summaryrefslogtreecommitdiff
path: root/libpam/pam_handlers.c
Commit message (Collapse)AuthorAge
* Remove "--enable-static-modules" option and support fromThorsten Kukuk2016-03-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part.
* Support alternative "vendor configuration" files as fallback to /etcThorsten Kukuk2015-03-25
| | | | | | | | (Ticket#34, patch from ay Sievers <kay@vrfy.org>) * doc/man/pam.8.xml: document additonal config directory * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory * libpam/pam_private.h: adjust defines
* Add grantor field to audit records of libpam.Tomas Mraz2014-09-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | The grantor field gives audit trail of PAM modules which granted access for successful return from libpam calls. In case of failed return the grantor field is set to '?'. libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call. libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise. libpam/pam_password.c (pam_chauthtok): Likewise. libpam/pam_session.c (pam_open_session, pam_close_session): Likewise. libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, add grantor= field to the message if grantors is set. (_pam_list_grantors): New function creating the string with grantors list. (_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() to list the grantors from the handler list. (_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call. (pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog(). libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate. (_pam_clear_grantors): New function to clear grantor field of handler. (_pam_dispatch): Call _pam_clear_grantors() before executing the stack. Call _pam_auditlog() when appropriate. libpam/pam_handlers.c (extract_modulename): Do not allow empty module name or just "?" to avoid confusing audit trail. (_pam_add_handler): Test for NULL return from extract_modulename(). Clear grantor field of handler. libpam/pam_private.h: Add grantor field to struct handler, add handler pointer parameter to _pam_auditlog().
* Fix whitespace issuesDmitry V. Levin2011-10-26
| | | | | | Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF. Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
* Relevant BUGIDs: 2892529Thorsten Kukuk2009-12-08
| | | | | | | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- 2009-12-08 Thorsten Kukuk <kukuk@thkukuk.de> * configure.in: Rename DEBUG to PAM_DEBUG. * libpam/pam_env.c: Likewise * libpam/pam_handlers.c: Likewise * libpam/pam_miscc.c: Likewise * libpam/pam_password.c: Likewise * libpam/include/security/_pam_macros.h: Likewise * libpamc/test/modules/pam_secret.c: Likewise * modules/pam_group/pam_group.c: Likewise * modules/pam_listfile/pam_listfile.c: Likewise * modules/pam_unix/pam_unix_auth.c: Likewise * modules/pam_unix/pam_unix_passwd.c: Likewise
* Relevant BUGIDs: rhbz#471762Tomas Mraz2008-11-24
| | | | | | | | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- 2008-11-24 Tomas Mraz <t8m@centrum.cz> * libpam/pam_handlers.c (_pam_parse_conf_file): '-' at beginning of type token marks silent module. (_pam_load_module): Add handler_type parameter. Do not log module load error if module is silent. (_pam_add_handler): Pass handler_type to _pam_load_module(). * libpam/pam_private.h: Add PAM_HT_SILENT_MODULE. * doc/man/pam.conf-syntax.xml: Document the '-' at beginning of type.
* Relevant BUGIDs:Dmitry V. Levin2008-02-18
| | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- 2008-02-18 Dmitry V. Levin <ldv@altlinux.org> * libpam/pam_handlers.c (_pam_assemble_line): Fix potential buffer overflow. * xtests/tst-pam_assemble_line.pamd: New test for _pam_assemble_line. * xtests/tst-pam_assemble_line.sh: New script for tst-pam_assemble_line. * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line.
