summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Properly test for strtol() failure to find any digits.Josef Moellers2017-02-09
| | | | | * modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set to beginning and not NULL.
* pam_exec: fix a potential null pointer dereferenceDaniel Abrecht2017-01-19
| | | | | | | | | | Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS but the response is set to NULL. * modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa with a null pointer. Closes: https://github.com/linux-pam/linux-pam/pull/2
* Add missing comma in the limits.conf.5 manpage.Antonio Ospite2016-12-07
| | | | * modules/pam_limits/limits.conf.5.xml: add a missing comma
* Regular links doesn't work with -no-numbering -no-references.Tomas Mraz2016-11-14
| | | | * configure.ac: Use elinks instead of links.
* pam_access: First check for the (group) match.Tomas Mraz2016-11-01
| | | | | | | The (group) match is performed first to allow for groups containing '@'. * modules/pam_access/pam_access.c (user_match): First check for the (group) match.
* pam_ftp: Properly use the first name from the supplied listTomas Mraz2016-10-17
| | | | | | * modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list of anonymous users if user name matches. (pam_sm_authenticate): Free the returned value allocated in lookup().
* pam_issue: Fix no prompting in parse escape codes mode.Bartos-Elekes Zsolt2016-09-12
| | | | * modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
* xtests: remove bash dependencyMaxin B. John2016-06-30
| | | | | | | | There are no bash specific syntax in the xtest scripts. So, remove the bash dependency. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Maxin B. John <maxin.john@intel.com>
* Unification and cleanup of syslog log levels.Tomas Mraz2016-06-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT. * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT. * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT. * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT. * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT. * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR. * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT. * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT. * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors with LOG_ERR. * modules/pam_limits/pam_limits.c: User login limit messages are syslogged with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with LOG_ERR. * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged with LOG_NOTICE. * modules/pam_namespace/pam_namespace.c: Make memory allocation failures LOG_CRIT. * modules/pam_nologin/pam_nologin.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged with LOG_NOTICE, non-memory errors with LOG_ERR. * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT. * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors LOG_ERR. * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT. * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures LOG_CRIT. * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE. * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and max retries ignorance by application likewise. * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR. * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged with LOG_NOTICE. * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
* pam_timestamp: fix typo in strncmp usageDmitry V. Levin2016-06-14
| | | | | | | | | | | | Before this fix, a typo in check_login_time resulted to ruser and struct utmp.ut_user being compared by the first character only, which in turn could lead to a too low timestamp value being assigned to oldest_login, effectively causing bypass of check_login_time. * modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo in strncmp usage. Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
* Correct the examples in pam_fail_delay(3) man page.Tomas Mraz2016-05-30
| | | | doc/man/pam_fail_delay.3.xml: Correct the examples.
* Remove spaces in examples for access.conf.Tomas Mraz2016-05-11
| | | | | | | | The spaces are ignored only with the default listsep. To remove confusion if non-default listsep is used they are removed from the examples. * modules/pam_access/access.conf: Remove all spaces around ':' in examples. * modules/pam_access/access.conf.5.xml: Likewise.
* build: avoid non-portable == with "test" (ticket #60)Mike Frysinger2016-05-05
| | | | | | | POSIX says test only accepts =. Some shells (including bash) accept ==, but we should still stick to = for portability. * configure.ac: Replace == with = in "test" invocations.
* Release version 1.3.0Thorsten Kukuk2016-04-28
| | | | | | * NEWS: add changes for 1.3.0. * configure.ac: bump version number. * libpam/Makefile.am: bump revision of libpam.so version.
* Updated translations from Zanata.Tomas Mraz2016-04-28
| | | | * po/*.po: Updated translations from Zanata.
* pam_wheel: Correct the documentation of the root_only option.Tomas Mraz2016-04-19
| | | | | * modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the root_only option.
* pam_unix: Document that MD5 password hash is used to store old passwords.Tomas Mraz2016-04-19
| | | | | modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used to store the old passwords when remember option is set.
* Project registered at Zanata (fedora.zanata.org) for translations.Tomas Mraz2016-04-14
| | | | | | | * zanata.xml: Configuration file for zanata client. * po/LINGUAS: Update languages as supported by Zanata. * po/Linux-PAM.pot: Updated from sources. * po/*.po: Updated from sources.
* pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.Tomas Mraz2016-04-06
| | | | | | | | | | | | | | | | We have to drop support for not_set_pass option which is not much useful anyway. Instead we get proper support for authtok_type option. * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty pe option. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas sword() call with equivalent pam_get_authtok() call. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop support for not_set_pass. * modules/pam_unix/support.c (_unix_read_password): Remove. * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
* pam_get_authtok(): Add authtok_type support to current password prompt.Tomas Mraz2016-04-06
| | | | | | * libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password, use different prompt for current password allowing for authtok_type to be displayed to the user.
* pam_unix: Make password expiration messages more user-friendly.Tomas Mraz2016-04-04
| | | | | * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password expiration messages more user-friendly.
* innetgr may not be there so make sure that when innetgr is not presentThorsten Kukuk2016-04-04
| | | | | | | | | | | then we inform about it and not use it. [ticket#46] * modules/pam_group/pam_group.c: ditto * modules/pam_succeed_if/pam_succeed_if.c: ditto * modules/pam_time/pam_time.c: ditto Signed-off-by: Khem Raj <raj.khem at gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* build: fix build when crypt() is not part of crypt_libs [ticket#46]Thorsten Kukuk2016-04-04
| | | | | | * configure.ac: Don't set empty -l option in crypt check Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* build: use $host_cpu for lib64 directory handling [ticket#46]Thorsten Kukuk2016-04-04
| | | | | | * configure.ac: use $host_cpu for lib64 directory handling. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* Fix whitespace issuesDmitry V. Levin2016-04-01
| | | | | | | | | | | | | | | | Remove blank lines at EOF introduced by commit a684595c0bbd88df71285f43fb27630e3829121e, making the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD * libpam/pam_dynamic.c: Remove blank line at EOF. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise.
