summaryrefslogtreecommitdiff
path: root/modules
Commit message (Collapse)AuthorAge
* pam_namespace: simplify distribution of manual pagesDmitry V. Levin2020-04-27
| | | | * modules/pam_namespace/Makefile.am: Merge MAN5 and MAN8 into man_MANS.
* modules/*/Makefile.am: remove manual pages from noinst_DATADmitry V. Levin2020-04-27
| | | | | | | | | | | Manual pages already belong to man_MANS, listing them also in noinst_DATA does not help in any way. * modules/pam_cracklib/Makefile.am (noinst_DATA): Remove pam_cracklib.8. * modules/pam_selinux/Makefile.am (noinst_DATA): Remove pam_selinux.8. * modules/pam_sepermit/Makefile.am (noinst_DATA): Remove pam_sepermit.8 and sepermit.conf.5. * modules/pam_userdb/Makefile.am (noinst_DATA): Remove pam_userdb.8.
* configure: add --disable-tally and --disable-tally2 optionsDmitry V. Levin2020-04-27
| | | | | | | | | * configure.ac (AC_ARG_ENABLE): Add tally and tally2. (AM_CONDITIONAL): Add COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2. * modules/Makefile.am [COND_BUILD_PAM_TALLY] (MAYBE_PAM_TALLY): Define. [COND_BUILD_PAM_TALLY2] (MAYBE_PAM_TALLY2): Likewise. (SUBDIRS): Replace pam_tally with $(COND_BUILD_PAM_TALLY), pam_tally2 with $(COND_BUILD_PAM_TALLY2).
* build: move pam_selinux and pam_sepermit build conditions to modules/Makefile.amDmitry V. Levin2020-04-26
| | | | | | | | | | | | * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBSELINUX with COND_BUILD_PAM_SELINUX and COND_BUILD_PAM_SEPERMIT. * modules/Makefile.am [COND_BUILD_PAM_SELINUX] (MAYBE_PAM_SELINUX): Define. [COND_BUILD_PAM_SEPERMIT] (MAYBE_PAM_SEPERMIT): Likewise. (SUBDIRS): Replace pam_selinux with $(MAYBE_PAM_SELINUX), pam_sepermit with MAYBE_PAM_SEPERMIT. * modules/pam_selinux/Makefile.am: Assume HAVE_LIBSELINUX. * modules/pam_sepermit/Makefile.am: Likewise.
* build: move pam_namespace build condition to modules/Makefile.amDmitry V. Levin2020-04-26
| | | | | | | | | * configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with COND_BUILD_PAM_NAMESPACE. * modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE): Define. (SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE). * modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
* build: move pam_userdb build condition to modules/Makefile.amDmitry V. Levin2020-04-26
| | | | | | | | | * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBDB with COND_BUILD_PAM_USERDB. * modules/Makefile.am [COND_BUILD_PAM_USERDB] (MAYBE_PAM_USERDB): Define. (SUBDIRS): Replace pam_userdb with $(MAYBE_PAM_USERDB). * modules/pam_userdb/Makefile.am: Assume HAVE_LIBDB.
* build: move pam_cracklib build condition to modules/Makefile.amDmitry V. Levin2020-04-26
| | | | | | | | | * configure.ac (AM_CONDITIONAL): Replace HAVE_LIBCRACK with COND_BUILD_PAM_CRACKLIB. * modules/Makefile.am [COND_BUILD_PAM_CRACKLIB] (MAYBE_PAM_CRACKLIB): Define. (SUBDIRS): Replace pam_cracklib with $(MAYBE_PAM_CRACKLIB). * modules/pam_cracklib/Makefile.am: Assume HAVE_LIBCRACK.
* build: move pam_keyinit build condition to modules/Makefile.amDmitry V. Levin2020-04-26
| | | | | | | | | * configure.ac (AM_CONDITIONAL): Replace HAVE_KEY_MANAGEMENT with COND_BUILD_PAM_KEYINIT. * modules/Makefile.am [COND_BUILD_PAM_KEYINIT] (MAYBE_PAM_KEYINIT): Define. (SUBDIRS): Replace pam_keyinit with $(MAYBE_PAM_KEYINIT). * modules/pam_keyinit/Makefile.am: Assume HAVE_KEY_MANAGEMENT.
