| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
Follow-up for c81280b16e1831ab0bdd0383486c7e2d1eaf1b5e.
* modules/pam_motd/pam_motd.c: Return PAM_IGNORE if pam_putenv succeeds.
* modules/pam_motd/pam_motd.8.xml: Document additional possible return values of the module.
|
| |
|
|
|
|
|
|
|
|
|
| |
This runs "make distcheck" using gcc-9, gcc-8, gcc-7, and clang
on x86_64, x86, x32, aarch64, s390x, and ppc64le architectures.
* .travis.yml: New file.
* ci/install-dependencies.sh: Likewise.
* ci/run-build-and-tests.sh: Likewise.
Resolves: https://github.com/linux-pam/linux-pam/issues/28
|
| |
|
|
|
|
|
|
|
|
|
| |
When xcrypt.h is available but -lxcrypt is not, pam_pwhistory fails to
build with the following diagnostics:
modules/pam_pwhistory/opasswd.c:111: undefined reference to `xcrypt_r'
Fix this by using the same check for xcrypt as in other modules.
* modules/pam_pwhistory/opasswd.c: Replace HAVE_XCRYPT_H with
HAVE_LIBXCRYPT.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
* doc/specs/Makefile.am: Likewise.
* libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.
* modules/pam_access/pam_access.c: Avoid double const.
* modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
without copying the NUL byte.
* modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_limits/pam_limits.c: Remove unused units variable.
* modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.
* modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.
* modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
of hardcoded value.
* modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.
* modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.
* modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
cast for comparison.
* modules/pam_unix/support.c: Remove unused function.
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a useful indication for update-motd profile.d snippet which can
also try to show MOTD when it is not already shown.
The use-case for that is showing MOTD in shells in containers without
PAM being involved.
* modules/pam_motd/pam_motd.c: Export MOTD_SHOWN=pam after showing MOTD
* modules/pam_motd/pam_motd.8.xml: Mention setting MOTD_SHOWN=pam in the man page
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an auth module to pam_keyinit, whose implementation of
pam_sm_setcred
is identical to the implementation of pam_sm_open_session.
It is useful with PAM applications, which call pam_setcred,
before calling pam_open_session.
* modules/pam_keyinit/pam_keyinit.c: Add an auth module to pam_keyinit.
* modules/pam_keyinit/pam_keyinit.8.xml: Update the manpage
to describe the new functionality.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_auth.c: Use LOG_NOTICE instead of LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
|
| |
|
|
|
|
|
|
|
|
| |
* modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
noexec, nosuid, and nodev flags support.
* modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
filter out the flags.
(parse_method): Call the function.
(ns_setup): Apply the flags to the tmpfs mount.
* modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
|
| |
|
|
|
|
|
|
| |
There is no point in rising the allocation size by doubling when
we can allocate required memory size at once in the second pass.
* libpam/pam_modutil_ingroup.c (checkgrouplist): Allocate some reasonable
default size in first pass and required size in the second pass.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.
The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
D() macro calls which are not enabled on production builds with
regular pam_syslog() calls.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where Linux-PAM should additional look
for pam.d/*, login.defs and securetty if this files are not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
|
| |
|
|
| |
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It a reduced fsize limit is set in /etc/security/limits.conf and
pam_limits is in use pam_lastlog may cause a crash, e.g.
----- begin /etc/pam.d/su ----
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
password required pam_unix.so nullok
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_lastlog.so
----- end /etc/pam.d/su -----
----- begin /etc/security/limits.d/fsize.conf -----
* soft fsize 1710
* hard fsize 1710
----- end /etc/security/limits.d/fsize.conf -----
# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
# su - user1
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
$ exit
# id user2
uid=60000(user2) gid=60000(user2) groups=60000(user2)
# su - user2
File size limit exceeded
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
In order to fix this, and an 'unlimited' option, which leads to saving
the 'fsize' limit and set it to unlimited before writing lastlog. After
that, restore the saved value. If 'fsize' is already unlimited nothing
is done.
Failing to set the 'fsize' limit is not a fatal error. With luck the
configured limit will suffice, so we try to write lastlog anyway, even
under the risk of dying due to a SIGXFSZ.
Failing to restore the 'fsize' limit is a fatal error, since we don't
want to keep it unlimited.
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
| |
|
|
|
|
| |
This adds the UID of the target user to the session open log.
Also fixing tabulation in pam_unix_sess.c.
|
| |
|
|
|
|
|
|
|
|
|
| |
This man page contained the incorrect statement that setting the
PAM_FAIL_DELAY item to NULL would disable any form of delay on
authentication failure.
I removed the incorrect statement and added a paragraph explaining
how an application should properly avoid delays.
Closes #137.
|
| |
|
|
| |
There is an extra space where there should not be one.
|
| |
|
|
|
|
|
| |
The function comment for "_pam_await_timer()" does not mention the
intended behavior of prioritizing the "PAM_FAIL_DELAY" item.
