path: root/modules
Commit message | Author | Age
* New upstream version 1.3.0 | Steve Langasek | 2019-01-22
|\
| * pam_wheel: Correct the documentation of the root_only option. | Tomas Mraz | 2016-04-19
| |   * modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the root_only option.
| * pam_unix: Document that MD5 password hash is used to store old passwords. | Tomas Mraz | 2016-04-19
| |   modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used to store the old passwords when remember option is set.
| * pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls. | Tomas Mraz | 2016-04-06
| |   We have to drop support for not_set_pass option which is not much useful anyway. Instead we get proper support for authtok_type option.
| |   * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_type option.
| |   * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_password() call with equivalent pam_get_authtok() call.
| |   * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop support for not_set_pass.
| |   * modules/pam_unix/support.c (_unix_read_password): Remove.
| |   * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
| * pam_unix: Make password expiration messages more user-friendly. | Tomas Mraz | 2016-04-04
| |   * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password expiration messages more user-friendly.
| * innetgr may not be there so make sure that when innetgr is not present | Thorsten Kukuk | 2016-04-04
| |   then we inform about it and not use it. [ticket#46]
| |   * modules/pam_group/pam_group.c: ditto
| |   * modules/pam_succeed_if/pam_succeed_if.c: ditto
| |   * modules/pam_time/pam_time.c: ditto
| |   Signed-off-by: Khem Raj <raj.khem at gmail.com>
| |   Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| * Fix whitespace issues | Dmitry V. Levin | 2016-04-01
| |   Remove blank lines at EOF introduced by commit a684595c0bbd88df71285f43fb27630e3829121e, making the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
| |   * libpam/pam_dynamic.c: Remove blank line at EOF.
| |   * modules/pam_echo/pam_echo.c: Likewise.
| |   * modules/pam_keyinit/pam_keyinit.c: Likewise.
| |   * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
| |   * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
| |   * modules/pam_rhosts/pam_rhosts.c: Likewise.
| |   * modules/pam_sepermit/pam_sepermit.c: Likewise.
| |   * modules/pam_stress/pam_stress.c: Likewise.
| * Use TI-RPC functions if we compile and link against libtirpc. | Thorsten Kukuk | 2016-04-01
| |   The old SunRPC functions don't work with IPv6.
| |   * configure.ac: Set and restore CPPFLAGS
| |   * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with rpcb_getaddr if available.
| * Remove "--enable-static-modules" option and support from | Thorsten Kukuk | 2016-03-29
| |   Linux-PAM. It was never officially supported and was broken for years.
| |   * configure.ac: Remove --enable-static-modules option.
| |   * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
| |   * doc/man/pam_sm_authenticate.3.xml: Likewise.
| |   * doc/man/pam_sm_chauthtok.3.xml: Likewise.
| |   * doc/man/pam_sm_close_session.3.xml: Likewise.
| |   * doc/man/pam_sm_open_session.3.xml: Likewise.
| |   * doc/man/pam_sm_setcred.3.xml: Likewise.
| |   * libpam/Makefile.am: Remove STATIC_MODULES cases.
| |   * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
| |   * libpam/pam_dynamic.c: Likewise.
| |   * libpam/pam_handlers.c: Likewise.
| |   * libpam/pam_private.h: Likewise.
| |   * libpam/pam_static.c: Remove file.
| |   * libpam/pam_static_modules.h: Remove header file.
| |   * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
| |   * modules/pam_cracklib/pam_cracklib.c: Likewise.
| |   * modules/pam_debug/pam_debug.c: Likewise.
| |   * modules/pam_deny/pam_deny.c: Likewise.
| |   * modules/pam_echo/pam_echo.c: Likewise.
| |   * modules/pam_env/pam_env.c: Likewise.
| |   * modules/pam_exec/pam_exec.c: Likewise.
| |   * modules/pam_faildelay/pam_faildelay.c: Likewise.
| |   * modules/pam_filter/pam_filter.c: Likewise.
| |   * modules/pam_ftp/pam_ftp.c: Likewise.
