| Commit message (Collapse) | Author | Age |
|---|
| |\ |
|
| | |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.
|
| | |
| |
| |
| | |
modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
|
| | |
| |
| |
| | |
modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
|
| | |
| |
| |
| |
| | |
* modules/pam_exec/pam_exec.c: Add stdout and type= option
* modules/pam_exec/pam_exec.8.xml: Document new options
|
| | |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c: fix last change
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
/proc
(sepermit_match): Apply the exclusive check only when loginuid not set.
|
| | |
| |
| |
| |
| |
| |
| | |
pam_rootok.c explicitly uses functions from libaudit, so the module has
to be linked with the library.
* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
|
| | |
| |
| |
| |
| | |
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
|
| | |
| |
| |
| |
| |
| | |
modules/pam_access/pam_access.c (netgroup_match): As we did not use
yp_get_default_domain() in the 1.1 branch due to typo in ifdef
we should use it only as fallback.
|
| | |
| |
| |
| |
| | |
modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
|
| | |
| |
| |
| |
| | |
modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
on short read or read error.
|
| | |
| |
| |
| |
| | |
modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
|
| | |
| |
| |
| |
| | |
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
|
| | |
| |
| |
| |
| | |
modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
longer than 13 characters and long salt.
|
| | |
| |
| |
| |
| | |
modules/pam_access/pam_access.c (netgroup_match): Fix typo
in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.
|
| | |
| |
| |
| |
| | |
modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
when run as root.
|
| | |
| |
| |
| |
| | |
modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
(compute_exec_context): Drop manual_context() call.
|
| | |
| |
| |
| | |
modules/pam_limits/limits.conf: Fix grammatical mistake.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
glibc's <sys/wait.h> starting with commit
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
when pam is being built with SELinux support enabled, pam_unix_passwd.c
uses getrlimit(2) and therefore should include <sys/resource.h> without
relying on other headers.
* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
structure.
modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
(parse_method): Parse the mntopts flag.
(ns_setup): Pass the mount_opts to mount().
modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.
|
| | |
| |
| |
| |
| |
| |
| | |
modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
$(namespaceddir) on install.
modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
$(sepermitlockdir) on install.
|
| | |
| |
| |
| |
| |
| |
| | |
modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
|
| | |
| |
| |
| | |
modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.
|
| | |
| |
| |
| |
| |
| |
| | |
modules/pam_namespace/Makefile.am: Add install-data-local target to create
namespaceddir.
modules/pam_sepermit/Makefile.am: Add install-data-local target to create
sepermitlockdir.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
sys/resource.h.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.
|
| | |
| |
| |
| |
| | |
modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
parsing.
|
| | |
| |
| |
| |
| |
| |
| | |
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
(sequence): New function to check for too long monotonic sequence of characters.
(password_check): Call the sequence().
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.
|
| | |
| |
| |
| | |
modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.
|
| | |
| |
| |
| |
| |
| | |
modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
the process instead of the target user UID (same as in pam_cracklib) to
check for root. Always record old password.
|
| | |
| |
| |
| |
| |
| | |
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
(simple): Add the check for the same class repetition.
(usercheck): Refactor into wordcheck().
(gecoscheck): New test for words from the GECOS field.
(password_check): Call the gecoscheck().
(pam_sm_chauthtok): Drop the diff_ignore from options struct.
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
|
| | |
| |
| |
| |
| |
| | |
modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
uid==0.
modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
option.
* modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
(_pam_session_parse): Renamed from _pam_parse.
(_pam_auth_parse): New function to parse auth arguments.
(_last_login_open): Factor out opening of the lastlog file.
(_last_login_read): Factor out opening of the lastlog file.
(pam_sm_authenticate): Implement the lockout functionality.
(pam_sm_setcred): Just return PAM_SUCCESS.
(pam_sm_acct_mgmt): Call pam_sm_authenticate().
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
returning NULL.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In --enable-static-modules mode, it was not possible to use "pam_unix"
in PAM config files. Instead, different names had to be used for each
management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
pam_unix_session. This change makes pam_unix configuration consistent
with other PAM modules.
* README: Remove the paragraph describing pam_unix distinctions in
--enable-static-modules mode.
* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
_pam_unix_session_modstruct): Remove.
(_pam_unix_modstruct): New pam_module declaration.
* modules/pam_unix/pam_unix_static.h: New file.
* modules/pam_unix/pam_unix_static.c: Likewise.
* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_session_modstruct): Remove.
Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
obsolete declaration.
(static_modules): Remove undefined reference to
_pam_rhosts_auth_modstruct.
* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
{save,check}_old_pass in order to avoid conflicts with pam_unix.
* modules/pam_pwhistory/opasswd.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
_pam_tally2_modstruct.
Signed-off-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
the unmount_on_close option and make the default to be to not unmount.
* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
PAMNS_UNMOUNT_ON_CLOSE.
* modules/pam_namespace/pam_namespace.8.xml: Document the change.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
(check_inst_parent): Drop the always argument from protect_dir().
(create_polydir): Likewise.
(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
rhost, and tty as left operand.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
possible left operands.
|
| | |
| |
| |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
sure we match only the whole username in opasswd entry.
* modules/pam_unix/passverify.c (save_old_password): Likewise make
sure we match only the whole username in opasswd entry.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis):
Reorder options, add new "restore" option.
pam_selinux-description): Rewrite.
(pam_selinux-options): Reorder options, describe new "restore" option.
(pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR
and PAM_BUF_ERR.
(pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4)
and selinux(8).
|
| | |
| |
| |
| |
| | |
* modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new
"restore" option.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_selinux/pam_selinux.c (security_restorelabel_tty,
security_label_tty): Remove old functions.
(module_data_t): New structure.
(free_module_data, cleanup, get_module_data, get_item,
set_exec_context, set_file_context, compute_exec_context,
compute_tty_context, restore_context, set_context,
create_context): New functions.
(pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session,
pam_sm_close_session): Use them.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
GNU automake documentation recommends to avoid using -l options in
LDADD or LIBADD when referring to libraries built by the package.
Instead, it recommends to write the file name of the library explicitly,
and use -l option only to list third-party libraries. As result, the
default value of *_DEPENDENCIES will list all local libraries and omit
the other ones.
* modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace
"-L$(top_builddir)/libpam -lpam" with
"$(top_builddir)/libpam/libpam.la", to follow GNU automake
recommendations.
* modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise.
* modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise.
* modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise.
* modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise.
* modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise.
* modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise.
* modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise.
* modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise.
* modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise.
* modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise.
* modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise.
* modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise.
* modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise.
* modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise.
* modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise.
* modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise.
* modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise.
* modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise.
* modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise.
* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD,
mkhomedir_helper_LDADD): Likewise.
* modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise.
* modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise.
* modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise.
* modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise.
* modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise.
* modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise.
* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise.
* modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise.
* modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise.
* modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise.
* modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise.
* modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD):
Likewise.
* modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise.
* modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD,
pam_tally2_LDADD): Likewise.
* modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise.
* modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD,
pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise.
* modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise.
* modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise.
* modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise.
* modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise.
* modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise.
* modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise.
* modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise.
* tests/Makefile.am (LDADD): Likewise.
* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam"
with "$(top_builddir)/libpam/libpam.la", and
"-L$(top_builddir)/libpam_misc -lpam_misc" with
"$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake
recommendations.
* xtests/Makefile.am (LDADD): Likewise.
* modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.
|
