</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + conf=/path/to/config-file + </term> + <listitem> + <para> + Use another configuration file instead of the default + <filename>/etc/security/pwhistory.conf</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The options for configuring the module behavior are described in the + <citerefentry><refentrytitle>pwhistory.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manual page. The options + specified on the module command line override the values from the + configuration file. + </para> </refsect1> - <refsect1 id="pam_pwhistory-types"> + <refsect1 xml:id="pam_pwhistory-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>password</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_pwhistory-return_values'> + <refsect1 xml:id="pam_pwhistory-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -186,7 +221,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_pwhistory-examples'> + <refsect1 xml:id="pam_pwhistory-examples"> <title>EXAMPLES</title> <para> An example password section would be: @@ -207,29 +242,47 @@ password required pam_unix.so use_authtok </para> </refsect1> - <refsect1 id="pam_pwhistory-files"> + <refsect1 xml:id="pam_pwhistory-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/opasswd</filename></term> + <term>/etc/security/opasswd</term> <listitem> - <para>File with password history</para> + <para>Default file with password history</para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/etc/security/pwhistory.conf</filename></term> + <listitem> + <para>Config file for pam_pwhistory options</para> + </listitem> + </varlistentry> + <varlistentry condition="with_vendordir"> + <term><filename>%vendordir%/security/pwhistory.conf</filename></term> + <listitem> + <para> + Config file for pam_pwhistory options. It will be used if + <filename>/etc/security/pwhistory.conf</filename> does not exist. + </para> </listitem> </varlistentry> </variablelist> </refsect1> - <refsect1 id='pam_pwhistory-see_also'> + <refsect1 xml:id="pam_pwhistory-see_also"> <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> <citerefentry> <refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum> @@ -237,11 +290,11 @@ password required pam_unix.so use_authtok </para> </refsect1> - <refsect1 id='pam_pwhistory-author'> + <refsect1 xml:id="pam_pwhistory-author"> <title>AUTHOR</title> <para> pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index ce2c21f5..5a7fb811 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -63,14 +63,8 @@ #include "opasswd.h" #include "pam_inline.h" +#include "pwhistory_config.h" -struct options_t { - int debug; - int enforce_for_root; - int remember; - int tries; -}; -typedef struct options_t options_t; static void @@ -104,13 +98,23 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) options->enforce_for_root = 1; else if (pam_str_skip_icase_prefix(argv, "authtok_type=") != NULL) { /* ignore, for pam_get_authtok */; } + else if ((str = pam_str_skip_icase_prefix(argv, "file=")) != NULL) + { + if (*str != '/') + { + pam_syslog (pamh, LOG_ERR, + "pam_pwhistory: file path should be absolute: %s", argv); + } + else + options->filename = str; + } else pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); } static int run_save_helper(pam_handle_t *pamh, const char *user, - int howmany, int debug) + int howmany, const char *filename, int debug) { int retval, child; struct sigaction newsa, oldsa; @@ -123,7 +127,7 @@ run_save_helper(pam_handle_t *pamh, const char *user, if (child == 0) { static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL }; if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD, PAM_MODUTIL_PIPE_FD, @@ -137,9 +141,10 @@ run_save_helper(pam_handle_t *pamh, const char *user, args[0] = (char *)PWHISTORY_HELPER; args[1] = (char *)"save"; args[2] = (char *)user; + args[3] = (char *)filename; DIAG_POP_IGNORE_CAST_QUAL; - if (asprintf(&args[3], "%d", howmany) < 0 || - asprintf(&args[4], "%d", debug) < 0) + if (asprintf(&args[4], "%d", howmany) < 0 || + asprintf(&args[5], "%d", debug) < 0) { pam_syslog(pamh, LOG_ERR, "asprintf: %m"); _exit(PAM_SYSTEM_ERR); @@ -185,7 +190,7 @@ run_save_helper(pam_handle_t *pamh, const char *user, static int run_check_helper(pam_handle_t *pamh, const char *user, - const char *newpass, int debug) + const char *newpass, const char *filename, int debug) { int retval, child, fds[2]; struct sigaction newsa, oldsa; @@ -202,7 +207,7 @@ run_check_helper(pam_handle_t *pamh, const char *user, if (child == 0) { static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL, NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; /* reopen stdin as pipe */ if (dup2(fds[0], STDIN_FILENO) != STDIN_FILENO) @@ -223,8 +228,9 @@ run_check_helper(pam_handle_t *pamh, const char *user, args[0] = (char *)PWHISTORY_HELPER; args[1] = (char *)"check"; args[2] = (char *)user; + args[3] = (char *)filename; DIAG_POP_IGNORE_CAST_QUAL; - if (asprintf(&args[3], "%d", debug) < 0) + if (asprintf(&args[4], "%d", debug) < 0) { pam_syslog(pamh, LOG_ERR, "asprintf: %m"); _exit(PAM_SYSTEM_ERR); @@ -299,6 +305,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) options.remember = 10; options.tries = 1; + parse_config_file(pamh, argc, argv, &options); + /* Parse parameters for module */ for ( ; argc-- > 0; argv++) parse_option (pamh, *argv, &options); @@ -306,7 +314,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (options.debug) pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered"); - if (options.remember == 0) return PAM_IGNORE; @@ -323,10 +330,10 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SUCCESS; } - retval = save_old_pass (pamh, user, options.remember, options.debug); + retval = save_old_pass (pamh, user, options.remember, options.filename, options.debug); if (retval == PAM_PWHISTORY_RUN_HELPER) - retval = run_save_helper(pamh, user, options.remember, options.debug); + retval = run_save_helper(pamh, user, options.remember, options.filename, options.debug); if (retval != PAM_SUCCESS) return retval; @@ -358,9 +365,9 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (options.debug) pam_syslog (pamh, LOG_DEBUG, "check against old password file"); - retval = check_old_pass (pamh, user, newpass, options.debug); + retval = check_old_pass (pamh, user, newpass, options.filename, options.debug); if (retval == PAM_PWHISTORY_RUN_HELPER) - retval = run_check_helper(pamh, user, newpass, options.debug); + retval = run_check_helper(pamh, user, newpass, options.filename, options.debug); if (retval != PAM_SUCCESS) { diff --git a/modules/pam_pwhistory/pwhistory.conf b/modules/pam_pwhistory/pwhistory.conf new file mode 100644 index 00000000..070b7197 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory.conf @@ -0,0 +1,21 @@ +# Configuration for remembering the last passwords used by a user. +# +# Enable the debugging logs. +# Enabled if option is present. +# debug +# +# root account's passwords are also remembered. +# Enabled if option is present. +# enforce_for_root +# +# Number of passwords to remember. +# The default is 10. +# remember = 10 +# +# Number of times to prompt for the password. +# The default is 1. +# retry = 1 +# +# The directory where the last passwords are kept. +# The default is /etc/security/opasswd. +# file = /etc/security/opasswd diff --git a/modules/pam_pwhistory/pwhistory.conf.5 b/modules/pam_pwhistory/pwhistory.conf.5 new file mode 100644 index 00000000..ae57798f --- /dev/null +++ b/modules/pam_pwhistory/pwhistory.conf.5 @@ -0,0 +1,118 @@ +'\" t +.\" Title: pwhistory.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM +.\" Language: English +.\" +.TH "PWHISTORY\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pwhistory.conf \- pam_pwhistory configuration file +.SH "DESCRIPTION" +.PP +\fBpwhistory\&.conf\fR +provides a way to configure the default settings for saving the last passwords for each user\&. This file is read by the +\fIpam_pwhistory\fR +module and is the preferred method over configuring +\fIpam_pwhistory\fR +directly\&. +.PP +The file has a very simple +\fIname = value\fR +format with possible comments starting with +\fI#\fR +character\&. The whitespace at the beginning of line, end of line, and around the +\fI=\fR +sign is ignored\&. +.SH "OPTIONS" +.PP +debug +.RS 4 +Turns on debugging via +\fBsyslog\fR(3)\&. +.RE +.PP +enforce_for_root +.RS 4 +If this option is set, the check is enforced for root, too\&. +.RE +.PP +remember=N +.RS 4 +The last +\fIN\fR +passwords for each user are saved\&. The default is +\fI10\fR\&. Value of +\fI0\fR +makes the module to keep the existing contents of the +opasswd +file unchanged\&. +.RE +.PP +retry=N +.RS 4 +Prompt user at most +\fIN\fR +times before returning with error\&. The default is 1\&. +.RE +.PP +file=/path/filename +.RS 4 +Store password history in file +\fI/path/filename\fR +rather than the default location\&. The default location is +/etc/security/opasswd\&. +.RE +.SH "EXAMPLES" +.PP +/etc/security/pwhistory\&.conf file example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +debug +remember=5 +file=/tmp/opasswd + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/etc/security/pwhistory\&.conf +.RS 4 +the config file for custom options +.RE +.SH "SEE ALSO" +.PP +\fBpwhistory\fR(8), +\fBpam_pwhistory\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_pwhistory was written by Thorsten Kukuk\&. The support for pwhistory\&.conf was written by Iker Pedrosa\&. diff --git a/modules/pam_pwhistory/pwhistory.conf.5.xml b/modules/pam_pwhistory/pwhistory.conf.5.xml new file mode 100644 index 00000000..2a2dfd3a --- /dev/null +++ b/modules/pam_pwhistory/pwhistory.conf.5.xml @@ -0,0 +1,152 @@ +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pwhistory.conf"> + + <refmeta> + <refentrytitle>pwhistory.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv xml:id="pwhistory.conf-name"> + <refname>pwhistory.conf</refname> + <refpurpose>pam_pwhistory configuration file</refpurpose> + </refnamediv> + + <refsect1 xml:id="pwhistory.conf-description"> + + <title>DESCRIPTION</title> + <para> + <emphasis remap="B">pwhistory.conf</emphasis> provides a way to configure the + default settings for saving the last passwords for each user. + This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the + preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly. + </para> + <para> + The file has a very simple <emphasis>name = value</emphasis> format with possible comments + starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end + of line, and around the <emphasis>=</emphasis> sign is ignored. + </para> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + debug + </term> + <listitem> + <para> + Turns on debugging via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + enforce_for_root + </term> + <listitem> + <para> + If this option is set, the check is enforced for root, too. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + remember=N + </term> + <listitem> + <para> + The last <replaceable>N</replaceable> passwords for each + user are saved. + The default is <emphasis>10</emphasis>. Value of + <emphasis>0</emphasis> makes the module to keep the existing + contents of the <filename>opasswd</filename> file unchanged. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + retry=N + </term> + <listitem> + <para> + Prompt user at most <replaceable>N</replaceable> times + before returning with error. The default is 1. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + file=/path/filename + </term> + <listitem> + <para> + Store password history in file + <replaceable>/path/filename</replaceable> rather than the default + location. The default location is + <filename>/etc/security/opasswd</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-examples"> + <title>EXAMPLES</title> + <para> + /etc/security/pwhistory.conf file example: + </para> + <programlisting> +debug +remember=5 +file=/tmp/opasswd + </programlisting> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term>/etc/security/pwhistory.conf</term> + <listitem> + <para>the config file for custom options</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 xml:id="pwhistory.conf-author"> + <title>AUTHOR</title> + <para> + pam_pwhistory was written by Thorsten Kukuk. The support for + pwhistory.conf was written by Iker Pedrosa. + </para> + </refsect1> + +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/pwhistory_config.c b/modules/pam_pwhistory/pwhistory_config.c new file mode 100644 index 00000000..692cf80e --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_config.c @@ -0,0 +1,131 @@ +/* + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <sys/stat.h> + +#include <security/pam_modutil.h> + +#include "pam_inline.h" +#include "pwhistory_config.h" + +#define PWHISTORY_DEFAULT_CONF SCONFIGDIR "/pwhistory.conf" + +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PWHISTORY_DEFAULT_CONF (VENDOR_SCONFIGDIR "/pwhistory.conf") +#endif + +void +parse_config_file(pam_handle_t *pamh, int argc, const char **argv, + struct options_t *options) +{ + const char *fname = NULL; + int i; + char *val; + + for (i = 0; i < argc; ++i) { + const char *str = pam_str_skip_prefix(argv[i], "conf="); + + if (str != NULL) { + fname = str; + } + } + + if (fname == NULL) { + fname = PWHISTORY_DEFAULT_CONF; + +#ifdef VENDOR_PWHISTORY_DEFAULT_CONF + /* + * Check whether PWHISTORY_DEFAULT_CONF file is available. + * If it does not exist, fall back to VENDOR_PWHISTORY_DEFAULT_CONF file. + */ + struct stat buffer; + if (stat(fname, &buffer) != 0 && errno == ENOENT) { + fname = VENDOR_PWHISTORY_DEFAULT_CONF; + } +#endif + } + + val = pam_modutil_search_key (pamh, fname, "debug"); + if (val != NULL) { + options->debug = 1; + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "enforce_for_root"); + if (val != NULL) { + options->enforce_for_root = 1; + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "remember"); + if (val != NULL) { + unsigned int temp; + if (sscanf(val, "%u", &temp) != 1) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for remember argument"); + } else { + options->remember = temp; + } + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "retry"); + if (val != NULL) { + unsigned int temp; + if (sscanf(val, "%u", &temp) != 1) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for retry argument"); + } else { + options->tries = temp; + } + free(val); + } + + val = pam_modutil_search_key (pamh, fname, "file"); + if (val != NULL) { + if (*val != '/') { + pam_syslog (pamh, LOG_ERR, + "File path should be absolute: %s", val); + } else { + options->filename = val; + } + } +} diff --git a/modules/pam_pwhistory/pwhistory_config.h b/modules/pam_pwhistory/pwhistory_config.h new file mode 100644 index 00000000..e2b3bc83 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_config.h @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _PWHISTORY_CONFIG_H +#define _PWHISTORY_CONFIG_H + +#include <security/pam_ext.h> + +struct options_t { + int debug; + int enforce_for_root; + int remember; + int tries; + const char *filename; +}; +typedef struct options_t options_t; + +void +parse_config_file(pam_handle_t *pamh, int argc, const char **argv, + struct options_t *options); + +#endif /* _PWHISTORY_CONFIG_H */ diff --git a/modules/pam_pwhistory/pwhistory_helper.8 b/modules/pam_pwhistory/pwhistory_helper.8 index 684b5b02..0b837d32 100644 --- a/modules/pam_pwhistory/pwhistory_helper.8 +++ b/modules/pam_pwhistory/pwhistory_helper.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pwhistory_helper .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PWHISTORY_HELPER" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PWHISTORY_HELPER" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml index a0301764..8370a485 100644 --- a/modules/pam_pwhistory/pwhistory_helper.8.xml +++ b/modules/pam_pwhistory/pwhistory_helper.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pwhistory_helper"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pwhistory_helper"> <refmeta> <refentrytitle>pwhistory_helper</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pwhistory_helper-name"> + <refnamediv xml:id="pwhistory_helper-name"> <refname>pwhistory_helper</refname> <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pwhistory_helper-cmdsynopsis"> + <cmdsynopsis xml:id="pwhistory_helper-cmdsynopsis" sepchar=" "> <command>pwhistory_helper</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pwhistory_helper-description"> + <refsect1 xml:id="pwhistory_helper-description"> <title>DESCRIPTION</title> @@ -48,7 +45,7 @@ </para> </refsect1> - <refsect1 id='pwhistory_helper-see_also'> + <refsect1 xml:id="pwhistory_helper-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -57,7 +54,7 @@ </para> </refsect1> - <refsect1 id='pwhistory_helper-author'> + <refsect1 xml:id="pwhistory_helper-author"> <title>AUTHOR</title> <para> Written by Tomas Mraz based on the code originally in @@ -65,4 +62,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c index b08a14a7..469d95fa 100644 --- a/modules/pam_pwhistory/pwhistory_helper.c +++ b/modules/pam_pwhistory/pwhistory_helper.c @@ -51,7 +51,7 @@ static int -check_history(const char *user, const char *debug) +check_history(const char *user, const char *filename, const char *debug) { char pass[PAM_MAX_RESP_SIZE + 1]; char *passwords[] = { pass }; @@ -68,21 +68,21 @@ check_history(const char *user, const char *debug) return PAM_AUTHTOK_ERR; } - retval = check_old_pass(user, pass, dbg); + retval = check_old_pass(user, pass, filename, dbg); - memset(pass, '\0', PAM_MAX_RESP_SIZE); /* clear memory of the password */ + pam_overwrite_array(pass); /* clear memory of the password */ return retval; } static int -save_history(const char *user, const char *howmany, const char *debug) +save_history(const char *user, const char *filename, const char *howmany, const char *debug) { int num = atoi(howmany); int dbg = atoi(debug); /* no need to be too fancy here */ int retval; - retval = save_old_pass(user, num, dbg); + retval = save_old_pass(user, num, filename, dbg); return retval; } @@ -92,13 +92,14 @@ main(int argc, char *argv[]) { const char *option; const char *user; + const char *filename; /* * we establish that this program is running with non-tty stdin. * this is to discourage casual use. */ - if (isatty(STDIN_FILENO) || argc < 4) + if (isatty(STDIN_FILENO) || argc < 5) { fprintf(stderr, "This binary is not designed for running in this way.\n"); @@ -107,11 +108,12 @@ main(int argc, char *argv[]) option = argv[1]; user = argv[2]; + filename = argv[3]; - if (strcmp(option, "check") == 0 && argc == 4) - return check_history(user, argv[3]); - else if (strcmp(option, "save") == 0 && argc == 5) - return save_history(user, argv[3], argv[4]); + if (strcmp(option, "check") == 0 && argc == 5) + return check_history(user, filename, argv[4]); + else if (strcmp(option, "save") == 0 && argc == 6) + return save_history(user, filename, argv[4], argv[5]); fprintf(stderr, "This binary is not designed for running in this way.\n"); diff --git a/modules/pam_pwhistory/tst-pam_pwhistory-retval.c b/modules/pam_pwhistory/tst-pam_pwhistory-retval.c new file mode 100644 index 00000000..9c9a62b4 --- /dev/null +++ b/modules/pam_pwhistory/tst-pam_pwhistory-retval.c @@ -0,0 +1,60 @@ +/* + * Check pam_pwhistory return values. + * + * Copyright (c) 2023 Stefan Schubert <schubi@suse.de> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_pwhistory" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* cleanup */ + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am index cc3f2f26..cb7dbe53 100644 --- a/modules/pam_rhosts/Makefile.am +++ b/modules/pam_rhosts/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_rhosts TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_rhosts/Makefile.in b/modules/pam_rhosts/Makefile.in index 6cfb1ff4..f67159cd 100644 --- a/modules/pam_rhosts/Makefile.in +++ b/modules/pam_rhosts/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_rhosts.8.xml dist_check_SCRIPTS = tst-pam_rhosts TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_rhosts/README.xml b/modules/pam_rhosts/README.xml index 5d3307e7..2345dffd 100644 --- a/modules/pam_rhosts/README.xml +++ b/modules/pam_rhosts/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_rhosts.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rhosts-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rhosts.8.xml" xpointer='xpointer(id("pam_rhosts-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8 index 61e9a446..327ad22e 100644 --- a/modules/pam_rhosts/pam_rhosts.8 +++ b/modules/pam_rhosts/pam_rhosts.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_rhosts .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_RHOSTS" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_RHOSTS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -54,17 +54,17 @@ connecting from the remote host (internally specified by the item \fBpam_authenticate()\fR\&. The module is not capable of independently probing the network connection for such information\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages\&. .RE .PP -\fBsuperuser=\fR\fB\fIaccount\fR\fR +superuser=account .RS 4 Handle \fIaccount\fR @@ -122,7 +122,7 @@ auth required pam_unix\&.so \fBrhosts\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk\&.de> diff --git a/modules/pam_rhosts/pam_rhosts.8.xml b/modules/pam_rhosts/pam_rhosts.8.xml index eb96371d..41d541c7 100644 --- a/modules/pam_rhosts/pam_rhosts.8.xml +++ b/modules/pam_rhosts/pam_rhosts.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_rhosts"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_rhosts"> <refmeta> <refentrytitle>pam_rhosts</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_rhosts-name"> + <refnamediv xml:id="pam_rhosts-name"> <refname>pam_rhosts</refname> <refpurpose>The rhosts PAM module</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_rhosts-cmdsynopsis"> + <cmdsynopsis xml:id="pam_rhosts-cmdsynopsis" sepchar=" "> <command>pam_rhosts.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_rhosts-description"> + <refsect1 xml:id="pam_rhosts-description"> <title>DESCRIPTION</title> @@ -53,12 +50,12 @@ </para> </refsect1> - <refsect1 id="pam_rhosts-options"> + <refsect1 xml:id="pam_rhosts-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -68,7 +65,7 @@ </varlistentry> <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -78,7 +75,7 @@ </varlistentry> <varlistentry> <term> - <option>superuser=<replaceable>account</replaceable></option> + superuser=account </term> <listitem> <para> @@ -89,14 +86,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_rhosts-types"> + <refsect1 xml:id="pam_rhosts-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_rhosts-return_values'> + <refsect1 xml:id="pam_rhosts-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -120,7 +117,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_rhosts-examples'> + <refsect1 xml:id="pam_rhosts-examples"> <title>EXAMPLES</title> <para> To grant a remote user access by <filename>/etc/hosts.equiv</filename> @@ -137,7 +134,7 @@ auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_rhosts-see_also'> + <refsect1 xml:id="pam_rhosts-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -156,16 +153,16 @@ auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_rhosts-author'> + <refsect1 xml:id="pam_rhosts-author"> <title>AUTHOR</title> <para> pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_rootok/Makefile.am b/modules/pam_rootok/Makefile.am index 787218b4..c5b838f6 100644 --- a/modules/pam_rootok/Makefile.am +++ b/modules/pam_rootok/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_rootok TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_rootok/Makefile.in b/modules/pam_rootok/Makefile.in index d4422af6..64b6de13 100644 --- a/modules/pam_rootok/Makefile.in +++ b/modules/pam_rootok/Makefile.in @@ -433,6 +433,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +446,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +525,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -598,7 +608,8 @@ XMLS = README.xml pam_rootok.8.xml dist_check_SCRIPTS = tst-pam_rootok TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_rootok/README.xml b/modules/pam_rootok/README.xml index 6fb58cd0..58f77967 100644 --- a/modules/pam_rootok/README.xml +++ b/modules/pam_rootok/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_rootok.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rootok-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_rootok.8.xml" xpointer='xpointer(id("pam_rootok-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8 index 861a6a6b..984cadd6 100644 --- a/modules/pam_rootok/pam_rootok.8 +++ b/modules/pam_rootok/pam_rootok.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_rootok .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_ROOTOK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ROOTOK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -44,7 +44,7 @@ of the user but run with the authority of an enhanced effective\-UID\&. It is th that is checked\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE @@ -100,7 +100,7 @@ auth required pam_unix\&.so \fBsu\fR(1), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_rootok was written by Andrew G\&. Morgan, <morgan@kernel\&.org>\&. diff --git a/modules/pam_rootok/pam_rootok.8.xml b/modules/pam_rootok/pam_rootok.8.xml index 06457bf5..f30ad37f 100644 --- a/modules/pam_rootok/pam_rootok.8.xml +++ b/modules/pam_rootok/pam_rootok.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_rootok"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_rootok"> <refmeta> <refentrytitle>pam_rootok</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_rootok-name"> + <refnamediv xml:id="pam_rootok-name"> <refname>pam_rootok</refname> <refpurpose>Gain only root access</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_rootok-cmdsynopsis"> + <cmdsynopsis xml:id="pam_rootok-cmdsynopsis" sepchar=" "> <command>pam_rootok.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_rootok-description"> + <refsect1 xml:id="pam_rootok-description"> <title>DESCRIPTION</title> @@ -38,12 +35,12 @@ </para> </refsect1> - <refsect1 id="pam_rootok-options"> + <refsect1 xml:id="pam_rootok-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -54,7 +51,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_rootok-types"> + <refsect1 xml:id="pam_rootok-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option>, <option>account</option> and @@ -62,7 +59,7 @@ </para> </refsect1> - <refsect1 id='pam_rootok-return_values'> + <refsect1 xml:id="pam_rootok-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -77,7 +74,7 @@ <term>PAM_AUTH_ERR</term> <listitem> <para> - The <emphasis>UID</emphasis> is <emphasis remap='B'>not</emphasis> + The <emphasis>UID</emphasis> is <emphasis remap="B">not</emphasis> <emphasis>0</emphasis>. </para> </listitem> @@ -85,7 +82,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_rootok-examples'> + <refsect1 xml:id="pam_rootok-examples"> <title>EXAMPLES</title> <para> In the case of the <citerefentry> @@ -103,7 +100,7 @@ auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_rootok-see_also'> + <refsect1 xml:id="pam_rootok-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -116,16 +113,16 @@ auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_rootok-author'> + <refsect1 xml:id="pam_rootok-author"> <title>AUTHOR</title> <para> pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index dd374c53..9bc15abf 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -53,11 +53,10 @@ static int PAM_FORMAT((printf, 2, 3)) log_callback (int type UNUSED, const char *fmt, ...) { - int audit_fd; va_list ap; #ifdef HAVE_LIBAUDIT - audit_fd = audit_open(); + int audit_fd = audit_open(); if (audit_fd >= 0) { char *buf; diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index 8ea02d83..c695d413 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_securetty TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_securetty/Makefile.in b/modules/pam_securetty/Makefile.in index 0763989f..f207cf98 100644 --- a/modules/pam_securetty/Makefile.in +++ b/modules/pam_securetty/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_securetty.8.xml dist_check_SCRIPTS = tst-pam_securetty TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_securetty/README b/modules/pam_securetty/README index 21764e43..86dbe348 100644 --- a/modules/pam_securetty/README +++ b/modules/pam_securetty/README @@ -7,7 +7,7 @@ DESCRIPTION pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in the securetty file. pam_securetty checks at first, if /etc/securetty exists. If not and it was -built with vendordir support, it will use <vendordir>/securetty. pam_securetty +built with vendordir support, it will use %vendordir%/securetty. pam_securetty also checks that the securetty files are plain files and not world writable. It will also allow root logins on the tty specified with console= switch on the kernel command line and on ttys from the /sys/class/tty/console/active. diff --git a/modules/pam_securetty/README.xml b/modules/pam_securetty/README.xml index a8c098a0..70176d75 100644 --- a/modules/pam_securetty/README.xml +++ b/modules/pam_securetty/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_securetty.