| |   * modules/pam_group/pam_group.c: Likewise.
| |   * modules/pam_issue/pam_issue.c: Likewise.
| |   * modules/pam_keyinit/pam_keyinit.c: Likewise.
| |   * modules/pam_lastlog/pam_lastlog.c: Likewise.
| |   * modules/pam_limits/pam_limits.c: Likewise.
| |   * modules/pam_listfile/pam_listfile.c: Likewise.
| |   * modules/pam_localuser/pam_localuser.c: Likewise.
| |   * modules/pam_loginuid/pam_loginuid.c: Likewise.
| |   * modules/pam_mail/pam_mail.c: Likewise.
| |   * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
| |   * modules/pam_motd/pam_motd.c: Likewise.
| |   * modules/pam_namespace/pam_namespace.c: Likewise.
| |   * modules/pam_nologin/pam_nologin.c: Likewise.
| |   * modules/pam_permit/pam_permit.c: Likewise.
| |   * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
| |   * modules/pam_rhosts/pam_rhosts.c: Likewise.
| |   * modules/pam_rootok/pam_rootok.c: Likewise.
| |   * modules/pam_securetty/pam_securetty.c: Likewise.
| |   * modules/pam_selinux/pam_selinux.c: Likewise.
| |   * modules/pam_sepermit/pam_sepermit.c: Likewise.
| |   * modules/pam_shells/pam_shells.c: Likewise.
| |   * modules/pam_stress/pam_stress.c: Likewise.
| |   * modules/pam_succeed_if/pam_succeed_if.c: Likewise.
| |   * modules/pam_tally/pam_tally.c: Likewise.
| |   * modules/pam_tally2/pam_tally2.c: Likewise.
| |   * modules/pam_time/pam_time.c: Likewise.
| |   * modules/pam_timestamp/pam_timestamp.c: Likewise.
| |   * modules/pam_tty_audit/pam_tty_audit.c: Likewise.
| |   * modules/pam_umask/pam_umask.c: Likewise.
| |   * modules/pam_userdb/pam_userdb.c: Likewise.
| |   * modules/pam_warn/pam_warn.c: Likewise.
| |   * modules/pam_wheel/pam_wheel.c: Likewise.
| |   * modules/pam_xauth/pam_xauth.c: Likewise.
| |   * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
| |   * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
| |   * modules/pam_unix/pam_unix_auth.c: Likewise.
| |   * modules/pam_unix/pam_unix_passwd.c: Likewise.
| |   * modules/pam_unix/pam_unix_sess.c: Likewise.
| |   * modules/pam_unix/pam_unix_static.c: Removed.
| |   * modules/pam_unix/pam_unix_static.h: Removed.
| |   * po/POTFILES.in: Remove removed files.
| |   * tests/tst-dlopen.c: Remove PAM_STATIC part.
| * Fix check for libtirpc and enhance check for libnsl to include | Thorsten Kukuk | 2016-03-24
| |   new libnsl.
| |   * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
| |   * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
| * Remove YP dependencies from pam_access, they were never used | Thorsten Kukuk | 2016-03-23
| |   and as such not needed.
| |   * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
| |   * modules/pam_access/pam_access.c: Remove yp_get_default_domain case, it will never be used.
| * Add checks for localtime() returning NULL. | Tomas Mraz | 2016-03-04
| |   * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r returning NULL.
| |   * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning NULL.
| * pam_unix: Silence warnings and fix a minor bug. | Tomas Mraz | 2016-03-04
| |   Fixes a minor bug in behavior when is_selinux_enabled() returned negative value.
| |   * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
| |     (unix_update_shadow): Safe cast forwho to non-const char *.
| |   * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
| * pam_env: Document the /etc/environment file. | Tomas Mraz | 2016-02-17
| |   * modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
| |   * modules/pam_env/pam_env.8.xml: Add environ(7) reference.
| |   * modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.
| * pam_unix: Add no_pass_expiry option to ignore password expiration. | Tomas Mraz | 2016-02-17
| |   * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
| |   * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
| |   * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data.
