Commit message | Author | Age
* Fix check for libtirpc and enhance check for libnsl to include | Thorsten Kukuk | 2016-03-24
  new libnsl.
  * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
  * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
* Remove YP dependencies from pam_access, they were never used | Thorsten Kukuk | 2016-03-23
  and such not needed.
  * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
  * modules/pam_access/pam_access.c: Remove yp_get_default_domain case, it will never be used.
* Add checks for localtime() returning NULL. | Tomas Mraz | 2016-03-04
  * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r returning NULL.
  * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning NULL.
* pam_unix: Silence warnings and fix a minor bug. | Tomas Mraz | 2016-03-04
  Fixes a minor bug in behavior when is_selinux_enabled() returned negative value.
  * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
    (unix_update_shadow): Safe cast forwho to non-const char *.
  * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
* pam_env: Document the /etc/environment file. | Tomas Mraz | 2016-02-17
  * modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
  * modules/pam_env/pam_env.8.xml: Add environ(7) reference.
  * modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.
* pam_unix: Add no_pass_expiry option to ignore password expiration. | Tomas Mraz | 2016-02-17
  * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
  * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
  * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data.
    (pam_sm_setcred): Test for likeauth option and use the return value data only if set.
  * modules/pam_unix/support.h: Add the no_pass_expiry option.
* pam_unix: Change the salt length for new hashes to 16 characters | Tomas Mraz | 2016-01-25
  * modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
* Relax the conditions for fatal failure on auditing. | Tomas Mraz | 2015-12-17
  The PAM library calls will not fail anymore for any uid if the return value from the libaudit call is -EPERM.
  * libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
* pam_tally2: Optionally log the tally count when checking. | Tomas Mraz | 2015-12-16
  * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
    (tally_check): Always log the tally count with debug option.
* Docfix: pam handle is const in pam_syslog() and pam_vsyslog() | Jakub Hrozek | 2015-10-02
  * doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
* pam_loginuid: Add syslog message if required auditd is not detected. | Tomas Mraz | 2015-09-24
  * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message if required auditd is not detected.
* Allow links to be used instead of w3m for documentation regeneration. | Tomas Mraz | 2015-09-04
  * configure.ac: If w3m is not found check for links.
* Add missing space in pam_misc_setenv man page. | Tomas Mraz | 2015-09-04
  * doc/man/pam_misc_setenv.3.xml: Add a missing space.
* pam_rootok: use rootok permission instead of passwd permission in SELinux check. | Tomas Mraz | 2015-08-12
  * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of passwd permission.
* pam_timestamp: Avoid leaking file descriptor. | Amarnath Valluri | 2015-08-05
  * modules/pam_timestamp/hmacsha1.c(hmac_key_create): close 'keyfd' when failed to own it.
  Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
* Release version 1.2.1 | Thorsten Kukuk | 2015-06-22
  Security fix: CVE-2015-3238
  If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity.
  With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
  * NEWS: Update
  * configure.ac: Bump version
  * modules/pam_exec/pam_exec.8.xml: document limitation of password length
  * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
  * modules/pam_unix/pam_unix.8.xml: document limitation of password length
  * modules/pam_unix/pam_unix_passwd.c: limit password length
  * modules/pam_unix/passverify.c: Likewise
  * modules/pam_unix/passverify.h: Likewise
  * modules/pam_unix/support.c: Likewise
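The hang described in the 1.2.1 release message above comes from a blocking write(2) into a pipe that nobody drains. The following C code is an added example, not Linux-PAM code: it measures where an unread pipe fills and applies a length check before the write. The names pipe_capacity_probe and send_secret_bounded are hypothetical, and rejecting (rather than truncating) over-long input is this example's assumption.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define PAM_MAX_RESP_SIZE 512   /* limit quoted in the commit message */

/* Fill a pipe nobody reads, using non-blocking writes; return how many bytes
 * it accepted before a blocking write(2) would have hung (-1 on error). */
long pipe_capacity_probe(void)
{
    int fds[2];
    char chunk[512];
    long total = 0;
    if (pipe(fds) != 0)
        return -1;
    if (fcntl(fds[1], F_SETFL, O_NONBLOCK) != 0)
        total = -1;
    memset(chunk, 'A', sizeof chunk);
    while (total >= 0) {
        ssize_t n = write(fds[1], chunk, sizeof chunk);
        if (n > 0)
            total += n;
        else if (errno == EAGAIN)
            break;              /* pipe full: a blocking writer hangs here */
        else if (errno != EINTR)
            total = -1;
    }
    close(fds[0]);
    close(fds[1]);
    return total;
}

/* Hypothetical sender: reject over-long input before the blocking write. */
long send_secret_bounded(int fd, const char *secret, size_t len)
{
    ssize_t n;
    if (len > PAM_MAX_RESP_SIZE)
        return -1;              /* nothing is written to the pipe */
    do {
        n = write(fd, secret, len);
    } while (n < 0 && errno == EINTR);
    return (long)n;
}

int main(void)
{
    printf("unread pipe filled after %ld bytes\n", pipe_capacity_probe());
    return 0;
}
```

A write of at most 512 bytes is within POSIX's minimum PIPE_BUF, so on a fresh pipe the bounded write completes in one call without waiting for the reader.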
* Update NEWS file | Thorsten Kukuk | 2015-04-27
* Release version 1.2.0 | Thorsten Kukuk | 2015-04-27
  * NEWS: Update
  * configure.ac: Bump version
  * libpam/Makefile.am: Bump version of libpam
  * libpam_misc/Makefile.am: Bump version of libpam_misc
  * po/*: Regenerate po files
* Fix some grammatical errors in documentation. | Thorsten Kukuk | 2015-04-27
  Patch by Louis Sautier
  * doc/adg/Linux-PAM_ADG.xml: Fix grammatical errors.
  * doc/man/pam.3.xml: Likewise.
  * doc/man/pam_acct_mgmt.3.xml: Likewise.
  * doc/man/pam_chauthtok.3.xml: Likewise.
  * doc/man/pam_sm_chauthtok.3.xml: Likewise.
  * modules/pam_limits/limits.conf.5.xml: Likewise.
  * modules/pam_mail/pam_mail.8.xml: Likewise.
  * modules/pam_rhosts/pam_rhosts.c: Likewise.
  * modules/pam_shells/pam_shells.8.xml: Likewise.
  * modules/pam_tally/pam_tally.8.xml: Likewise.
  * modules/pam_tally2/pam_tally2.8.xml: Likewise.
  * modules/pam_unix/pam_unix.8.xml: Likewise.
* Add "quiet" option to pam_unix to suppress informational info | Thorsten Kukuk | 2015-04-23
  messages from session.
  * modules/pam_unix/pam_unix.8.xml: Document new option.
  * modules/pam_unix/support.h: Add quiet option.
  * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if 'quiet' option is set.
* Use crypt_r if available in pam_userdb and in pam_unix. | Tomas Mraz | 2015-04-07
  * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() instead of crypt() if available.
  * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() instead of crypt() if available.
* Support alternative "vendor configuration" files as fallback to /etc | Thorsten Kukuk | 2015-03-25
  (Ticket#34, patch from Kay Sievers <kay@vrfy.org>)
  * doc/man/pam.8.xml: document additional config directory
  * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
  * libpam/pam_private.h: adjust defines
* pam_env: expand @{HOME} and @{SHELL} and enhance documentation | Thorsten Kukuk | 2015-03-25
  (Ticket#24 and #29)
  * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
  * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
  * modules/pam_env/pam_env.8.xml: Enhance documentation
* Clarify pam_access docs re PAM service names and X $DISPLAY value testing. | Thorsten Kukuk | 2015-03-24
  (Ticket #39)
  * modules/pam_access/access.conf.5.xml
  * modules/pam_access/pam_access.8.xml
  Signed-off-by: Karl O. Pinc <kop at meme.com>
* Don't use sudo directory, the timestamp format is different (Ticket#32) | Thorsten Kukuk | 2015-03-24
  * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
* Enhance group.conf examples (Ticket#35) | Thorsten Kukuk | 2015-03-24
  * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
* Document timestampdir option (Ticket#33) | Thorsten Kukuk | 2015-03-24
  * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
* Adjust documentation (Ticket#36) | Thorsten Kukuk | 2015-03-24
  * libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
  * doc/man/pam_fail_delay.3.xml: Change 25% to 50%
* Updated translations from Transifex. | Tomas Mraz | 2015-02-18
  * po/*.po: Updated translations from Transifex.
* build: raise gettext version requirement | Dmitry V. Levin | 2015-01-07
  Raise gettext requirement to the latest oldstable version 0.18.3.
  This fixes the following automake warning:
    configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
    configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
    configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
  * configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
  * po/Makevars: Update from gettext-0.18.3.
* build: adjust automake warning flags | Ronny Chevalier | 2015-01-07
  Enable all automake warning flags except for the portability issues, since non portable features are used among the makefiles.
  * configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
* build: rename configure.in to configure.ac | Dmitry V. Levin | 2015-01-07
  This fixes the following automake warning:
    aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
  * configure.in: Rename to configure.ac.
* Remove unmodified GNU gettext files installed by autopoint | Dmitry V. Levin | 2015-01-07
  These files are part of GNU gettext; we have not modified them, they are installed by autopoint which is called by autoreconf, so they had to be removed from this repository along with ABOUT-NLS, config.rpath, and mkinstalldirs files that were removed by commit Linux-PAM-1_1_5-7-g542ec8b.
  * po/Makefile.in.in: Remove.
  * po/Rules-quot: Likewise.
  * po/boldquot.sed: Likewise.
  * po/en@boldquot.header: Likewise.
  * po/en@quot.header: Likewise.
  * po/insert-header.sin: Likewise.
  * po/quot.sed: Likewise.
  * po/remove-potcdate.sin: Likewise.
  * po/.gitignore: Ignore these files.
* Update .gitignore | Ronny Chevalier | 2015-01-06
  * .gitignore: Ignore *.log and *.trs files.
* libpam: Only print "Password change aborted" when it's true. | Luke Shumaker | 2015-01-02
  pam_get_authtok() may be used any time that a password needs to be entered, unlike pam_get_authtok_{no,}verify(), which may only be used when changing a password; yet when the user aborts, it prints "Password change aborted." whether or not that was the operation being performed.
  This bug was non-obvious because none of the modules distributed with Linux-PAM use it for anything but changing passwords; pam_unix has its own utility function that it uses instead. As an example, the nss-pam-ldapd package uses it in pam_sm_authenticate().
  libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the password is trying to be changed before printing a message about the password change being aborted.
* build: extend cross compiling check to cover CPPFLAGS (ticket #21) | Dmitry V. Levin | 2014-12-10
  Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS, and BUILD_LDFLAGS variables introduced earlier to override CC, CFLAGS, and LDFLAGS, respectively.
  * configure.in (BUILD_CPPFLAGS): Define.
  * doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.
* Do not use yywrap (ticket #42) | Dmitry V. Levin | 2014-12-09
  Our scanners do not really use yywrap. Explicitly disable yywrap so that no references to yywrap will be generated and no LEXLIB would be needed.
  * conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
  * conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
  * doc/specs/Makefile.am (padout_LDADD): Remove.
  * doc/specs/parse_l.l: Enable noyywrap option.
* doc: fix a trivial typo in pam_authenticate return values (ticket #38) | Kyle Manna | 2014-12-09
  * doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.
* doc: fix typo in pam_authenticate.3.xml | Ronny Chevalier | 2014-12-08
  * doc/man/pam_authenticate.3.xml: Fix typo.
* pam_succeed_if: Fix copy&paste error in rhost and tty values. | Tomas Mraz | 2014-10-17
  modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST and PAM_TTY properly for the rhost and tty values.
* pam_succeed_if: Use long long type for numeric values | Tomas Mraz | 2014-10-17
  The currently used long with additional conversion to int is too small for uids and gids.
  modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace strtol() with strtoll() and int with long long in the parameters of comparison functions.
* Add grantor field to audit records of libpam. | Tomas Mraz | 2014-09-05
  The grantor field gives audit trail of PAM modules which granted access for successful return from libpam calls. In case of failed return the grantor field is set to '?'.
  libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
  libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
  libpam/pam_password.c (pam_chauthtok): Likewise.
  libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
  libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, add grantor= field to the message if grantors is set.
    (_pam_list_grantors): New function creating the string with grantors list.
    (_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() to list the grantors from the handler list.
    (_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
    (pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
  libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
    (_pam_clear_grantors): New function to clear grantor field of handler.
    (_pam_dispatch): Call _pam_clear_grantors() before executing the stack. Call _pam_auditlog() when appropriate.
  libpam/pam_handlers.c (extract_modulename): Do not allow empty module name or just "?" to avoid confusing audit trail.
    (_pam_add_handler): Test for NULL return from extract_modulename(). Clear grantor field of handler.
  libpam/pam_private.h: Add grantor field to struct handler, add handler pointer parameter to _pam_auditlog().
* pam_mkhomedir: Drop superfluous stat() call. | Tomas Mraz | 2014-08-26
  modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous stat() call.
* pam_exec: Do not depend on open() returning STDOUT_FILENO. | Tomas Mraz | 2014-08-26
  modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to STDOUT_FILENO if needed.
* pam_keyinit: Check return value of setregid. | Robin Hack | 2014-08-25
  modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
* pam_filter: Avoid leaking descriptors when fork() fails. | Robin Hack | 2014-08-25
  modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
* pam_echo: Avoid leaking file descriptor. | Robin Hack | 2014-08-14
  modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
* pam_tty_audit: Silence Coverity reporting uninitialized use. | Robin Hack | 2014-08-13
  modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also msg_flags.
* pam_tally2: Avoid uninitialized use of fileinfo. | Tomas Mraz | 2014-08-13
  Problem found by Robin Hack <rhack@redhat.com>.
  modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size just try to read it.
* pam_access: Avoid uninitialized access of line. | Tomas Mraz | 2014-08-13
  * modules/pam_access/pam_access.c (login_access): Reorder condition so line is not accessed when uninitialized.