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_securetty-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_securetty.8.xml" xpointer='xpointer(id("pam_securetty-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8 index a808aea4..95804fb2 100644 --- a/modules/pam_securetty/pam_securetty.8 +++ b/modules/pam_securetty/pam_securetty.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_securetty .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SECURETTY" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SECURETTY" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -39,7 +39,7 @@ securetty file\&. pam_securetty checks at first, if /etc/securetty exists\&. If not and it was built with vendordir support, it will use -<vendordir>/securetty\&. pam_securetty also checks that the +/securetty\&. pam_securetty also checks that the securetty files are plain files and not world writable\&. It will also allow root logins on the tty specified with \fBconsole=\fR @@ -57,12 +57,12 @@ authentication method before any authentication methods\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBnoconsole\fR +noconsole .RS 4 Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the securetty @@ -134,7 +134,7 @@ auth required pam_unix\&.so \fBsecuretty\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&. diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml index e49d572b..fcf0e881 100644 --- a/modules/pam_securetty/pam_securetty.8.xml +++ b/modules/pam_securetty/pam_securetty.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_securetty"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_securetty"> <refmeta> <refentrytitle>pam_securetty</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_securetty-name"> + <refnamediv xml:id="pam_securetty-name"> <refname>pam_securetty</refname> <refpurpose>Limit root login to special devices</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_securetty-cmdsynopsis"> + <cmdsynopsis xml:id="pam_securetty-cmdsynopsis" sepchar=" "> <command>pam_securetty.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_securetty-description"> + <refsect1 xml:id="pam_securetty-description"> <title>DESCRIPTION</title> @@ -43,23 +40,23 @@ </para> <para> This module has no effect on non-root users and requires that the - application fills in the <emphasis remap='B'>PAM_TTY</emphasis> + application fills in the <emphasis remap="B">PAM_TTY</emphasis> item correctly. </para> <para> For canonical usage, should be listed as a - <emphasis remap='B'>required</emphasis> authentication method - before any <emphasis remap='B'>sufficient</emphasis> + <emphasis remap="B">required</emphasis> authentication method + before any <emphasis remap="B">sufficient</emphasis> authentication methods. </para> </refsect1> - <refsect1 id="pam_securetty-options"> + <refsect1 xml:id="pam_securetty-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -69,7 +66,7 @@ </varlistentry> <varlistentry> <term> - <option>noconsole</option> + noconsole </term> <listitem> <para> @@ -83,14 +80,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_securetty-types"> + <refsect1 xml:id="pam_securetty-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>auth</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_securetty-return_values'> + <refsect1 xml:id="pam_securetty-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -164,7 +161,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_securetty-examples'> + <refsect1 xml:id="pam_securetty-examples"> <title>EXAMPLES</title> <para> <programlisting> @@ -174,7 +171,7 @@ auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_securetty-see_also'> + <refsect1 xml:id="pam_securetty-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -187,16 +184,16 @@ auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_securetty-author'> + <refsect1 xml:id="pam_securetty-author"> <title>AUTHOR</title> <para> pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 9476ab33..fbb6de6d 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_selinux TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include $(WARN_CFLAGS) diff --git a/modules/pam_selinux/Makefile.in b/modules/pam_selinux/Makefile.in index c58ce8e5..cad48d6c 100644 --- a/modules/pam_selinux/Makefile.in +++ b/modules/pam_selinux/Makefile.in @@ -440,6 +440,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -452,11 +453,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -488,12 +491,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -516,6 +521,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -526,12 +532,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -605,7 +615,8 @@ XMLS = README.xml pam_selinux.8.xml dist_check_SCRIPTS = tst-pam_selinux TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include $(WARN_CFLAGS) diff --git a/modules/pam_selinux/README.xml b/modules/pam_selinux/README.xml index 7e1baf55..dc1b5697 100644 --- a/modules/pam_selinux/README.xml +++ b/modules/pam_selinux/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_selinux.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_selinux-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_selinux.8.xml" xpointer='xpointer(id("pam_selinux-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 index 22a3d0a2..12fe0159 100644 --- a/modules/pam_selinux/pam_selinux.8 +++ b/modules/pam_selinux/pam_selinux.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_selinux .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 09/13/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SELINUX" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SELINUX" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -51,43 +51,43 @@ should be placed before them\&. When such a placement is not feasible, could be used to temporary restore original security contexts\&. .SH "OPTIONS" .PP -\fBopen\fR +open .RS 4 Only execute the open_session part of the module\&. .RE .PP -\fBclose\fR +close .RS 4 Only execute the close_session part of the module\&. .RE .PP -\fBrestore\fR +restore .RS 4 In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&. .RE .PP -\fBnottys\fR +nottys .RS 4 Do not setup security context of the controlling terminal\&. .RE .PP -\fBdebug\fR +debug .RS 4 Turn on debug messages via \fBsyslog\fR(3)\&. .RE .PP -\fBverbose\fR +verbose .RS 4 Attempt to inform the user when security context is set\&. .RE .PP -\fBselect_context\fR +select_context .RS 4 Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&. .RE .PP -\fBenv_params\fR +env_params .RS 4 Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are \fISELINUX_ROLE_REQUESTED\fR, @@ -95,7 +95,7 @@ Attempt to obtain a custom security context role from PAM environment\&. If MLS \fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&. .RE .PP -\fBuse_current_range\fR +use_current_range .RS 4 Use the sensitivity level of the current process for the user context instead of the default level\&. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment\&. .RE @@ -144,7 +144,7 @@ session optional pam_selinux\&.so \fBexecve\fR(2), \fBtty\fR(4), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBselinux\fR(8) .SH "AUTHOR" .PP diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 28d465f5..7ec5dafb 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_selinux"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_selinux"> <refmeta> <refentrytitle>pam_selinux</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_selinux-name"> + <refnamediv xml:id="pam_selinux-name"> <refname>pam_selinux</refname> <refpurpose>PAM module to set the default security context</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_selinux-cmdsynopsis"> + <cmdsynopsis xml:id="pam_selinux-cmdsynopsis" sepchar=" "> <command>pam_selinux.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> open </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> close </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> restore </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nottys </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> verbose </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> select_context </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> env_params </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_current_range </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_selinux-description"> + <refsect1 xml:id="pam_selinux-description"> <title>DESCRIPTION</title> <para> pam_selinux is a PAM module that sets up the default SELinux security @@ -79,12 +76,12 @@ </para> </refsect1> - <refsect1 id="pam_selinux-options"> + <refsect1 xml:id="pam_selinux-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>open</option> + open </term> <listitem> <para> @@ -94,7 +91,7 @@ </varlistentry> <varlistentry> <term> - <option>close</option> + close </term> <listitem> <para> @@ -104,7 +101,7 @@ </varlistentry> <varlistentry> <term> - <option>restore</option> + restore </term> <listitem> <para> @@ -117,7 +114,7 @@ </varlistentry> <varlistentry> <term> - <option>nottys</option> + nottys </term> <listitem> <para> @@ -127,7 +124,7 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -140,7 +137,7 @@ </varlistentry> <varlistentry> <term> - <option>verbose</option> + verbose </term> <listitem> <para> @@ -150,7 +147,7 @@ </varlistentry> <varlistentry> <term> - <option>select_context</option> + select_context </term> <listitem> <para> @@ -161,7 +158,7 @@ </varlistentry> <varlistentry> <term> - <option>env_params</option> + env_params </term> <listitem> <para> @@ -178,7 +175,7 @@ </varlistentry> <varlistentry> <term> - <option>use_current_range</option> + use_current_range </term> <listitem> <para> @@ -191,14 +188,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_selinux-types"> + <refsect1 xml:id="pam_selinux-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_selinux-return_values'> + <refsect1 xml:id="pam_selinux-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -236,7 +233,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_selinux-examples'> + <refsect1 xml:id="pam_selinux-examples"> <title>EXAMPLES</title> <programlisting> auth required pam_unix.so @@ -245,7 +242,7 @@ session optional pam_selinux.so </programlisting> </refsect1> - <refsect1 id='pam_selinux-see_also'> + <refsect1 xml:id="pam_selinux-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -258,7 +255,7 @@ session optional pam_selinux.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> @@ -266,11 +263,11 @@ session optional pam_selinux.so </para> </refsect1> - <refsect1 id='pam_selinux-author'> + <refsect1 xml:id="pam_selinux-author"> <title>AUTHOR</title> <para> pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index d8e10d8e..e52e0fc4 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -393,7 +393,6 @@ free_module_data(module_data_t *data) freecon(data->prev_exec_context); if (data->exec_context != data->default_user_context) freecon(data->exec_context); - memset(data, 0, sizeof(*data)); free(data); } @@ -553,7 +552,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) } pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m", data->tty_path); - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } tclass = string_to_security_class("chr_file"); @@ -563,7 +562,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) data->prev_tty_context = NULL; free(data->tty_path); data->tty_path = NULL; - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } if (security_compute_relabel(data->exec_context, data->prev_tty_context, @@ -575,7 +574,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) data->prev_tty_context = NULL; free(data->tty_path); data->tty_path = NULL; - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } return PAM_SUCCESS; @@ -606,7 +605,7 @@ restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug) data->prev_exec_context ? data->prev_exec_context : ""); err |= set_exec_context(pamh, data->prev_exec_context); - if (err && security_getenforce() == 1) + if (err && security_getenforce() != 0) return PAM_SESSION_ERR; return PAM_SUCCESS; @@ -658,7 +657,7 @@ set_context(pam_handle_t *pamh, const module_data_t *data, } #endif - if (err && security_getenforce() == 1) + if (err && security_getenforce() != 0) return PAM_SESSION_ERR; return PAM_SUCCESS; @@ -717,7 +716,7 @@ create_context(pam_handle_t *pamh, int argc, const char **argv, if (!data->exec_context) { free_module_data(data); - return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS; } if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) { diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index 18a89b60..6e7e96e5 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -13,15 +13,18 @@ dist_man_MANS = pam_sepermit.8 sepermit.conf.5 endif XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml dist_check_SCRIPTS = tst-pam_sepermit -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif sepermitlockdir = ${localstatedir}/run/sepermit AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include \ - -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" $(WARN_CFLAGS) pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @@ -33,6 +36,9 @@ endif dist_secureconf_DATA = sepermit.conf securelib_LTLIBRARIES = pam_sepermit.la +check_PROGRAMS = tst-pam_sepermit-retval +tst_pam_sepermit_retval_LDADD = $(top_builddir)/libpam/libpam.la + install-data-local: mkdir -p $(DESTDIR)$(sepermitlockdir) diff --git a/modules/pam_sepermit/Makefile.in b/modules/pam_sepermit/Makefile.in index 3d2ba129..4fb5cbf7 100644 --- a/modules/pam_sepermit/Makefile.in +++ b/modules/pam_sepermit/Makefile.in @@ -95,6 +95,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_sepermit-retval$(EXEEXT) subdir = modules/pam_sepermit ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -162,6 +163,10 @@ pam_sepermit_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(pam_sepermit_la_LDFLAGS) $(LDFLAGS) \ -o $@ +tst_pam_sepermit_retval_SOURCES = tst-pam_sepermit-retval.c +tst_pam_sepermit_retval_OBJECTS = tst-pam_sepermit-retval.$(OBJEXT) +tst_pam_sepermit_retval_DEPENDENCIES = \ + $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -177,7 +182,8 @@ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/pam_sepermit.Plo +am__depfiles_remade = ./$(DEPDIR)/pam_sepermit.Plo \ + ./$(DEPDIR)/tst-pam_sepermit-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -197,8 +203,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_sepermit.c -DIST_SOURCES = pam_sepermit.c +SOURCES = pam_sepermit.c tst-pam_sepermit-retval.c +DIST_SOURCES = pam_sepermit.c tst-pam_sepermit-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -436,6 +442,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -448,11 +455,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -484,12 +493,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -512,6 +523,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -522,12 +534,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -599,13 +615,13 @@ EXTRA_DIST = $(XMLS) @HAVE_DOC_TRUE@dist_man_MANS = pam_sepermit.8 sepermit.conf.5 XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml dist_check_SCRIPTS = tst-pam_sepermit -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) sepermitlockdir = ${localstatedir}/run/sepermit AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include \ - -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" $(WARN_CFLAGS) pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @@ -613,6 +629,7 @@ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) dist_secureconf_DATA = sepermit.conf securelib_LTLIBRARIES = pam_sepermit.la +tst_pam_sepermit_retval_LDADD = $(top_builddir)/libpam/libpam.la @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am @@ -648,6 +665,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -686,6 +712,10 @@ clean-securelibLTLIBRARIES: pam_sepermit.la: $(pam_sepermit_la_OBJECTS) $(pam_sepermit_la_DEPENDENCIES) $(EXTRA_pam_sepermit_la_DEPENDENCIES) $(AM_V_CCLD)$(pam_sepermit_la_LINK) -rpath $(securelibdir) $(pam_sepermit_la_OBJECTS) $(pam_sepermit_la_LIBADD) $(LIBS) +tst-pam_sepermit-retval$(EXEEXT): $(tst_pam_sepermit_retval_OBJECTS) $(tst_pam_sepermit_retval_DEPENDENCIES) $(EXTRA_tst_pam_sepermit_retval_DEPENDENCIES) + @rm -f tst-pam_sepermit-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_sepermit_retval_OBJECTS) $(tst_pam_sepermit_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -693,6 +723,7 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_sepermit.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_sepermit-retval.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -1006,7 +1037,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: $(dist_check_SCRIPTS) +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1016,7 +1047,7 @@ check-TESTS: $(dist_check_SCRIPTS) log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all $(dist_check_SCRIPTS) +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1034,6 +1065,13 @@ tst-pam_sepermit.log: tst-pam_sepermit --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_sepermit-retval.log: tst-pam_sepermit-retval$(EXEEXT) + @p='tst-pam_sepermit-retval$(EXEEXT)'; \ + b='tst-pam_sepermit-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1083,7 +1121,8 @@ distdir-am: $(DISTFILES) fi; \ done check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1128,11 +1167,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/pam_sepermit.Plo + -rm -f ./$(DEPDIR)/tst-pam_sepermit-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1180,6 +1220,7 @@ installcheck-am: maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/pam_sepermit.Plo + -rm -f ./$(DEPDIR)/tst-pam_sepermit-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1204,7 +1245,7 @@ uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ - check-am clean clean-generic clean-libtool \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ diff --git a/modules/pam_sepermit/README b/modules/pam_sepermit/README index cd697bb9..b91424e6 100644 --- a/modules/pam_sepermit/README +++ b/modules/pam_sepermit/README @@ -23,6 +23,9 @@ disabled and pam_sepermit will return PAM_IGNORE. See sepermit.conf(5) for details. +If there is no explicitly specified configuration file and /etc/security/ +sepermit.conf does not exist, %vendordir%/security/sepermit.conf is used. + OPTIONS debug diff --git a/modules/pam_sepermit/README.xml b/modules/pam_sepermit/README.xml index bb65951c..a8d31d8c 100644 --- a/modules/pam_sepermit/README.xml +++ b/modules/pam_sepermit/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_sepermit.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_sepermit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_sepermit.8.xml" xpointer='xpointer(id("pam_sepermit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_sepermit/pam_sepermit.8 b/modules/pam_sepermit/pam_sepermit.8 index fb82cb97..32707460 100644 --- a/modules/pam_sepermit/pam_sepermit.8 +++ b/modules/pam_sepermit/pam_sepermit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_sepermit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SEPERMIT" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SEPERMIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -55,13 +55,13 @@ See for details\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBconf=\fR\fB\fI/path/to/config/file\fR\fR +conf=/path/to/config/file .RS 4 Path to alternative config file overriding the default\&. .RE @@ -124,7 +124,7 @@ session required pam_permit\&.so \fBsepermit.conf\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) \fBselinux\fR(8) .SH "AUTHOR" .PP diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index 30d9cc54..1ead4298 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_sepermit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_sepermit"> <refmeta> <refentrytitle>pam_sepermit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_sepermit-name"> + <refnamediv xml:id="pam_sepermit-name"> <refname>pam_sepermit</refname> <refpurpose>PAM module to allow/deny login depending on SELinux enforcement state</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_sepermit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_sepermit-cmdsynopsis" sepchar=" "> <command>pam_sepermit.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conf=<replaceable>/path/to/config/file</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_sepermit-description"> + <refsect1 xml:id="pam_sepermit-description"> <title>DESCRIPTION</title> <para> The pam_sepermit module allows or denies login depending on SELinux @@ -54,15 +51,19 @@ <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry> for details. </para> - + <para condition="with_vendordir"> + If there is no explicitly specified configuration file and + <filename>/etc/security/sepermit.conf</filename> does not exist, + <filename>%vendordir%/security/sepermit.conf</filename> is used. + </para> </refsect1> - <refsect1 id="pam_sepermit-options"> + <refsect1 xml:id="pam_sepermit-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -75,7 +76,7 @@ </varlistentry> <varlistentry> <term> - <option>conf=<replaceable>/path/to/config/file</replaceable></option> + conf=/path/to/config/file </term> <listitem> <para> @@ -86,7 +87,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_sepermit-types"> + <refsect1 xml:id="pam_sepermit-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> @@ -94,7 +95,7 @@ </para> </refsect1> - <refsect1 id='pam_sepermit-return_values'> + <refsect1 xml:id="pam_sepermit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -141,11 +142,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_sepermit-files"> + <refsect1 xml:id="pam_sepermit-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/sepermit.conf</filename></term> + <term>/etc/security/sepermit.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -153,7 +154,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_sepermit-examples'> + <refsect1 xml:id="pam_sepermit-examples"> <title>EXAMPLES</title> <programlisting> auth [success=done ignore=ignore default=bad] pam_sepermit.so @@ -163,7 +164,7 @@ session required pam_permit.so </programlisting> </refsect1> - <refsect1 id='pam_sepermit-see_also'> + <refsect1 xml:id="pam_sepermit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -176,7 +177,7 @@ session required pam_permit.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> <citerefentry> <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> @@ -184,11 +185,11 @@ session required pam_permit.so </para> </refsect1> - <refsect1 id='pam_sepermit-author'> + <refsect1 xml:id="pam_sepermit-author"> <title>AUTHOR</title> <para> pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index f7d98d5b..5fbc8fdd 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -61,6 +61,12 @@ #include <selinux/selinux.h> +#include "pam_inline.h" + +#define SEPERMIT_CONF_FILE (SCONFIGDIR "/sepermit.conf") +#ifdef VENDOR_SCONFIGDIR +# define SEPERMIT_VENDOR_CONF_FILE (VENDOR_SCONFIGDIR "/sepermit.conf"); +#endif #define MODULE "pam_sepermit" #define OPT_DELIM ":" @@ -370,16 +376,31 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, const char *user = NULL; char *seuser = NULL; char *level = NULL; - const char *cfgfile = SEPERMIT_CONF_FILE; + const char *cfgfile = NULL; /* Parse arguments. */ for (i = 0; i < argc; i++) { + const char *str; + if (strcmp(argv[i], "debug") == 0) { debug = 1; + } else if ((str = pam_str_skip_prefix(argv[i], "conf=")) != NULL) { + cfgfile = str; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", argv[i]); } - if (strcmp(argv[i], "conf=") == 0) { - cfgfile = argv[i] + 5; - } + } + + if (cfgfile == NULL) { +#ifdef SEPERMIT_VENDOR_CONF_FILE + struct stat buffer; + + cfgfile = SEPERMIT_CONF_FILE; + if (stat(cfgfile, &buffer) != 0 && errno == ENOENT) + cfgfile = SEPERMIT_VENDOR_CONF_FILE; +#else + cfgfile = SEPERMIT_CONF_FILE; +#endif } if (debug) diff --git a/modules/pam_sepermit/sepermit.conf.5 b/modules/pam_sepermit/sepermit.conf.5 index b4b91c8d..d2cd3810 100644 --- a/modules/pam_sepermit/sepermit.conf.5 +++ b/modules/pam_sepermit/sepermit.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: sepermit.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "SEPERMIT\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "SEPERMIT\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -78,12 +78,12 @@ syntax\&. .PP The recognized options are: .PP -\fBexclusive\fR +exclusive .RS 4 Only single login session will be allowed for the user and the user\*(Aqs processes will be killed on logout\&. .RE .PP -\fBignore\fR +ignore .RS 4 The module will never return PAM_SUCCESS status for the user\&. It will return PAM_IGNORE if SELinux is in the enforcing mode, and PAM_AUTH_ERR otherwise\&. It is useful if you want to support passwordless guest users and other confined users with passwords simultaneously\&. .RE @@ -110,7 +110,7 @@ These are some example lines which might be specified in .PP \fBpam_sepermit\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8), +\fBpam\fR(7), \fBselinux\fR(8), .SH "AUTHOR" .PP diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml index 511480f6..1f1dcaeb 100644 --- a/modules/pam_sepermit/sepermit.conf.5.xml +++ b/modules/pam_sepermit/sepermit.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="sepermit.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="sepermit.conf"> <refmeta> <refentrytitle>sepermit.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_sepermit module</refpurpose> </refnamediv> - <refsect1 id='sepermit.conf-description'> + <refsect1 xml:id="sepermit.conf-description"> <title>DESCRIPTION</title> <para> The lines of the configuration file have the following syntax: @@ -24,7 +21,7 @@ <replaceable><user></replaceable>[:<replaceable><option></replaceable>:<replaceable><option></replaceable>...] </para> <para> - The <emphasis remap='B'>user</emphasis> can be specified in the following manner: + The <emphasis remap="B">user</emphasis> can be specified in the following manner: </para> <itemizedlist> <listitem> @@ -34,13 +31,13 @@ </listitem> <listitem> <para> - a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + a groupname, with <emphasis remap="B">@group</emphasis> syntax. This should not be confused with netgroups. </para> </listitem> <listitem> <para> - a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax. + a SELinux user name with <emphasis remap="B">%seuser</emphasis> syntax. </para> </listitem> </itemizedlist> @@ -51,7 +48,7 @@ <variablelist> <varlistentry> - <term><option>exclusive</option></term> + <term>exclusive</term> <listitem> <para> Only single login session will be allowed for the user @@ -60,7 +57,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>ignore</option></term> + <term>ignore</term> <listitem> <para> The module will never return PAM_SUCCESS status for the user. @@ -78,7 +75,7 @@ </para> </refsect1> - <refsect1 id="sepermit.conf-examples"> + <refsect1 xml:id="sepermit.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -91,20 +88,20 @@ </programlisting> </refsect1> - <refsect1 id="sepermit.conf-see_also"> + <refsect1 xml:id="sepermit.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>, </para> </refsect1> - <refsect1 id="sepermit.conf-author"> + <refsect1 xml:id="sepermit.conf-author"> <title>AUTHOR</title> <para> pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com> </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_sepermit/tst-pam_sepermit-retval.c b/modules/pam_sepermit/tst-pam_sepermit-retval.c new file mode 100644 index 00000000..321bd6d1 --- /dev/null +++ b/modules/pam_sepermit/tst-pam_sepermit-retval.c @@ -0,0 +1,158 @@ +/* + * Check pam_sepermit return values and conf= option. + * + * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_sepermit" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char missing_file[] = TEST_NAME ".missing"; +static const char config_file[] = TEST_NAME ".conf"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_NE(NULL, fp = fopen(config_file, "w")); + ASSERT_LT(0, fprintf(fp, "nosuchuser:ignore\n")); + ASSERT_EQ(0, fclose(fp)); + + /* + * conf= specifies an existing file, + * PAM_IGNORE -> PAM_PERM_DENIED + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conf=%s\n" + "account required %s/.libs/%s.so conf=%s\n" + "password required %s/.libs/%s.so conf=%s\n" + "session required %s/.libs/%s.so conf=%s\n", + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * conf= specifies an existing file, + * PAM_IGNORE -> PAM_SUCCESS + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conf=%s\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so conf=%s\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so conf=%s\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so conf=%s\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, config_file, cwd, + cwd, MODULE_NAME, config_file, cwd, + cwd, MODULE_NAME, config_file, cwd, + cwd, MODULE_NAME, config_file, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* + * conf= specifies a missing file, + * PAM_IGNORE -> PAM_PERM_DENIED + */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conf=%s\n" + "account required %s/.libs/%s.so conf=%s\n" + "password required %s/.libs/%s.so conf=%s\n" + "session required %s/.libs/%s.so conf=%s\n", + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SERVICE_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* cleanup */ + ASSERT_EQ(0, unlink(config_file)); + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_setquota/Makefile.am b/modules/pam_setquota/Makefile.am index b01a3288..1582e515 100644 --- a/modules/pam_setquota/Makefile.am +++ b/modules/pam_setquota/Makefile.am @@ -11,7 +11,11 @@ dist_check_SCRIPTS = tst-pam_setquota TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_setquota/Makefile.in b/modules/pam_setquota/Makefile.in index f4f49f02..5e4375a9 100644 --- a/modules/pam_setquota/Makefile.in +++ b/modules/pam_setquota/Makefile.in @@ -424,6 +424,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -436,11 +437,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -472,12 +475,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -500,6 +505,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -510,12 +516,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -589,7 +599,8 @@ XMLS = README.xml pam_setquota.8.xml dist_check_SCRIPTS = tst-pam_setquota TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_setquota/README.xml b/modules/pam_setquota/README.xml index 4eeddecc..7f5e429d 100644 --- a/modules/pam_setquota/README.xml +++ b/modules/pam_setquota/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_setquota.