* Use TI-RPC functions if we compile and link against libtirpc.Thorsten Kukuk2016-04-01
| | | | | | | | The old SunRPC functions don't work with IPv6. * configure.ac: Set and restore CPPFLAGS * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with rpcb_getaddr if available.
* PAM_EXTERN isn't needed anymore, but don't remove it to not break lot ofThorsten Kukuk2016-03-29
| | | | | | external code using it. * libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility
* Remove "--enable-static-modules" option and support fromThorsten Kukuk2016-03-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part.
* Fix check for libtirpc and enhance check for libnsl to includeThorsten Kukuk2016-03-24
| | | | | | | new libnsl. * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
* Remove YP dependencies from pam_access, they were never usedThorsten Kukuk2016-03-23
| | | | | | | | and such not needed. * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS * modules/pam_access/pam_access.c: Remove yp_get_default_domain case, it will never be used.
* Add checks for localtime() returning NULL.Tomas Mraz2016-03-04
| | | | | | | * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r returning NULL. * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning NULL.
* pam_unix: Silence warnings and fix a minor bug.Tomas Mraz2016-03-04
| | | | | | | | | Fixes a minor bug in behavior when is_selinux_enabled() returned negative value. * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro. (unix_update_shadow): Safe cast forwho to non-const char *. * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
* pam_env: Document the /etc/environment file.Tomas Mraz2016-02-17
| | | | | | | * modules/pam_env/Makefile.am: Add the environment.5 soelim stub. * modules/pam_env/pam_env.8.xml: Add environ(7) reference. * modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.
* pam_unix: Add no_pass_expiry option to ignore password expiration.Tomas Mraz2016-02-17
| | | | | | | | | | | | * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data. (pam_sm_setcred): Test for likeauth option and use the return value data only if set. * modules/pam_unix/support.h: Add the no_pass_expiry option.
* pam_unix: Change the salt length for new hashes to 16 charactersTomas Mraz2016-01-25
| | | | | * modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
* Relax the conditions for fatal failure on auditing.Tomas Mraz2015-12-17
| | | | | | | The PAM library calls will not fail anymore for any uid if the return value from the libaudit call is -EPERM. * libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
* pam_tally2: Optionally log the tally count when checking.Tomas Mraz2015-12-16
| | | | | * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option. (tally_check): Always log the tally count with debug option.
* Docfix: pam handle is const in pam_syslog() and pam_vsyslog()Jakub Hrozek2015-10-02
| | | | * doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
* pam_loginuid: Add syslog message if required auditd is not detected.Tomas Mraz2015-09-24
| | | | | * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message if required auditd is not detected.
* Allow links to be used instead of w3m for documentation regeneration.Tomas Mraz2015-09-04
| | | | * configure.ac: If w3m is not found check for links.
* Add missing space in pam_misc_setenv man page.Tomas Mraz2015-09-04
| | | | * doc/man/pam_misc_setenv.3.xml: Add a missing space.
* pam_rootok: use rootok permission instead of passwd permission in SELinux check.Tomas Mraz2015-08-12
| | | | | * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of passwd permission.
* pam_timestamp: Avoid leaking file descriptor.Amarnath Valluri2015-08-05
| | | | | | | * modules/pam_timestamp/hmacsha1.c(hmac_key_create): close 'keyfd' when failed to own it. Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
* Release version 1.2.1Thorsten Kukuk2015-06-22
| | | | | | | | | | | | | | | | | | | | | | | | Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise
* Update NEWS fileThorsten Kukuk2015-04-27
|
* Release version 1.2.0Thorsten Kukuk2015-04-27
| | | | | | | | * NEWS: Update * configure.ac: Bump version * libpam/Makefile.am: Bump version of libpam * libpam_misc/Makefile.am: Bump version of libpam_misc * po/*: Regenerate po files
* Fix some grammatical errors in documentation.Thorsten Kukuk2015-04-27
| | | | | | | | | | | | | | | | | Patch by Louis Sautier * doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors. * doc/man/pam.3.xml: Likewise. * doc/man/pam_acct_mgmt.3.xml: Likewise. * doc/man/pam_chauthtok.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * modules/pam_limits/limits.conf.5.xml: Likewise. * modules/pam_mail/pam_mail.8.xml: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_shells/pam_shells.8.xml: Likewise. * modules/pam_tally/pam_tally.8.xml: Likewise. * modules/pam_tally2/pam_tally2.8.xml: Likewise. * modules/pam_unix/pam_unix.8.xml: Likewise.
* Add "quiet" option to pam_unix to suppress informential infoThorsten Kukuk2015-04-23
| | | | | | | | | messages from session. * modules/pam_unix/pam_unix.8.xml: Document new option. * modules/pam_unix/support.h: Add quiet option. * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if 'quiet' option is set.
* Use crypt_r if available in pam_userdb and in pam_unix.Tomas Mraz2015-04-07
| | | | | | | * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() instead of crypt() if available. * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() instead of crypt() if available.
* Support alternative "vendor configuration" files as fallback to /etcThorsten Kukuk2015-03-25
| | | | | | | | (Ticket#34, patch from ay Sievers <kay@vrfy.org>) * doc/man/pam.8.xml: document additonal config directory * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory * libpam/pam_private.h: adjust defines
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-23 13:51:36 +0000