| |     (pam_sm_setcred): Test for likeauth option and use the return value data only if set.
| |   * modules/pam_unix/support.h: Add the no_pass_expiry option.
| * pam_unix: Change the salt length for new hashes to 16 characters | Tomas Mraz | 2016-01-25
| |   * modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
| * pam_tally2: Optionally log the tally count when checking. | Tomas Mraz | 2015-12-16
| |   * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
| |     (tally_check): Always log the tally count with debug option.
| * pam_loginuid: Add syslog message if required auditd is not detected. | Tomas Mraz | 2015-09-24
| |   * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message if required auditd is not detected.
| * pam_rootok: use rootok permission instead of passwd permission in SELinux check. | Tomas Mraz | 2015-08-12
| |   * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of passwd permission.
| * pam_timestamp: Avoid leaking file descriptor. | Amarnath Valluri | 2015-08-05
| |   * modules/pam_timestamp/hmacsha1.c(hmac_key_create): close 'keyfd' when failed to own it.
| |   Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
| * Release version 1.2.1 | Thorsten Kukuk | 2015-06-22
| |   Security fix: CVE-2015-3238
| |   If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity.
| |   With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
| |   * NEWS: Update
| |   * configure.ac: Bump version
| |   * modules/pam_exec/pam_exec.8.xml: document limitation of password length
| |   * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
| |   * modules/pam_unix/pam_unix.8.xml: document limitation of password length
| |   * modules/pam_unix/pam_unix_passwd.c: limit password length
| |   * modules/pam_unix/passverify.c: Likewise
| |   * modules/pam_unix/passverify.h: Likewise
| |   * modules/pam_unix/support.c: Likewise
| * Fix some grammatical errors in documentation. | Thorsten Kukuk | 2015-04-27
| |   Patch by Louis Sautier
| |   * doc/adg/Linux-PAM_ADG.xml: Fix grammatical errors.
| |   * doc/man/pam.3.xml: Likewise.
| |   * doc/man/pam_acct_mgmt.3.xml: Likewise.
| |   * doc/man/pam_chauthtok.3.xml: Likewise.
| |   * doc/man/pam_sm_chauthtok.3.xml: Likewise.
| |   * modules/pam_limits/limits.conf.5.xml: Likewise.
| |   * modules/pam_mail/pam_mail.8.xml: Likewise.
| |   * modules/pam_rhosts/pam_rhosts.c: Likewise.
| |   * modules/pam_shells/pam_shells.8.xml: Likewise.
| |   * modules/pam_tally/pam_tally.8.xml: Likewise.
| |   * modules/pam_tally2/pam_tally2.8.xml: Likewise.
| |   * modules/pam_unix/pam_unix.8.xml: Likewise.
| * Add "quiet" option to pam_unix to suppress informational info | Thorsten Kukuk | 2015-04-23
| |   messages from session.
| |   * modules/pam_unix/pam_unix.8.xml: Document new option.
| |   * modules/pam_unix/support.h: Add quiet option.
| |   * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if 'quiet' option is set.
| * Use crypt_r if available in pam_userdb and in pam_unix. | Tomas Mraz | 2015-04-07
| |   * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() instead of crypt() if available.
| |   * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() instead of crypt() if available.
| * pam_env: expand @{HOME} and @{SHELL} and enhance documentation | Thorsten Kukuk | 2015-03-25
| |   (Ticket#24 and #29)
| |   * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
| |   * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
| |   * modules/pam_env/pam_env.8.xml: Enhance documentation
| * Clarify pam_access docs re PAM service names and X $DISPLAY value testing. | Thorsten Kukuk | 2015-03-24
| |   (Ticket #39)
| |   * modules/pam_access/access.conf.5.xml
| |   * modules/pam_access/pam_access.8.xml
| |   Signed-off-by: Karl O. Pinc <kop at meme.com>
| * Don't use sudo directory, the timestamp format is different (Ticket#32) | Thorsten Kukuk | 2015-03-24
| |   * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
| * Enhance group.conf examples (Ticket#35) | Thorsten Kukuk | 2015-03-24
| |   * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
| * Document timestampdir option (Ticket#33) | Thorsten Kukuk | 2015-03-24
| |   * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
| * pam_succeed_if: Fix copy&paste error in rhost and tty values. | Tomas Mraz | 2014-10-17
| |   modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST and PAM_TTY properly for the rhost and tty values.