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_setquota.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_setquota-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_setquota.8.xml" xpointer='xpointer(//refsect1[@id = "pam_setquota-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_setquota.8.xml" xpointer='xpointer(//refsect1[@id = "pam_setquota-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_setquota.8.xml" xpointer='xpointer(//refsect1[@id = "pam_setquota-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_setquota.8.xml" xpointer='xpointer(//refsect1[@id = "pam_setquota-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_setquota.8.xml" xpointer='xpointer(id("pam_setquota-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_setquota/pam_setquota.8 b/modules/pam_setquota/pam_setquota.8 index f09ba960..2c95097c 100644 --- a/modules/pam_setquota/pam_setquota.8 +++ b/modules/pam_setquota/pam_setquota.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_setquota .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SETQUOTA" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SETQUOTA" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -40,30 +40,30 @@ This makes quotas usable with central user databases, such as MySQL or LDAP\&. .SH "OPTIONS" .PP .PP -\fBfs=\fR\fB\fI/home\fR\fR +fs=/home .RS 4 The device file or mountpoint the policy applies to\&. Defaults to the filesystem containing the users home directory\&. .RE .PP -\fBoverwrite=\fR\fB\fI0\fR\fR +overwrite=0 .RS 4 Overwrite an existing quota\&. Note: Enabling this will remove the ability for the admin to manually configure different quotas for users for a filesystem with \fBedquota\fR(8)\&. (Defaults to 0) .RE .PP -\fBdebug=\fR\fB\fI0\fR\fR +debug=0 .RS 4 Enable debugging\&. A value of 1 outputs the old and new quota on a device\&. A value of 2 also prints out the matched and found filesystems should \fBfs\fR be unset\&. (Defaults to 0) .RE .PP -\fBstartuid=\fR\fB\fI1000\fR\fR +startuid=1000 .RS 4 Describe the start of the UID range the policy is applied to\&. (Defaults to UID_MIN from login\&.defs or the uidmin value defined at compile\-time if UID_MIN is undefined\&.) .RE .PP -\fBenduid=\fR\fB\fI0\fR\fR +enduid=0 .RS 4 Describe the end of the UID range the policy is applied to\&. Setting \fIenduid=0\fR @@ -72,7 +72,7 @@ results in an open\-ended UID range (i\&.e\&. all uids greater than are included)\&. (Defaults to 0) .RE .PP -\fBbsoftlimit=\fR\fB\fI19000\fR\fR +bsoftlimit=19000 .RS 4 Soft limit for disk quota blocks, as defined by \fBquotactl\fR(2)\&. Note: @@ -83,7 +83,7 @@ and be set at the same time! .RE .PP -\fBbhardlimit=\fR\fB\fI20000\fR\fR +bhardlimit=20000 .RS 4 Hard limit for disk quota blocks, as defined by \fBquotactl\fR(2)\&. Note: @@ -94,7 +94,7 @@ and be set at the same time! .RE .PP -\fBisoftlimit=\fR\fB\fI3000\fR\fR +isoftlimit=3000 .RS 4 Soft limit for inodes, as defined by \fB quotactl\fR(2)\&. Note: @@ -105,7 +105,7 @@ and be set at the same time! .RE .PP -\fBihardlimit=\fR\fB\fI4000\fR\fR +ihardlimit=4000 .RS 4 Hard limit for inodes, as defined by \fB quotactl\fR(2)\&. Note: diff --git a/modules/pam_setquota/pam_setquota.8.xml b/modules/pam_setquota/pam_setquota.8.xml index fe83c805..41644eeb 100644 --- a/modules/pam_setquota/pam_setquota.8.xml +++ b/modules/pam_setquota/pam_setquota.8.xml @@ -1,53 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_setquota"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_setquota"> <refmeta> <refentrytitle>pam_setquota</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_setquota-name"> + <refnamediv xml:id="pam_setquota-name"> <refname>pam_setquota</refname> <refpurpose>PAM module to set or modify disk quotas on session start</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_setquota-cmdsynopsis"> + <cmdsynopsis xml:id="pam_setquota-cmdsynopsis" sepchar=" "> <command>pam_setquota.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> fs=<replaceable>/home</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> overwrite=<replaceable>0</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug=<replaceable>0</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> startuid=<replaceable>1000</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> enduid=<replaceable>0</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> bsoftlimit=<replaceable>19000</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> bhardlimit=<replaceable>20000</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> isoftlimit=<replaceable>3000</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ihardlimit=<replaceable>4000</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_setquota-description"> + <refsect1 xml:id="pam_setquota-description"> <title>DESCRIPTION</title> @@ -60,14 +58,14 @@ </refsect1> - <refsect1 id="pam_setquota-options"> + <refsect1 xml:id="pam_setquota-options"> <title>OPTIONS</title> <para> <variablelist> <varlistentry> <term> - <option>fs=<replaceable>/home</replaceable></option> + fs=/home </term> <listitem> <para> @@ -78,7 +76,7 @@ </varlistentry> <varlistentry> <term> - <option>overwrite=<replaceable>0</replaceable></option> + overwrite=0 </term> <listitem> <para> @@ -91,7 +89,7 @@ </varlistentry> <varlistentry> <term> - <option>debug=<replaceable>0</replaceable></option> + debug=0 </term> <listitem> <para> @@ -103,7 +101,7 @@ </varlistentry> <varlistentry> <term> - <option>startuid=<replaceable>1000</replaceable></option> + startuid=1000 </term> <listitem> <para> @@ -115,7 +113,7 @@ </varlistentry> <varlistentry> <term> - <option>enduid=<replaceable>0</replaceable></option> + enduid=0 </term> <listitem> <para> @@ -128,7 +126,7 @@ </varlistentry> <varlistentry> <term> - <option>bsoftlimit=<replaceable>19000</replaceable></option> + bsoftlimit=19000 </term> <listitem> <para> @@ -142,7 +140,7 @@ </varlistentry> <varlistentry> <term> - <option>bhardlimit=<replaceable>20000</replaceable></option> + bhardlimit=20000 </term> <listitem> <para> @@ -156,7 +154,7 @@ </varlistentry> <varlistentry> <term> - <option>isoftlimit=<replaceable>3000</replaceable></option> + isoftlimit=3000 </term> <listitem> <para> @@ -169,7 +167,7 @@ </varlistentry> <varlistentry> <term> - <option>ihardlimit=<replaceable>4000</replaceable></option> + ihardlimit=4000 </term> <listitem> <para> @@ -184,14 +182,14 @@ </para> </refsect1> - <refsect1 id="pam_setquota-types"> + <refsect1 xml:id="pam_setquota-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> module type is provided. </para> </refsect1> - <refsect1 id='pam_setquota-return_values'> + <refsect1 xml:id="pam_setquota-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -255,7 +253,7 @@ </para> </refsect1> - <refsect1 id='pam_setquota-examples'> + <refsect1 xml:id="pam_setquota-examples"> <title>EXAMPLES</title> <para> A single invocation of `pam_setquota` applies a specific policy to a UID @@ -270,7 +268,7 @@ </para> </refsect1> - <refsect1 id='pam_setquota-see_also'> + <refsect1 xml:id="pam_setquota-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -285,7 +283,7 @@ </para> </refsect1> - <refsect1 id='pam_setquota-author'> + <refsect1 xml:id="pam_setquota-author"> <title>AUTHOR</title> <para> pam_setquota was originally written by @@ -298,4 +296,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_shells/Makefile.am b/modules/pam_shells/Makefile.am index b91bada5..e44915f2 100644 --- a/modules/pam_shells/Makefile.am +++ b/modules/pam_shells/Makefile.am @@ -15,17 +15,21 @@ dist_check_SCRIPTS = tst-pam_shells TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(WARN_CFLAGS) $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_shells.la -pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) if ENABLE_REGENERATE_MAN dist_noinst_DATA = README diff --git a/modules/pam_shells/Makefile.in b/modules/pam_shells/Makefile.in index c92648bc..3c236b33 100644 --- a/modules/pam_shells/Makefile.in +++ b/modules/pam_shells/Makefile.in @@ -148,7 +148,9 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_shells_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_shells_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_shells_la_SOURCES = pam_shells.c pam_shells_la_OBJECTS = pam_shells.lo AM_V_lt = $(am__v_lt_@AM_V@) @@ -428,6 +430,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +443,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +481,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +511,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +522,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,13 +605,14 @@ XMLS = README.xml pam_shells.8.xml dist_check_SCRIPTS = tst-pam_shells TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(WARN_CFLAGS) $(ECONF_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) securelib_LTLIBRARIES = pam_shells.la -pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS) @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am diff --git a/modules/pam_shells/README b/modules/pam_shells/README index e09dd205..bde6667c 100644 --- a/modules/pam_shells/README +++ b/modules/pam_shells/README @@ -7,7 +7,11 @@ DESCRIPTION pam_shells is a PAM module that only allows access to the system if the user's shell is listed in /etc/shells. -It also checks if /etc/shells is a plain file and not world writable. +If this file does not exist, entries are taken from files %vendordir%/shells, +%vendordir%/shells.d/* and /etc/shells.d/* in that order. + +It also checks if needed files (e.g. /etc/shells) are plain files and not world +writable. OPTIONS diff --git a/modules/pam_shells/README.xml b/modules/pam_shells/README.xml index 154b97b5..c4da1a06 100644 --- a/modules/pam_shells/README.xml +++ b/modules/pam_shells/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_shells.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_shells-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_shells.8.xml" xpointer='xpointer(id("pam_shells-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_shells/pam_shells.8 b/modules/pam_shells/pam_shells.8 index 4e519d17..7962badc 100644 --- a/modules/pam_shells/pam_shells.8 +++ b/modules/pam_shells/pam_shells.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_shells .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SHELLS" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SHELLS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,9 +37,8 @@ pam_shells \- PAM module to check for valid login shell pam_shells is a PAM module that only allows access to the system if the user\*(Aqs shell is listed in /etc/shells\&. .PP -It also checks if -/etc/shells -is a plain file and not world writable\&. +It also checks if needed files (e\&.g\&. +/etc/shells) are plain files and not world writable\&. .SH "OPTIONS" .PP This module does not recognise any options\&. @@ -85,7 +84,7 @@ auth required pam_shells\&.so \fBshells\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_shells was written by Erik Troan <ewt@redhat\&.com>\&. diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml index 15f47671..bff889fb 100644 --- a/modules/pam_shells/pam_shells.8.xml +++ b/modules/pam_shells/pam_shells.8.xml @@ -1,27 +1,24 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_shells"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_shells"> <refmeta> <refentrytitle>pam_shells</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_shells-name"> + <refnamediv xml:id="pam_shells-name"> <refname>pam_shells</refname> <refpurpose>PAM module to check for valid login shell</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_shells-cmdsynopsis"> + <cmdsynopsis xml:id="pam_shells-cmdsynopsis" sepchar=" "> <command>pam_shells.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_shells-description"> + <refsect1 xml:id="pam_shells-description"> <title>DESCRIPTION</title> @@ -29,19 +26,27 @@ pam_shells is a PAM module that only allows access to the system if the user's shell is listed in <filename>/etc/shells</filename>. </para> + + <para condition="with_vendordir_and_with_econf"> + If this file does not exist, entries are taken from files + <filename>%vendordir%/shells</filename>, + <filename>%vendordir%/shells.d/*</filename> and + <filename>/etc/shells.d/*</filename> in that order. + </para> + <para> - It also checks if <filename>/etc/shells</filename> is a plain - file and not world writable. + It also checks if needed files (e.g. <filename>/etc/shells</filename>) are plain + files and not world writable. </para> </refsect1> - <refsect1 id="pam_shells-options"> + <refsect1 xml:id="pam_shells-options"> <title>OPTIONS</title> <para> This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_shells-types"> + <refsect1 xml:id="pam_shells-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> @@ -49,7 +54,7 @@ </para> </refsect1> - <refsect1 id='pam_shells-return_values'> + <refsect1 xml:id="pam_shells-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -80,7 +85,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_shells-examples'> + <refsect1 xml:id="pam_shells-examples"> <title>EXAMPLES</title> <para> <programlisting> @@ -89,7 +94,7 @@ auth required pam_shells.so </para> </refsect1> - <refsect1 id='pam_shells-see_also'> + <refsect1 xml:id="pam_shells-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -102,16 +107,16 @@ auth required pam_shells.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_shells-author'> + <refsect1 xml:id="pam_shells-author"> <title>AUTHOR</title> <para> pam_shells was written by Erik Troan <ewt@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index dc8f4878..abebdd0c 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -13,27 +13,47 @@ #include <string.h> #include <stdio.h> #include <stdlib.h> +#include <stdbool.h> #include <sys/stat.h> #include <syslog.h> #include <unistd.h> +#if defined (USE_ECONF) && defined (VENDORDIR) +#include <libeconf.h> +#endif #include <security/pam_modules.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> #define SHELL_FILE "/etc/shells" - +#define SHELLS "shells" +#define ETCDIR "/etc" #define DEFAULT_SHELL "/bin/sh" +static bool check_file(const char *filename, const void *pamh) +{ + struct stat sb; + + if (stat(filename, &sb)) { + pam_syslog(pamh, LOG_ERR, "Cannot stat %s: %m", filename); + return false; /* must have /etc/shells */ + } + + if ((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) { + pam_syslog(pamh, LOG_ERR, + "%s is either world writable or not a normal file", + filename); + return false; + } + return true; +} + static int perform_check(pam_handle_t *pamh) { int retval = PAM_AUTH_ERR; const char *userName; const char *userShell; - char shellFileLine[256]; - struct stat sb; struct passwd * pw; - FILE * shellFile; retval = pam_get_user(pamh, &userName, NULL); if (retval != PAM_SUCCESS) { @@ -48,18 +68,50 @@ static int perform_check(pam_handle_t *pamh) if (userShell[0] == '\0') userShell = DEFAULT_SHELL; - if (stat(SHELL_FILE,&sb)) { - pam_syslog(pamh, LOG_ERR, "Cannot stat %s: %m", SHELL_FILE); - return PAM_AUTH_ERR; /* must have /etc/shells */ +#if defined (USE_ECONF) && defined (VENDORDIR) + size_t size = 0; + econf_err error; + char **keys; + econf_file *key_file; + + error = econf_readDirsWithCallback(&key_file, + VENDORDIR, + ETCDIR, + SHELLS, + NULL, + "", /* key only */ + "#", /* comment */ + check_file, pamh); + if (error) { + pam_syslog(pamh, LOG_ERR, + "Cannot parse shell files: %s", + econf_errString(error)); + return PAM_AUTH_ERR; } - if ((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) { + error = econf_getKeys(key_file, NULL, &size, &keys); + if (error) { pam_syslog(pamh, LOG_ERR, - "%s is either world writable or not a normal file", - SHELL_FILE); + "Cannot evaluate entries in shell files: %s", + econf_errString(error)); + econf_free (key_file); return PAM_AUTH_ERR; } + retval = 1; + for (size_t i = 0; i < size; i++) { + retval = strcmp(keys[i], userShell); + if (!retval) + break; + } + econf_free (key_file); +#else + char shellFileLine[256]; + FILE * shellFile; + + if (!check_file(SHELL_FILE, pamh)) + return PAM_AUTH_ERR; + shellFile = fopen(SHELL_FILE,"r"); if (shellFile == NULL) { /* Check that we opened it successfully */ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SHELL_FILE); @@ -75,6 +127,7 @@ static int perform_check(pam_handle_t *pamh) } fclose(shellFile); + #endif if (retval) { return PAM_AUTH_ERR; diff --git a/modules/pam_stress/Makefile.am b/modules/pam_stress/Makefile.am index e964fcc4..ee78daef 100644 --- a/modules/pam_stress/Makefile.am +++ b/modules/pam_stress/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_stress TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_stress/Makefile.in b/modules/pam_stress/Makefile.in index 297f39d2..4788de54 100644 --- a/modules/pam_stress/Makefile.in +++ b/modules/pam_stress/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_stress.8.xml dist_check_SCRIPTS = tst-pam_stress TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_stress/README.xml b/modules/pam_stress/README.xml index 6f94685e..cc7a1848 100644 --- a/modules/pam_stress/README.xml +++ b/modules/pam_stress/README.xml @@ -1,31 +1,19 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamstress SYSTEM "pam_stress.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_stress.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_stress-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_stress.8.xml" xpointer='xpointer(id("pam_stress-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_stress.8.xml" xpointer='xpointer(//refsect1[@id = "pam_stress-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_stress.8.xml" xpointer='xpointer(id("pam_stress-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_stress.8.xml" xpointer='xpointer(//refsect1[@id = "pam_stress-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_stress.8.xml" xpointer='xpointer(id("pam_stress-options")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_stress/pam_stress.8 b/modules/pam_stress/pam_stress.8 index 2fdb9397..a522b7fb 100644 --- a/modules/pam_stress/pam_stress.8 +++ b/modules/pam_stress/pam_stress.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_stress .\" Author: [see the "AUTHORS" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_STRESS" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_STRESS" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,52 +37,52 @@ pam_stress \- The stress\-testing PAM module The pam_stress PAM module is mainly intended to give the impression of failing as a fully functioning module might\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Put lots of information in syslog\&. *NOTE* this option writes passwords to syslog, so don\*(Aqt use anything sensitive when testing\&. .RE .PP -\fBno_warn\fR +no_warn .RS 4 Do not give warnings about things (otherwise warnings are issued via the conversation function) .RE .PP -\fBuse_first_pass\fR +use_first_pass .RS 4 Do not prompt for a password, for pam_sm_authentication function just use item PAM_AUTHTOK\&. .RE .PP -\fBtry_first_pass\fR +try_first_pass .RS 4 Do not prompt for a password unless there has been no previous authentication token (item PAM_AUTHTOK is NULL) .RE .PP -\fBrootok\fR +rootok .RS 4 This is intended for the pam_sm_chauthtok function and it instructs this function to permit root to change the user\*(Aqs password without entering the old password\&. .RE .PP -\fBexpired\fR +expired .RS 4 An argument intended for the account and chauthtok module parts\&. It instructs the module to act as if the user\*(Aqs password has expired .RE .PP -\fBfail_1\fR +fail_1 .RS 4 This instructs the module to make its first function fail\&. .RE .PP -\fBfail_2\fR +fail_2 .RS 4 This instructs the module to make its second function (if there is one) fail\&. .RE .PP -\fBprelim\fR +prelim .RS 4 For pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK\&. .RE .PP -\fBrequired\fR +required .RS 4 For pam_sm_chauthtok, means fail if the user hasn\*(Aqt already been authenticated by this module\&. (See stress_new_pwd data string in the NOTES\&.) .RE diff --git a/modules/pam_stress/pam_stress.8.xml b/modules/pam_stress/pam_stress.8.xml index 98888b1c..617b7aae 100644 --- a/modules/pam_stress/pam_stress.8.xml +++ b/modules/pam_stress/pam_stress.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_stress'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_stress"> <refmeta> <refentrytitle>pam_stress</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_stress-name'> + <refnamediv xml:id="pam_stress-name"> <refname>pam_stress</refname> <refpurpose>The stress-testing PAM module</refpurpose> </refnamediv> @@ -18,42 +15,42 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_stress-cmdsynopsis"> + <cmdsynopsis xml:id="pam_stress-cmdsynopsis" sepchar=" "> <command>pam_stress.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> no_warn </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> try_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> rootok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> expired </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> fail_1 </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> fail_2 </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> prelim </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> required </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_stress-description"> + <refsect1 xml:id="pam_stress-description"> <title>DESCRIPTION</title> <para> The pam_stress PAM module is mainly intended to give the impression of failing as a fully @@ -61,13 +58,13 @@ functioning module might. </para> </refsect1> - <refsect1 id="pam_stress-options"> + <refsect1 xml:id="pam_stress-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -79,7 +76,7 @@ functioning module might. <varlistentry> <term> - <option>no_warn</option> + no_warn </term> <listitem> <para> @@ -91,7 +88,7 @@ functioning module might. <varlistentry> <term> - <option>use_first_pass</option> + use_first_pass </term> <listitem> <para> @@ -103,7 +100,7 @@ functioning module might. <varlistentry> <term> - <option>try_first_pass</option> + try_first_pass </term> <listitem> <para> @@ -115,7 +112,7 @@ functioning module might. <varlistentry> <term> - <option>rootok</option> + rootok </term> <listitem> <para> @@ -128,7 +125,7 @@ functioning module might. <varlistentry> <term> - <option>expired</option> + expired </term> <listitem> <para> @@ -141,7 +138,7 @@ functioning module might. <varlistentry> <term> - <option>fail_1</option> + fail_1 </term> <listitem> <para> @@ -152,7 +149,7 @@ functioning module might. <varlistentry> <term> - <option>fail_2</option> + fail_2 </term> <listitem> <para> @@ -164,7 +161,7 @@ functioning module might. <varlistentry> <term> - <option>prelim</option> + prelim </term> <listitem> <para> @@ -175,7 +172,7 @@ functioning module might. <varlistentry> <term> - <option>required</option> + required </term> <listitem> <para> @@ -189,7 +186,7 @@ functioning module might. </variablelist> </refsect1> - <refsect1 id="pam_stress-types"> + <refsect1 xml:id="pam_stress-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -197,7 +194,7 @@ functioning module might. </para> </refsect1> - <refsect1 id="pam_stress-return_values"> + <refsect1 xml:id="pam_stress-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -307,7 +304,7 @@ functioning module might. </variablelist> </refsect1> - <refsect1 id='pam_stress-notes'> + <refsect1 xml:id="pam_stress-notes"> <title>NOTES</title> <para> This module uses the stress_new_pwd data string which tells @@ -316,7 +313,7 @@ functioning module might. </para> </refsect1> - <refsect1 id='pam_stress-examples'> + <refsect1 xml:id="pam_stress-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -329,7 +326,7 @@ session required pam_stress.so </programlisting> </refsect1> - <refsect1 id="pam_stress-see_also"> + <refsect1 xml:id="pam_stress-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -344,7 +341,7 @@ session required pam_stress.so </para> </refsect1> - <refsect1 id="pam_stress-authors"> + <refsect1 xml:id="pam_stress-authors"> <title>AUTHORS</title> <para> The pam_stress PAM module was developed by @@ -353,4 +350,4 @@ session required pam_stress.so Lucas Ramage <ramage.lucas@protonmail.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index 6c7a6251..b2c55586 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -18,6 +18,7 @@ #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> +#include "pam_inline.h" /* ---------- */ @@ -240,7 +241,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* try to set password item */ retval = pam_set_item(pamh,PAM_AUTHTOK,pass); - _pam_overwrite(pass); /* clean up local copy of password */ + pam_overwrite_string(pass); /* clean up local copy of password */ free(pass); pass = NULL; if (retval != PAM_SUCCESS) { @@ -432,7 +433,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, return retval; } retval = pam_set_item(pamh, PAM_OLDAUTHTOK, pass); - _pam_overwrite(pass); + pam_overwrite_string(pass); free(pass); pass = NULL; if (retval != PAM_SUCCESS) { @@ -495,7 +496,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (strcmp(resp[i-2].resp,resp[i-1].resp)) { /* passwords are not the same; forget and return error */ - _pam_drop_reply(resp, i); + pam_drop_response(resp, i); if (!(flags & PAM_SILENT) && !(ctrl & PAM_ST_NO_WARN)) { pmsg[0] = &msg[0]; @@ -505,7 +506,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, resp = NULL; (void) converse(pamh,1,pmsg,&resp); if (resp) { - _pam_drop_reply(resp, 1); + pam_drop_response(resp, 1); } } return PAM_AUTHTOK_ERR; @@ -523,7 +524,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, retval = PAM_SYSTEM_ERR; } - _pam_drop_reply(resp, i); /* clean up the passwords */ + pam_drop_response(resp, i); /* clean up the passwords */ } else { pam_syslog(pamh, LOG_ERR, "pam_sm_chauthtok: this must be a Linux-PAM error"); diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am index cb54f843..f79a4b03 100644 --- a/modules/pam_succeed_if/Makefile.am +++ b/modules/pam_succeed_if/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_succeed_if TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_succeed_if/Makefile.in b/modules/pam_succeed_if/Makefile.in index 995b6db5..5028fe07 100644 --- a/modules/pam_succeed_if/Makefile.in +++ b/modules/pam_succeed_if/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_succeed_if.8.xml dist_check_SCRIPTS = tst-pam_succeed_if TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_succeed_if/README.xml b/modules/pam_succeed_if/README.xml index c52f00a0..1c174af0 100644 --- a/modules/pam_succeed_if/README.xml +++ b/modules/pam_succeed_if/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_succeed_if.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_succeed_if-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_succeed_if.8.xml" xpointer='xpointer(id("pam_succeed_if-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 index 8b33c62a..98a9d857 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8 +++ b/modules/pam_succeed_if/pam_succeed_if.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_succeed_if .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 -.\" Manual: Linux-PAM +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual .\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_SUCCEED_IF" "8" "09/03/2021" "Linux-PAM" "Linux\-PAM" +.TH "PAM_SUCCEED_IF" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -42,32 +42,32 @@ The module should be given one or more conditions as module arguments, and authe The following \fIflag\fRs are supported: .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to syslog\&. .RE .PP -\fBuse_uid\fR +use_uid .RS 4 Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Don\*(Aqt log failure or success to the system log\&. .RE .PP -\fBquiet_fail\fR +quiet_fail .RS 4 Don\*(Aqt log failure to the system log\&. .RE .PP -\fBquiet_success\fR +quiet_success .RS 4 Don\*(Aqt log success to the system log\&. .RE .PP -\fBaudit\fR +audit .RS 4 Log unknown users to the system log\&. .RE @@ -86,82 +86,82 @@ Available fields are and \fIservice\fR: .PP -\fBfield < number\fR +field < number .RS 4 Field has a value numerically less than number\&. .RE .PP -\fBfield <= number\fR +field <= number .RS 4 Field has a value numerically less than or equal to number\&. .RE .PP -\fBfield eq number\fR +field eq number .RS 4 Field has a value numerically equal to number\&. .RE .PP -\fBfield >= number\fR +field >= number .RS 4 Field has a value numerically greater than or equal to number\&. .RE .PP -\fBfield > number\fR +field > number .RS 4 Field has a value numerically greater than number\&. .RE .PP -\fBfield ne number\fR +field ne number .RS 4 Field has a value numerically different from number\&. .RE .PP -\fBfield = string\fR +field = string .RS 4 Field exactly matches the given string\&. .RE .PP -\fBfield != string\fR +field != string .RS 4 Field does not match the given string\&. .RE .PP -\fBfield =~ glob\fR +field =~ glob .RS 4 Field matches the given glob\&. .RE .PP -\fBfield !