| Commit message (Collapse) | Author | Age |
|---|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a new feature to pam_motd to allow packages to install their own
message files in a "motd.d" directory, to be displayed after the primary
motd.
Add an option motd_d= to specify the location of this directory.
Modify the defaults, in the case where no options are given, to display
both /etc/motd and /etc/motd.d.
Fixes #47
* modules/pam_motd/pam_motd.c: add support for motd.d
* modules/pam_motd/pam_motd.8.xml: update the manpage
|
| | |
| |
| |
| |
| | |
* modules/pam_umask/pam_umask.8.xml: Document the real order of loading
umask.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is no need for pam_tally2 in --reset=0 mode to create a missing
tallylog file because its absence has the same meaning as its existence
with the appropriate entry reset.
This was not a big deal until useradd(8) from shadow suite release 4.5
started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
configuration.
The positive effect of this change is noticeable when using tools like
cpio(1) that cannot archive huge sparse files efficiently.
* modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
cline_filename when cline_reset == 0, exit early if the file is missing.
|
| | |
| |
| |
| |
| | |
* modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
skip creating the directory if we are under /.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
remove unneeded code carried from pam_limits.
(pam_sm_open_session): When multiple enable/disable options are present do not
stop after first match.
|
| | |
| |
| |
| | |
* modules/pam_access/access.conf.5.xml: Add note about spaces around ':'
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Check the return value of malloc and if it failed print debug info, send
a syslog message and return an error code.
The test in AUTH_RETURN for ret_data not being NULL becomes redundant.
Signed-off-by: Peter Urbanec <git.user@urbanec.net>
|
| | |
| |
| |
| | |
* modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
parse the uid range.
(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_access/pam_access.c (login_access): Return NOMATCH if
there was no match in the parsed file.
(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
subdirectory and call login_access() on the individual files matched.
* modules/pam_access/pam_access.8.xml: Document the addition.
* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.
|
| | |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.8.xml: The example configuration
does something different.
|
| | |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.8.xml: The module returns
PAM_PERM_DENIED when the user is not listed.
|
| | |
| |
| | |
* modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.
|
| | |
| |
| |
| |
| | |
* modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
to beginning and not NULL.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
but the response is set to NULL.
* modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
with a null pointer.
Closes: https://github.com/linux-pam/linux-pam/pull/2
|
| | |
| |
| |
| | |
* modules/pam_limits/limits.conf.5.xml: add a missing comma
|
| | |
| |
| |
| |
| |
| |
| | |
The (group) match is performed first to allow for groups
containing '@'.
* modules/pam_access/pam_access.c (user_match): First check for the (group) match.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
of anonymous users if user name matches.
(pam_sm_authenticate): Free the returned value allocated in lookup().
|
| | |
| |
| |
| | |
* modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
with LOG_ERR.
* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
LOG_ERR.
* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
with LOG_NOTICE.
* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
LOG_CRIT, other errors LOG_ERR.
* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
with LOG_NOTICE, non-memory errors with LOG_ERR.
* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
LOG_ERR.
* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
other errors LOG_ERR.
* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
max retries ignorance by application likewise.
* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
with LOG_NOTICE.
* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before this fix, a typo in check_login_time resulted to ruser and
struct utmp.ut_user being compared by the first character only,
which in turn could lead to a too low timestamp value being assigned
to oldest_login, effectively causing bypass of check_login_time.
* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
in strncmp usage.
Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The spaces are ignored only with the default listsep. To remove confusion
if non-default listsep is used they are removed from the examples.
* modules/pam_access/access.conf: Remove all spaces around ':' in examples.
* modules/pam_access/access.conf.5.xml: Likewise.
|
| |\| |
|
| | |
| |
| |
| |
| | |
* modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
root_only option.
|
| | |
| |
| |
| |
| | |
modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
to store the old passwords when remember option is set.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We have to drop support for not_set_pass option which is not much useful
anyway. Instead we get proper support for authtok_type option.
* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
pe
option.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
sword()
call with equivalent pam_get_authtok() call.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
support for not_set_pass.
* modules/pam_unix/support.c (_unix_read_password): Remove.
* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
|
| | |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
expiration messages more user-friendly.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
then we inform about it and not use it. [ticket#46]
* modules/pam_group/pam_group.c: ditto
* modules/pam_succeed_if/pam_succeed_if.c: ditto
* modules/pam_time/pam_time.c: ditto
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove blank lines at EOF introduced by commit
a684595c0bbd88df71285f43fb27630e3829121e,
making the project free of warnings reported by
git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
* libpam/pam_dynamic.c: Remove blank line at EOF.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The old SunRPC functions don't work with IPv6.
* configure.ac: Set and restore CPPFLAGS
* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
rpcb_getaddr if available.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Linux-PAM. It was never official supported and was broken since years.
* configure.ac: Remove --enable-static-modules option.
* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
* doc/man/pam_sm_authenticate.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_close_session.3.xml: Likewise.
* doc/man/pam_sm_open_session.3.xml: Likewise.
* doc/man/pam_sm_setcred.3.xml: Likewise.
* libpam/Makefile.am: Remove STATIC_MODULES cases.
* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
* libpam/pam_dynamic.c: Likewise.
* libpam/pam_handlers.c: Likewise.
* libpam/pam_private.h: Likewise.
* libpam/pam_static.c: Remove file.
* libpam/pam_static_modules.h: Remove header file.
* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_debug/pam_debug.c: Likewise.
* modules/pam_deny/pam_deny.c: Likewise.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_env/pam_env.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faildelay/pam_faildelay.c: Likewise.
* modules/pam_filter/pam_filter.c: Likewise.
* modules/pam_ftp/pam_ftp.c: Likewise.
* modules/pam_group/pam_group.c: Likewise.
* modules/pam_issue/pam_issue.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_listfile/pam_listfile.c: Likewise.
* modules/pam_localuser/pam_localuser.c: Likewise.
* modules/pam_loginuid/pam_loginuid.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_motd/pam_motd.c: Likewise.
* modules/pam_namespace/pam_namespace.c: Likewise.
* modules/pam_nologin/pam_nologin.c: Likewise.
* modules/pam_permit/pam_permit.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.
|
| | |
| |
| |
| |
| |
| |
| | |
new libnsl.
* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
|
| | |
| |
| |
| |
| |
| |
| |
| | |
and such not needed.
* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
it will never be used.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
returning NULL.
* modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
NULL.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes a minor bug in behavior when is_selinux_enabled()
returned negative value.
* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
(unix_update_shadow): Safe cast forwho to non-const char *.
* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
Add a paragraph about /etc/environment. Add environ(7) reference.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.
|
| | |
| |
| |
| |
| | |
* modules/pam_unix/passverify.c (create_password_hash): Change the
salt length for new hashes to 16 characters.
|
| | |
| |
| |
| |
| | |
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.
|
| | |
| |
| |
| |
| | |
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
if required auditd is not detected.
|
| | |
| |
| |
| |
| | |
* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
passwd permission.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_timestamp/hmacsha1.c(hmac_key_create):
close 'keyfd' when failed to own it.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Patch by Louis Sautier
* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
* doc/man/pam.3.xml: Likewise.
* doc/man/pam_acct_mgmt.3.xml: Likewise.
* doc/man/pam_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* modules/pam_limits/limits.conf.5.xml: Likewise.
* modules/pam_mail/pam_mail.8.xml: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_shells/pam_shells.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
messages from session.
* modules/pam_unix/pam_unix.8.xml: Document new option.
* modules/pam_unix/support.h: Add quiet option.
* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
'quiet' option is set.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
instead of crypt() if available.
* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
instead of crypt() if available.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
(Ticket#24 and #29)
* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
* modules/pam_env/pam_env.8.xml: Enhance documentation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
(Ticket #39)
* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml
Signed-off-by: Karl O. Pinc <kop at meme.com>
|
| | |
| |
| |
| | |
* modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
|