* Relevant BUGIDs:Tomas Mraz2007-10-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- 2007-10-19 Tomas Mraz <t8m@centrum.cz> * xtests/tst-pam_access1.c: Use different name for user and group. * xtests/tst-pam_access1.sh: Likewise. * xtests/tst-pam_access2.c: Likewise. * xtests/tst-pam_access2.sh: Likewise. * xtests/tst-pam_access4.c: Likewise. * xtests/tst-pam_access4.sh: Likewise. * xtests/group.conf: Likewise. * xtests/tst-pam_group1.c: Likewise. * xtests/tst-pam_group1.sh: Likewise. * libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks, record substack level, skip over virtual substack modules, implement evaluation of done, die, reset and jumps in substacks. Also fixes too far jumps in substacks. * libpam/pam_end.c (pam_end): Drop substack evaluation states. * libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level parameter, instead of must_fail use handler_type needed for virtual substack modules. (_pam_load_conf_file): Add substack level parameter. (_pam_init_handlers): Substack level parameter added to _pam_parse_conf_file() calls. (_pam_load_module): New function. (_pam_add_handler): Refactor code into the _pam_load_module(). Add support for virtual substack modules. * libpam/pam_private.h: Rename must_fail to handler_type, add stack_level to struct handler. Define handler type constants. Add struct for substack evaluation states. Define constant for maximum substack level. Add substack states pointer to former state struct. * libpam/pam_start.c (pam_start): Initialize pointer to substack states. * doc/man/pam.conf-syntax.xml: Document substack control. * xtests/Makefile.am: Add new tests for substack evaluation. * xtests/run_xtests.sh: Support multiple .pamd files in a test. * xtests/tst-pam_authfail.pamd: New tests for substack evaluation. * xtests/tst-pam_authsucceed.pamd: Likewise. * xtests/tst-pam_substack1.pamd: Likewise. * xtests/tst-pam_substack1a.pamd: Likewise. * xtests/tst-pam_substack1.sh: Likewise. * xtests/tst-pam_substack2.pamd: Likewise. * xtests/tst-pam_substack2a.pamd: Likewise. * xtests/tst-pam_substack2.sh: Likewise. * xtests/tst-pam_substack3.pamd: Likewise. * xtests/tst-pam_substack3a.pamd: Likewise. * xtests/tst-pam_substack3.sh: Likewise. * xtests/tst-pam_substack4.pamd: Likewise. * xtests/tst-pam_substack4a.pamd: Likewise. * xtests/tst-pam_substack4.sh: Likewise. * xtests/tst-pam_substack5.pamd: Likewise. * xtests/tst-pam_substack5a.pamd: Likewise. * xtests/tst-pam_substack5.sh: Likewise.
* Relevant BUGIDs:Thorsten Kukuk2006-06-14
| | | | | | | | | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- 2006-06-14 Thorsten Kukuk <kukuk@thkukuk.de> * libpam/pam_handlers.c (extract_modulename): Use _pam_strdup instead of strdup. * libpam/pam_private.h: Remove _pam_strCMP. * libpam/pam_misc.c: Likewise. * libpam/pam_handlers.c: Replaced _pam_strCMP with strcasecmp.
* Relevant BUGIDs: noneThorsten Kukuk2006-01-22
| | | | | | | | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Fix infrastructure and compile errors for PAM_STATIC (static modules): 2006-01-22 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_acct_mgmt): Add support for static modules. * modules/pam_xauth/pam_xauth.c: Likewise. * libpam/pam_handlers.c (_pam_add_handler): Add pamh to _pam_open_static_handler call. * libpam/pam_static.c (_pam_open_static_handler): Add pamh as argument. * libpam/pam_private.h: Adjust prototype.
* Relevant BUGIDs: noneThorsten Kukuk2006-01-22
| | | | | | | | | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Fix compiling of static version of shared libpam, libpamc and libpam_misc libraries without assuming "--enable-static-modules do not make the modules dynamically loadable". 2006-01-22 Thorsten Kukuk <kukuk@thkukuk.de> * configure.in: Don't define PAM_DYNAMIC. * libpam/pam_handlers.c: Get ride of PAM_DYNAMIC, don't include pam_dynamic.h * libpam/pam_dynamic.c: Don't include pam_dynamic.h, exclude functions if we compile with PAM_STATIC. * libpam/pam_dynamic.h: Remove. * libpam/pam_private.h: Add function prototypes from pam_dynamic.h. * libpam/Makefile.am: Bump version number of libpam, remove pam_dynamic.h.
* Relevant BUGIDs: 534205Thorsten Kukuk2005-11-18
| | | | | | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- 2005-11-16 Thorsten Kukuk <kukuk@thkukuk.de> * libpam/pam_handlers.c: Replace code for all dlopen variants with a generic wrapper. * libpam/pam_dynamic.c: Implement generic wrapper for dlopen. * libpam/pam_dynamic.h: Provide prototypes. For Mac OS X support [#534205]
* Relevant BUGIDs: noneThorsten Kukuk2005-09-20
| | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Fix missing NULL pointer check and us asprintf instead of malloc/snprintf (from Dmitry V. Levin).