~ glob\fR +field !~ glob .RS 4 Field does not match the given glob\&. .RE .PP -\fBfield in item:item:\&.\&.\&.\fR +field in item:item:\&.\&.\&. .RS 4 Field is contained in the list of items separated by colons\&. .RE .PP -\fBfield notin item:item:\&.\&.\&.\fR +field notin item:item:\&.\&.\&. .RS 4 Field is not contained in the list of items separated by colons\&. .RE .PP -\fBuser ingroup group[:group:\&.\&.\&.\&.]\fR +user ingroup group[:group:\&.\&.\&.\&.] .RS 4 User is in given group(s)\&. .RE .PP -\fBuser notingroup group[:group:\&.\&.\&.\&.]\fR +user notingroup group[:group:\&.\&.\&.\&.] .RS 4 User is not in given group(s)\&. .RE .PP -\fBuser innetgr netgroup\fR +user innetgr netgroup .RS 4 (user,host) is in given netgroup\&. .RE .PP -\fBuser notinnetgr group\fR +user notinnetgr group .RS 4 (user,host) is not in given netgroup\&. .RE @@ -220,7 +220,7 @@ type required othermodule\&.so arguments\&.\&.\&. .SH "SEE ALSO" .PP \fBglob\fR(7), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP Nalin Dahyabhai <nalin@redhat\&.com> diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml index 14d939a3..b8f65e7d 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8.xml +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -1,34 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - - -<refentry id='pam_succeed_if'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_succeed_if"> <!-- Copyright 2003, 2004 Red Hat, Inc. --> <!-- Written by Nalin Dahyabhai <nalin@redhat.com> --> <refmeta> <refentrytitle>pam_succeed_if</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_succeed_if-name'> + <refnamediv xml:id="pam_succeed_if-name"> <refname>pam_succeed_if</refname> <refpurpose>test account characteristics</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id='pam_succeed_if-cmdsynopsis'> + <cmdsynopsis xml:id="pam_succeed_if-cmdsynopsis" sepchar=" "> <command>pam_succeed_if.so</command> - <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg> - <arg choice='opt' rep='repeat'><replaceable>condition</replaceable></arg> + <arg choice="opt" rep="repeat"><replaceable>flag</replaceable></arg> + <arg choice="opt" rep="repeat"><replaceable>condition</replaceable></arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id='pam_succeed_if-description'> + <refsect1 xml:id="pam_succeed_if-description"> <title>DESCRIPTION</title> <para> pam_succeed_if.so is designed to succeed or fail authentication @@ -43,7 +39,7 @@ </para> </refsect1> - <refsect1 id="pam_succeed_if-options"> + <refsect1 xml:id="pam_succeed_if-options"> <title>OPTIONS</title> <para> The following <emphasis>flag</emphasis>s are supported: @@ -51,13 +47,13 @@ <variablelist> <varlistentry> - <term><option>debug</option></term> + <term>debug</term> <listitem> <para>Turns on debugging messages sent to syslog.</para> </listitem> </varlistentry> <varlistentry> - <term><option>use_uid</option></term> + <term>use_uid</term> <listitem> <para> Evaluate conditions using the account of the user whose UID @@ -67,13 +63,13 @@ </listitem> </varlistentry> <varlistentry> - <term><option>quiet</option></term> + <term>quiet</term> <listitem> <para>Don't log failure or success to the system log.</para> </listitem> </varlistentry> <varlistentry> - <term><option>quiet_fail</option></term> + <term>quiet_fail</term> <listitem> <para> Don't log failure to the system log. @@ -81,7 +77,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>quiet_success</option></term> + <term>quiet_success</term> <listitem> <para> Don't log success to the system log. @@ -89,7 +85,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>audit</option></term> + <term>audit</term> <listitem> <para> Log unknown users to the system log. @@ -112,13 +108,13 @@ <variablelist> <varlistentry> - <term><option>field < number</option></term> + <term>field < number</term> <listitem> <para>Field has a value numerically less than number.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field <= number</option></term> + <term>field <= number</term> <listitem> <para> Field has a value numerically less than or equal to number. @@ -126,7 +122,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field eq number</option></term> + <term>field eq number</term> <listitem> <para> Field has a value numerically equal to number. @@ -134,7 +130,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field >= number</option></term> + <term>field >= number</term> <listitem> <para> Field has a value numerically greater than or equal to number. @@ -142,7 +138,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field > number</option></term> + <term>field > number</term> <listitem> <para> Field has a value numerically greater than number. @@ -150,7 +146,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field ne number</option></term> + <term>field ne number</term> <listitem> <para> Field has a value numerically different from number. @@ -158,7 +154,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field = string</option></term> + <term>field = string</term> <listitem> <para> Field exactly matches the given string. @@ -166,7 +162,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field != string</option></term> + <term>field != string</term> <listitem> <para> Field does not match the given string. @@ -174,49 +170,49 @@ </listitem> </varlistentry> <varlistentry> - <term><option>field =~ glob</option></term> + <term>field =~ glob</term> <listitem> <para>Field matches the given glob.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field !~ glob</option></term> + <term>field !~ glob</term> <listitem> <para>Field does not match the given glob.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field in item:item:...</option></term> + <term>field in item:item:...</term> <listitem> <para>Field is contained in the list of items separated by colons.</para> </listitem> </varlistentry> <varlistentry> - <term><option>field notin item:item:...</option></term> + <term>field notin item:item:...</term> <listitem> <para>Field is not contained in the list of items separated by colons.</para> </listitem> </varlistentry> <varlistentry> - <term><option>user ingroup group[:group:....]</option></term> + <term>user ingroup group[:group:....]</term> <listitem> <para>User is in given group(s).</para> </listitem> </varlistentry> <varlistentry> - <term><option>user notingroup group[:group:....]</option></term> + <term>user notingroup group[:group:....]</term> <listitem> <para>User is not in given group(s).</para> </listitem> </varlistentry> <varlistentry> - <term><option>user innetgr netgroup</option></term> + <term>user innetgr netgroup</term> <listitem> <para>(user,host) is in given netgroup.</para> </listitem> </varlistentry> <varlistentry> - <term><option>user notinnetgr group</option></term> + <term>user notinnetgr group</term> <listitem> <para>(user,host) is not in given netgroup.</para> </listitem> @@ -224,7 +220,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_succeed_if-types"> + <refsect1 xml:id="pam_succeed_if-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -232,7 +228,7 @@ </para> </refsect1> - <refsect1 id='pam_succeed_if-return_values'> + <refsect1 xml:id="pam_succeed_if-return_values"> <title>RETURN VALUES</title> <variablelist> @@ -267,7 +263,7 @@ </refsect1> - <refsect1 id='pam_succeed_if-examples'> + <refsect1 xml:id="pam_succeed_if-examples"> <title>EXAMPLES</title> <para> To emulate the behaviour of <emphasis>pam_wheel</emphasis>, except @@ -288,20 +284,20 @@ type required othermodule.so arguments... </programlisting> </refsect1> - <refsect1 id='pam_succeed_if-see_also'> + <refsect1 xml:id="pam_succeed_if-see_also"> <title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_succeed_if-author'> + <refsect1 xml:id="pam_succeed_if-author"> <title>AUTHOR</title> <para>Nalin Dahyabhai <nalin@redhat.com></para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 7103ae30..5bf79c45 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -294,13 +294,6 @@ evaluate(pam_handle_t *pamh, int debug, { char buf[LINE_MAX] = ""; const char *attribute = left; - /* Figure out what we're evaluating here, and convert it to a string.*/ - if ((strcasecmp(left, "login") == 0) || - (strcasecmp(left, "name") == 0) || - (strcasecmp(left, "user") == 0)) { - snprintf(buf, sizeof(buf), "%s", user); - left = buf; - } /* Get information about the user if needed. */ if ((*pwd == NULL) && ((strcasecmp(left, "uid") == 0) || @@ -314,33 +307,34 @@ evaluate(pam_handle_t *pamh, int debug, return PAM_USER_UNKNOWN; } } - if (strcasecmp(left, "uid") == 0) { + /* Figure out what we're evaluating here, and convert it to a string.*/ + if ((strcasecmp(left, "login") == 0) || + (strcasecmp(left, "name") == 0) || + (strcasecmp(left, "user") == 0)) { + snprintf(buf, sizeof(buf), "%s", user); + left = buf; + } else if (strcasecmp(left, "uid") == 0) { snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_uid); left = buf; - } - if (strcasecmp(left, "gid") == 0) { + } else if (strcasecmp(left, "gid") == 0) { snprintf(buf, sizeof(buf), "%lu", (unsigned long) (*pwd)->pw_gid); left = buf; - } - if (strcasecmp(left, "shell") == 0) { + } else if (strcasecmp(left, "shell") == 0) { snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_shell); left = buf; - } - if ((strcasecmp(left, "home") == 0) || + } else if ((strcasecmp(left, "home") == 0) || (strcasecmp(left, "dir") == 0) || (strcasecmp(left, "homedir") == 0)) { snprintf(buf, sizeof(buf), "%s", (*pwd)->pw_dir); left = buf; - } - if (strcasecmp(left, "service") == 0) { + } else if (strcasecmp(left, "service") == 0) { const void *svc; if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || svc == NULL) svc = ""; snprintf(buf, sizeof(buf), "%s", (const char *)svc); left = buf; - } - if (strcasecmp(left, "ruser") == 0) { + } else if (strcasecmp(left, "ruser") == 0) { const void *ruser; if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS || ruser == NULL) @@ -348,16 +342,14 @@ evaluate(pam_handle_t *pamh, int debug, snprintf(buf, sizeof(buf), "%s", (const char *)ruser); left = buf; user = buf; - } - if (strcasecmp(left, "rhost") == 0) { + } else if (strcasecmp(left, "rhost") == 0) { const void *rhost; if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS || rhost == NULL) rhost = ""; snprintf(buf, sizeof(buf), "%s", (const char *)rhost); left = buf; - } - if (strcasecmp(left, "tty") == 0) { + } else if (strcasecmp(left, "tty") == 0) { const void *tty; if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS || tty == NULL) diff --git a/modules/pam_time/Makefile.am b/modules/pam_time/Makefile.am index 833d51a6..a71e6781 100644 --- a/modules/pam_time/Makefile.am +++ b/modules/pam_time/Makefile.am @@ -12,13 +12,17 @@ dist_man_MANS = time.conf.5 pam_time.8 endif XMLS = README.xml time.conf.5.xml pam_time.8.xml dist_check_SCRIPTS = tst-pam_time -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -28,6 +32,9 @@ pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la dist_secureconf_DATA = time.conf +check_PROGRAMS = tst-pam_time-retval +tst_pam_time_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_time/Makefile.in b/modules/pam_time/Makefile.in index 08d02d62..a1f0467c 100644 --- a/modules/pam_time/Makefile.in +++ b/modules/pam_time/Makefile.in @@ -94,6 +94,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +check_PROGRAMS = tst-pam_time-retval$(EXEEXT) subdir = modules/pam_time ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -157,6 +158,9 @@ AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +tst_pam_time_retval_SOURCES = tst-pam_time-retval.c +tst_pam_time_retval_OBJECTS = tst-pam_time-retval.$(OBJEXT) +tst_pam_time_retval_DEPENDENCIES = $(top_builddir)/libpam/libpam.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -172,7 +176,8 @@ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/pam_time.Plo +am__depfiles_remade = ./$(DEPDIR)/pam_time.Plo \ + ./$(DEPDIR)/tst-pam_time-retval.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -192,8 +197,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = pam_time.c -DIST_SOURCES = pam_time.c +SOURCES = pam_time.c tst-pam_time-retval.c +DIST_SOURCES = pam_time.c tst-pam_time-retval.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -431,6 +436,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +449,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -479,12 +487,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +517,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -517,12 +528,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -594,16 +609,18 @@ EXTRA_DIST = $(XMLS) @HAVE_DOC_TRUE@dist_man_MANS = time.conf.5 pam_time.8 XMLS = README.xml time.conf.5.xml pam_time.8.xml dist_check_SCRIPTS = tst-pam_time -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_TIME_CONF=\"$(SCONFIGDIR)/time.conf\" $(WARN_CFLAGS) + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1) pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la dist_secureconf_DATA = time.conf +tst_pam_time_retval_LDADD = $(top_builddir)/libpam/libpam.la @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am @@ -639,6 +656,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ @@ -677,6 +703,10 @@ clean-securelibLTLIBRARIES: pam_time.la: $(pam_time_la_OBJECTS) $(pam_time_la_DEPENDENCIES) $(EXTRA_pam_time_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(securelibdir) $(pam_time_la_OBJECTS) $(pam_time_la_LIBADD) $(LIBS) +tst-pam_time-retval$(EXEEXT): $(tst_pam_time_retval_OBJECTS) $(tst_pam_time_retval_DEPENDENCIES) $(EXTRA_tst_pam_time_retval_DEPENDENCIES) + @rm -f tst-pam_time-retval$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tst_pam_time_retval_OBJECTS) $(tst_pam_time_retval_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -684,6 +714,7 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_time.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tst-pam_time-retval.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -997,7 +1028,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: $(dist_check_SCRIPTS) +check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -1007,7 +1038,7 @@ check-TESTS: $(dist_check_SCRIPTS) log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all $(dist_check_SCRIPTS) +recheck: all $(check_PROGRAMS) $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -1025,6 +1056,13 @@ tst-pam_time.log: tst-pam_time --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tst-pam_time-retval.log: tst-pam_time-retval$(EXEEXT) + @p='tst-pam_time-retval$(EXEEXT)'; \ + b='tst-pam_time-retval'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \ $(am__set_b); \ @@ -1074,7 +1112,8 @@ distdir-am: $(DISTFILES) fi; \ done check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ + $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) @@ -1119,11 +1158,12 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am -clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \ - mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -f ./$(DEPDIR)/pam_time.Plo + -rm -f ./$(DEPDIR)/tst-pam_time-retval.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1171,6 +1211,7 @@ installcheck-am: maintainer-clean: maintainer-clean-am -rm -f ./$(DEPDIR)/pam_time.Plo + -rm -f ./$(DEPDIR)/tst-pam_time-retval.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1195,7 +1236,7 @@ uninstall-man: uninstall-man5 uninstall-man8 .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ - check-am clean clean-generic clean-libtool \ + check-am clean clean-checkPROGRAMS clean-generic clean-libtool \ clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ diff --git a/modules/pam_time/README b/modules/pam_time/README index 9b20847c..2fa4c164 100644 --- a/modules/pam_time/README +++ b/modules/pam_time/README @@ -14,6 +14,9 @@ from which they are making their request. By default rules for time/port access are taken from config file /etc/security/ time.conf. An alternative file can be specified with the conffile option. +If there is no explicitly specified configuration file and /etc/security/ +time.conf does not exist, %vendordir%/security/time.conf is used. + If Linux PAM is compiled with audit support the module will report when it denies access. diff --git a/modules/pam_time/README.xml b/modules/pam_time/README.xml index 6c11eec1..8a2faa0b 100644 --- a/modules/pam_time/README.xml +++ b/modules/pam_time/README.xml @@ -1,34 +1,19 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamtime SYSTEM "pam_time.8.xml"> ---> -<!-- -<!ENTITY timeconf SYSTEM "time.conf.5.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_time-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_time.8.xml" xpointer='xpointer(id("pam_time-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_time.8.xml" xpointer='xpointer(id("pam_time-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="time.conf.5.xml" xpointer='xpointer(id("time.conf-examples")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 index 28d84d75..13a53ef3 100644 --- a/modules/pam_time/pam_time.8 +++ b/modules/pam_time/pam_time.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_time .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIME" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_TIME" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -44,18 +44,18 @@ option\&. If Linux PAM is compiled with audit support the module will report when it denies access\&. .SH "OPTIONS" .PP -\fBconffile=/path/to/time\&.conf\fR +conffile=/path/to/time\&.conf .RS 4 Indicate an alternative time\&.conf style configuration file to override the default\&. .RE .PP -\fBdebug\fR +debug .RS 4 Some debug information is printed with \fBsyslog\fR(3)\&. .RE .PP -\fBnoaudit\fR +noaudit .RS 4 Do not report logins at disallowed time to the audit subsystem\&. .RE @@ -116,7 +116,7 @@ login account required pam_time\&.so .PP \fBtime.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8)\&. +\fBpam\fR(7)\&. .SH "AUTHOR" .PP pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml index 4708220c..748bcd1e 100644 --- a/modules/pam_time/pam_time.8.xml +++ b/modules/pam_time/pam_time.8.xml @@ -1,16 +1,13 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_time'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_time"> <refmeta> <refentrytitle>pam_time</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_time-name'> + <refnamediv xml:id="pam_time-name"> <refname>pam_time</refname> <refpurpose> PAM module for time control access @@ -20,22 +17,22 @@ <!-- body begins here --> <refsynopsisdiv> - <cmdsynopsis id="pam_time-cmdsynopsis"> + <cmdsynopsis xml:id="pam_time-cmdsynopsis" sepchar=" "> <command>pam_time.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> conffile=conf-file </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> noaudit </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_time-description"> + <refsect1 xml:id="pam_time-description"> <title>DESCRIPTION</title> <para> The pam_time PAM module does not authenticate the user, but instead @@ -51,19 +48,24 @@ <filename>/etc/security/time.conf</filename>. An alternative file can be specified with the <emphasis>conffile</emphasis> option. </para> + <para condition="with_vendordir"> + If there is no explicitly specified configuration file and + <filename>/etc/security/time.conf</filename> does not exist, + <filename>%vendordir%/security/time.conf</filename> is used. + </para> <para> If Linux PAM is compiled with audit support the module will report when it denies access. </para> </refsect1> - <refsect1 id="pam_time-options"> + <refsect1 xml:id="pam_time-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>conffile=/path/to/time.conf</option> + conffile=/path/to/time.conf </term> <listitem> <para> @@ -74,7 +76,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -86,7 +88,7 @@ <varlistentry> <term> - <option>noaudit</option> + noaudit </term> <listitem> <para> @@ -98,14 +100,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_time-types"> + <refsect1 xml:id="pam_time-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>account</option> type is provided. </para> </refsect1> - <refsect1 id="pam_time-return_values"> + <refsect1 xml:id="pam_time-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -151,11 +153,11 @@ </variablelist> </refsect1> - <refsect1 id="pam_time-files"> + <refsect1 xml:id="pam_time-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/etc/security/time.conf</filename></term> + <term>/etc/security/time.conf</term> <listitem> <para>Default configuration file</para> </listitem> @@ -163,7 +165,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_time-examples'> + <refsect1 xml:id="pam_time-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -174,7 +176,7 @@ login account required pam_time.so </programlisting> </refsect1> - <refsect1 id="pam_time-see_also"> + <refsect1 xml:id="pam_time-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -184,15 +186,15 @@ login account required pam_time.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry>. </para> </refsect1> - <refsect1 id="pam_time-authors"> + <refsect1 xml:id="pam_time-authors"> <title>AUTHOR</title> <para> pam_time was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index 089ae22d..6b7adefc 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -33,6 +33,11 @@ #include <libaudit.h> #endif +#define PAM_TIME_CONF (SCONFIGDIR "/time.conf") +#ifdef VENDOR_SCONFIGDIR +#define VENDOR_PAM_TIME_CONF (VENDOR_SCONFIGDIR "/time.conf") +#endif + #define PAM_TIME_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ @@ -53,7 +58,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char ** { int ctrl = 0; - *conffile = PAM_TIME_CONF; + *conffile = NULL; /* step through arguments */ for (; argc-- > 0; ++argv) { const char *str; @@ -77,6 +82,20 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char ** } } + if (*conffile == NULL) { + *conffile = PAM_TIME_CONF; +#ifdef VENDOR_PAM_TIME_CONF + /* + * Check whether PAM_TIME_CONF file is available. + * If it does not exist, fall back to VENDOR_PAM_TIME_CONF file. + */ + struct stat buffer; + if (stat(*conffile, &buffer) != 0 && errno == ENOENT) { + *conffile = VENDOR_PAM_TIME_CONF; + } +#endif + } + return ctrl; } @@ -88,7 +107,7 @@ shift_buf(char *mem, int from) char *start = mem; while ((*mem = mem[from]) != '\0') ++mem; - memset(mem, '\0', PAM_TIME_BUFLEN - (mem - start)); + pam_overwrite_n(mem, PAM_TIME_BUFLEN - (mem - start)); return mem; } @@ -149,7 +168,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, if (i < 0) { pam_syslog(pamh, LOG_ERR, "error reading %s: %m", file); close(fd); - memset(*buf, 0, PAM_TIME_BUFLEN); + pam_overwrite_n(*buf, PAM_TIME_BUFLEN); _pam_drop(*buf); *state = STATE_EOF; return -1; @@ -168,7 +187,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state, return -1; } - memset(to, '\0', PAM_TIME_BUFLEN - (to - *buf)); + pam_overwrite_n(to, PAM_TIME_BUFLEN - (to - *buf)); to = *buf; onspace = 1; /* delete any leading spaces */ diff --git a/modules/pam_time/time.conf.5 b/modules/pam_time/time.conf.5 index 2dda8bee..90649773 100644 --- a/modules/pam_time/time.conf.5 +++ b/modules/pam_time/time.conf.5 @@ -1,13 +1,13 @@ '\" t .\" Title: time.conf .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "TIME\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "TIME\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -109,7 +109,7 @@ games ; * ; !waster ; Wd0000\-2400 | Wk1800\-0800 .PP \fBpam_time\fR(8), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_time was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_time/time.conf.5.xml b/modules/pam_time/time.conf.5.xml index acbe2329..30c9a921 100644 --- a/modules/pam_time/time.conf.5.xml +++ b/modules/pam_time/time.conf.5.xml @@ -1,13 +1,10 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="time.conf"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="time.conf"> <refmeta> <refentrytitle>time.conf</refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> <refnamediv> @@ -15,7 +12,7 @@ <refpurpose>configuration file for the pam_time module</refpurpose> </refnamediv> - <refsect1 id='time.conf-description'> + <refsect1 xml:id="time.conf-description"> <title>DESCRIPTION</title> <para> @@ -43,9 +40,9 @@ </para> <para> In words, each rule occupies a line, terminated with a newline - or the beginning of a comment; a '<emphasis remap='B'>#</emphasis>'. + or the beginning of a comment; a '<emphasis remap="B">#</emphasis>'. It contains four fields separated with semicolons, - '<emphasis remap='B'>;</emphasis>'. + '<emphasis remap="B">;</emphasis>'. </para> <para> @@ -107,7 +104,7 @@ </para> </refsect1> - <refsect1 id="time.conf-examples"> + <refsect1 xml:id="time.conf-examples"> <title>EXAMPLES</title> <para> These are some example lines which might be specified in @@ -131,19 +128,19 @@ games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 </para> </refsect1> - <refsect1 id="time.conf-see_also"> + <refsect1 xml:id="time.conf-see_also"> <title>SEE ALSO</title> <para> <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> - <refsect1 id="time.conf-author"> + <refsect1 xml:id="time.conf-author"> <title>AUTHOR</title> <para> pam_time was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_time/tst-pam_time-retval.c b/modules/pam_time/tst-pam_time-retval.c new file mode 100644 index 00000000..281ac80d --- /dev/null +++ b/modules/pam_time/tst-pam_time-retval.c @@ -0,0 +1,107 @@ +/* + * Check pam_time return values. + * + * Copyright (c) 2020-2022 Dmitry V. Levin <ldv@altlinux.org> + * Copyright (c) 2022 Stefan Schubert <schubi@suse.de> + */ + +#include "test_assert.h" + +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <security/pam_appl.h> + +#define MODULE_NAME "pam_time" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char config_file[] = TEST_NAME ".conf"; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n" + "account required %s/.libs/%s.so\n" + "password required %s/.libs/%s.so\n" + "session required %s/.libs/%s.so\n", + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME, + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_NE(NULL, fp = fopen(config_file, "w")); + ASSERT_LT(0, fprintf(fp, "# only root can access %s\n" + "%s ; * ; !root ; !Al0000-2400\n", + service_file, service_file)); + ASSERT_EQ(0, fclose(fp)); + + /* conffile= specifies an existing file */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, + fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so conffile=%s\n" + "account required %s/.libs/%s.so conffile=%s\n" + "password required %s/.libs/%s.so conffile=%s\n" + "session required %s/.libs/%s.so conffile=%s\n", + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file, + cwd, MODULE_NAME, config_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "noone", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* cleanup */ + ASSERT_EQ(0, unlink(config_file)); + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am index d290b85f..27d61237 100644 --- a/modules/pam_timestamp/Makefile.am +++ b/modules/pam_timestamp/Makefile.am @@ -16,15 +16,19 @@ dist_check_SCRIPTS = tst-pam_timestamp TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(LOGIND_CFLAGS) $(WARN_CFLAGS) pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS) -pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) if HAVE_VERSIONING pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -42,17 +46,14 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ -if COND_USE_OPENSSL -hmacfile_SOURCES = hmac_openssl_wrapper.c -else +if !COND_USE_OPENSSL hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c -endif hmacfile_LDADD = $(top_builddir)/libpam/libpam.la - check_PROGRAMS = hmacfile +endif if ENABLE_REGENERATE_MAN dist_noinst_DATA = README diff --git a/modules/pam_timestamp/Makefile.in b/modules/pam_timestamp/Makefile.in index 440020b5..feffca8e 100644 --- a/modules/pam_timestamp/Makefile.in +++ b/modules/pam_timestamp/Makefile.in @@ -100,7 +100,7 @@ host_triplet = @host@ sbin_PROGRAMS = pam_timestamp_check$(EXEEXT) @COND_USE_OPENSSL_TRUE@am__append_2 = hmac_openssl_wrapper.c @COND_USE_OPENSSL_FALSE@am__append_3 = hmacsha1.c sha1.c -check_PROGRAMS = hmacfile$(EXEEXT) +@COND_USE_OPENSSL_FALSE@check_PROGRAMS = hmacfile$(EXEEXT) subdir = modules/pam_timestamp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -158,7 +158,9 @@ am__uninstall_files_from_dir = { \ $(am__cd) "$$dir" && rm -f $$files; }; \ } LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) am__pam_timestamp_la_SOURCES_DIST = pam_timestamp.c \ hmac_openssl_wrapper.c hmacsha1.c sha1.c @COND_USE_OPENSSL_TRUE@am__objects_1 = pam_timestamp_la-hmac_openssl_wrapper.lo @@ -175,18 +177,17 @@ pam_timestamp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pam_timestamp_la_CFLAGS) $(CFLAGS) \ $(pam_timestamp_la_LDFLAGS) $(LDFLAGS) -o $@ -am__hmacfile_SOURCES_DIST = hmacfile.c hmacsha1.c sha1.c \ - hmac_openssl_wrapper.c +am__hmacfile_SOURCES_DIST = hmacfile.c hmacsha1.c sha1.c @COND_USE_OPENSSL_FALSE@am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) \ @COND_USE_OPENSSL_FALSE@ hmacsha1.