I updated the comment to make this intention clear.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The glibc implementation of getline/getdelim does not guarantee a NUL
terminator in lineptr if getline returns failure (-1). This occurs when
the opasswd file exists but is empty. Since strdup is called
immediately afterwards, this causes strdup to read uninitialized memory
and possibly buffer overrun / crash.
This also fixes a memory leak which always occurs when reading the last
line of the opasswd file. Since the strdup is called before checking
the return code from getline, getdelim, or fgets+strlen, it will
duplicate and never free either:
- The last successfully read line (for getline or getdelim)
- Uninitialized data (if the file is empty)
- A 0 byte string (for fgets+strlen)
Fix by always checking the return code of getline, getdelim, or
fgets+strlen before calling strdup.
|
| | |
|
| |
|
|
|
| |
* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
can be sometimes logged even when the option is not set.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
appropriately.
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
|
| |
|
|
| |
from git
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_passwd.c: Change MAX_PASS to MAXPASS.
* modules/pam_unix/support.c: Likewise.
|
| | |
|
| |
|
|
|
|
|
| |
Issue #118: Protect against Denial of Service attacks.
To prevent hashsum generation via crypt of very long passwords the
password is now stripped to 512 characters. This is equivalent behavior
to unix_chkpwd.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow for conditions that just check the user field to also work for
users not known to the system. Before this caused a PAM_USER_UNKNOWN
even if no extra data for an existing user was needed. E.g.
auth sufficient pam_succeed_if.so user = NotKnownToSystem
modules/pam_succeed_if/pam_succeed_if.c (evaluate): Change the pwd
parameter to an input/output parameter. Lazily request pwd with
pam_modutil_getpwnam() if needed and return PAM_USER_UNKNOWN on failure.
modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Don't
request the pwd if !use_uid anymore and shift the output from audit to
after the evaluate() call. Also make sure not to give the normal failure
message if the lazy pwd loading failed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_tally2 does fsync() after writing to a tally file.
This causes hard drive cache flushes on every failed SSH login on many
(if not most) filesystems.
And an internet-exposed machine can have a lot of these failed logins.
This operation however doesn't seem to be necessary - the pam_tally2
module does not do any operation which would need explicit post-crash
ordering, it just does simple file reads and writes.
And doing a fsync() after them doesn't close any race if the system happens
to crash between a write being posted and its fsync() completion.
Let's remove this operation to get rid of all these extra cache flushes.
|
| | |
|
| |
|
|
|
|
|
|
| |
By default, pam_wheel checks for applicant membership in the wheel group
for *all* access requests, regardless of whether the target user is root
or non-root. Only if root_only is provided does it limit the membership
check to cases when the target user is root. Update the documentation to
reflect this.
|
| | |
|
| |
|
|
|
|
|
| |
The silent option explicitly silents only the last login message and not
bad logins. Add a note to the manual to make this clear.
* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_lastlog module will not log info about failed login if the session
was opened with PAM_SILENT flag.
Example use case enabled by this change:
sudo --non-interactive program
If this command is run by another program expecting specific output from
the command run by sudo, the unexpected info about failed logins will
break this program.
* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
(_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
|
| |
|
|
|
|
| |
* configure.ac: Test for logwtmp needs -lutil in LIBS.
* modules/Makefile.am: Fix indentation of variable assignments causing
creation of incorrect Makefile.
|
| |
|
|
|
|
| |
glibc only. A static string is better.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
| |
* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pam_motd module will not log if the default motd.d directories
are missing.
Also cleanup some code cleanliness issues and fix compilation
warnings.
* modules/pam_motd/pam_motd.c: Constification of constant strings.
(try_to_display_directory): Removed unused function.
(pam_split_string): Replace uint with unsigned int. Fix warnings.
(compare_strings): Fix warnings by proper constification.
(try_to_display_directories_with_overrides): Cleanups. Switch
off the logging if the motd.d directories are missing and they
are default ones.
(pam_sm_open_session): Cleanup warnings. Pass the information
to try_to_display_directories_with_overrides() that non-default
motd options are used.
|
| |
|
|
|
|
|
|
| |
* modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the
LASTLOG_UID_MAX option.
* modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max().
(last_login_date): Check the uid against the get_lastlog_uid_max().
(pam_authenticate): Likewise.
|
| |
|
|
|
|
|
|
|
|
|
| |
* libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
* libpam/Makefile.am: Add the pam_modutil_searchkey.c.
* libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
* libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
* modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
pam_modutil_search_key().
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_unix/support.c: Likewise.
|
| |
|
|
|
|
|
|
| |
* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
to verify_pwd_hash() call.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt can be build-time configured to support (or not support)
various hashing methods. Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.
For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.
Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.
* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.
|
| |
|
|
| |
This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt since v4.4.0 supports a default method for its
gensalt function on most system configurations. As the
default method is to be considered the strongest available
hash method, it should be preferred over all other hash
methods supported by pam.
* modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
* modules/pam_unix/passverify.c: Add crypt_default method.
* modules/pam_unix/support.h: Likewise.
|
| |
|
|
|
|
|
|
|
| |
pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.
* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
of disabled or invalid salt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
|