* Relevant BUGIDs: noneThorsten Kukuk2005-09-17
| | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Fix code for which gcc4.1 prints warnings
* Relevant BUGIDs: noneThorsten Kukuk2005-09-05
| | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- Remove duplicate check for NULL variable (Dmitry V. Levin)
* Relevant BUGIDs: noneThorsten Kukuk2005-09-04
| | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- Replace _pam_system_log with pam_syslog.
* Relevant BUGIDs: noneThorsten Kukuk2005-09-03
| | | | | | | | | Purpose of commit: new feature Commit summary: --------------- Add pam_syslog to unify log messages from PAM modules.
* Relevant BUGIDs: noneThorsten Kukuk2005-08-18
| | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- configure should set _GNU_SOURCE/_BSD_SOURCE
* Relevant BUGIDs: noneThorsten Kukuk2005-08-16
| | | | | | | | | Purpose of commit: new feature Commit summary: --------------- Big "automake/autoconf/libtool" commit
* Relevant BUGIDs: noneThorsten Kukuk2005-07-18
| | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- kill features.h inclusion in _pam_aconf.h
* Relevant BUGIDs:Thorsten Kukuk2005-02-07
| | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Fix wrong variable name in debug code
* Relevant BUGIDs:Thorsten Kukuk2005-01-10
| | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Fix seg.fault in case the PAM configuration file is corrupt
* Relevant BUGIDs:Thorsten Kukuk2004-10-06
| | | | | | | | | Purpose of commit: Commit summary: --------------- bugfix: Last part of fixes from Red Hat
* Relevant BUGIDs:Thorsten Kukuk2004-09-15
| | | | | | | | | Purpose of commit: Commit summary: --------------- bugfix: Add parts of Steve Grubb's resource leak and other fixes
* Relevant BUGIDs: 812567Jan Rekorajski2003-09-25
| | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- Implementation of "include" directive for pam config file syntax. - added module type PAM_T_ANY needed to know if we are loading included file or main one - let _pam_parse_conf_file() know of new directive - new function _pam_load_conf_file() used to load "included" configs
* Relevant BUGIDs: 770645Steve Langasek2003-07-13
| | | | | | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- Fix the many compile-time warnings caused by features.h being included before our _pam_aconf.h. This should make it much easier to find other bugs. Also, call config.status instead of configure, to allow rebuilding generated files with the same options.
* Relevant BUGIDs: 486063Andrew G. Morgan2001-12-11
| | | | | | | | | Purpose of commit: compatibility Commit summary: --------------- A BSD fix from Dag-Erling Smørgrav and Anton Berezin. What was there before did not correctly deal with BSD dynamic linking.
* Relevant BUGIDs: 468724Andrew G. Morgan2001-10-11
| | | | | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- Legacy behavior for pam_close_session and pam_setcred was not sufficient. Basically, it appears to be common practice for some applications to call these functions without first calling pam_authenticate and pam_open_session which would have frozen the auth and session module stacks. The new behavior is to treat the returns of these secondary functions as authoritative when navigating the stack in the absence of a chain-freezing first set of calls. pam_chauthtok should not benefit from this behavior, and there does not appear to be a justification for using an event like this to freeze the stack outright - legacy behavior did not do that.
* Relevant BUGIDs: 449203Andrew G. Morgan2001-09-19
| | | | | | | | | Purpose of commit: new support Commit summary: --------------- Include some BSD changes (to the conversation function) and fix a few gcc warnings.
* Relevant BUGIDs: 129775Andrew G. Morgan2001-02-05
| | | | | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- This bugfix leads to backwardly incompatable behavior with earlier releases of Linux-PAM. Note, this cleans up the setcred/session and chauthtok stacks in such a way that it is no longer preferred that the setcred module always return the same error code as the auth components of said modules did. This means behavior should be a great deal more sane. It also gives meaning to the unique return codes that are available to pam_sm_setcred. [I'm sure that when we add support for credential relevant events, this change will be critical.]
* Relevant BUGIDs: 129027, 128576Andrew G. Morgan2001-01-22
| | | | | | | | | | Purpose of commit: new feature + documentation Commit summary: --------------- Cleaned up the handling of AUTHTOK items and pam_[gs]et_data() functions. Added more clear documentation about the pam_[gs]et_item() functions to the pam_appl and pam_modules programmer guides.
* Initial revisionAndrew G. Morgan2000-06-20