$(OBJEXT) sha1.$(OBJEXT) -@COND_USE_OPENSSL_TRUE@am_hmacfile_OBJECTS = \ -@COND_USE_OPENSSL_TRUE@ hmac_openssl_wrapper.$(OBJEXT) hmacfile_OBJECTS = $(am_hmacfile_OBJECTS) -hmacfile_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +@COND_USE_OPENSSL_FALSE@hmacfile_DEPENDENCIES = \ +@COND_USE_OPENSSL_FALSE@ $(top_builddir)/libpam/libpam.la am_pam_timestamp_check_OBJECTS = \ pam_timestamp_check-pam_timestamp_check.$(OBJEXT) pam_timestamp_check_OBJECTS = $(am_pam_timestamp_check_OBJECTS) -pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_timestamp_check_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pam_timestamp_check_CFLAGS) $(CFLAGS) \ @@ -206,8 +207,7 @@ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/hmac_openssl_wrapper.Po \ - ./$(DEPDIR)/hmacfile.Po ./$(DEPDIR)/hmacsha1.Po \ +am__depfiles_remade = ./$(DEPDIR)/hmacfile.Po ./$(DEPDIR)/hmacsha1.Po \ ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po \ ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo \ ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo \ @@ -473,6 +473,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -485,11 +486,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -521,12 +524,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -549,6 +554,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -559,12 +565,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -638,25 +648,25 @@ XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml dist_check_SCRIPTS = tst-pam_timestamp TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(LOGIND_CFLAGS) $(WARN_CFLAGS) pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module \ $(AM_LDFLAGS) $(CRYPTO_LIBS) $(am__append_1) -pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) securelib_LTLIBRARIES = pam_timestamp.la pam_timestamp_la_SOURCES = pam_timestamp.c $(am__append_2) \ $(am__append_3) pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ @COND_USE_OPENSSL_FALSE@hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c -@COND_USE_OPENSSL_TRUE@hmacfile_SOURCES = hmac_openssl_wrapper.c -hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +@COND_USE_OPENSSL_FALSE@hmacfile_LDADD = $(top_builddir)/libpam/libpam.la @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am @@ -802,7 +812,6 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_openssl_wrapper.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@ # am--include-marker @@ -1236,8 +1245,7 @@ clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -f ./$(DEPDIR)/hmac_openssl_wrapper.Po - -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacfile.Po -rm -f ./$(DEPDIR)/hmacsha1.Po -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo @@ -1290,8 +1298,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -f ./$(DEPDIR)/hmac_openssl_wrapper.Po - -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacfile.Po -rm -f ./$(DEPDIR)/hmacsha1.Po -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo diff --git a/modules/pam_timestamp/README.xml b/modules/pam_timestamp/README.xml index 5b72deb1..fe01080b 100644 --- a/modules/pam_timestamp/README.xml +++ b/modules/pam_timestamp/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_timestamp.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_timestamp-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-notes"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-notes")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c index 926c2fb9..2549c1db 100644 --- a/modules/pam_timestamp/hmac_openssl_wrapper.c +++ b/modules/pam_timestamp/hmac_openssl_wrapper.c @@ -54,6 +54,7 @@ #include <security/pam_modutil.h> #include "hmac_openssl_wrapper.h" +#include "pam_inline.h" #define LOGIN_DEFS "/etc/login.defs" #define CRYPTO_KEY "HMAC_CRYPTO_ALGO" @@ -144,7 +145,7 @@ read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length) if (bytes_read < (size_t)st.st_size) { pam_syslog(pamh, LOG_ERR, "Short read on key file"); - memset(tmp, 0, st.st_size); + pam_overwrite_n(tmp, st.st_size); free(tmp); return PAM_AUTH_ERR; } @@ -167,14 +168,14 @@ write_file(pam_handle_t *pamh, const char *file_name, char *text, S_IRUSR | S_IWUSR); if (fd == -1) { pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name); - memset(text, 0, text_length); + pam_overwrite_n(text, text_length); free(text); return PAM_AUTH_ERR; } if (fchown(fd, owner, group) == -1) { pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name); - memset(text, 0, text_length); + pam_overwrite_n(text, text_length); free(text); close(fd); return PAM_AUTH_ERR; @@ -294,7 +295,7 @@ done: free(hmac_message); } if (key != NULL) { - memset(key, 0, key_length); + pam_overwrite_n(key, key_length); free(key); } if (ctx != NULL) { diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c index 45a3cac2..384ccde8 100644 --- a/modules/pam_timestamp/hmacsha1.c +++ b/modules/pam_timestamp/hmacsha1.c @@ -48,6 +48,7 @@ #include <unistd.h> #include <syslog.h> #include <security/pam_ext.h> +#include "pam_inline.h" #include "hmacsha1.h" #include "sha1.h" @@ -107,7 +108,7 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, /* If we didn't get enough, stop here. */ if (count < key_size) { pam_syslog(pamh, LOG_ERR, "Short read on random device"); - memset(key, 0, key_size); + pam_overwrite_n(key, key_size); free(key); close(keyfd); return; @@ -122,7 +123,7 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, } count += i; } - memset(key, 0, key_size); + pam_overwrite_n(key, key_size); free(key); close(keyfd); } @@ -180,7 +181,7 @@ hmac_key_read(pam_handle_t *pamh, const char *filename, size_t default_key_size, /* Require that we got the expected amount of data. */ if (count < st.st_size) { - memset(tmp, 0, st.st_size); + pam_overwrite_n(tmp, st.st_size); free(tmp); return; } @@ -204,7 +205,7 @@ hmac_sha1_generate(void **mac, size_t *mac_length, const void *raw_key, size_t raw_key_size, const void *text, size_t text_length) { - unsigned char key[MAXIMUM_KEY_SIZE], tmp_key[MAXIMUM_KEY_SIZE]; + unsigned char key[MAXIMUM_KEY_SIZE] = {}, tmp_key[MAXIMUM_KEY_SIZE]; size_t maximum_key_size = SHA1_BLOCK_SIZE, minimum_key_size = SHA1_OUTPUT_SIZE; const unsigned char ipad = 0x36, opad = 0x5c; @@ -223,7 +224,6 @@ hmac_sha1_generate(void **mac, size_t *mac_length, /* If the key is too long, "compress" it, else copy it and pad it * out with zero bytes. */ - memset(key, 0, sizeof(key)); if (raw_key_size > maximum_key_size) { sha1_init(&sha1); sha1_update(&sha1, raw_key, raw_key_size); @@ -251,8 +251,8 @@ hmac_sha1_generate(void **mac, size_t *mac_length, sha1_output(&sha1, outer); /* We don't need any of the keys any more. */ - memset(key, 0, sizeof(key)); - memset(tmp_key, 0, sizeof(tmp_key)); + pam_overwrite_array(key); + pam_overwrite_array(tmp_key); /* Allocate space to store the output. */ *mac_length = sizeof(outer); @@ -284,7 +284,7 @@ hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, hmac_sha1_generate(mac, mac_length, key, key_length, text, text_length); - memset(key, 0, key_length); + pam_overwrite_n(key, key_length); free(key); } diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8 index cd8195dc..347724b3 100644 --- a/modules/pam_timestamp/pam_timestamp.8 +++ b/modules/pam_timestamp/pam_timestamp.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_timestamp .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIMESTAMP" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIMESTAMP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -45,33 +45,28 @@ When an application opens a session using directory for the user\&. When an application attempts to authenticate the user, a \fIpam_timestamp\fR will treat a sufficiently recent timestamp file as grounds for succeeding\&. -.PP -The default encryption hash is taken from the -\fBHMAC_CRYPTO_ALGO\fR -variable from -\fI/etc/login\&.defs\fR\&. .SH "OPTIONS" .PP -\fBtimestampdir=\fR\fB\fIdirectory\fR\fR +timestampdir=directory .RS 4 Specify an alternate directory where \fIpam_timestamp\fR creates timestamp files\&. .RE .PP -\fBtimestamp_timeout=\fR\fB\fInumber\fR\fR +timestamp_timeout=number .RS 4 How long should \fIpam_timestamp\fR treat timestamp as valid after their last modification date (in seconds)\&. Default is 300 seconds\&. .RE .PP -\fBverbose\fR +verbose .RS 4 Attempt to inform the user when access is granted\&. .RE .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to \fBsyslog\fR(3)\&. @@ -129,7 +124,7 @@ timestamp files and directories \fBpam_timestamp_check\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_timestamp was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index 83e5aea8..e6b2df70 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -1,39 +1,36 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_timestamp"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_timestamp"> <refmeta> <refentrytitle>pam_timestamp</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_timestamp-name"> + <refnamediv xml:id="pam_timestamp-name"> <refname>pam_timestamp</refname> <refpurpose>Authenticate using cached successful authentication attempts</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_timestamp-cmdsynopsis"> + <cmdsynopsis xml:id="pam_timestamp-cmdsynopsis" sepchar=" "> <command>pam_timestamp.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> timestampdir=<replaceable>directory</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> timestamp_timeout=<replaceable>number</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> verbose </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_timestamp-description"> + <refsect1 xml:id="pam_timestamp-description"> <title>DESCRIPTION</title> @@ -52,18 +49,18 @@ file as grounds for succeeding. </para> <para condition="openssl_hmac"> The default encryption hash is taken from the - <emphasis remap='B'>HMAC_CRYPTO_ALGO</emphasis> variable from + <emphasis remap="B">HMAC_CRYPTO_ALGO</emphasis> variable from <emphasis>/etc/login.defs</emphasis>. </para> </refsect1> - <refsect1 id="pam_timestamp-options"> + <refsect1 xml:id="pam_timestamp-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>timestampdir=<replaceable>directory</replaceable></option> + timestampdir=directory </term> <listitem> <para> @@ -74,7 +71,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>timestamp_timeout=<replaceable>number</replaceable></option> + timestamp_timeout=number </term> <listitem> <para> @@ -86,7 +83,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>verbose</option> + verbose </term> <listitem> <para> @@ -96,7 +93,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -109,7 +106,7 @@ file as grounds for succeeding. </variablelist> </refsect1> - <refsect1 id="pam_timestamp-types"> + <refsect1 xml:id="pam_timestamp-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>session</option> @@ -117,7 +114,7 @@ file as grounds for succeeding. </para> </refsect1> - <refsect1 id='pam_timestamp-return_values'> + <refsect1 xml:id="pam_timestamp-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -148,7 +145,7 @@ file as grounds for succeeding. </variablelist> </refsect1> - <refsect1 id='pam_timestamp-notes'> + <refsect1 xml:id="pam_timestamp-notes"> <title>NOTES</title> <para> Users can get confused when they are not always asked for passwords when @@ -157,7 +154,7 @@ noticing that it is not being asked for. </para> </refsect1> - <refsect1 id='pam_timestamp-examples'> + <refsect1 xml:id="pam_timestamp-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_timestamp.so verbose @@ -168,11 +165,11 @@ session optional pam_timestamp.so </programlisting> </refsect1> - <refsect1 id="pam_timestamp-files"> + <refsect1 xml:id="pam_timestamp-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/pam_timestamp/...</filename></term> + <term>/var/run/pam_timestamp/...</term> <listitem> <para>timestamp files and directories</para> </listitem> @@ -180,7 +177,7 @@ session optional pam_timestamp.so </variablelist> </refsect1> - <refsect1 id='pam_timestamp-see_also'> + <refsect1 xml:id="pam_timestamp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -193,16 +190,16 @@ session optional pam_timestamp.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_timestamp-author'> + <refsect1 xml:id="pam_timestamp-author"> <title>AUTHOR</title> <para> pam_timestamp was written by Nalin Dahyabhai. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index 01dd1385..c5fa6dfc 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -53,7 +53,6 @@ #include <time.h> #include <sys/time.h> #include <unistd.h> -#include <utmp.h> #include <syslog.h> #include <paths.h> #ifdef WITH_OPENSSL @@ -62,6 +61,12 @@ #include "hmacsha1.h" #endif /* WITH_OPENSSL */ +#ifdef USE_LOGIND +#include <systemd/sd-login.h> +#else +#include <utmp.h> +#endif + #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> @@ -90,7 +95,7 @@ static int check_dir_perms(pam_handle_t *pamh, const char *tdir) { - char scratch[BUFLEN]; + char scratch[BUFLEN] = {}; struct stat st; int i; /* Check that the directory is "safe". */ @@ -98,7 +103,6 @@ check_dir_perms(pam_handle_t *pamh, const char *tdir) return PAM_AUTH_ERR; } /* Iterate over the path, checking intermediate directories. */ - memset(scratch, 0, sizeof(scratch)); for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) { scratch[i] = tdir[i]; if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) { @@ -200,10 +204,26 @@ timestamp_good(time_t then, time_t now, time_t interval) } static int -check_login_time(const char *ruser, time_t timestamp) +check_login_time( +#ifdef USE_LOGIND + uid_t uid, +#else + const char *ruser, +#endif + time_t timestamp) { - struct utmp utbuf, *ut; time_t oldest_login = 0; +#ifdef USE_LOGIND +#define USEC_PER_SEC ((uint64_t) 1000000ULL) + uint64_t usec = 0; + + if (sd_uid_get_login_time(uid, &usec) < 0) { + return PAM_SERVICE_ERR; + } + + oldest_login = usec/USEC_PER_SEC; +#else + struct utmp utbuf, *ut; setutent(); while( @@ -224,6 +244,7 @@ check_login_time(const char *ruser, time_t timestamp) } } endutent(); +#endif if(oldest_login == 0 || timestamp < oldest_login) { return PAM_AUTH_ERR; } @@ -532,7 +553,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) close(fd); return PAM_AUTH_ERR; } +#ifdef USE_LOGIND + struct passwd *pwd = pam_modutil_getpwnam(pamh, ruser); + if (pwd != NULL) { + return PAM_SERVICE_ERR; + } + if (check_login_time(pwd->pw_uid, then) != PAM_SUCCESS) +#else if (check_login_time(ruser, then) != PAM_SUCCESS) +#endif { pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " "older than oldest login, disallowing " @@ -728,6 +757,9 @@ main(int argc, char **argv) fd_set write_fds; char path[BUFLEN]; struct stat st; +#ifdef USE_LOGIND + uid_t uid; +#endif /* Check that there's nothing funny going on with stdio. */ if ((fstat(STDIN_FILENO, &st) == -1) || @@ -783,6 +815,9 @@ main(int argc, char **argv) if (pwd == NULL) { retval = 4; } +#ifdef USE_LOGIND + uid = pwd->pw_uid; +#endif /* Get the name of the target user. */ user = strdup(pwd->pw_name); @@ -833,7 +868,11 @@ main(int argc, char **argv) /* Check the timestamp. */ if (lstat(path, &st) != -1) { /* Check oldest login against timestamp */ +#ifdef USE_LOGIND + if (check_login_time(uid, st.st_mtime) != PAM_SUCCESS) { +#else if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) { +#endif retval = 7; } else if (timestamp_good(st.st_mtime, time(NULL), DEFAULT_TIMESTAMP_TIMEOUT) != PAM_SUCCESS) { diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8 index a0373757..f19a2252 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8 +++ b/modules/pam_timestamp/pam_timestamp_check.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_timestamp_check .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIMESTAMP_CHECK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIMESTAMP_CHECK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -39,19 +39,19 @@ With no arguments will check to see if the default timestamp is valid, or optionally remove it\&. .SH "OPTIONS" .PP -\fB\-k\fR +\-k .RS 4 Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\*(Aqs \fI\-k\fR option\&. .RE .PP -\fB\-d\fR +\-d .RS 4 Instead of returning validity using an exit status, loop indefinitely, polling regularly and printing the status on standard output\&. .RE .PP -\fB\fItarget_user\fR\fR +target_user .RS 4 By default \fBpam_timestamp_check\fR @@ -127,7 +127,7 @@ timestamp files and directories \fBpam_timestamp_check\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_timestamp was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml index 3a65d7ef..e947f753 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8.xml +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml @@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_timestamp_check"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_timestamp_check"> <refmeta> <refentrytitle>pam_timestamp_check</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_timestamp_check-name"> + <refnamediv xml:id="pam_timestamp_check-name"> <refname>pam_timestamp_check</refname> <refpurpose>Check to see if the default timestamp is valid</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_timestamp_check-cmdsynopsis"> + <cmdsynopsis xml:id="pam_timestamp_check-cmdsynopsis" sepchar=" "> <command>pam_timestamp_check</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> -k </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> -d </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>target_user</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_timestamp_check-description"> + <refsect1 xml:id="pam_timestamp_check-description"> <title>DESCRIPTION</title> @@ -40,13 +37,13 @@ see if the default timestamp is valid, or optionally remove it. </para> </refsect1> - <refsect1 id="pam_timestamp_check-options"> + <refsect1 xml:id="pam_timestamp_check-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>-k</option> + -k </term> <listitem> <para> @@ -57,7 +54,7 @@ see if the default timestamp is valid, or optionally remove it. </varlistentry> <varlistentry> <term> - <option>-d</option> + -d </term> <listitem> <para> @@ -69,7 +66,7 @@ see if the default timestamp is valid, or optionally remove it. </varlistentry> <varlistentry> <term> - <option><replaceable>target_user</replaceable></option> + target_user </term> <listitem> <para> @@ -85,7 +82,7 @@ see if the default timestamp is valid, or optionally remove it. </variablelist> </refsect1> - <refsect1 id='pam_timestamp_check-return_values'> + <refsect1 xml:id="pam_timestamp_check-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -147,7 +144,7 @@ see if the default timestamp is valid, or optionally remove it. </variablelist> </refsect1> - <refsect1 id='pam_timestamp-notes'> + <refsect1 xml:id="pam_timestamp-notes"> <title>NOTES</title> <para> Users can get confused when they are not always asked for passwords when @@ -156,7 +153,7 @@ noticing that it is not being asked for. </para> </refsect1> - <refsect1 id='pam_timestamp-examples'> + <refsect1 xml:id="pam_timestamp-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_timestamp.so verbose @@ -167,11 +164,11 @@ session optional pam_timestamp.so </programlisting> </refsect1> - <refsect1 id="pam_timestamp-files"> + <refsect1 xml:id="pam_timestamp-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/sudo/...</filename></term> + <term>/var/run/sudo/...</term> <listitem> <para>timestamp files and directories</para> </listitem> @@ -179,7 +176,7 @@ session optional pam_timestamp.so </variablelist> </refsect1> - <refsect1 id='pam_timestamp-see_also'> + <refsect1 xml:id="pam_timestamp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -192,16 +189,16 @@ session optional pam_timestamp.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_timestamp-author'> + <refsect1 xml:id="pam_timestamp-author"> <title>AUTHOR</title> <para> pam_timestamp was written by Nalin Dahyabhai. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_tty_audit/Makefile.in b/modules/pam_tty_audit/Makefile.in index 124a811a..e3f556bf 100644 --- a/modules/pam_tty_audit/Makefile.in +++ b/modules/pam_tty_audit/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ diff --git a/modules/pam_tty_audit/README.xml b/modules/pam_tty_audit/README.xml index 4dad6bbe..95b851cb 100644 --- a/modules/pam_tty_audit/README.xml +++ b/modules/pam_tty_audit/README.xml @@ -1,41 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd"> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tty_audit-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-notes")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_tty_audit.8.xml" xpointer='xpointer(id("pam_tty_audit-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8 index 628cec46..2ba53358 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8 +++ b/modules/pam_tty_audit/pam_tty_audit.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_tty_audit .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TTY_AUDIT" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TTY_AUDIT" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_tty_audit \- Enable or disable TTY auditing for specified users The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&. .SH "OPTIONS" .PP -\fBdisable=\fR\fB\fIpatterns\fR\fR +disable=patterns .RS 4 For each user matching \fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous @@ -46,7 +46,7 @@ option matching the same user name on the command line\&. See NOTES for further \fB\fIpatterns\fR\fR\&. .RE .PP -\fBenable=\fR\fB\fIpatterns\fR\fR +enable=patterns .RS 4 For each user matching \fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous @@ -55,7 +55,7 @@ option matching the same user name on the command line\&. See NOTES for further \fB\fIpatterns\fR\fR\&. .RE .PP -\fBopen_only\fR +open_only .RS 4 Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\*(Aqt \fBfork()\fR @@ -63,7 +63,7 @@ to run the authenticated session, such as \fBsudo\fR\&. .RE .PP -\fBlog_passwd\fR +log_passwd .RS 4 Log keystrokes when ECHO mode is off but ICANON mode is active\&. This is the mode in which the tty is placed during password entry\&. By default, passwords are not logged\&. This option may not be available on older kernels (3\&.9?)\&. .RE @@ -129,7 +129,7 @@ session required pam_tty_audit\&.so disable=* enable=root \fBaureport\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&. diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 1c0ba5c4..79d8115e 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -1,33 +1,30 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_tty_audit"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_tty_audit"> <refmeta> <refentrytitle>pam_tty_audit</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_tty_audit-name"> + <refnamediv xml:id="pam_tty_audit-name"> <refname>pam_tty_audit</refname> <refpurpose>Enable or disable TTY auditing for specified users</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_tty_audit-cmdsynopsis"> + <cmdsynopsis xml:id="pam_tty_audit-cmdsynopsis" sepchar=" "> <command>pam_tty_audit.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> disable=<replaceable>patterns</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> enable=<replaceable>patterns</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_tty_audit-description"> + <refsect1 xml:id="pam_tty_audit-description"> <title>DESCRIPTION</title> <para> The pam_tty_audit PAM module is used to enable or disable TTY auditing. @@ -35,12 +32,12 @@ </para> </refsect1> - <refsect1 id="pam_tty_audit-options"> + <refsect1 xml:id="pam_tty_audit-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>disable=<replaceable>patterns</replaceable></option> + disable=patterns </term> <listitem> <para> @@ -53,7 +50,7 @@ </varlistentry> <varlistentry> <term> - <option>enable=<replaceable>patterns</replaceable></option> + enable=patterns </term> <listitem> <para> @@ -66,7 +63,7 @@ </varlistentry> <varlistentry> <term> - <option>open_only</option> + open_only </term> <listitem> <para> @@ -79,7 +76,7 @@ </varlistentry> <varlistentry> <term> - <option>log_passwd</option> + log_passwd </term> <listitem> <para> @@ -93,14 +90,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_tty_audit-types"> + <refsect1 xml:id="pam_tty_audit-types"> <title>MODULE TYPES PROVIDED</title> <para> - Only the <emphasis remap='B'>session</emphasis> type is supported. + Only the <emphasis remap="B">session</emphasis> type is supported. </para> </refsect1> - <refsect1 id='pam_tty_audit-return_values'> + <refsect1 xml:id="pam_tty_audit-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -125,7 +122,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_tty_audit-notes'> + <refsect1 xml:id="pam_tty_audit-notes"> <title>NOTES</title> <para> When TTY auditing is enabled, it is inherited by all processes started by @@ -158,7 +155,7 @@ </para> </refsect1> - <refsect1 id='pam_tty_audit-examples'> + <refsect1 xml:id="pam_tty_audit-examples"> <title>EXAMPLES</title> <para> Audit all administrative actions. @@ -168,7 +165,7 @@ session required pam_tty_audit.so disable=* enable=root </para> </refsect1> - <refsect1 id='pam_tty_audit-see_also'> + <refsect1 xml:id="pam_tty_audit-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -181,19 +178,19 @@ session required pam_tty_audit.so disable=* enable=root <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_tty_audit-author'> + <refsect1 xml:id="pam_tty_audit-author"> <title>AUTHOR</title> <para> - pam_tty_audit was written by Miloslav Trmač + pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. The log_passwd option was added by Richard Guy Briggs <rgb@redhat.com>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_umask/Makefile.am b/modules/pam_umask/Makefile.am index b8c506ef..1482a432 100644 --- a/modules/pam_umask/Makefile.am +++ b/modules/pam_umask/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_umask TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_umask/Makefile.in b/modules/pam_umask/Makefile.in index b4d72c99..08ad8c69 100644 --- a/modules/pam_umask/Makefile.in +++ b/modules/pam_umask/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_umask.8.xml dist_check_SCRIPTS = tst-pam_umask TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_umask/README.xml b/modules/pam_umask/README.xml index 9afbe543..d2b82d10 100644 --- a/modules/pam_umask/README.xml +++ b/modules/pam_umask/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_umask.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_umask-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_umask.8.xml" xpointer='xpointer(id("pam_umask-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_umask/pam_umask.8 b/modules/pam_umask/pam_umask.8 index 73a609fe..c7636e2e 100644 --- a/modules/pam_umask/pam_umask.8 +++ b/modules/pam_umask/pam_umask.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_umask .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_UMASK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_UMASK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -86,27 +86,27 @@ The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in a .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBsilent\fR +silent .RS 4 Don\*(Aqt print informative messages\&. .RE .PP -\fBusergroups\fR +usergroups .RS 4 If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. .RE .PP -\fBnousergroups\fR +nousergroups .RS 4 This is the direct opposite of the usergroups option described above, which can be useful in case pam_umask has been compiled with usergroups enabled by default and you want to disable it at runtime\&. .RE .PP -\fBumask=\fR\fB\fImask\fR\fR +umask=mask .RS 4 Sets the calling process\*(Aqs file mode creation mask (umask) to \fBmask\fR @@ -170,7 +170,7 @@ to set the user specific umask at login: .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_umask was written by Thorsten Kukuk <kukuk@thkukuk\&.de>\&. diff --git a/modules/pam_umask/pam_umask.8.xml b/modules/pam_umask/pam_umask.8.xml index 7c4a310b..acb3bc0b 100644 --- a/modules/pam_umask/pam_umask.8.xml +++ b/modules/pam_umask/pam_umask.8.xml @@ -1,42 +1,39 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_umask"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_umask"> <refmeta> <refentrytitle>pam_umask</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_umask-name"> + <refnamediv xml:id="pam_umask-name"> <refname>pam_umask</refname> <refpurpose>PAM module to set the file mode creation mask</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_umask-cmdsynopsis"> + <cmdsynopsis xml:id="pam_umask-cmdsynopsis" sepchar=" "> <command>pam_umask.