| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
| |
Currently translated at 100.0% (117 of 117 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently translated at 100.0% (117 of 117 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
Translated using Weblate (Polish)
Currently translated at 100.0% (117 of 117 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
|
| |
|
|
| |
* tests/Makefile.am: Add confdir to EXTRA_DIST.
|
| |
|
|
| |
To load PAM stack configurations from specified directory
|
| |
|
|
|
|
|
|
|
|
|
| |
Linux-PAM moved to github long time ago, update the remaining
bug tracking references to point to github issues tracker.
* README: Refer to https://github.com/linux-pam/linux-pam/issues
instead of sourceforge.net.
* po/Makevars: Refer to https://github.com/linux-pam/linux-pam/issues
instead of http://sourceforge.net/projects/pam .
* po/Linux-PAM.pot: Regenerated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the build is configured using --disable-nis option, gcc complains:
pam_unix_passwd.c: In function '_do_setpass':
pam_unix_passwd.c:398:8: warning: unused variable 'master' [-Wunused-variable]
support.c: In function '_unix_getpwnam':
support.c:305:21: warning: parameter 'nis' set but not used [-Wunused-but-set-parameter]
* modules/pam_unix/pam_unix_passwd.c (_do_setpass): Move the definition
of "master" variable to [HAVE_NIS].
* modules/pam_unix/support.c (_unix_getpwnam) [!(HAVE_YP_GET_DEFAULT_DOMAIN
&& HAVE_YP_BIND && HAVE_YP_MATCH && HAVE_YP_UNBIND)]: Do not assign
the unused parameter but mark it as used.
|
| |
|
|
| |
* NEWS (1.4.0): Sort module-related news entries.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove trailing whitespace introduced by commit
f9c9c72121eada731e010ab3620762bcf63db08f.
Remove blank lines at EOF introduced by commit
65d6735c5949ec233df9813f734e918a93fa36cf.
This makes the project free of warnings reported by
git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
* doc/custom-html.xsl: Remove blank line at EOF.
* doc/custom-man.xsl: Likewise.
* modules/pam_motd/pam_motd.c: Remove trailing whitespace.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Configure script incorrectly used a non-cached variable (ac_lib) in the
cached code path. This results in no -lcrypt being defined resulting in
link errors on a re-build.
Update configure.ac to use ac_cv_search_crypt (via ac_res) to setup the
correct library arguments.
Signed-off-by: Mark Wutzke <mark.wutzke@alliedtelesis.co.nz>
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
|
| | |
|
| |
|
|
| |
Updated pot and po files
|
| |
|
|
|
|
|
| |
Currently translated at 100.0% (116 of 116 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
|
| |
|
|
|
|
|
| |
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
|
| |
|
|
|
|
|
| |
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
Translated using Weblate (Polish)
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Deleted translation using Weblate (German (Low))
Deleted translation using Weblate (Angika)
Deleted translation using Weblate (English (United Kingdom))
Deleted translation using Weblate (Asturian)
Deleted translation using Weblate (bal (generated))
Deleted translation using Weblate (Bodo)
Deleted translation using Weblate (Breton)
Deleted translation using Weblate (Cornish)
Deleted translation using Weblate (Cornish)
Deleted translation using Weblate (ilo (generated))
Deleted translation using Weblate (Maithili)
Deleted translation using Weblate (Pedi)
Deleted translation using Weblate (Tibetan)
Deleted translation using Weblate (Twi)
Deleted translation using Weblate (wba (generated))
|
| |
|
|
|
|
|
| |
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
|
| |
|
|
|
|
| |
If kernel audit is disabled the socket open will return
EPROTONOSUPPORT.
Return PAM_IGNORE from pam_tty_audit and log a warning
in this situation so login is not blocked by the module.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When pam_modutil_sanitize_helper_fds() is invoked with
PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
or stderr, it closes the read end of the newly created dummy pipe.
The negative side effect of this approach is that any write to such
descriptor triggers a SIGPIPE. Avoid this by closing the write end of
the dummy pipe and using its read end as a dummy pipe descriptor for
output. Any read from such descriptor returns 0, and any write just
fails with EBADF, which should work better with unprepared writers.
* libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
(redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
|
| |
|
|
| |
u_intX_t is a glibcism this fixes the issue of compiling against musl libc.
|
| |
|
|
|
| |
* modules/pam_group/group.conf.5.xml: Replace bare & with &.
* modules/pam_time/time.conf.5.xml: Likewise.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* modules/pam_group/group.conf.5.xml: Document what logic list means.
* modules/pam_time/time.conf.5.xml: Likewise.
* modules/pam_group/pam_group.c (logic_field): Clear the not operator for the
further operations.
* modules/pam_time/pam_time.c (logic_field): Likewise.
|
| |
|
|
|
|
| |
If the shell is empty in /etc/passwd entry it means /bin/sh.
* modules/pam_shells/pam_shells.c (perform_check): Use /bin/sh as default shell.
|
| |
|
|
|
| |
* modules/pam_env/pam_env.8.xml: Document the change.
* modules/pam_env/pam_env.c: Set DEFAULT_USER_READ_ENVFILE to 0.
|
| |
|
|
|
|
|
|
|
| |
Raise BUF_SIZE to 8192 bytes.
* modules/pam_env/pam_env.c (_parse_env_file): Ignore lines starting with '='.
(_assemble_line): Detect long lines and binary files.