| * pam_succeed_if: Use long long type for numeric values | Tomas Mraz | 2014-10-17
| |   The currently used long with additional conversion to int is too small for uids and gids.
| |   modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace strtol() with strtoll() and int with long long in the parameters of comparison functions.
| * pam_mkhomedir: Drop superfluous stat() call. | Tomas Mraz | 2014-08-26
| |   modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous stat() call.
| * pam_exec: Do not depend on open() returning STDOUT_FILENO. | Tomas Mraz | 2014-08-26
| |   modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to STDOUT_FILENO if needed.
| * pam_keyinit: Check return value of setregid. | Robin Hack | 2014-08-25
| |   modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
| * pam_filter: Avoid leaking descriptors when fork() fails. | Robin Hack | 2014-08-25
| |   modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
| * pam_echo: Avoid leaking file descriptor. | Robin Hack | 2014-08-14
| |   modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
| * pam_tty_audit: Silence Coverity reporting uninitialized use. | Robin Hack | 2014-08-13
| |   modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also msg_flags.
| * pam_tally2: Avoid uninitialized use of fileinfo. | Tomas Mraz | 2014-08-13
| |   Problem found by Robin Hack <rhack@redhat.com>.
| |   modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size just try to read it.
| * pam_access: Avoid uninitialized access of line. | Tomas Mraz | 2014-08-13
| |   * modules/pam_access/pam_access.c (login_access): Reorder condition so line is not accessed when uninitialized.
| * pam_lastlog: Properly clean up last_login structure before use. | Tomas Mraz | 2014-08-05
| |   modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login structure before use.
| * Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file. | Tomas Mraz | 2014-07-21
| |   * modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields in opasswd entry and return error.
| |   * modules/pam_unix/passverify.c (save_old_password): Test for missing fields in opasswd entry and skip it.
| * pam_limits: nofile refers to file descriptors not files | Tomas Mraz | 2014-06-19
| |   modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
| |   modules/pam_limits/limits.conf: Likewise.
| * pam_limits: clarify documentation of maxlogins and maxsyslogins limits. | Tomas Mraz | 2014-06-19
| |   modules/pam_limits/limits.conf.5.xml: clarify documentation of maxlogins and maxsyslogins limits.
| * pam_unix: Check for NULL return from Goodcrypt_md5(). | Tomas Mraz | 2014-06-19
| |   modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for NULL return from Goodcrypt_md5().
| * pam_unix: check for NULL return from malloc() | Tomas Mraz | 2014-06-19
| |   * modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
| * pam_loginuid: Document one more possible case of PAM_IGNORE return. | Tomas Mraz | 2014-05-22
| |   modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case of PAM_IGNORE return value.
| * pam_loginuid: Document other possible return values. | Tomas Mraz | 2014-05-22
| |   modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return values.
| * pam_timestamp: fix potential directory traversal issue (ticket #27) | Dmitry V. Levin | 2014-03-26
| |   pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of the timestamp pathname it creates, so extra care should be taken to avoid potential directory traversal issues.
| |   * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat "." and ".." tty values as invalid.
| |     (get_ruser): Treat "." and ".." ruser values, as well as any ruser value containing '/', as invalid.
| |   Fixes CVE-2014-2583.
| |   Reported-by: Sebastian Krahmer <krahmer@suse.de>
| * pam_userdb: document that .db suffix should not be used | Tomas Mraz | 2014-03-20
| |   modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix should not be used and correct the example.
| * pam_selinux: canonicalize user name | Tomas Mraz | 2014-03-11
| |   SELinux expects canonical user name for example without domain component.
| |   * modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().