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> silent </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> usergroups </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> nousergroups </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> umask=<replaceable>mask</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_umask-description"> + <refsect1 xml:id="pam_umask-description"> <title>DESCRIPTION</title> @@ -81,7 +78,7 @@ </refsect1> - <refsect1 id="pam_umask-options"> + <refsect1 xml:id="pam_umask-options"> <title>OPTIONS</title> <para> @@ -89,7 +86,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -100,7 +97,7 @@ <varlistentry> <term> - <option>silent</option> + silent </term> <listitem> <para> @@ -111,20 +108,20 @@ <varlistentry> <term> - <option>usergroups</option> + usergroups </term> <listitem> <para> If the user is not root and the username is the same as primary group name, the umask group bits are set to be the - same as owner bits (examples: 022 -> 002, 077 -> 007). + same as owner bits (examples: 022 -> 002, 077 -> 007). </para> </listitem> </varlistentry> <varlistentry> <term> - <option>nousergroups</option> + nousergroups </term> <listitem> <para> @@ -137,7 +134,7 @@ <varlistentry> <term> - <option>umask=<replaceable>mask</replaceable></option> + umask=mask </term> <listitem> <para> @@ -153,14 +150,14 @@ </para> </refsect1> - <refsect1 id="pam_umask-types"> + <refsect1 xml:id="pam_umask-types"> <title>MODULE TYPES PROVIDED</title> <para> Only the <option>session</option> type is provided. </para> </refsect1> - <refsect1 id='pam_umask-return_values'> + <refsect1 xml:id="pam_umask-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -225,7 +222,7 @@ </para> </refsect1> - <refsect1 id='pam_umask-examples'> + <refsect1 xml:id="pam_umask-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/login</filename> to @@ -236,7 +233,7 @@ </para> </refsect1> - <refsect1 id='pam_umask-see_also'> + <refsect1 xml:id="pam_umask-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -246,16 +243,16 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_umask-author'> + <refsect1 xml:id="pam_umask-author"> <title>AUTHOR</title> <para> pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index 1658735b..ddba63c5 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -5,7 +5,7 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(XMLS) CHANGELOG +EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c yppasswd_xdr.c $(XMLS) CHANGELOG if HAVE_DOC dist_man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_unix TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ @@ -39,7 +43,10 @@ noinst_PROGRAMS = bigcrypt pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ - passverify.c yppasswd_xdr.c md5_good.c md5_broken.c + passverify.c md5_good.c md5_broken.c obscure.c +if HAVE_NIS + pam_unix_la_SOURCES += yppasswd_xdr.c +endif bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) diff --git a/modules/pam_unix/Makefile.in b/modules/pam_unix/Makefile.in index 4dcfdf64..1de5b72b 100644 --- a/modules/pam_unix/Makefile.in +++ b/modules/pam_unix/Makefile.in @@ -98,6 +98,7 @@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map sbin_PROGRAMS = unix_chkpwd$(EXEEXT) unix_update$(EXEEXT) noinst_PROGRAMS = bigcrypt$(EXEEXT) +@HAVE_NIS_TRUE@am__append_2 = yppasswd_xdr.c subdir = modules/pam_unix ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -156,9 +157,13 @@ am__uninstall_files_from_dir = { \ } LTLIBRARIES = $(securelib_LTLIBRARIES) pam_unix_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__pam_unix_la_SOURCES_DIST = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ + passverify.c md5_good.c md5_broken.c yppasswd_xdr.c +@HAVE_NIS_TRUE@am__objects_1 = yppasswd_xdr.lo am_pam_unix_la_OBJECTS = bigcrypt.lo pam_unix_acct.lo pam_unix_auth.lo \ pam_unix_passwd.lo pam_unix_sess.lo support.lo passverify.lo \ - yppasswd_xdr.lo md5_good.lo md5_broken.lo + md5_good.lo md5_broken.lo $(am__objects_1) pam_unix_la_OBJECTS = $(am_pam_unix_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -247,7 +252,7 @@ am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \ $(unix_chkpwd_SOURCES) $(unix_update_SOURCES) -DIST_SOURCES = $(pam_unix_la_SOURCES) $(bigcrypt_SOURCES) \ +DIST_SOURCES = $(am__pam_unix_la_SOURCES_DIST) $(bigcrypt_SOURCES) \ $(unix_chkpwd_SOURCES) $(unix_update_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ @@ -486,6 +491,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -498,11 +504,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -534,12 +542,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -562,6 +572,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -572,12 +583,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -645,13 +660,14 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c $(XMLS) CHANGELOG +EXTRA_DIST = md5.c md5_crypt.c lckpwdf.-c yppasswd_xdr.c $(XMLS) CHANGELOG @HAVE_DOC_TRUE@dist_man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 XMLS = README.xml pam_unix.8.xml unix_chkpwd.8.xml unix_update.8.xml dist_check_SCRIPTS = tst-pam_unix TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ -DUPDATE_HELPER=\"$(sbindir)/unix_update\" \ @@ -664,10 +680,9 @@ pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ securelib_LTLIBRARIES = pam_unix.la noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h -pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ - pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ - passverify.c yppasswd_xdr.c md5_good.c md5_broken.c - +pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c pam_unix_auth.c \ + pam_unix_passwd.c pam_unix_sess.c support.c passverify.c \ + md5_good.c md5_broken.c $(am__append_2) bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) bigcrypt_LDADD = @LIBCRYPT@ diff --git a/modules/pam_unix/README b/modules/pam_unix/README index 67a2d215..be11095f 100644 --- a/modules/pam_unix/README +++ b/modules/pam_unix/README @@ -171,8 +171,40 @@ broken_shadow minlen=n - Set a minimum password length of n characters. The max. for DES crypt based - passwords are 8 characters. + Set a minimum password length of n characters. The default value is 6. The + maximum for DES crypt-based passwords is 8 characters. + +obscure + + Enable some extra checks on password strength. These checks are based on + the "obscure" checks in the original shadow package. The behavior is + similar to the pam_cracklib module, but for non-dictionary-based checks. + The following checks are implemented: + + Palindrome + + Verifies that the new password is not a palindrome of (i.e., the + reverse of) the previous one. + + Case Change Only + + Verifies that the new password isn't the same as the old one with a + change of case. + + Similar + + Verifies that the new password isn't too much like the previous one. + + Simple + + Is the new password too simple? This is based on the length of the + password and the number of different types of characters (alpha, + numeric, etc.) used. + + Rotated + + Is the new password a rotated version of the old password? (E.g., + "billy" and "illyb") no_pass_expiry diff --git a/modules/pam_unix/README.xml b/modules/pam_unix/README.xml index 7fd340b3..49a65946 100644 --- a/modules/pam_unix/README.xml +++ b/modules/pam_unix/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_unix.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_unix-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_unix.8.xml" xpointer='xpointer(id("pam_unix-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c index d8d61a4b..c1028668 100644 --- a/modules/pam_unix/bigcrypt.c +++ b/modules/pam_unix/bigcrypt.c @@ -29,6 +29,7 @@ #include <string.h> #include <stdlib.h> #include <security/_pam_macros.h> +#include "pam_inline.h" #ifdef HAVE_CRYPT_H #include <crypt.h> #endif @@ -56,12 +57,12 @@ char *bigcrypt(const char *key, const char *salt) #endif unsigned long int keylen, n_seg, j; char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr; - char keybuf[KEYBUF_SIZE + 1]; + char keybuf[KEYBUF_SIZE + 1] = {}; D(("called with key='%s', salt='%s'.", key, salt)); /* reset arrays */ - dec_c2_cryptbuf = malloc(CBUF_SIZE); + dec_c2_cryptbuf = calloc(1, CBUF_SIZE); if (!dec_c2_cryptbuf) { return NULL; } @@ -73,8 +74,6 @@ char *bigcrypt(const char *key, const char *salt) } cdata->initialized = 0; #endif - memset(keybuf, 0, KEYBUF_SIZE + 1); - memset(dec_c2_cryptbuf, 0, CBUF_SIZE); /* fill KEYBUF_SIZE with key */ strncpy(keybuf, key, KEYBUF_SIZE); @@ -116,6 +115,7 @@ char *bigcrypt(const char *key, const char *salt) } /* and place in the static area */ strncpy(cipher_ptr, tmp_ptr, 13); + pam_overwrite_string(tmp_ptr); cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */ @@ -136,9 +136,10 @@ char *bigcrypt(const char *key, const char *salt) tmp_ptr = crypt(plaintext_ptr, salt_ptr); #endif if (tmp_ptr == NULL) { - _pam_overwrite(dec_c2_cryptbuf); + pam_overwrite_string(dec_c2_cryptbuf); free(dec_c2_cryptbuf); #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif return NULL; @@ -146,6 +147,7 @@ char *bigcrypt(const char *key, const char *salt) /* skip the salt for seg!=0 */ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); + pam_overwrite_string(tmp_ptr); cipher_ptr += ESEGMENT_SIZE; plaintext_ptr += SEGMENT_SIZE; @@ -155,6 +157,7 @@ char *bigcrypt(const char *key, const char *salt) D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf)); #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c index 593d6dc3..95b8de4c 100644 --- a/modules/pam_unix/md5.c +++ b/modules/pam_unix/md5.c @@ -21,26 +21,27 @@ #include <string.h> #include "md5.h" +#include "pam_inline.h" + #ifndef HIGHFIRST #define byteReverse(buf, len) /* Nothing */ #else -typedef unsigned char PAM_ATTRIBUTE_ALIGNED(4) uint8_aligned; - -static void byteReverse(uint8_aligned *buf, unsigned longs); +static void byteReverse(uint32 *buf, unsigned longs); #ifndef ASM_MD5 /* * Note: this code is harmless on little-endian machines. */ -static void byteReverse(uint8_aligned *buf, unsigned longs) +static void byteReverse(uint32 *buf, unsigned longs) { uint32 t; do { - t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | - ((unsigned) buf[1] << 8 | buf[0]); - *(uint32 *) buf = t; - buf += 4; + unsigned char *p = (unsigned char *) buf; + t = (uint32) ((unsigned) p[3] << 8 | p[2]) << 16 | + ((unsigned) p[1] << 8 | p[0]); + *buf = t; + ++buf; } while (--longs); } #endif @@ -89,7 +90,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign return; } memcpy(p, buf, t); - byteReverse(ctx->in.c, 16); + byteReverse(ctx->in.i, 16); MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += t; len -= t; @@ -98,7 +99,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign while (len >= 64) { memcpy(ctx->in.c, buf, 64); - byteReverse(ctx->in.c, 16); + byteReverse(ctx->in.i, 16); MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); buf += 64; len -= 64; @@ -133,7 +134,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) if (count < 8) { /* Two lots of padding: Pad the first block to 64 bytes */ memset(p, 0, count); - byteReverse(ctx->in.c, 16); + byteReverse(ctx->in.i, 16); MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); /* Now fill the next block with 56 bytes */ @@ -142,15 +143,15 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) /* Pad block to 56 bytes */ memset(p, 0, count - 8); } - byteReverse(ctx->in.c, 14); + byteReverse(ctx->in.i, 14); /* Append length in bits and transform */ memcpy(ctx->in.i + 14, ctx->bits, 2*sizeof(uint32)); MD5Name(MD5Transform)(ctx->buf.i, ctx->in.i); - byteReverse(ctx->buf.c, 4); + byteReverse(ctx->buf.i, 4); memcpy(digest, ctx->buf.c, 16); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ + pam_overwrite_object(ctx); /* In case it's sensitive */ } #ifndef ASM_MD5 diff --git a/modules/pam_unix/md5_crypt.c b/modules/pam_unix/md5_crypt.c index 94f7b434..ed5ecda4 100644 --- a/modules/pam_unix/md5_crypt.c +++ b/modules/pam_unix/md5_crypt.c @@ -87,7 +87,7 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt) MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl); /* Don't leave anything around in vm they could use. */ - memset(final, 0, sizeof final); + pam_overwrite_array(final); /* Then something really weird... */ for (j = 0, i = strlen(pw); i; i >>= 1) @@ -151,7 +151,7 @@ char *MD5Name(crypt_md5)(const char *pw, const char *salt) *p = '\0'; /* Don't leave anything around in vm they could use. */ - memset(final, 0, sizeof final); + pam_overwrite_array(final); return passwd; } diff --git a/modules/pam_unix/obscure.c b/modules/pam_unix/obscure.c new file mode 100644 index 00000000..2ffac920 --- /dev/null +++ b/modules/pam_unix/obscure.c @@ -0,0 +1,198 @@ +/* + * Copyright 1989 - 1994, Julianne Frances Haugh + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Julianne F. Haugh nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#include <ctype.h> +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> +#include <pwd.h> +#include <security/pam_modules.h> +#include <security/_pam_macros.h> + + +#include "support.h" + +/* can't be a palindrome - like `R A D A R' or `M A D A M' */ +static int palindrome(const char *old, const char *new) { + int i, j; + + i = strlen (new); + + for (j = 0;j < i;j++) + if (new[i - j - 1] != new[j]) + return 0; + + return 1; +} + +/* more than half of the characters are different ones. */ +static int similar(const char *old, const char *new) { + int i, j; + + /* + * XXX - sometimes this fails when changing from a simple password + * to a really long one (MD5). For now, I just return success if + * the new password is long enough. Please feel free to suggest + * something better... --marekm + */ + if (strlen(new) >= 8) + return 0; + + for (i = j = 0; new[i] && old[i]; i++) + if (strchr(new, old[i])) + j++; + + if (i >= j * 2) + return 0; + + return 1; +} + +/* a nice mix of characters. */ +static int simple(const char *old, const char *new) { + int digits = 0; + int uppers = 0; + int lowers = 0; + int others = 0; + int size; + int i; + + for (i = 0;new[i];i++) { + if (isdigit (new[i])) + digits++; + else if (isupper (new[i])) + uppers++; + else if (islower (new[i])) + lowers++; + else + others++; + } + + /* + * The scam is this - a password of only one character type + * must be 8 letters long. Two types, 7, and so on. + */ + + size = 9; + if (digits) size--; + if (uppers) size--; + if (lowers) size--; + if (others) size--; + + if (size <= i) + return 0; + + return 1; +} + +static char *str_lower(char *string) { + char *cp; + + for (cp = string; *cp; cp++) + *cp = tolower(*cp); + return string; +} + +static const char * password_check(const char *old, const char *new, + const struct passwd *pwdp) { + const char *msg = NULL; + char *oldmono, *newmono, *wrapped; + + if (strcmp(new, old) == 0) + return _("Bad: new password must be different than the old one"); + + newmono = str_lower(strdup(new)); + oldmono = str_lower(strdup(old)); + wrapped = (char *)malloc(strlen(oldmono) * 2 + 1); + strcpy (wrapped, oldmono); + strcat (wrapped, oldmono); + + if (palindrome(oldmono, newmono)) { + msg = _("Bad: new password cannot be a palindrome"); + } else if (strcmp(oldmono, newmono) == 0) { + msg = _("Bad: new and old password must differ by more than just case"); + } else if (similar(oldmono, newmono)) { + msg = _("Bad: new and old password are too similar"); + } else if (simple(old, new)) { + msg = _("Bad: new password is too simple"); + } else if (strstr(wrapped, newmono)) { + msg = _("Bad: new password is just a wrapped version of the old one"); + } + + _pam_delete(newmono); + _pam_delete(oldmono); + _pam_delete(wrapped); + + return msg; +} + +const char *obscure_msg(const char *old, const char *new, + const struct passwd *pwdp, unsigned int ctrl) { + int oldlen, newlen; + char *new1, *old1; + const char *msg; + + if (old == NULL) + return NULL; /* no check if old is NULL */ + + oldlen = strlen(old); + newlen = strlen(new); + + /* Remaining checks are optional. */ + if (off(UNIX_OBSCURE_CHECKS,ctrl)) + return NULL; + + if ((msg = password_check(old, new, pwdp)) != NULL) + return msg; + + /* The traditional crypt() truncates passwords to 8 chars. It is + possible to circumvent the above checks by choosing an easy + 8-char password and adding some random characters to it... + Example: "password$%^&*123". So check it again, this time + truncated to the maximum length. Idea from npasswd. --marekm */ + + if (!UNIX_DES_CRYPT(ctrl)) + return NULL; /* unlimited password length */ + + if (oldlen <= 8 && newlen <= 8) + return NULL; + + new1 = strndup(new,8); + old1 = strndup(old,8); + + msg = password_check(old1, new1, pwdp); + + _pam_delete(new1); + _pam_delete(old1); + + return msg; +} diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 index d9cdea5a..07f8308f 100644 --- a/modules/pam_unix/pam_unix.8 +++ b/modules/pam_unix/pam_unix.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_unix .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_UNIX" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_UNIX" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -71,31 +71,31 @@ Remaining arguments, supported by others functions of this module, are silently \fBsyslog\fR(3)\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP -\fBaudit\fR +audit .RS 4 A little more extreme than debug\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Turns off informational messages namely messages about session open and close via \fBsyslog\fR(3)\&. .RE .PP -\fBnullok\fR +nullok .RS 4 The default action of this module is to not permit the user access to a service if their official password is blank\&. The \fBnullok\fR argument overrides this default\&. .RE .PP -\fBnullresetok\fR +nullresetok .RS 4 Allow users to authenticate with blank password if password reset is enforced even if \fBnullok\fR @@ -104,24 +104,24 @@ is not set\&. If password reset is not required and is not set the authentication with blank password will be denied\&. .RE .PP -\fBtry_first_pass\fR +try_first_pass .RS 4 Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&. .RE .PP -\fBuse_first_pass\fR +use_first_pass .RS 4 The argument \fBuse_first_pass\fR forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. .RE .PP -\fBnodelay\fR +nodelay .RS 4 This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. .RE .PP -\fBuse_authtok\fR +use_authtok .RS 4 When password changing enforce the module to set the new password to the one provided by a previously stacked \fBpassword\fR @@ -130,17 +130,17 @@ module (this is used in the example of the stacking of the module documented below)\&. .RE .PP -\fBauthtok_type=\fR\fB\fItype\fR\fR +authtok_type=type .RS 4 This argument can be used to modify the password prompt when changing passwords to include the type of the password\&. Empty by default\&. .RE .PP -\fBnis\fR +nis .RS 4 NIS RPC is used for setting new passwords\&. .RE .PP -\fBremember=\fR\fB\fIn\fR\fR +remember=n .RS 4 The last \fIn\fR @@ -151,75 +151,106 @@ in order to force password change history and keep the user from alternating bet module should be used\&. .RE .PP -\fBshadow\fR +shadow .RS 4 Try to maintain a shadow based system\&. .RE .PP -\fBmd5\fR +md5 .RS 4 When a user changes their password next, encrypt it with the MD5 algorithm\&. .RE .PP -\fBbigcrypt\fR +bigcrypt .RS 4 When a user changes their password next, encrypt it with the DEC C2 algorithm\&. .RE .PP -\fBsha256\fR +sha256 .RS 4 When a user changes their password next, encrypt it with the SHA256 algorithm\&. The SHA256 algorithm must be supported by the \fBcrypt\fR(3) function\&. .RE .PP -\fBsha512\fR +sha512 .RS 4 When a user changes their password next, encrypt it with the SHA512 algorithm\&. The SHA512 algorithm must be supported by the \fBcrypt\fR(3) function\&. .RE .PP -\fBblowfish\fR +blowfish .RS 4 When a user changes their password next, encrypt it with the blowfish algorithm\&. The blowfish algorithm must be supported by the \fBcrypt\fR(3) function\&. .RE .PP -\fBgost_yescrypt\fR +gost_yescrypt .RS 4 When a user changes their password next, encrypt it with the gost\-yescrypt algorithm\&. The gost\-yescrypt algorithm must be supported by the \fBcrypt\fR(3) function\&. .RE .PP -\fByescrypt\fR +yescrypt .RS 4 When a user changes their password next, encrypt it with the yescrypt algorithm\&. The yescrypt algorithm must be supported by the \fBcrypt\fR(3) function\&. .RE .PP -\fBrounds=\fR\fB\fIn\fR\fR +rounds=n .RS 4 Set the optional number of rounds of the SHA256, SHA512, blowfish, gost\-yescrypt, and yescrypt password hashing algorithms to \fIn\fR\&. .RE .PP -\fBbroken_shadow\fR +broken_shadow .RS 4 Ignore errors reading shadow information for users in the account management module\&. .RE .PP -\fBminlen=\fR\fB\fIn\fR\fR +minlen=n .RS 4 Set a minimum password length of \fIn\fR -characters\&. The max\&. for DES crypt based passwords are 8 characters\&. +characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. +.RE +.PP +\fBobscure\fR +.RS 4 +Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: +.PP +\fBPalindrome\fR +.RS 4 +Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. +.RE +.PP +\fBCase Change Only\fR +.RS 4 +Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. +.RE +.PP +\fBSimilar\fR +.RS 4 +Verifies that the new password isn\*(Aqt too much like the previous one\&. +.RE +.PP +\fBSimple\fR +.RS 4 +Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. +.RE +.PP +\fBRotated\fR +.RS 4 +Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") +.RE +.sp .RE .PP -\fBno_pass_expiry\fR +no_pass_expiry .RS 4 When set ignore password expiration as defined by the \fIshadow\fR @@ -279,7 +310,7 @@ session required pam_unix\&.so \fBlogin.defs\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_unix was written by various people\&. diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index 9f9c8185..a025c0ef 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_unix"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_unix"> <refmeta> <refentrytitle>pam_unix</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_unix-name"> + <refnamediv xml:id="pam_unix-name"> <refname>pam_unix</refname> <refpurpose>Module for traditional password authentication</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_unix-cmdsynopsis"> + <cmdsynopsis xml:id="pam_unix-cmdsynopsis" sepchar=" "> <command>pam_unix.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_unix-description"> + <refsect1 xml:id="pam_unix-description"> <title>DESCRIPTION</title> @@ -42,7 +39,7 @@ <emphasis>shadow</emphasis> elements: expire, last_change, max_change, min_change, warn_change. In the case of the latter, it may offer advice to the user on changing their password or, through the - <emphasis remap='B'>PAM_AUTHTOKEN_REQD</emphasis> return, delay + <emphasis remap="B">PAM_AUTHTOKEN_REQD</emphasis> return, delay giving service to the user until they have established a new password. The entries listed above are documented in the <citerefentry> <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum> @@ -89,7 +86,7 @@ <para> The password component of this module performs the task of updating the user's password. The default encryption hash is taken from the - <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from + <emphasis remap="B">ENCRYPT_METHOD</emphasis> variable from <emphasis>/etc/login.defs</emphasis> </para> @@ -107,13 +104,13 @@ </para> </refsect1> - <refsect1 id="pam_unix-options"> + <refsect1 xml:id="pam_unix-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -127,7 +124,7 @@ <varlistentry> <term> - <option>audit</option> + audit </term> <listitem> <para> @@ -138,7 +135,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -153,7 +150,7 @@ <varlistentry> <term> - <option>nullok</option> + nullok </term> <listitem> <para> @@ -165,7 +162,7 @@ </varlistentry> <varlistentry> <term> - <option>nullresetok</option> + nullresetok </term> <listitem> <para> @@ -178,7 +175,7 @@ </varlistentry> <varlistentry> <term> - <option>try_first_pass</option> + try_first_pass </term> <listitem> <para> @@ -190,7 +187,7 @@ </varlistentry> <varlistentry> <term> - <option>use_first_pass</option> + use_first_pass </term> <listitem> <para> @@ -203,7 +200,7 @@ </varlistentry> <varlistentry> <term> - <option>nodelay</option> + nodelay </term> <listitem> <para> @@ -216,7 +213,7 @@ </varlistentry> <varlistentry> <term> - <option>use_authtok</option> + use_authtok </term> <listitem> <para> @@ -230,7 +227,7 @@ </varlistentry> <varlistentry> <term> - <option>authtok_type=<replaceable>type</replaceable></option> + authtok_type=type </term> <listitem> <para> @@ -242,7 +239,7 @@ </varlistentry> <varlistentry> <term> - <option>nis</option> + nis </term> <listitem> <para> @@ -252,7 +249,7 @@ </varlistentry> <varlistentry> <term> - <option>remember=<replaceable>n</replaceable></option> + remember=n </term> <listitem> <para> @@ -269,7 +266,7 @@ </varlistentry> <varlistentry> <term> - <option>shadow</option> + shadow </term> <listitem> <para> @@ -279,7 +276,7 @@ </varlistentry> <varlistentry> <term> - <option>md5</option> + md5 </term> <listitem> <para> @@ -290,7 +287,7 @@ </varlistentry> <varlistentry> <term> - <option>bigcrypt</option> + bigcrypt </term> <listitem> <para> @@ -301,7 +298,7 @@ </varlistentry> <varlistentry> <term> - <option>sha256</option> + sha256 </term> <listitem> <para> @@ -315,7 +312,7 @@ </varlistentry> <varlistentry> <term> - <option>sha512</option> + sha512 </term> <listitem> <para> @@ -329,7 +326,7 @@ </varlistentry> <varlistentry> <term> - <option>blowfish</option> + blowfish </term> <listitem> <para> @@ -343,7 +340,7 @@ </varlistentry> <varlistentry> <term> - <option>gost_yescrypt</option> + gost_yescrypt </term> <listitem> <para> @@ -357,7 +354,7 @@ </varlistentry> <varlistentry> <term> - <option>yescrypt</option> + yescrypt </term> <listitem> <para> @@ -371,7 +368,7 @@ </varlistentry> <varlistentry> <term> - <option>rounds=<replaceable>n</replaceable></option> + rounds=n </term> <listitem> <para> @@ -384,7 +381,7 @@ </varlistentry> <varlistentry> <term> - <option>broken_shadow</option> + broken_shadow </term> <listitem> <para> @@ -395,19 +392,92 @@ </varlistentry> <varlistentry> <term> - <option>minlen=<replaceable>n</replaceable></option> + minlen=n </term> <listitem> <para> Set a minimum password length of <replaceable>n</replaceable> - characters. The max. for DES crypt based passwords are 8 - characters. + characters. The default value is 6. The maximum for DES + crypt-based passwords is 8 characters. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>obscure</option> + </term> + <listitem> + <para> + Enable some extra checks on password strength. These checks + are based on the "obscure" checks in the original shadow + package. The behavior is similar to the pam_cracklib + module, but for non-dictionary-based checks. The following + checks are implemented: + <variablelist> + <varlistentry> + <term> + <option>Palindrome</option> + </term> + <listitem> + <para> + Verifies that the new password is not a palindrome + of (i.e., the reverse of) the previous one. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Case Change Only</option> + </term> + <listitem> + <para> + Verifies that the new password isn't the same as the + old one with a change of case. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Similar</option> + </term> + <listitem> + <para> + Verifies that the new password isn't too much like + the previous one. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Simple</option> + </term> + <listitem> + <para> + Is the new password too simple? This is based on + the length of the password and the number of + different types of characters (alpha, numeric, etc.) + used. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>Rotated</option> + </term> + <listitem> + <para> + Is the new password a rotated version of the old + password? (E.g., "billy" and "illyb") + </para> + </listitem> + </varlistentry> + </variablelist> </para> </listitem> </varlistentry> <varlistentry> <term> - <option>no_pass_expiry</option> + no_pass_expiry </term> <listitem> <para> @@ -418,9 +488,9 @@ meaning that other authentication source or method succeeded. The example can be public key authentication in <emphasis>sshd</emphasis>. The module will return - <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual - <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or - <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>. + <emphasis remap="B">PAM_SUCCESS</emphasis> instead of eventual + <emphasis remap="B">PAM_NEW_AUTHTOK_REQD</emphasis> or + <emphasis remap="B">PAM_AUTHTOK_EXPIRED</emphasis>. </para> </listitem> </varlistentry> @@ -432,7 +502,7 @@ </para> </refsect1> - <refsect1 id="pam_unix-types"> + <refsect1 xml:id="pam_unix-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -440,7 +510,7 @@ </para> </refsect1> - <refsect1 id='pam_unix-return_values'> + <refsect1 xml:id="pam_unix-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -454,7 +524,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_unix-examples'> + <refsect1 xml:id="pam_unix-examples"> <title>EXAMPLES</title> <para> An example usage for <filename>/etc/pam.d/login</filename> @@ -473,7 +543,7 @@ session required pam_unix.so </para> </refsect1> - <refsect1 id='pam_unix-see_also'> + <refsect1 xml:id="pam_unix-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -486,16 +556,16 @@ session required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_unix-author'> + <refsect1 xml:id="pam_unix-author"> <title>AUTHOR</title> <para> pam_unix was written by various people. