path: root/configure.ac
Commit message | Author | Age
* configure.ac: also search libcrypt through pkg-config | Fabrice Fontaine | 2021-08-30
  libxcrypt provides a libcrypt.pc file so use it if available as this will allow to retrieve the library path (e.g. -L/home/buildroot/output/host//riscv64-buildroot-linux-musl/sysroot/usr/lib) which is useful when cross-compiling and will avoid the following build failure on buildroot:
  /home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
  passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
  Fixes:
  - http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* Prepare for 1.5.2 release | Dmitry V. Levin | 2021-07-20
  * configure.ac (AC_INIT): Raise version to 1.5.2.
  * NEWS: Update.
* configure.ac: fix build with libxcrypt and uclibc-ng | Fabrice Fontaine | 2021-06-15
  Fix the following build failure with libxcrypt and uclibc-ng:
  ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
  passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
  Fixes:
  - http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* Add pkgconfig files for provided libraries | Mathieu Trossevin | 2021-06-14
  * .gitignore: Add .pc files as they are generated by autoconf.
  * configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
  * libpam/Makefile.am: Install pam.pc.
  * libpam/pam.pc.in: New file.
  * libpam_misc/Makefile.am: Install pam_misc.pc
  * libpam_misc/pam_misc.pc.in: New file.
  * libpamc/Makefile.am: Install pamc.pc
  This allows applications and PAM modules to automatically find libpam, libpam_misc and libpamc if they are installed instead of having to manually search for them.
* Remove support for legacy xcrypt | Björn Esser | 2021-06-14
  Since many distributions are shipping a version of libxcrypt >= 4.0.0 as a replacement for glibc's libcrypt now, older versions of xcrypt, which could be installed in parallel, are not relevant anymore.
  * configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h. (AC_SEARCH_LIBS): Remove xcrypt. (AC_CHECK_FUNCS): Remove crypt_gensalt_r. (AC_DEFINE): Remove HAVE_LIBXCRYPT.
  * modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
  * modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
  * modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
  * modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise. (create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
* pam_misc: set default length of misc_conv() buffer to 4096 | Jeff Squyres | 2021-06-14
* pam_misc: make length of misc_conv() configurable | Jeff Squyres | 2021-06-14
  Add --with-misc-conv-bufsize=<number> option to configure to allow a longer buffer size for libpam_misc's misc_conv() function (it still defaults to 512 bytes).
  Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
* pam_timestamp: replace hmac implementation | Iker Pedrosa | 2021-06-14
  sha1 is no longer recommended as a cryptographic algorithm for authentication. Thus, the idea of this change is to replace the implementation provided by hmacsha1 included in pam_timestamp module by the one in the openssl library. This way, there's no need to maintain the cryptographic algorithm implementation and it can be easily changed with a single configuration change.
  modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper functions around openssl's hmac implementation. Moreover, manage the key generation and its read and write in a file. Include an option to configure the cryptographic algorithm in login.defs file.
  modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
  modules/pam_timestamp/pam_timestamp.c: replace calls to functions provided by hmacsha1 by functions provided by openssl's wrapper.
  configure.ac: include openssl dependency if it is enabled.
  modules/pam_timestamp/Makefile.am: include new files and openssl library to compilation.
  ci/install-dependencies.sh: include openssl library to dependencies.
  NEWS: add new item to next release.
  Make.xml.rules.in: add stringparam profiling for hmac
  doc/custom-man.xsl: change import docbook to one with profiling
  modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to indicate the value in /etc/login.defs that holds the value for the encryption algorithm
  Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
* configure.ac: add --with-systemdunitdir option | Changqing Li | 2021-01-27
  * Add this option to support the following scenario: prefix = '/usr' servicedir = '/lib/systemd/system'
  * The default behavior is changed: If this option is not given, servicedir will be set to the value that is obtained from systemd pkg-config file. If the value cannot be obtained, servicedir will be set to the default value '$(prefix)/lib/systemd/system'.
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
* configure: test -a|o is not POSIX | Issam E. Maghni | 2020-12-16
  Fixes `test: too many arguments` when building Linux-PAM using sbase.
  This is due to a non-POSIX syntax test ... -a ... and test ... -o ....
