| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Deprecate pam_cracklib, there are two better alternatives to this
obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
from libpwquality project.
Deprecate pam_tally and pam_tally2 in favour of pam_faillock.
* configure.ac: Implement --enable-cracklib=check that enables build
of pam_cracklib when libcrack is available.
Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
* NEWS: Mention this change.
* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add
--enable-tally, --enable-tally2, and --enable-cracklib=check
to check build of these deprecated modules.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used,
remove stereotypic definitions from other Makefiles, this way we no
longer have to worry about vendordir being used somewhere else in
documentation files.
Likewise, define VENDORDIR in config.h and remove stereotypic
-DVENDORDIR= additions from other Makefiles, this way we no longer
have to worry about VENDORDIR being used somewhere else in the code.
* configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR.
(AC_DEFINE_UNQUOTED): Add VENDORDIR.
(AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
* Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with
@STRINGPARAM_VENDORDIR@.
* doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
* libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
* modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove.
(XSLTPROC_CUSTOM): Remove.
* modules/pam_securetty/pam_securetty.c: Move definitions of local
macros after config.h to benefit from macros defined there.
|
| |
|
|
|
|
|
| |
* Make.xml.rules: Rename to ...
* Make.xml.rules.in: ... new file.
* Makefile.am (EXTRA_DIST): Remove Make.xml.rules.
* configure.ac (AC_CONFIG_FILES): Add Make.xml.rules.
|
| |
|
|
|
|
| |
* configure.ac: Check for the library providing dlopen using
AC_SEARCH_LIBS instead of AC_CHECK_LIB to handle the case when
dlopen is a part of libc.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AC_ARG_ENABLE): Add tally and tally2.
(AM_CONDITIONAL): Add COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
* modules/Makefile.am [COND_BUILD_PAM_TALLY] (MAYBE_PAM_TALLY): Define.
[COND_BUILD_PAM_TALLY2] (MAYBE_PAM_TALLY2): Likewise.
(SUBDIRS): Replace pam_tally with $(COND_BUILD_PAM_TALLY), pam_tally2
with $(COND_BUILD_PAM_TALLY2).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (AM_CONDITIONAL): Replace HAVE_LIBSELINUX with
COND_BUILD_PAM_SELINUX and COND_BUILD_PAM_SEPERMIT.
* modules/Makefile.am [COND_BUILD_PAM_SELINUX] (MAYBE_PAM_SELINUX):
Define.
[COND_BUILD_PAM_SEPERMIT] (MAYBE_PAM_SEPERMIT): Likewise.
(SUBDIRS): Replace pam_selinux with $(MAYBE_PAM_SELINUX),
pam_sepermit with MAYBE_PAM_SEPERMIT.
* modules/pam_selinux/Makefile.am: Assume HAVE_LIBSELINUX.
* modules/pam_sepermit/Makefile.am: Likewise.
|
| |
|
|
|
|
|
| |
* configure.ac (AC_CHECK_FUNCS): Do not set UNSHARE when checking for
unshare function.
(COND_BUILD_PAM_NAMESPACE): Check for $ac_cv_func_unshare instead of
$UNSHARE.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with
COND_BUILD_PAM_NAMESPACE.
* modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE):
Define.
(SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE).
* modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AM_CONDITIONAL): Replace HAVE_LIBDB with
COND_BUILD_PAM_USERDB.
* modules/Makefile.am [COND_BUILD_PAM_USERDB] (MAYBE_PAM_USERDB):
Define.
(SUBDIRS): Replace pam_userdb with $(MAYBE_PAM_USERDB).
* modules/pam_userdb/Makefile.am: Assume HAVE_LIBDB.
|
| |
|
|
| |
* configure.ac (AC_DEFINE): Remove unused HAVE_LIBCRACK.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AM_CONDITIONAL): Replace HAVE_LIBCRACK with
COND_BUILD_PAM_CRACKLIB.
* modules/Makefile.am [COND_BUILD_PAM_CRACKLIB] (MAYBE_PAM_CRACKLIB):
Define.
(SUBDIRS): Replace pam_cracklib with $(MAYBE_PAM_CRACKLIB).
* modules/pam_cracklib/Makefile.am: Assume HAVE_LIBCRACK.
|
| |
|
|
|
| |
* configure.ac (AC_DEFINE, AC_SUBST): Remove unused HAVE_KEY_MANAGEMENT.
(AC_CHECK_DECL): Remove unused ENOKEY.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AM_CONDITIONAL): Replace HAVE_KEY_MANAGEMENT with
COND_BUILD_PAM_KEYINIT.
* modules/Makefile.am [COND_BUILD_PAM_KEYINIT] (MAYBE_PAM_KEYINIT):
Define.
(SUBDIRS): Replace pam_keyinit with $(MAYBE_PAM_KEYINIT).
* modules/pam_keyinit/Makefile.am: Assume HAVE_KEY_MANAGEMENT.
|
| |
|
|
| |
* configure.ac (AC_DEFINE): Remove unused HAVE_AUDIT_TTY_STATUS.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AM_CONDITIONAL): Replace HAVE_AUDIT_TTY_STATUS with
COND_BUILD_PAM_TTY_AUDIT.
* modules/Makefile.am [COND_BUILD_PAM_TTY_AUDIT] (MAYBE_PAM_TTY_AUDIT):
Define.
(SUBDIRS): Replace pam_tty_audit with $(MAYBE_PAM_TTY_AUDIT).