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index a20e919e..652f3c5a 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -66,35 +66,29 @@ #include <security/pam_ext.h> #include <security/pam_modutil.h> +#include "pam_inline.h" #include "pam_cc_compat.h" #include "md5.h" #include "support.h" #include "passverify.h" #include "bigcrypt.h" -#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER -# define HAVE_NIS -#endif - #ifdef HAVE_NIS # include <rpc/rpc.h> - -# if HAVE_RPCSVC_YP_PROT_H -# include <rpcsvc/yp_prot.h> -# endif - -# if HAVE_RPCSVC_YPCLNT_H -# include <rpcsvc/ypclnt.h> -# endif +# include <rpcsvc/yp_prot.h> +# include <rpcsvc/ypclnt.h> # include "yppasswd.h" -# if !HAVE_DECL_GETRPCPORT &&!HAVE_RPCB_GETADDR +# if !defined(HAVE_DECL_GETRPCPORT) &&!defined(HAVE_RPCB_GETADDR) extern int getrpcport(const char *host, unsigned long prognum, unsigned long versnum, unsigned int proto); # endif /* GNU libc 2.1 */ #endif +extern const char *obscure_msg(const char *, const char *, const struct passwd *, + unsigned int); + /* How it works: Gets in username (has to be done) from the calling program @@ -593,6 +587,11 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh return retval; } } + if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ + struct passwd *pwd; + pwd = pam_modutil_getpwnam(pamh, user); + remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ + } } if (remark) { _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); @@ -608,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) int retval; int remember = -1; int rounds = 0; - int pass_min_len = 0; + int pass_min_len = 6; /* <DO NOT free() THESE> */ const char *user; diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index f2474a5b..7ff8bf07 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -96,7 +96,7 @@ PAMH_ARG_DECL(int verify_pwd_hash, } else if (*hash != '$' && hash_len >= 13) { pp = bigcrypt(p, hash); if (pp && hash_len == 13 && strlen(pp) > hash_len) { - _pam_overwrite(pp + hash_len); + pam_overwrite_string(pp + hash_len); } } else { /* @@ -147,7 +147,7 @@ PAMH_ARG_DECL(int verify_pwd_hash, if (cdata != NULL) { cdata->initialized = 0; pp = x_strdup(crypt_r(p, hash, cdata)); - memset(cdata, '\0', sizeof(*cdata)); + pam_overwrite_object(cdata); free(cdata); } #else @@ -334,7 +334,7 @@ PAMH_ARG_DECL(int check_shadow_expiry, #define PW_TMPFILE "/etc/npasswd" #define SH_TMPFILE "/etc/nshadow" -#define OPW_TMPFILE "/etc/security/nopasswd" +#define OPW_TMPFILE SCONFIGDIR "/nopasswd" /* * i64c - convert an integer to a radix 64 character @@ -427,7 +427,7 @@ PAMH_ARG_DECL(char * create_password_hash, #else char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */ #endif - char *sp; + char *sp, *ret; #ifdef HAVE_CRYPT_R struct crypt_data *cdata = NULL; #endif @@ -456,7 +456,7 @@ PAMH_ARG_DECL(char * create_password_hash, password = tmppass; } hashed = bigcrypt(password, salt); - memset(tmppass, '\0', sizeof(tmppass)); + pam_overwrite_array(tmppass); password = NULL; return hashed; } @@ -494,18 +494,21 @@ PAMH_ARG_DECL(char * create_password_hash, on(UNIX_SHA256_PASS, ctrl) ? "sha256" : on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); if(sp) { - memset(sp, '\0', strlen(sp)); + pam_overwrite_string(sp); } #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif return NULL; } - sp = x_strdup(sp); + ret = strdup(sp); + pam_overwrite_string(sp); #ifdef HAVE_CRYPT_R + pam_overwrite_object(cdata); free(cdata); #endif - return sp; + return ret; } #ifdef WITH_SELINUX @@ -801,7 +804,7 @@ PAMH_ARG_DECL(int unix_update_passwd, struct passwd *tmpent = NULL; struct stat st; FILE *pwfile, *opwfile; - int err = 1; + int err = 1, found = 0; int oldmask; #ifdef WITH_SELINUX char *prev_context_raw = NULL; @@ -872,6 +875,7 @@ PAMH_ARG_DECL(int unix_update_passwd, tmpent->pw_passwd = assigned_passwd.charp; err = 0; + found = 1; } if (putpwent(tmpent, pwfile)) { D(("error writing entry to password file: %m")); @@ -914,7 +918,7 @@ done: return PAM_SUCCESS; } else { unlink(PW_TMPFILE); - return PAM_AUTHTOK_ERR; + return found ? PAM_AUTHTOK_ERR : PAM_USER_UNKNOWN; } } @@ -1090,7 +1094,7 @@ helper_verify_password(const char *name, const char *p, int nullok) } if (hash) { - _pam_overwrite(hash); + pam_overwrite_string(hash); _pam_drop(hash); } diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h index c07037d2..463ef185 100644 --- a/modules/pam_unix/passverify.h +++ b/modules/pam_unix/passverify.h @@ -8,7 +8,7 @@ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT -#define OLD_PASSWORDS_FILE "/etc/security/opasswd" +#define OLD_PASSWORDS_FILE SCONFIGDIR "/opasswd" int is_pwd_shadowed(const struct passwd *pwd); diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 27ca7127..043273d2 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -19,7 +19,7 @@ #include <ctype.h> #include <syslog.h> #include <sys/resource.h> -#ifdef HAVE_RPCSVC_YPCLNT_H +#ifdef HAVE_NIS #include <rpcsvc/ypclnt.h> #endif @@ -805,7 +805,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name } cleanup: - memset(pw, 0, sizeof(pw)); /* clear memory of the password */ + pam_overwrite_array(pw); /* clear memory of the password */ if (data_name) _pam_delete(data_name); if (salt) diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 19754dc1..9c065c5c 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -6,6 +6,7 @@ #define _PAM_UNIX_SUPPORT_H #include <pwd.h> +#include "libpam/include/pam_inline.h" /* * File to read value of ENCRYPT_METHOD from. @@ -101,60 +102,64 @@ typedef struct { #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */ #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */ +#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */ +#define UNIX_NULLOK_SECURE 35 /* deprecated alias for nullok */ /* -------------- */ -#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */ +#define UNIX_CTRLS_ 36 /* number of ctrl arguments defined */ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = { -/* symbol token name ctrl mask ctrl * - * --------------------------- -------------------- ------------------------- ---------------- */ - -/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, -/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, -/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, -/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, -/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0}, -/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0}, -/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, -/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0}, -/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0}, -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, -/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, -/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, -/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, -/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1}, -/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0}, -/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, -/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, -/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, -/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1}, -/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, -/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, -/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, -/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, -/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1}, -/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1}, -/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, -/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1}, -/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, -/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, -/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, -/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1}, -/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1}, -/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1}, -/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0}, +/* symbol token name ctrl mask ctrl * + * --------------------------- -------------------- ------------------------- ------------ */ + +/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, +/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, +/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, +/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, +/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0}, +/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0}, +/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0}, +/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0}, +/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0}, +/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, +/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, +/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, +/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, +/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1}, +/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0}, +/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, +/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, +/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, +/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1}, +/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, +/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, +/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, +/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, +/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1}, +/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1}, +/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, +/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1}, +/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, +/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0}, +/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0}, +/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1}, +/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1}, +/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1}, +/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0}, +/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0}, +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200ULL), 0, 0}, }; #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) /* use this to free strings. ESPECIALLY password strings */ -#define _pam_delete(xx) \ -{ \ - _pam_overwrite(xx); \ - _pam_drop(xx); \ +#define _pam_delete(xx) \ +{ \ + pam_overwrite_string(xx); \ + _pam_drop(xx); \ } extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl, diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8 index 93c95bd6..7c1963b3 100644 --- a/modules/pam_unix/unix_chkpwd.8 +++ b/modules/pam_unix/unix_chkpwd.8 @@ -1,13 +1,13 @@ '\" t .\" Title: unix_chkpwd .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "UNIX_CHKPWD" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "UNIX_CHKPWD" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_unix/unix_chkpwd.8.xml b/modules/pam_unix/unix_chkpwd.8.xml index a10dbe33..ca0fa109 100644 --- a/modules/pam_unix/unix_chkpwd.8.xml +++ b/modules/pam_unix/unix_chkpwd.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="unix_chkpwd"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="unix_chkpwd"> <refmeta> <refentrytitle>unix_chkpwd</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="unix_chkpwd-name"> + <refnamediv xml:id="unix_chkpwd-name"> <refname>unix_chkpwd</refname> <refpurpose>Helper binary that verifies the password of the current user</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="unix_chkpwd-cmdsynopsis"> + <cmdsynopsis xml:id="unix_chkpwd-cmdsynopsis" sepchar=" "> <command>unix_chkpwd</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="unix_chkpwd-description"> + <refsect1 xml:id="unix_chkpwd-description"> <title>DESCRIPTION</title> @@ -48,7 +45,7 @@ </para> </refsect1> - <refsect1 id='unix_chkpwd-see_also'> + <refsect1 xml:id="unix_chkpwd-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -57,11 +54,11 @@ </para> </refsect1> - <refsect1 id='unix_chkpwd-author'> + <refsect1 xml:id="unix_chkpwd-author"> <title>AUTHOR</title> <para> Written by Andrew Morgan and other various people. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 3931bab2..5e7b571e 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -138,9 +138,10 @@ int main(int argc, char *argv[]) /* if the caller specifies the username, verify that user matches it */ if (user == NULL || strcmp(user, argv[1])) { + gid_t gid = getgid(); user = argv[1]; /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) + if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR; } } @@ -176,7 +177,7 @@ int main(int argc, char *argv[]) retval = helper_verify_password(user, pass, nullok); - memset(pass, '\0', PAM_MAX_RESP_SIZE); /* clear memory of the password */ + pam_overwrite_array(pass); /* clear memory of the password */ /* return pass or fail */ diff --git a/modules/pam_unix/unix_update.8 b/modules/pam_unix/unix_update.8 index b1f5ac71..b3b7a28f 100644 --- a/modules/pam_unix/unix_update.8 +++ b/modules/pam_unix/unix_update.8 @@ -1,13 +1,13 @@ '\" t .\" Title: unix_update .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "UNIX_UPDATE" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "UNIX_UPDATE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_unix/unix_update.8.xml b/modules/pam_unix/unix_update.8.xml index 6c7467b9..1a968652 100644 --- a/modules/pam_unix/unix_update.8.xml +++ b/modules/pam_unix/unix_update.8.xml @@ -1,30 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="unix_update"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="unix_update"> <refmeta> <refentrytitle>unix_update</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="unix_update-name"> + <refnamediv xml:id="unix_update-name"> <refname>unix_update</refname> <refpurpose>Helper binary that updates the password of a given user</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="unix_update-cmdsynopsis"> + <cmdsynopsis xml:id="unix_update-cmdsynopsis" sepchar=" "> <command>unix_update</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> ... </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="unix_update-description"> + <refsect1 xml:id="unix_update-description"> <title>DESCRIPTION</title> @@ -48,7 +45,7 @@ </para> </refsect1> - <refsect1 id='unix_update-see_also'> + <refsect1 xml:id="unix_update-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -57,11 +54,11 @@ </para> </refsect1> - <refsect1 id='unix_update-author'> + <refsect1 xml:id="unix_update-author"> <title>AUTHOR</title> <para> Written by Tomas Mraz and other various people. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 3559972b..49a70ff3 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -55,15 +55,18 @@ set_password(const char *forwho, const char *shadow, const char *remember) if (npass != 2) { /* is it a valid password? */ if (npass == 1) { helper_log_err(LOG_DEBUG, "no new password supplied"); - memset(pass, '\0', PAM_MAX_RESP_SIZE); + pam_overwrite_array(pass); } else { helper_log_err(LOG_DEBUG, "no valid passwords supplied"); } return PAM_AUTHTOK_ERR; } - if (lock_pwdf() != PAM_SUCCESS) + if (lock_pwdf() != PAM_SUCCESS) { + pam_overwrite_array(pass); + pam_overwrite_array(towhat); return PAM_AUTHTOK_LOCK_BUSY; + } pwd = getpwnam(forwho); @@ -98,8 +101,8 @@ set_password(const char *forwho, const char *shadow, const char *remember) } done: - memset(pass, '\0', PAM_MAX_RESP_SIZE); - memset(towhat, '\0', PAM_MAX_RESP_SIZE); + pam_overwrite_array(pass); + pam_overwrite_array(towhat); unlock_pwdf(); diff --git a/modules/pam_unix/yppasswd.h b/modules/pam_unix/yppasswd.h index 5f947071..dc686cd7 100644 --- a/modules/pam_unix/yppasswd.h +++ b/modules/pam_unix/yppasswd.h @@ -1,28 +1,20 @@ /* - * yppasswdd - * Copyright 1994, 1995, 1996 Olaf Kirch, <okir@lst.de> - * - * This program is covered by the GNU General Public License, version 2 - * or later. It is provided in the hope that it is useful. However, the author - * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. - * - * This file was generated automatically by rpcgen from yppasswd.x, and - * editied manually. + * Please do not edit this file. + * It was generated using rpcgen. */ -#ifndef _YPPASSWD_H_ -#define _YPPASSWD_H_ +#ifndef _YPPASSWD_H_RPCGEN +#define _YPPASSWD_H_RPCGEN -#define YPPASSWDPROG ((u_long)100009) -#define YPPASSWDVERS ((u_long)1) -#define YPPASSWDPROC_UPDATE ((u_long)1) +#include <rpc/rpc.h> -/* - * The password struct passed by the update call. I renamed it to - * xpasswd to avoid a type clash with the one defined in <pwd.h>. - */ -#ifndef __sgi -typedef struct xpasswd { + +#ifdef __cplusplus +extern "C" { +#endif + + +struct xpasswd { char *pw_name; char *pw_passwd; int pw_uid; @@ -30,22 +22,45 @@ typedef struct xpasswd { char *pw_gecos; char *pw_dir; char *pw_shell; -} xpasswd; - -#else -#include <pwd.h> +}; typedef struct xpasswd xpasswd; -#endif -/* The updated password information, plus the old password. - */ -typedef struct yppasswd { +struct yppasswd { char *oldpass; xpasswd newpw; -} yppasswd; +}; +typedef struct yppasswd yppasswd; -/* XDR encoding/decoding routines */ -bool_t xdr_xpasswd(XDR * xdrs, xpasswd * objp); -bool_t xdr_yppasswd(XDR * xdrs, yppasswd * objp); +#define YPPASSWDPROG 100009 +#define YPPASSWDVERS 1 + +#if defined(__STDC__) || defined(__cplusplus) +#define YPPASSWDPROC_UPDATE 1 +extern int * yppasswdproc_update_1(yppasswd *, CLIENT *); +extern int * yppasswdproc_update_1_svc(yppasswd *, struct svc_req *); +extern int yppasswdprog_1_freeresult (SVCXPRT *, xdrproc_t, caddr_t); + +#else /* K&R C */ +#define YPPASSWDPROC_UPDATE 1 +extern int * yppasswdproc_update_1(); +extern int * yppasswdproc_update_1_svc(); +extern int yppasswdprog_1_freeresult (); +#endif /* K&R C */ + +/* the xdr functions */ + +#if defined(__STDC__) || defined(__cplusplus) +extern bool_t xdr_passwd (XDR *, xpasswd*); +extern bool_t xdr_yppasswd (XDR *, yppasswd*); + +#else /* K&R C */ +extern bool_t xdr_passwd (); +extern bool_t xdr_yppasswd (); + +#endif /* K&R C */ + +#ifdef __cplusplus +} +#endif -#endif /* _YPPASSWD_H_ */ +#endif /* !_YPPASSWD_H_RPCGEN */ diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c index f2b86a56..0523d523 100644 --- a/modules/pam_unix/yppasswd_xdr.c +++ b/modules/pam_unix/yppasswd_xdr.c @@ -1,40 +1,36 @@ /* - * yppasswdd - * Copyright 1994, 1995, 1996 Olaf Kirch, <okir@lst.de> - * - * This program is covered by the GNU General Public License, version 2 - * or later. It is provided in the hope that it is useful. However, the author - * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. - * - * This file was generated automatically by rpcgen from yppasswd.x, and - * editied manually. + * Please do not edit this file. + * It was generated using rpcgen. */ -#include "config.h" - -#ifdef HAVE_RPC_RPC_H - -#include <rpc/rpc.h> #include "yppasswd.h" bool_t -xdr_xpasswd(XDR * xdrs, xpasswd * objp) +xdr_passwd (XDR *xdrs, xpasswd *objp) { - return xdr_string(xdrs, &objp->pw_name, ~0) - && xdr_string(xdrs, &objp->pw_passwd, ~0) - && xdr_int(xdrs, &objp->pw_uid) - && xdr_int(xdrs, &objp->pw_gid) - && xdr_string(xdrs, &objp->pw_gecos, ~0) - && xdr_string(xdrs, &objp->pw_dir, ~0) - && xdr_string(xdrs, &objp->pw_shell, ~0); + if (!xdr_string (xdrs, &objp->pw_name, ~0)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_passwd, ~0)) + return FALSE; + if (!xdr_int (xdrs, &objp->pw_uid)) + return FALSE; + if (!xdr_int (xdrs, &objp->pw_gid)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_gecos, ~0)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_dir, ~0)) + return FALSE; + if (!xdr_string (xdrs, &objp->pw_shell, ~0)) + return FALSE; + return TRUE; } - bool_t -xdr_yppasswd(XDR * xdrs, yppasswd * objp) +xdr_yppasswd (XDR *xdrs, yppasswd *objp) { - return xdr_string(xdrs, &objp->oldpass, ~0) - && xdr_xpasswd(xdrs, &objp->newpw); + if (!xdr_string (xdrs, &objp->oldpass, ~0)) + return FALSE; + if (!xdr_passwd (xdrs, &objp->newpw)) + return FALSE; + return TRUE; } - -#endif diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index aa70e7de..e31d9ccc 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_userdb TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_userdb/Makefile.in b/modules/pam_userdb/Makefile.in index 6eb785f0..c19b4231 100644 --- a/modules/pam_userdb/Makefile.in +++ b/modules/pam_userdb/Makefile.in @@ -431,6 +431,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +444,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -479,12 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -517,12 +523,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -596,7 +606,8 @@ XMLS = README.xml pam_userdb.8.xml dist_check_SCRIPTS = tst-pam_userdb TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_userdb/README.xml b/modules/pam_userdb/README.xml index b22c09e7..4e8f8ee7 100644 --- a/modules/pam_userdb/README.xml +++ b/modules/pam_userdb/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_userdb.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_userdb-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8 index fc002787..a2493b50 100644 --- a/modules/pam_userdb/pam_userdb.8 +++ b/modules/pam_userdb/pam_userdb.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_userdb .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_USERDB" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_USERDB" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_userdb \- PAM module to authenticate against a db database The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\&. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\&. .SH "OPTIONS" .PP -\fBcrypt=[crypt|none]\fR +crypt=[crypt|none] .RS 4 Indicates whether encrypted or plaintext passwords are stored in the database\&. If it is \fBcrypt\fR, passwords should be stored in the database in @@ -47,7 +47,7 @@ form\&. If is selected, passwords should be stored in the database as plaintext\&. .RE .PP -\fBdb=\fR\fB\fI/path/database\fR\fR +db=/path/database .RS 4 Use the /path/database @@ -58,37 +58,37 @@ if no database is provided\&. Note that the path to the database file should be suffix\&. .RE .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. Note that password hashes, both from db and computed, will be printed to syslog\&. .RE .PP -\fBdump\fR +dump .RS 4 Dump all the entries in the database to the log\&. Don\*(Aqt do this by default! .RE .PP -\fBicase\fR +icase .RS 4 Make the password verification to be case insensitive (ie when working with registration numbers and such)\&. Only works with plaintext password storage\&. .RE .PP -\fBtry_first_pass\fR +try_first_pass .RS 4 Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will try to converse\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. .RE .PP -\fBuse_first_pass\fR +use_first_pass .RS 4 Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will fail\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. .RE .PP -\fBunknown_ok\fR +unknown_ok .RS 4 Do not return error when checking for a user that is not in the database\&. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\&. .RE .PP -\fBkey_only\fR +key_only .RS 4 The username and password are concatenated together in the database hash as \*(Aqusername\-password\*(Aq with a random value\&. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\&. this is useful in cases where the username may not be unique but the username and password pair are\&. .RE @@ -152,7 +152,7 @@ auth sufficient pam_userdb\&.so icase db=/etc/dbtest \fBcrypt\fR(3), \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_userdb was written by Cristian Gafton >gafton@redhat\&.com<\&. diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml index bce92850..86ba895a 100644 --- a/modules/pam_userdb/pam_userdb.8.xml +++ b/modules/pam_userdb/pam_userdb.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_userdb"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_userdb"> <refmeta> <refentrytitle>pam_userdb</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_userdb-name"> + <refnamediv xml:id="pam_userdb-name"> <refname>pam_userdb</refname> <refpurpose>PAM module to authenticate against a db database</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_userdb-cmdsynopsis"> + <cmdsynopsis xml:id="pam_userdb-cmdsynopsis" sepchar=" "> <command>pam_userdb.so</command> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> db=<replaceable>/path/database</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> crypt=[crypt|none] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> icase </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dump </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> try_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unknown_ok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> key_only </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_userdb-description"> + <refsect1 xml:id="pam_userdb-description"> <title>DESCRIPTION</title> @@ -60,13 +57,13 @@ </para> </refsect1> - <refsect1 id="pam_userdb-options"> + <refsect1 xml:id="pam_userdb-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>crypt=[crypt|none]</option> + crypt=[crypt|none] </term> <listitem> <para> @@ -82,13 +79,13 @@ </varlistentry> <varlistentry> <term> - <option>db=<replaceable>/path/database</replaceable></option> + db=/path/database </term> <listitem> <para> Use the <filename>/path/database</filename> database for performing lookup. There is no default; the module will - return <emphasis remap='B'>PAM_IGNORE</emphasis> if no + return <emphasis remap="B">PAM_IGNORE</emphasis> if no database is provided. Note that the path to the database file should be specified without the <filename>.db</filename> suffix. </para> @@ -96,7 +93,7 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -107,7 +104,7 @@ </varlistentry> <varlistentry> <term> - <option>dump</option> + dump </term> <listitem> <para> @@ -118,7 +115,7 @@ </varlistentry> <varlistentry> <term> - <option>icase</option> + icase </term> <listitem> <para> @@ -131,7 +128,7 @@ <varlistentry> <term> - <option>try_first_pass</option> + try_first_pass </term> <listitem> <para> @@ -146,7 +143,7 @@ </varlistentry> <varlistentry> <term> - <option>use_first_pass</option> + use_first_pass </term> <listitem> <para> @@ -161,7 +158,7 @@ </varlistentry> <varlistentry> <term> - <option>unknown_ok</option> + unknown_ok </term> <listitem> <para> @@ -174,7 +171,7 @@ </varlistentry> <varlistentry> <term> - <option>key_only</option> + key_only </term> <listitem> <para> @@ -191,7 +188,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_userdb-types"> + <refsect1 xml:id="pam_userdb-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module @@ -199,7 +196,7 @@ </para> </refsect1> - <refsect1 id='pam_userdb-return_values'> + <refsect1 xml:id="pam_userdb-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -259,14 +256,14 @@ </variablelist> </refsect1> - <refsect1 id='pam_userdb-examples'> + <refsect1 xml:id="pam_userdb-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_userdb.so icase db=/etc/dbtest </programlisting> </refsect1> - <refsect1 id='pam_userdb-see_also'> + <refsect1 xml:id="pam_userdb-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -279,16 +276,16 @@ auth sufficient pam_userdb.so icase db=/etc/dbtest <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_userdb-author'> + <refsect1 xml:id="pam_userdb-author"> <title>AUTHOR</title> <para> pam_userdb was written by Cristian Gafton >gafton@redhat.com<. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index f467ea4c..297403b0 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -62,7 +62,7 @@ obtain_authtok(pam_handle_t *pamh) retval = pam_set_item(pamh, PAM_AUTHTOK, resp); /* clean it up */ - _pam_overwrite(resp); + pam_overwrite_string(resp); _pam_drop(resp); if ( (retval != PAM_SUCCESS) || @@ -181,7 +181,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, if (key.dptr) { data = dbm_fetch(dbm, key); - memset(key.dptr, 0, key.dsize); + pam_overwrite_n(key.dptr, key.dsize); free(key.dptr); } @@ -247,8 +247,11 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, free(cdata); #endif } + pam_overwrite_string(pwhash); free(pwhash); } + + pam_overwrite_string(cryptpw); } else { /* Unknown password encryption method - diff --git a/modules/pam_usertype/Makefile.am b/modules/pam_usertype/Makefile.am index 28224b94..e6d35e48 100644 --- a/modules/pam_usertype/Makefile.am +++ b/modules/pam_usertype/Makefile.am @@ -16,7 +16,11 @@ dist_check_SCRIPTS = tst-pam_usertype TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_usertype/Makefile.in b/modules/pam_usertype/Makefile.in index 4118a622..28b96739 100644 --- a/modules/pam_usertype/Makefile.in +++ b/modules/pam_usertype/Makefile.in @@ -429,6 +429,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -441,11 +442,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -477,12 +480,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -505,6 +510,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -515,12 +521,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -594,7 +604,8 @@ XMLS = README.xml pam_usertype.8.xml dist_check_SCRIPTS = tst-pam_usertype TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_usertype/README b/modules/pam_usertype/README index 246a3895..290a8fe1 100644 --- a/modules/pam_usertype/README +++ b/modules/pam_usertype/README @@ -6,8 +6,8 @@ DESCRIPTION pam_usertype.so is designed to succeed or fail authentication based on type of the account of the authenticated user. The type of the account is decided with -help of SYS_UID_MIN and SYS_UID_MAX settings in /etc/login.defs. One use is to -select whether to load other modules based on this test. +help of SYS_UID_MAX settings in /etc/login.defs. One use is to select whether +to load other modules based on this test. The module should be given only one condition as module argument. Authentication will succeed only if the condition is met. diff --git a/modules/pam_usertype/README.xml b/modules/pam_usertype/README.xml index 58550465..7faf549e 100644 --- a/modules/pam_usertype/README.xml +++ b/modules/pam_usertype/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_usertype.