| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_ERR to LOG_NOTICE.
* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_WARNING to LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
pam_sm_acct_mgmt): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Downgrade the syslog level for pam_get_user errors from LOG_WARNING
to LOG_NOTICE.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
|
|
|
|
| |
Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
from Linux-PAM), PAM_SM_* macros have no effect.
|
| |
|
|
|
| |
There are some source code including the same header file redundantly.
We remove these redundant header file inclusion.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux-PAM. It was never official supported and was broken since years.
* configure.ac: Remove --enable-static-modules option.
* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
* doc/man/pam_sm_authenticate.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_close_session.3.xml: Likewise.
* doc/man/pam_sm_open_session.3.xml: Likewise.
* doc/man/pam_sm_setcred.3.xml: Likewise.
* libpam/Makefile.am: Remove STATIC_MODULES cases.
* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
* libpam/pam_dynamic.c: Likewise.
* libpam/pam_handlers.c: Likewise.
* libpam/pam_private.h: Likewise.
* libpam/pam_static.c: Remove file.
* libpam/pam_static_modules.h: Remove header file.
* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_debug/pam_debug.c: Likewise.
* modules/pam_deny/pam_deny.c: Likewise.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_env/pam_env.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faildelay/pam_faildelay.c: Likewise.
* modules/pam_filter/pam_filter.c: Likewise.
* modules/pam_ftp/pam_ftp.c: Likewise.
* modules/pam_group/pam_group.c: Likewise.
* modules/pam_issue/pam_issue.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_listfile/pam_listfile.c: Likewise.
* modules/pam_localuser/pam_localuser.c: Likewise.
* modules/pam_loginuid/pam_loginuid.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_motd/pam_motd.c: Likewise.
* modules/pam_namespace/pam_namespace.c: Likewise.
* modules/pam_nologin/pam_nologin.c: Likewise.
* modules/pam_permit/pam_permit.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.
|
| |
|
|
|
| |
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
if required auditd is not detected.
|
| |
|
|
|
| |
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
during /proc/self/loginuid update that are not ignored.
|
| |
|
|
|
| |
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
buffer initialization closer to its first use.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous patch to support user namespaces works fine with containers
that are started from a desktop/terminal session but fails when dealing
with containers that were started from a remote session such as ssh.
I haven't looked at the exact reason for that in the kernel but on the
userspace side of things, the difference is that containers started from
an ssh session will happily let pam open /proc/self/loginuid read-write,
will let it read its content but will then fail with EPERM when trying
to write to it.
So to make the userns support bullet proof, this commit moves the userns
check earlier in the function (which means a small performance impact as
it'll now happen everytime on kernels that have userns support) and will
set rc = PAM_IGNORE instead of rc = PAM_ERROR.
The rest of the code is still executed in the event that PAM is run on a
future kernel where we have some kind of audit namespace that includes a
working loginuid.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running pam_loginuid in a container using the user namespaces, even
uid 0 isn't allowed to set the loginuid property.
This change catches the EACCES from opening loginuid, checks if the user
is in the host namespace (by comparing the uid_map with the host's one)
and only if that's the case, sets rc to 1.
Should uid_map not exist or be unreadable for some reason, it'll be
assumed that the process is running on the host's namespace.
The initial reason behind this change was failure to ssh into an
unprivileged container (using a 3.13 kernel and current LXC) when using
a standard pam profile for sshd (which requires success from
pam_loginuid).
I believe this solution doesn't have any drawback and will allow people
to use unprivileged containers normally. An alternative would be to have
all distros set pam_loginuid as optional but that'd be bad for any of
the other potential failure case which people may care about.
There has also been some discussions to get some of the audit features
tied with the user namespaces but currently none of that has been merged
upstream and the currently proposed implementation doesn't cover
loginuid (nor is it clear how this should even work when loginuid is set
as immutable after initial write).
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
PAM_SUCCESS, so that we can distinguish between "loginuid set
successfully" and "loginuid not set, but this is expected".
Suggested by Steve Langasek.
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
does not exist, PAM_SESSION_ERR in case of any other error.
(_pam_loginuid): Forward the PAM error code returned by set_loginuid.
|
| |
|
|
|
| |
modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
and skip writing if already correctly set.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: bugfix
Commit summary:
---------------
2008-08-29 Tomas Mraz <t8m@centrum.cz>
* modules/pam_loginuid/pam_loginuid.c(set_loginuid): Uids
are unsigned.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: bugfix
Commit summary:
---------------
2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Print
better error message if /proc/self/loginuid cannot be opened.
* modules/pam_limits/pam_limits.c (process_limit): Check for
variable overflow after multiplication [bnc#283001].
|
| |
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: cleanup
Commit summary:
---------------
2007-02-06 Tomas Mraz <t8m@centrum.cz>
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Remove
debug syslog message when loginuid doesn't exist.
|
|
|
Purpose of commit: new feature
Commit summary:
---------------
As discussed with Tomas I'm adding the pam_loginuid module from RH
to make the SELinux/Audit stack complete:
2006-08-29 Thorsten Kukuk <kukuk@thkukuk.de>
* doc/sag/pam_loginuid.xml: New.
* doc/sag/Linux-PAM_SAG.xml: Include pam_loginuid.xml.
* configure.in: Add modules/pam_loginuid/Makefile.
* modules/Makefile.am: Add pam_loginuid sub directory.
* libpam/pam_static_modules.h: Add pam_loginuid.
* modules/pam_loginuid/Makefile.am: New.
* modules/pam_loginuid/tst-pam_loginuid: New.
* modules/pam_loginuid/pam_loginuid.8.xml: New.
* modules/pam_loginuid/pam_loginuid.8: New, generated from XML source.
* modules/pam_loginuid/pam_loginuid.c: New.
* modules/pam_loginuid/README.xml: New.
* modules/pam_loginuid/README: New, generated from XML source.
|