  > The XSI extensions specifying the -a and -o binary primaries and the
  > '(' and ')' operators have been marked obsolescent.
  See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
* Prepare for 1.5.1 release | Dmitry V. Levin | 2020-11-24
  * configure.ac (AC_INIT): Raise version to 1.5.1.
* Prepare for 1.5.0 release | Dmitry V. Levin | 2020-11-03
  * configure.ac (AC_INIT): Raise version to 1.5.0.
  * NEWS: Update.
* Remove deprecated pam_tally and pam_tally2 modules | Dmitry V. Levin | 2020-10-29
  * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-tally --enable-tally2.
  * configure.ac: Remove --enable-tally and --enable-tally2 options. (AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2. (AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and modules/pam_tally2/Makefile.
  * doc/sag/pam_tally.xml: Remove.
  * doc/sag/pam_tally2.xml: Likewise.
  * doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and pam_tally2.xml.
  * modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove. (SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2.
  * modules/pam_tally/.gitignore: Remove.
  * modules/pam_tally/Makefile.am: Likewise.
  * modules/pam_tally/README.xml: Likewise.
  * modules/pam_tally/faillog.h: Likewise.
  * modules/pam_tally/pam_tally.8.xml: Likewise.
  * modules/pam_tally/pam_tally.c: Likewise.
  * modules/pam_tally/pam_tally_app.c: Likewise.
  * modules/pam_tally/tst-pam_tally: Likewise.
  * modules/pam_tally2/.gitignore: Likewise.
  * modules/pam_tally2/Makefile.am: Likewise.
  * modules/pam_tally2/README.xml: Likewise.
  * modules/pam_tally2/pam_tally2.8.xml: Likewise.
  * modules/pam_tally2/pam_tally2.c: Likewise.
  * modules/pam_tally2/pam_tally2_app.c: Likewise.
  * modules/pam_tally2/tallylog.h: Likewise.
  * modules/pam_tally2/tst-pam_tally2: Likewise.
  * modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing pam_tally with pam_timestamp.
  * po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c, ./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c, and ./modules/pam_tally2/pam_tally2.c.
  * NEWS: Document this change.
* Remove deprecated pam_cracklib module | Dmitry V. Levin | 2020-10-29
  * ci/install-dependencies.sh: Remove libcrack2-dev.
  * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-cracklib=check.
  * conf/pam.conf: Remove references to pam_cracklib.so.
  * configure.ac: Remove --enable-cracklib option. (AC_SUBST): Remove LIBCRACK. (AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB. (AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile.
  * doc/sag/pam_cracklib.xml: Remove.
  * doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml.
  * modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove. (SUBDIRS): Remove MAYBE_PAM_CRACKLIB.
  * modules/pam_cracklib/Makefile.am: Remove.
  * modules/pam_cracklib/README.xml: Likewise.
  * modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
  * modules/pam_cracklib/pam_cracklib.c: Likewise.
  * modules/pam_cracklib/tst-pam_cracklib: Likewise.
  * xtests/tst-pam_cracklib1.c: Likewise.
  * xtests/tst-pam_cracklib1.pamd: Likewise.
  * xtests/tst-pam_cracklib2.c: Likewise.
  * xtests/tst-pam_cracklib2.pamd: Likewise.
  * modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib in examples with pam_passwdqc.
  * modules/pam_unix/pam_unix.8.xml: Likewise.
  * po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c.
  * xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2.
  * xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd and tst-pam_cracklib2.pamd. (XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2.
  * NEWS: Document this change.
* Revert "libpam/pam_modutil_sanitize.c: optimize the way to close fds" | Tomas Mraz | 2020-10-20
  This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
* configure: add --disable-unix option | Dmitry V. Levin | 2020-08-08
  Some distributions do not build pam_unix, e.g. ALT uses pam_tcb instead. Add a configure option to disable build of pam_unix so that those who choose not to build pam_unix no longer have to edit modules/Makefile.am file. The default is unchanged, i.e. build of pam_unix is enabled.
  * configure.ac (AC_ARG_ENABLE): Add unix. (AM_CONDITIONAL): Add COND_BUILD_PAM_UNIX.
