| Commit message (Collapse) | Author | Age |
|\ |
|
| |
| |
| |
| | |
* maint/README-release: New file.
|
| |
| |
| |
| | |
* maint/gen-tag-message: New script for preparing tag message.
|
| |
| |
| |
| | |
* maint/make-dist: New script for preparing release tarballs.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Matthias Gerstner found the following issue:
<quote>
So this pam_setquota module iterates over all mounted file systems using
`setmntent()` and `getmntent()`. It tries to find the longest match of
a file system mounted on /home/$USER or above (except when the
fs=/some/path parameter is passed to the pam module).
The thing is that /home/$USER is owned by the unprivileged user. And
there exist tools like fusermount from libfuse which is by default
installed setuid-root for everybody. fusermount allows to mount a FUSE
file system using an arbitrary "source device name" as the unprivileged
user.
Thus considering the following use case:
1) there is only the root file system (/) or a file system is mounted on
/home, but not on /home/$USER.
2) the attacker mounts a fake FUSE file system over its own home directory:
```
user $ export _FUSE_COMMFD=0
user $ fusermount $HOME -ononempty,fsname=/dev/sda1
```
This will result in a mount entry in /proc/mounts looking like this:
```
/dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
```
3) when the attacker now logs in with pam_setquota configured then
pam_setquota will identify /dev/sda1 and the file system where
to apply the user's quota on.
As a result an unprivileged user has full control over onto which block
device the quota is applied.
</quote>
If the user's $HOME is on a separate partition, setting a quota on the
user's $HOME does not really make sense, so this patch skips mountpoints
equal to the user's $HOME, preventing the above mentioned bug as
a side-effect (or vice-versa).
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Co-authored-by: Tomáš Mráz <tmraz@redhat.com>
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/230
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
pam_get_user returns an empty string as the user name. When either of
these functions returned an error value, it used to return that error
value. This hasn't been documented, and I couldn't find any rationale
for this behaviour.
* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
pam_get_user and pam_set_item.
|
| |
| |
| |
| |
| |
| |
| | |
Currently translated at 100.0% (122 of 122 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_ERR to LOG_NOTICE.
* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_WARNING to LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
pam_sm_acct_mgmt): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Downgrade the syslog level for pam_get_user errors from LOG_WARNING
to LOG_NOTICE.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/tst-pam_localuser-retval.c: New file.
* modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
function.
(pam_sm_authenticate): Use it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
the syslog level for errors related to pam_get_user from LOG_ERR to
LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Also, remove unused MODULE_NAME macro.
* modules/pam_localuser/pam_localuser.c: Stop including unused header
files.
(MODULE_NAME): Remove.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
pam_get_user is guaranteed to return one of the following values:
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
PAM_SERVICE_ERR.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
new return values.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Since user name is untrusted input, it should be validated earlier
rather than later.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
the passwd file after user name validation.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As BUFSIZ is the buffer size used in stdio, it must be an efficient size
for the line buffer. Also, it's larger than LINE_MAX used as the line
buffer size before this change, effectively raising the maximum user
name length supported by this module.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
LINE_MAX with BUFSIZ.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before this change, a long line in the passwd file used to be treated as
several lines which could potentially result to false match and,
consequently, to incorrect PAM_SUCCESS return value.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
long lines in passwd files properly.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
copy the user name into a temporary buffer, use the user name itself in
comparisons.
|
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
unrecognized options.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When passwd file cannot be opened or the user name either cannot be
obtained or is not valid, return PAM_SERVICE_ERR instead of
PAM_SYSTEM_ERR.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Too long user names used to be truncated which could potentially result
to false match and, consequently, to incorrect PAM_SUCCESS return value.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_SERVICE_ERR if the user name is too long.
|
| |
| |
| |
| |
| |
| |
| |
| | |
"root:x" is not a local user name even if the passwd file contains
a line starting with "root:x:".
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_PERM_DENIED if the user name contains a colon.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
* modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
* modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_rootok/tst-pam_rootok-retval.c: New file.
* modules/pam_rootok/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_rootok_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_nologin/tst-pam_nologin-retval.c: New file.
* modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_echo/tst-pam_echo-retval.c: New file.
* modules/pam_echo/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_echo_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_warn/tst-pam_warn-retval.c: New file.
* modules/pam_warn/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_warn_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_debug/tst-pam_debug-retval.c: New file.
* modules/pam_debug/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_debug_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_permit/tst-pam_permit-retval.c: New file.
* modules/pam_permit/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_permit_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_deny/tst-pam_deny-retval.c: New file.
* modules/pam_deny/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_deny_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Introduce a new internal header file for definitions of handy macros
providing convenient assertion testing functionality.
* libpam/include/test_assert.h: New file.
* libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.
|
| |
| |
| |
| |
| |
| |
| | |
Currently translated at 100.0% (122 of 122 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Every stack jump, besides the jump itself, has a side effect which is
one of 'ignore', 'ok', or 'bad'. Unfortunately, the side effect is far
from obvious because it depends on the PAM function call, and the
documentation that contradicts the implementation does not help either.
* doc/man/pam.conf-syntax.xml (actionN): Rewrite the description
of stack jump effects to match the implementation.
Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Translated using Weblate (Norwegian Bokmål)
Currently translated at 99.1% (121 of 122 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nb_NO/
* Translated using Weblate (Catalan)
Currently translated at 98.3% (120 of 122 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
Co-authored-by: Allan Nordhøy <epost@anotheragency.no>
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pam_modutil_getpwnam
pam_modutil_getpwnam is perfectly capable of handling empty strings as
user names, no need to double check that.
* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
the user name for emptyness before passing it to pam_modutil_getpwnam.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
|
| |
| |
| |
| |
| | |
* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document
PAM_BUF_ERR and PAM_CONV_ERR return values.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Return
PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document it.
|
| |
| |
| |
| |
| | |
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
PAM_BUF_ERR and PAM_CONV_ERR return values.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_faillock/pam_faillock.c (get_pam_user): Return
PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
pam_get_user is guaranteed to return one of the following values:
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
PAM_SERVICE_ERR.
* modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
new return values.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
to be a valid C string, no need to double check that.
* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
for NULL the user name returned by pam_get_user when the latter returned
PAM_SUCCESS.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
* modules/pam_filter/pam_filter.c (process_args): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
Likewise.
|
| |
| |
| |
| |
| | |
* modules/pam_umask/pam_umask.8.xml (RETURN VALUES): Document
PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
|
| |
| |
| |
| |
| | |
* modules/pam_exec/pam_exec.8.xml (RETURN VALUES): Document
PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Deprecate pam_cracklib, there are two better alternatives to this
obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
from libpwquality project.
Deprecate pam_tally and pam_tally2 in favour of pam_faillock.
* configure.ac: Implement --enable-cracklib=check that enables build
of pam_cracklib when libcrack is available.
Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
* NEWS: Mention this change.
* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add
--enable-tally, --enable-tally2, and --enable-cracklib=check
to check build of these deprecated modules.
|
| | |
|
| | |
|