* modules/pam_tty_audit/Makefile.am: Assume HAVE_AUDIT_TTY_STATUS.
|
| |
|
|
| |
... and move them closer to the end of configure.ac.
|
| |
|
|
| |
* configure.ac: replace "test ! -z" with "test -n".
|
| |
|
|
|
|
|
| |
This makes disk quotas usable with central user databases, such as MySQL or
LDAP.
Resolves: https://github.com/linux-pam/linux-pam/issues/92
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
When configure is invoked with --enable-Werror option,
-Werror compiler option is added to WARN_CFLAGS.
This new configure option is intended primarily for CI purposes.
* configure.ac (AC_ARG_ENABLE): Add Werror. Forward -Werror
to JAPHAR_GREP_CFLAGS.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Configure script incorrectly used a non-cached variable (ac_lib) in the
cached code path. This results in no -lcrypt being defined resulting in
link errors on a re-build.
Update configure.ac to use ac_cv_search_crypt (via ac_res) to setup the
correct library arguments.
Signed-off-by: Mark Wutzke <mark.wutzke@alliedtelesis.co.nz>
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could created and controlled by for example a malicious user or
service.
Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This module will check if the user account type is system or regular based
on its uid. To evaluate the condition it will use 0-99 reserved range
together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
If these values are not set, it uses configure-time defaults
`--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
`SYS_UID_MAX` defaults to `UID_MIN - 1`.
This information can be used to skip specific module in pam stack
based on the account type. `pam_succeed_if uid < 1000` is used at the moment
however it does not reflect changes to `login.defs`.
|
| |
|
|
|
|
|
|
| |
Allow the user to disable documentation through --disable-doc (enabled
by default), this is especially useful when cross-compiling for embedded
targets
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
This change adds a configure option to set the default value of the
usergroups option (of the pam_umask module) at build-time.
Distributions usually makes the decision if usergroups should be used or
not. This allows them to control the built-in default value, without
having to ship the value in a config file (cluttering up the view
of actually relevant user/system configuration overrides).
|
| |
|
|
|
|
|
|
| |
To be able to set CFLAGS from make command-line but not to lose the
warning flags.
* configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
* */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where Linux-PAM should additional look
for pam.d/*, login.defs and securetty if this files are not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
|
| | |
|
| |
|
|
|
|
| |
* configure.ac: Test for logwtmp needs -lutil in LIBS.
* modules/Makefile.am: Fix indentation of variable assignments causing
creation of incorrect Makefile.
|
| |
|
|
|
|
|
| |
* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
| |
* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| | |
|
| |
|
|
| |
* configure.ac: Use elinks instead of links.
|
| |
|
|
|
|
|
| |
POSIX says test only accepts =. Some shells (including bash) accept ==,
but we should still stick to = for portability.
* configure.ac: Replace == with = in "test" invocations.
|
| |
|
|
|
|
| |
* NEWS: add changes for 1.3.0.
* configure.ac: bump version number.
* libpam/Makefile.am: bump revision of libpam.so version.
|
| |
|
|
|
|
| |
* configure.ac: Don't set empty -l option in crypt check
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
* configure.ac: use $host_cpu for lib64 directory handling.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
| |
The old SunRPC functions don't work with IPv6.
* configure.ac: Set and restore CPPFLAGS
* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
rpcb_getaddr if available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux-PAM. It was never official supported and was broken since years.
* configure.ac: Remove --enable-static-modules option.
* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
* doc/man/pam_sm_authenticate.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_close_session.3.xml: Likewise.
* doc/man/pam_sm_open_session.3.xml: Likewise.
* doc/man/pam_sm_setcred.3.xml: Likewise.
* libpam/Makefile.am: Remove STATIC_MODULES cases.
* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
* libpam/pam_dynamic.c: Likewise.
* libpam/pam_handlers.c: Likewise.
* libpam/pam_private.h: Likewise.
* libpam/pam_static.c: Remove file.
* libpam/pam_static_modules.h: Remove header file.
* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_debug/pam_debug.c: Likewise.
* modules/pam_deny/pam_deny.c: Likewise.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_env/pam_env.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faildelay/pam_faildelay.c: Likewise.
* modules/pam_filter/pam_filter.c: Likewise.
* modules/pam_ftp/pam_ftp.c: Likewise.
* modules/pam_group/pam_group.c: Likewise.
* modules/pam_issue/pam_issue.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_listfile/pam_listfile.c: Likewise.
* modules/pam_localuser/pam_localuser.c: Likewise.
* modules/pam_loginuid/pam_loginuid.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_motd/pam_motd.c: Likewise.
* modules/pam_namespace/pam_namespace.c: Likewise.
* modules/pam_nologin/pam_nologin.c: Likewise.
* modules/pam_permit/pam_permit.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.
|
| |
|
|
|
|
|
| |
new libnsl.
* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
|
| |
|
|
| |
* configure.ac: If w3m is not found check for links.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
|
| |
|
|
|
|
|
|
| |
* NEWS: Update
* configure.ac: Bump version
* libpam/Makefile.am: Bump version of libpam
* libpam_misc/Makefile.am: Bump version of libpam_misc
* po/*: Regenerate po files
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Raise gettext requirement to the latest oldstable version 0.18.3.
This fixes the following automake warning:
configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
* configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
* po/Makevars: Update from gettext-0.18.3.
|
| |
|
|
|
|
|
| |
Enable all automake warning flags except for the portability issues,
since non portable features are used among the makefiles.
* configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
|
|
|
This fixes the following automake warning:
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
* configure.in: Rename to configure.ac.
|