  * modules/Makefile.am [COND_BUILD_PAM_UNIX] (MAYBE_PAM_UNIX): Define. (SUBDIRS): Replace pam_unix with $(COND_BUILD_PAM_UNIX).
* Build all installed executables with -Wl,-z,now if available | Dmitry V. Levin | 2020-08-07
  This makes them built with full RELRO if -Wl,-z,relro is specified.
  * m4/ld-z-now.m4: New file.
  * m4/.gitignore: Add it to exclude list.
  * configure.ac: Call PAM_LD_Z_NOW. (EXE_LDFLAGS): Append $ZNOW_LDFLAGS.
* build: rename PIE_* AC_SUBST variables to EXE_* | Dmitry V. Levin | 2020-08-07
  There are going to be other options added to CFLAGS and LDFLAGS of executables made along with modules.
  * configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of PIE_CFLAGS and PIE_LDFLAGS. All users updated.
* configure.ac: rewrite --disable-pie and -fpie/pie check | Dmitry V. Levin | 2020-08-07
  * configure.ac: Rewrite -fpie/pie check using AC_LINK_IFELSE to make the code more readable. Add --enable-pie=check support and make it the default, terminate if --enable-pie is specified but -fpie/pie support is not available.
* m4: rewrite __attribute__((unused)) check | Dmitry V. Levin | 2020-08-07
  Rewrite using AC_CACHE_CHECK to create a more readable autoconf macro.
  * m4/attribute.m4: New file.
  * m4/japhar_grep_cflags.m4: Remove.
  * m4/.gitignore: Replace japhar_grep_cflags.m4 with attribute.m4.
  * configure.ac: Replace AC_C___ATTRIBUTE__ with PAM_ATTRIBUTE_UNUSED.
* configure.ac: rewrite WARN_CFLAGS initialization | Dmitry V. Levin | 2020-08-06
  As the old machinery was not prepared for adding compiler options conditionally when the compiler supports them, replace it with a new machinery that implements this.
  * m4/warnings.m4: New file.
  * m4/warn_lang_flags.m4: Likewise.
  * m4/.gitignore: Add exclusions for them.
  * m4/japhar_grep_cflags.m4 (JAPHAR_GREP_CFLAGS): Remove.
  * configure.ac: Call pam_WARN_LANG_FLAGS. Remove all uses of JAPHAR_GREP_CFLAGS.
* configure.ac: fix typo in --with-kernel-overflow-uid= option to match its documentation | Issam Maghni | 2020-08-03
* configure.ac: fix non-portable use of test builtin | Dmitry V. Levin | 2020-06-15
  Portable code should not assume that test builtin supports == operator.
  * configure.ac (opt_uidmin, opt_sysuidmin, opt_kerneloverflowuid): Fix initialization.
  Resolves: https://github.com/linux-pam/linux-pam/issues/241
  Fixes: 926d7935e ("pam_usertype: new module to tell if uid is in login.defs ranges")
* configure.ac: fix build failure when crypt() does not require libcrypt | Fabrice Fontaine | 2020-06-11
  Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
  Resolves: https://github.com/linux-pam/linux-pam/pull/235
  Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
  Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* Deprecate pam_cracklib, pam_tally, and pam_tally2 | Dmitry V. Levin | 2020-05-13
  Deprecate pam_cracklib, there are two better alternatives to this obsolete module: pam_passwdqc from passwdqc project and pam_pwquality from libpwquality project.
  Deprecate pam_tally and pam_tally2 in favour of pam_faillock.
  * configure.ac: Implement --enable-cracklib=check that enables build of pam_cracklib when libcrack is available. Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
  * NEWS: Mention this change.
  * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add --enable-tally, --enable-tally2, and --enable-cracklib=check to check build of these deprecated modules.
* pam_faillock: New module for locking after multiple auth failures | Tomas Mraz | 2020-04-30
* build: rework vendordir substitution | Dmitry V. Levin | 2020-04-28
  Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used, remove stereotypic definitions from other Makefiles, this way we no longer have to worry about vendordir being used somewhere else in documentation files.
  Likewise, define VENDORDIR in config.h and remove stereotypic -DVENDORDIR= additions from other Makefiles, this way we no longer have to worry about VENDORDIR being used somewhere else in the code.
  * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR. (AC_DEFINE_UNQUOTED): Add VENDORDIR. (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
  * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with @STRINGPARAM_VENDORDIR@.
  * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
  * libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
  * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove. (XSLTPROC_CUSTOM): Remove.
  * modules/pam_securetty/pam_securetty.c: Move definitions of local macros after config.h to benefit from macros defined there.
* Make.xml.rules: prepare for configure substitutions | Dmitry V. Levin | 2020-04-28
  * Make.xml.rules: Rename to ...
  * Make.xml.rules.in: ... new file.
  * Makefile.am (EXTRA_DIST): Remove Make.xml.rules.
  * configure.ac (AC_CONFIG_FILES): Add Make.xml.rules.
* configure: fix dlopen check | Dmitry V. Levin | 2020-04-27
  * configure.ac: Check for the library providing dlopen using AC_SEARCH_LIBS instead of AC_CHECK_LIB to handle the case when dlopen is a part of libc.
* configure: add --disable-tally and --disable-tally2 options | Dmitry V. Levin | 2020-04-27
  * configure.ac (AC_ARG_ENABLE): Add tally and tally2. (AM_CONDITIONAL): Add COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
  * modules/Makefile.am [COND_BUILD_PAM_TALLY] (MAYBE_PAM_TALLY): Define. [COND_BUILD_PAM_TALLY2] (MAYBE_PAM_TALLY2): Likewise. (SUBDIRS): Replace pam_tally with $(COND_BUILD_PAM_TALLY), pam_tally2 with $(COND_BUILD_PAM_TALLY2).
* build: move pam_selinux and pam_sepermit build conditions to modules/Makefile.am | Dmitry V. Levin | 2020-04-26
  * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBSELINUX with COND_BUILD_PAM_SELINUX and COND_BUILD_PAM_SEPERMIT.
  * modules/Makefile.am [COND_BUILD_PAM_SELINUX] (MAYBE_PAM_SELINUX): Define. [COND_BUILD_PAM_SEPERMIT] (MAYBE_PAM_SEPERMIT): Likewise. (SUBDIRS): Replace pam_selinux with $(MAYBE_PAM_SELINUX), pam_sepermit with MAYBE_PAM_SEPERMIT.
  * modules/pam_selinux/Makefile.am: Assume HAVE_LIBSELINUX.
  * modules/pam_sepermit/Makefile.am: Likewise.
* build: simplify the check for unshare function | Dmitry V. Levin | 2020-04-26
  * configure.ac (AC_CHECK_FUNCS): Do not set UNSHARE when checking for unshare function. (COND_BUILD_PAM_NAMESPACE): Check for $ac_cv_func_unshare instead of $UNSHARE.
* build: move pam_namespace build condition to modules/Makefile.am | Dmitry V. Levin | 2020-04-26
  * configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with COND_BUILD_PAM_NAMESPACE.
  * modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE): Define. (SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE).
  * modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
* build: move pam_userdb build condition to modules/Makefile.am | Dmitry V. Levin | 2020-04-26
  * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBDB with COND_BUILD_PAM_USERDB.
  * modules/Makefile.am [COND_BUILD_PAM_USERDB] (MAYBE_PAM_USERDB): Define. (SUBDIRS): Replace pam_userdb with $(MAYBE_PAM_USERDB).
  * modules/pam_userdb/Makefile.am: Assume HAVE_LIBDB.
* build: remove unused HAVE_LIBCRACK | Dmitry V. Levin | 2020-04-26
  * configure.ac (AC_DEFINE): Remove unused HAVE_LIBCRACK.
* build: move pam_cracklib build condition to modules/Makefile.am | Dmitry V. Levin | 2020-04-26
  * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBCRACK with COND_BUILD_PAM_CRACKLIB.
  * modules/Makefile.am [COND_BUILD_PAM_CRACKLIB] (MAYBE_PAM_CRACKLIB): Define. (SUBDIRS): Replace pam_cracklib with $(MAYBE_PAM_CRACKLIB).
  * modules/pam_cracklib/Makefile.am: Assume HAVE_LIBCRACK.
* build: remove unused HAVE_KEY_MANAGEMENT | Dmitry V. Levin | 2020-04-26
  * configure.ac (AC_DEFINE, AC_SUBST): Remove unused HAVE_KEY_MANAGEMENT. (AC_CHECK_DECL): Remove unused ENOKEY.