(_check_var): Avoid overwriting global variable.
(_expand_arg): Avoid repeated strlen calls.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could created and controlled by for example a malicious user or
service.
Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| |
|
|
|
| |
* modules/pam_succeed_if/pam_succeed_if.c: Fix const issues.
* modules/pam_usertype/pam_usertype.c: Avoid maybe used uninitialized warning.
|
| |
|
|
|
|
|
|
|
|
| |
Adding nullresetok to auth phase of pam_unix module will allow users
with blank password to authenticate in order to immediatelly change
their password even if nullok is not set.
This allows to have blank password authentication disabled but still
allows administrator to create new user accounts with expired blank
password that must be change on the first login.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Examples:
account requisite pam_succeed_if.so user ingroup group1:group2
OR
account requisite pam_succeed_if.so user notingroup group1:group2
OR
account requisite pam_succeed_if.so user ingroup wheel
OR
account requisite pam_succeed_if.so user notingroup wheel
Can be very convenient to grant access based on complex group memberships (LDAP, etc)
|
| |
|
|
|
| |
There are some source code including the same header file redundantly.
We remove these redundant header file inclusion.
|
| |
|
|
|
| |
* modules/pam_tally/pam_tally.8.xml: Mention account leakage without silent
* modules/pam_tally2/pam_tally2.8.xml: Mention account leakage without silent
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This module will check if the user account type is system or regular based
on its uid. To evaluate the condition it will use 0-99 reserved range
together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
If these values are not set, it uses configure-time defaults
`--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
`SYS_UID_MAX` defaults to `UID_MIN - 1`.
This information can be used to skip specific module in pam stack
based on the account type. `pam_succeed_if uid < 1000` is used at the moment
however it does not reflect changes to `login.defs`.
|
| |
|
|
|
|
|
|
| |
Allow the user to disable documentation through --disable-doc (enabled
by default), this is especially useful when cross-compiling for embedded
targets
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce a new internal header file with definitions of
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
use them to temporary silence -Wcast-qual compilation warnings
in various modules.
* libpam/include/pam_cc_compat.h: New file.
* libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
* modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
(create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL
and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
(pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier
in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
(nl_send): Wrap the cast that discards ‘const’ qualifier in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
(_unix_run_verify_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
(_unix_run_update_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
(unix_update_shadow): Wrap the cast that discards ‘const’ qualifier
in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/support.c: Include "pam_cc_compat.h".
(_unix_run_helper_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
(run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL
and DIAG_POP_IGNORE_CAST_QUAL.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also fix the following compilation warning:
tests/tst-pam_mkargv.c:21:22: warning: initialization discards ‘const’
qualifier from pointer target type [-Wdiscarded-qualifiers]
char *argvstring = "user = XENDT\\userα user=XENDT\\user1";
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* libpam/pam_misc.c (_pam_mkargv): Add const qualifier to the first
argument.
* libpam/pam_private.h (_pam_mkargv): Likewise.
* tests/tst-pam_mkargv.c (main): Convert argvstring from a pointer into
a static const string, make argvresult array static const.
|
| |
|
|
|
|
|
|
|
|
| |
* libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to
non-const char *.
* modules/pam_filter/pam_filter.c: Avoid using const char **.
* modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
* modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
* modules/pam_tally2/pam_tally2.c: String literal must be assigned to
const char *.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the call to the crypt(3) function failed for some reason during
hashing a new login passphrase, the wrapper function for computing
a hash with the md5crypt method was called internally by the pam_unix
module in previous versions of linux-pam.
With CVE-2012-3287 in mind, the md5crypt method is not considered to
be a safe nor recommended hashing method for a new login passphrase
since at least 2012. Thus pam_unix should error out in case of a
failure in crypt(3) instead of silently computing a hashed passphrase
using a potentially unsafe method.
* modules/pam_unix/pam_unix.8.xml: Update documentation.
* modules/pam_unix/passverify.c (create_password_hash): Return NULL
on error instead of silently invoke crypt_md5_wrapper().
|
| |
|
| |
helper_verify_password's variable salt is not just the salt but the whole hash. Renamed for clarity and conformity with the rest of the code.
|
| |
|
|
|
| |
According to the man pages, "Each invocation of va_start() must be
matched by a corresponding invocation of va_end() in the same function."
|
| |
|
|
|
|
| |
Signed-off-by: Russ Allbery <rra@debian.org>
Bug-Debian: https://bugs.debian.org/651560
|
| | |
|
| | |
|
| |
|
|
|
| |
Add a short description of the nousergroups to the pam_umask(8)
man-page.
|
| |
|
|
|
|
|
|
|
|
| |
This is particularly useful when pam has been built with the new
--enable-usergroups configure switch, allowing users to override
the default-enabled state and disabling usergroups at runtime.
This is synonymous but opposite to current and previous pam_umask
default that could be changed to enabled at runtime with the usergroups
argument.
|
| |
|
|
|
|
|
|
|
|
| |
This change adds a configure option to set the default value of the
usergroups option (of the pam_umask module) at build-time.
Distributions usually makes the decision if usergroups should be used or
not. This allows them to control the built-in default value, without
having to ship the value in a config file (cluttering up the view
of actually relevant user/system configuration overrides).
|
| |
|
|
|
|
|
| |
IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should
be discarded. Additionally, for IPv4 addresses, the largest valid prefix size
should be 32.
Fixes #161
|