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_usertype.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_usertype-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_usertype.8.xml" xpointer='xpointer(id("pam_usertype-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_usertype/pam_usertype.8 b/modules/pam_usertype/pam_usertype.8 index 2f021013..4bc8652e 100644 --- a/modules/pam_usertype/pam_usertype.8 +++ b/modules/pam_usertype/pam_usertype.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_usertype .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 -.\" Manual: Linux-PAM +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 +.\" Manual: Linux-PAM Manual .\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_USERTYPE" "8" "09/03/2021" "Linux-PAM" "Linux\-PAM" +.TH "PAM_USERTYPE" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -35,8 +35,6 @@ pam_usertype \- check if the authenticated user is a system or regular account .SH "DESCRIPTION" .PP pam_usertype\&.so is designed to succeed or fail authentication based on type of the account of the authenticated user\&. The type of the account is decided with help of -\fISYS_UID_MIN\fR -and \fISYS_UID_MAX\fR settings in \fI/etc/login\&.defs\fR\&. One use is to select whether to load other modules based on this test\&. @@ -47,12 +45,12 @@ The module should be given only one condition as module argument\&. Authenticati The following \fIflag\fRs are supported: .PP -\fBuse_uid\fR +use_uid .RS 4 Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&. .RE .PP -\fBaudit\fR +audit .RS 4 Log unknown users to the system log\&. .RE @@ -60,12 +58,12 @@ Log unknown users to the system log\&. Available \fIcondition\fRs are: .PP -\fBissystem\fR +issystem .RS 4 Succeed if the user is a system user\&. .RE .PP -\fBisregular\fR +isregular .RS 4 Succeed if the user is a regular user\&. .RE diff --git a/modules/pam_usertype/pam_usertype.8.xml b/modules/pam_usertype/pam_usertype.8.xml index 7651da6e..87ad0796 100644 --- a/modules/pam_usertype/pam_usertype.8.xml +++ b/modules/pam_usertype/pam_usertype.8.xml @@ -1,37 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - - -<refentry id='pam_usertype'> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_usertype"> <refmeta> <refentrytitle>pam_usertype</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id='pam_usertype-name'> + <refnamediv xml:id="pam_usertype-name"> <refname>pam_usertype</refname> <refpurpose>check if the authenticated user is a system or regular account</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id='pam_usertype-cmdsynopsis'> + <cmdsynopsis xml:id="pam_usertype-cmdsynopsis" sepchar=" "> <command>pam_usertype.so</command> - <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg> - <arg choice='req'><replaceable>condition</replaceable></arg> + <arg choice="opt" rep="repeat"><replaceable>flag</replaceable></arg> + <arg choice="req" rep="norepeat"><replaceable>condition</replaceable></arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id='pam_usertype-description'> + <refsect1 xml:id="pam_usertype-description"> <title>DESCRIPTION</title> <para> pam_usertype.so is designed to succeed or fail authentication based on type of the account of the authenticated user. The type of the account is decided with help of - <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis> + <emphasis>SYS_UID_MAX</emphasis> settings in <emphasis>/etc/login.defs</emphasis>. One use is to select whether to load other modules based on this test. </para> @@ -42,7 +38,7 @@ </para> </refsect1> - <refsect1 id="pam_usertype-options"> + <refsect1 xml:id="pam_usertype-options"> <title>OPTIONS</title> <para> The following <emphasis>flag</emphasis>s are supported: @@ -50,7 +46,7 @@ <variablelist> <varlistentry> - <term><option>use_uid</option></term> + <term>use_uid</term> <listitem> <para> Evaluate conditions using the account of the user whose UID @@ -60,7 +56,7 @@ </listitem> </varlistentry> <varlistentry> - <term><option>audit</option></term> + <term>audit</term> <listitem> <para> Log unknown users to the system log. @@ -75,13 +71,13 @@ <variablelist> <varlistentry> - <term><option>issystem</option></term> + <term>issystem</term> <listitem> <para>Succeed if the user is a system user.</para> </listitem> </varlistentry> <varlistentry> - <term><option>isregular</option></term> + <term>isregular</term> <listitem> <para>Succeed if the user is a regular user.</para> </listitem> @@ -89,7 +85,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_usertype-types"> + <refsect1 xml:id="pam_usertype-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>account</option>, <option>auth</option>, @@ -97,7 +93,7 @@ </para> </refsect1> - <refsect1 id='pam_usertype-return_values'> + <refsect1 xml:id="pam_usertype-return_values"> <title>RETURN VALUES</title> <variablelist> @@ -170,7 +166,7 @@ </refsect1> - <refsect1 id='pam_usertype-examples'> + <refsect1 xml:id="pam_usertype-examples"> <title>EXAMPLES</title> <para> Skip remaining modules if the user is a system user: @@ -180,7 +176,7 @@ account sufficient pam_usertype.so issystem </programlisting> </refsect1> - <refsect1 id='pam_usertype-see_also'> + <refsect1 xml:id="pam_usertype-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -192,8 +188,8 @@ account sufficient pam_usertype.so issystem </para> </refsect1> - <refsect1 id='pam_usertype-author'> + <refsect1 xml:id="pam_usertype-author"> <title>AUTHOR</title> <para>Pavel Březina <pbrezina@redhat.com></para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c index d03b73b5..cfd9c8bb 100644 --- a/modules/pam_usertype/pam_usertype.c +++ b/modules/pam_usertype/pam_usertype.c @@ -194,7 +194,6 @@ static int pam_usertype_is_system(pam_handle_t *pamh, uid_t uid) { uid_t uid_min; - uid_t sys_min; uid_t sys_max; if (uid == (uid_t)-1) { @@ -202,21 +201,19 @@ pam_usertype_is_system(pam_handle_t *pamh, uid_t uid) return PAM_USER_UNKNOWN; } - if (uid <= 99) { - /* Reserved. */ - return PAM_SUCCESS; - } - if (uid == PAM_USERTYPE_OVERFLOW_UID) { /* nobody */ return PAM_SUCCESS; } uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN); - sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN); sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1); - return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR; + if (uid <= sys_max && uid < uid_min) { + return PAM_SUCCESS; + } + + return PAM_AUTH_ERR; } static int @@ -253,7 +250,7 @@ pam_usertype_evaluate(struct pam_usertype_opts *opts, /** * Arguments: - * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX> + * - issystem: uid less than SYS_UID_MAX * - isregular: not issystem * - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if) * - audit: log unknown users to syslog diff --git a/modules/pam_warn/Makefile.am b/modules/pam_warn/Makefile.am index d0f021fe..5e13f8f2 100644 --- a/modules/pam_warn/Makefile.am +++ b/modules/pam_warn/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_warn TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_warn/Makefile.in b/modules/pam_warn/Makefile.in index a1f192f9..aff1ee54 100644 --- a/modules/pam_warn/Makefile.in +++ b/modules/pam_warn/Makefile.in @@ -433,6 +433,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -445,11 +446,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -481,12 +484,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -509,6 +514,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -519,12 +525,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -598,7 +608,8 @@ XMLS = README.xml pam_warn.8.xml dist_check_SCRIPTS = tst-pam_warn TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_warn/README.xml b/modules/pam_warn/README.xml index 4367c28f..56093f80 100644 --- a/modules/pam_warn/README.xml +++ b/modules/pam_warn/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_warn.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_warn-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_warn.8.xml" xpointer='xpointer(id("pam_warn-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8 index 2b990faa..0138c707 100644 --- a/modules/pam_warn/pam_warn.8 +++ b/modules/pam_warn/pam_warn.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_warn .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_WARN" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_WARN" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -83,7 +83,7 @@ other session required pam_deny\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_warn was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. diff --git a/modules/pam_warn/pam_warn.8.xml b/modules/pam_warn/pam_warn.8.xml index 1764ec92..a69e1d69 100644 --- a/modules/pam_warn/pam_warn.8.xml +++ b/modules/pam_warn/pam_warn.8.xml @@ -1,25 +1,22 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_warn"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_warn"> <refmeta> <refentrytitle>pam_warn</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_warn-name"> + <refnamediv xml:id="pam_warn-name"> <refname>pam_warn</refname> <refpurpose>PAM module which logs all PAM items if called</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_warn-cmdsynopsis"> + <cmdsynopsis xml:id="pam_warn-cmdsynopsis" sepchar=" "> <command>pam_warn.so</command> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_warn-description"> + <refsect1 xml:id="pam_warn-description"> <title>DESCRIPTION</title> <para> pam_warn is a PAM module that logs the service, terminal, user, @@ -28,17 +25,17 @@ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> </citerefentry>. The items are not probed for, but instead obtained from the standard PAM items. The module always returns - <emphasis remap='B'>PAM_IGNORE</emphasis>, indicating that it + <emphasis remap="B">PAM_IGNORE</emphasis>, indicating that it does not want to affect the authentication process. </para> </refsect1> - <refsect1 id="pam_warn-options"> + <refsect1 xml:id="pam_warn-options"> <title>OPTIONS</title> <para>This module does not recognise any options.</para> </refsect1> - <refsect1 id="pam_warn-types"> + <refsect1 xml:id="pam_warn-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option>, <option>account</option>, @@ -47,7 +44,7 @@ </para> </refsect1> - <refsect1 id='pam_warn-return_values'> + <refsect1 xml:id="pam_warn-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -61,7 +58,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_warn-examples'> + <refsect1 xml:id="pam_warn-examples"> <title>EXAMPLES</title> <programlisting> #%PAM-1.0 @@ -80,7 +77,7 @@ other session required pam_deny.so </programlisting> </refsect1> - <refsect1 id='pam_warn-see_also'> + <refsect1 xml:id="pam_warn-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -90,16 +87,16 @@ other session required pam_deny.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_warn-author'> + <refsect1 xml:id="pam_warn-author"> <title>AUTHOR</title> <para> pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am index 67ddc678..4d9084e0 100644 --- a/modules/pam_wheel/Makefile.am +++ b/modules/pam_wheel/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_wheel TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_wheel/Makefile.in b/modules/pam_wheel/Makefile.in index fedf07ad..d9ea36d3 100644 --- a/modules/pam_wheel/Makefile.in +++ b/modules/pam_wheel/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_wheel.8.xml dist_check_SCRIPTS = tst-pam_wheel TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index 5dae4b61..ec9e7d7e 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -39,12 +39,6 @@ trust modules the wheel members may be able to su to root without being prompted for a passwd). -use_uid - - The check will be done against the real uid of the calling process, instead - of trying to obtain the user from the login session associated with the - terminal in use. - EXAMPLES The root account gains access by default (rootok), only wheel members can diff --git a/modules/pam_wheel/README.xml b/modules/pam_wheel/README.xml index 9e33d7ff..e40c46e8 100644 --- a/modules/pam_wheel/README.xml +++ b/modules/pam_wheel/README.xml @@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_wheel.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_wheel-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_wheel.8.xml" xpointer='xpointer(id("pam_wheel-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8 index 648046e6..ca687e59 100644 --- a/modules/pam_wheel/pam_wheel.8 +++ b/modules/pam_wheel/pam_wheel.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_wheel .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 09/13/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_WHEEL" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_WHEEL" "8" "09/13/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pam_wheel \- Only permit root access to members of group wheel .SH "SYNOPSIS" .HP \w'\fBpam_wheel\&.so\fR\ 'u -\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] +\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] .SH "DESCRIPTION" .PP The pam_wheel PAM module is used to enforce the so\-called @@ -42,12 +42,12 @@ group\&. If no group with this name exist, the module is using the group with th \fB0\fR\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBdeny\fR +deny .RS 4 Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the \fBgroup\fR @@ -56,27 +56,22 @@ option), deny access\&. Conversely, if the user is not in the group, return PAM_ was also specified, in which case we return PAM_SUCCESS)\&. .RE .PP -\fBgroup=\fR\fB\fIname\fR\fR +group=name .RS 4 Instead of checking the wheel or GID 0 groups, use the \fB\fIname\fR\fR group to perform the authentication\&. .RE .PP -\fBroot_only\fR +root_only .RS 4 The check for wheel membership is done only when the target user UID is 0\&. .RE .PP -\fBtrust\fR +trust .RS 4 The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. .RE -.PP -\fBuse_uid\fR -.RS 4 -The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&. -.RE .SH "MODULE TYPES PROVIDED" .PP The @@ -141,7 +136,7 @@ su auth required pam_unix\&.so .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&. diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml index ee8c7d26..86f2828a 100644 --- a/modules/pam_wheel/pam_wheel.8.xml +++ b/modules/pam_wheel/pam_wheel.8.xml @@ -1,45 +1,39 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_wheel"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_wheel"> <refmeta> <refentrytitle>pam_wheel</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_wheel-name"> + <refnamediv xml:id="pam_wheel-name"> <refname>pam_wheel</refname> <refpurpose>Only permit root access to members of group wheel</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_wheel-cmdsynopsis"> + <cmdsynopsis xml:id="pam_wheel-cmdsynopsis" sepchar=" "> <command>pam_wheel.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> deny </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> group=<replaceable>name</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> root_only </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> trust </arg> - <arg choice="opt"> - use_uid - </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_wheel-description"> + <refsect1 xml:id="pam_wheel-description"> <title>DESCRIPTION</title> <para> The pam_wheel PAM module is used to enforce the so-called @@ -47,16 +41,16 @@ access to the target user if the applicant user is a member of the <emphasis>wheel</emphasis> group. If no group with this name exist, the module is using the group with the group-ID - <emphasis remap='B'>0</emphasis>. + <emphasis remap="B">0</emphasis>. </para> </refsect1> - <refsect1 id="pam_wheel-options"> + <refsect1 xml:id="pam_wheel-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -66,7 +60,7 @@ </varlistentry> <varlistentry> <term> - <option>deny</option> + deny </term> <listitem> <para> @@ -81,7 +75,7 @@ </varlistentry> <varlistentry> <term> - <option>group=<replaceable>name</replaceable></option> + group=name </term> <listitem> <para> @@ -93,7 +87,7 @@ </varlistentry> <varlistentry> <term> - <option>root_only</option> + root_only </term> <listitem> <para> @@ -104,7 +98,7 @@ </varlistentry> <varlistentry> <term> - <option>trust</option> + trust </term> <listitem> <para> @@ -116,30 +110,18 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term> - <option>use_uid</option> - </term> - <listitem> - <para> - The check will be done against the real uid of the calling process, - instead of trying to obtain the user from the login session - associated with the terminal in use. - </para> - </listitem> - </varlistentry> </variablelist> </refsect1> - <refsect1 id="pam_wheel-types"> + <refsect1 xml:id="pam_wheel-types"> <title>MODULE TYPES PROVIDED</title> <para> - The <emphasis remap='B'>auth</emphasis> and - <emphasis remap='B'>account</emphasis> module types are provided. + The <emphasis remap="B">auth</emphasis> and + <emphasis remap="B">account</emphasis> module types are provided. </para> </refsect1> - <refsect1 id='pam_wheel-return_values'> + <refsect1 xml:id="pam_wheel-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -204,7 +186,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_wheel-examples'> + <refsect1 xml:id="pam_wheel-examples"> <title>EXAMPLES</title> <para> The root account gains access by default (rootok), only wheel @@ -218,7 +200,7 @@ su auth required pam_unix.so </para> </refsect1> - <refsect1 id='pam_wheel-see_also'> + <refsect1 xml:id="pam_wheel-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -228,12 +210,12 @@ su auth required pam_unix.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_wheel-author'> + <refsect1 xml:id="pam_wheel-author"> <title>AUTHOR</title> <para> pam_wheel was written by Cristian Gafton <gafton@redhat.com>. diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 179f56b3..5eb7b82f 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -47,9 +47,8 @@ /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 -#define PAM_USE_UID_ARG 0x0002 -#define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 +#define PAM_TRUST_ARG 0x0002 +#define PAM_DENY_ARG 0x0004 #define PAM_ROOT_ONLY_ARG 0x0020 static int @@ -68,8 +67,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; - else if (!strcmp(*argv,"use_uid")) - ctrl |= PAM_USE_UID_ARG; + else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ else if (!strcmp(*argv,"trust")) ctrl |= PAM_TRUST_ARG; else if (!strcmp(*argv,"deny")) @@ -118,39 +116,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) } } - if (ctrl & PAM_USE_UID_ARG) { - tpwd = pam_modutil_getpwuid (pamh, getuid()); - if (tpwd == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; - } - fromsu = tpwd->pw_name; - } else { - fromsu = pam_modutil_getlogin(pamh); - - /* if getlogin fails try a fallback to PAM_RUSER */ - if (fromsu == NULL) { - const char *rhostname; - - retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname); - if (retval != PAM_SUCCESS || rhostname == NULL) { - retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu); - } - } - - if (fromsu != NULL) { - tpwd = pam_modutil_getpwnam (pamh, fromsu); - } - - if (fromsu == NULL || tpwd == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; + tpwd = pam_modutil_getpwuid (pamh, getuid()); + if (tpwd == NULL) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); } + return PAM_SERVICE_ERR; } + fromsu = tpwd->pw_name; /* * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am index 7c557706..bf736abe 100644 --- a/modules/pam_xauth/Makefile.am +++ b/modules/pam_xauth/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_xauth TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_xauth/Makefile.in b/modules/pam_xauth/Makefile.in index 4838634b..4d3a6b79 100644 --- a/modules/pam_xauth/Makefile.in +++ b/modules/pam_xauth/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_xauth.8.xml dist_check_SCRIPTS = tst-pam_xauth TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_xauth/README.xml b/modules/pam_xauth/README.xml index adefbd98..04fc2468 100644 --- a/modules/pam_xauth/README.xml +++ b/modules/pam_xauth/README.xml @@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_xauth.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_xauth-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-implementation"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-implementation")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_xauth.8.xml" xpointer='xpointer(id("pam_xauth-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8 index 90177fbc..e6f23c10 100644 --- a/modules/pam_xauth/pam_xauth.8 +++ b/modules/pam_xauth/pam_xauth.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_xauth .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_XAUTH" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_XAUTH" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -76,12 +76,12 @@ Both the import and export files support wildcards (such as \fI*\fR)\&. Both the import and export files can be empty, signifying that no users are allowed\&. .SH "OPTIONS" .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR +xauthpath=/path/to/xauth .RS 4 Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth, @@ -90,12 +90,12 @@ Specify the path the xauth program (it is expected in by default)\&. .RE .PP -\fBsystemuser=\fR\fB\fIUID\fR\fR +systemuser=UID .RS 4 Specify the highest UID which will be assumed to belong to a "system" user\&. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\&. .RE .PP -\fBtargetuser=\fR\fB\fIUID\fR\fR +targetuser=UID .RS 4 Specify a single target UID which is exempt from the systemuser check\&. .RE @@ -177,7 +177,7 @@ XXX .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(7) .SH "AUTHOR" .PP pam_xauth was written by Nalin Dahyabhai <nalin@redhat\&.com>, based on original version by Michael K\&. Johnson <johnsonm@redhat\&.com>\&. diff --git a/modules/pam_xauth/pam_xauth.8.xml b/modules/pam_xauth/pam_xauth.8.xml index 08c06cf8..214226ba 100644 --- a/modules/pam_xauth/pam_xauth.8.xml +++ b/modules/pam_xauth/pam_xauth.8.xml @@ -1,39 +1,36 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_xauth"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_xauth"> <refmeta> <refentrytitle>pam_xauth</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_xauth-name"> + <refnamediv xml:id="pam_xauth-name"> <refname>pam_xauth</refname> <refpurpose>PAM module to forward xauth keys between users</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_xauth-cmdsynopsis"> + <cmdsynopsis xml:id="pam_xauth-cmdsynopsis" sepchar=" "> <command>pam_xauth.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> xauthpath=<replaceable>/path/to/xauth</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> systemuser=<replaceable>UID</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> targetuser=<replaceable>UID</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_xauth-description"> + <refsect1 xml:id="pam_xauth-description"> <title>DESCRIPTION</title> <para> The pam_xauth PAM module is designed to forward xauth keys @@ -81,25 +78,25 @@ If a user has a <filename>.xauth/export</filename> file, the user will only forward cookies to users listed in the file. If there is no <filename>~/.xauth/export</filename> file, and the invoking user is - not <emphasis remap='B'>root</emphasis>, the user will forward cookies + not <emphasis remap="B">root</emphasis>, the user will forward cookies to any other user. If there is no <filename>~/.xauth/export</filename> - file, and the invoking user is <emphasis remap='B'>root</emphasis>, - the user will <emphasis remap='I'>not</emphasis> forward cookies to + file, and the invoking user is <emphasis remap="B">root</emphasis>, + the user will <emphasis remap="I">not</emphasis> forward cookies to other users. </para> <para> Both the import and export files support wildcards (such as - <emphasis remap='I'>*</emphasis>). Both the import and export files + <emphasis remap="I">*</emphasis>). Both the import and export files can be empty, signifying that no users are allowed. </para> </refsect1> - <refsect1 id="pam_xauth-options"> + <refsect1 xml:id="pam_xauth-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -109,7 +106,7 @@ </varlistentry> <varlistentry> <term> - <option>xauthpath=<replaceable>/path/to/xauth</replaceable></option> + xauthpath=/path/to/xauth </term> <listitem> <para> @@ -122,7 +119,7 @@ </varlistentry> <varlistentry> <term> - <option>systemuser=<replaceable>UID</replaceable></option> + systemuser=UID </term> <listitem> <para> @@ -135,7 +132,7 @@ </varlistentry> <varlistentry> <term> - <option>targetuser=<replaceable>UID</replaceable></option> + targetuser=UID </term> <listitem> <para> @@ -147,14 +144,14 @@ </variablelist> </refsect1> - <refsect1 id="pam_xauth-types"> + <refsect1 xml:id="pam_xauth-types"> <title>MODULE TYPES PROVIDED</title> <para> - Only the <emphasis remap='B'>session</emphasis> type is provided. + Only the <emphasis remap="B">session</emphasis> type is provided. </para> </refsect1> - <refsect1 id='pam_xauth-return_values'> + <refsect1 xml:id="pam_xauth-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -205,7 +202,7 @@ </variablelist> </refsect1> - <refsect1 id='pam_xauth-examples'> + <refsect1 xml:id="pam_xauth-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/su</filename> to @@ -216,10 +213,10 @@ session optional pam_xauth.so </para> </refsect1> - <refsect1 id="pam_xauth-implementation"> + <refsect1 xml:id="pam_xauth-implementation"> <title>IMPLEMENTATION DETAILS</title> <para> - pam_xauth will work <emphasis remap='I'>only</emphasis> if it is + pam_xauth will work <emphasis remap="I">only</emphasis> if it is used from a setuid application in which the <function>getuid</function>() call returns the id of the user running the application, and for which PAM can supply the name @@ -247,17 +244,17 @@ session optional pam_xauth.so </para> </refsect1> - <refsect1 id="pam_lastlog-files"> + <refsect1 xml:id="pam_lastlog-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>~/.xauth/import</filename></term> + <term>~/.xauth/import</term> <listitem> <para>XXX</para> </listitem> </varlistentry> <varlistentry> - <term><filename>~/.xauth/export</filename></term> + <term>~/.xauth/export</term> <listitem> <para>XXX</para> </listitem> @@ -266,7 +263,7 @@ session optional pam_xauth.so </refsect1> - <refsect1 id='pam_xauth-see_also'> + <refsect1 xml:id="pam_xauth-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -276,12 +273,12 @@ session optional pam_xauth.so <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> </citerefentry> </para> </refsect1> - <refsect1 id='pam_xauth-author'> + <refsect1 xml:id="pam_xauth-author"> <title>AUTHOR</title> <para> pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, @@ -290,4 +287,4 @@ session optional pam_xauth.so </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index 03f8dc78..f3e2a40d 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -52,6 +52,7 @@ #include <stdlib.h> #include <string.h> #include <syslog.h> +#include <signal.h> #include <security/pam_modules.h> #include <security/_pam_macros.h> @@ -99,6 +100,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, char *buffer = NULL; size_t buffer_size = 0; va_list ap; + struct sigaction newsa, oldsa; *output = NULL; @@ -114,6 +116,17 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, return -1; } + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_syslog(pamh, LOG_ERR, "failed to reset SIGCHLD handler: %m"); + close(ipipe[0]); + close(ipipe[1]); + close(opipe[0]); + close(opipe[1]); + return -1; + } + /* Fork off a child. */ child = fork(); if (child == -1) { @@ -128,7 +141,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, if (child == 0) { /* We're the child. */ size_t j; - const char *args[10]; + const char *args[10] = {}; /* Drop privileges. */ if (setgid(gid) == -1) { @@ -168,8 +181,6 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, PAM_MODUTIL_NULL_FD) < 0) { _exit(1); } - /* Initialize the argument list. */ - memset(args, 0, sizeof(args)); /* Convert the varargs list into a regular array of strings. */ va_start(ap, command); args[0] = command; @@ -209,6 +220,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, } close(opipe[0]); waitpid(child, NULL, 0); + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ return -1; } /* Save the new buffer location, copy the newly-read data into @@ -225,6 +237,7 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output, close(opipe[0]); *output = buffer; waitpid(child, NULL, 0); + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ return 0; } @@ -549,9 +562,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, } /* Allocate enough space to hold an adjusted name. */ tlen = strlen(display) + LINE_MAX + 1; - t = malloc(tlen); + t = calloc(1, tlen); if (t != NULL) { - memset(t, 0, tlen); if (gethostname(t, tlen - 1) != -1) { /* Append the protocol and then the * screen number. */ |