* build: move pam_keyinit build condition to modules/Makefile.am | Dmitry V. Levin | 2020-04-26
  * configure.ac (AM_CONDITIONAL): Replace HAVE_KEY_MANAGEMENT with COND_BUILD_PAM_KEYINIT.
  * modules/Makefile.am [COND_BUILD_PAM_KEYINIT] (MAYBE_PAM_KEYINIT): Define. (SUBDIRS): Replace pam_keyinit with $(MAYBE_PAM_KEYINIT).
  * modules/pam_keyinit/Makefile.am: Assume HAVE_KEY_MANAGEMENT.
* build: remove unused AC_DEFINE([HAVE_AUDIT_TTY_STATUS]) | Dmitry V. Levin | 2020-04-26
  * configure.ac (AC_DEFINE): Remove unused HAVE_AUDIT_TTY_STATUS.
* build: move pam_tty_audit build condition to modules/Makefile.am | Dmitry V. Levin | 2020-04-26
  * configure.ac (AM_CONDITIONAL): Replace HAVE_AUDIT_TTY_STATUS with COND_BUILD_PAM_TTY_AUDIT.
  * modules/Makefile.am [COND_BUILD_PAM_TTY_AUDIT] (MAYBE_PAM_TTY_AUDIT): Define. (SUBDIRS): Replace pam_tty_audit with $(MAYBE_PAM_TTY_AUDIT).
  * modules/pam_tty_audit/Makefile.am: Assume HAVE_AUDIT_TTY_STATUS.
* configure.ac: sort COND_BUILD_* conditionals | Dmitry V. Levin | 2020-04-26
  ... and move them closer to the end of configure.ac.
* build: cleanup: replace "test ! -z" with "test -n" | Dmitry V. Levin | 2020-04-26
  * configure.ac: replace "test ! -z" with "test -n".
* pam_setquota: new module to set or modify disk quotas on session start | Sven Hartge | 2020-04-17
  This makes disk quotas usable with central user databases, such as MySQL or LDAP.
  Resolves: https://github.com/linux-pam/linux-pam/issues/92
* Fix various typos found using codespell tool | Dmitry V. Levin | 2020-03-28
* configure: implement --enable-Werror option | Dmitry V. Levin | 2020-03-19
  When configure is invoked with --enable-Werror option, -Werror compiler option is added to WARN_CFLAGS. This new configure option is intended primarily for CI purposes.
  * configure.ac (AC_ARG_ENABLE): Add Werror. Forward -Werror to JAPHAR_GREP_CFLAGS.
* Use cached 'crypt' library result correctly | Mark Wutzke | 2020-03-04
  Configure script incorrectly used a non-cached variable (ac_lib) in the cached code path. This results in no -lcrypt being defined resulting in link errors on a re-build.
  Update configure.ac to use ac_cv_search_crypt (via ac_res) to setup the correct library arguments.
  Signed-off-by: Mark Wutzke <mark.wutzke@alliedtelesis.co.nz>
  Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
* Prepare for the 1.4.0 release | Tomas Mraz | 2020-03-03
* pam_namespace: secure tmp-inst directories | Topi Miettinen | 2020-02-18
  When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace creates subdirectories with fixed name tmp-inst. These paths should be secured as early as possible to avoid that somehow these directories could be created and controlled by for example a malicious user or service. Ship a systemd service, which creates the directories early in boot sequence with correct permissions and ownership.
  Closes #111.
  Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* pam_usertype: new module to tell if uid is in login.defs ranges | Pavel Březina | 2020-01-28
  This module will check if the user account type is system or regular based on its uid. To evaluate the condition it will use 0-99 reserved range together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
  If these values are not set, it uses configure-time defaults `--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page `SYS_UID_MAX` defaults to `UID_MIN - 1`).
  This information can be used to skip specific module in pam stack based on the account type. `pam_succeed_if uid < 1000` is used at the moment however it does not reflect changes to `login.defs`.
* configure.ac: add --enable-doc option | Fabrice Fontaine | 2020-01-27
  Allow the user to disable documentation through --disable-doc (enabled by default), this is especially useful when cross-compiling for embedded targets
  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>