* build: move pam_tty_audit build condition to modules/Makefile.amDmitry V. Levin2020-04-26
| | | | | | | | | * configure.ac (AM_CONDITIONAL): Replace HAVE_AUDIT_TTY_STATUS with COND_BUILD_PAM_TTY_AUDIT. * modules/Makefile.am [COND_BUILD_PAM_TTY_AUDIT] (MAYBE_PAM_TTY_AUDIT): Define. (SUBDIRS): Replace pam_tty_audit with $(MAYBE_PAM_TTY_AUDIT). * modules/pam_tty_audit/Makefile.am: Assume HAVE_AUDIT_TTY_STATUS.
* modules/Makefile.am: sort SUBDIRSDmitry V. Levin2020-04-26
| | | | | | Also list one element of SUBDIRS per line for the ease of maintenance. * modules/Makefile.am (SUBDIRS): List one per line, sort.
* pam_issue: fix potential read out of boundsDmitry V. Levin2020-04-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reported by gcc-10 -Warray-bounds: In file included from /usr/include/string.h:494, from modules/pam_issue/pam_issue.c:19: In function 'strncat', inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:197:3: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [260, 389] from the object at 'uts' is out of the bounds of referenced subobject 'version' with type 'char[65]' at offset 195 [-Werror=array-bounds] 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from modules/pam_issue/pam_issue.c:26: modules/pam_issue/pam_issue.c: In function 'read_issue_quoted': /usr/include/x86_64-linux-gnu/sys/utsname.h:59:10: note: subobject 'version' declared here 59 | char version[_UTSNAME_VERSION_LENGTH]; | ^~~~~~~ In file included from /usr/include/string.h:494, from modules/pam_issue/pam_issue.c:19: In function 'strncat', inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:188:3: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [65, 389] from the object at 'uts' is out of the bounds of referenced subobject 'sysname' with type 'char[65]' at offset 0 [-Werror=array-bounds] 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from modules/pam_issue/pam_issue.c:26: modules/pam_issue/pam_issue.c: In function 'read_issue_quoted': /usr/include/x86_64-linux-gnu/sys/utsname.h:51:10: note: subobject 'sysname' declared here 51 | char sysname[_UTSNAME_SYSNAME_LENGTH]; | ^~~~~~~ In file included from /usr/include/string.h:494, from modules/pam_issue/pam_issue.c:19: In function 'strncat', inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:194:3: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [195, 389] from the object at 'uts' is out of the bounds of referenced subobject 'release' with type 'char[65]' at offset 130 [-Werror=array-bounds] 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from modules/pam_issue/pam_issue.c:26: modules/pam_issue/pam_issue.c: In function 'read_issue_quoted': /usr/include/x86_64-linux-gnu/sys/utsname.h:57:10: note: subobject 'release' declared here 57 | char release[_UTSNAME_RELEASE_LENGTH]; | ^~~~~~~ In file included from /usr/include/string.h:494, from modules/pam_issue/pam_issue.c:19: In function 'strncat', inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:191:3: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [130, 389] from the object at 'uts' is out of the bounds of referenced subobject 'nodename' with type 'char[65]' at offset 65 [-Werror=array-bounds] 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from modules/pam_issue/pam_issue.c:26: modules/pam_issue/pam_issue.c: In function 'read_issue_quoted': /usr/include/x86_64-linux-gnu/sys/utsname.h:54:10: note: subobject 'nodename' declared here 54 | char nodename[_UTSNAME_NODENAME_LENGTH]; | ^~~~~~~~ In file included from /usr/include/string.h:494, from modules/pam_issue/pam_issue.c:19: In function 'strncat', inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:200:3: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [325, 389] from the object at 'uts' is out of the bounds of referenced subobject 'machine' with type 'char[65]' at offset 260 [-Werror=array-bounds] 136 | return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from modules/pam_issue/pam_issue.c:26: modules/pam_issue/pam_issue.c: In function 'read_issue_quoted': /usr/include/x86_64-linux-gnu/sys/utsname.h:62:10: note: subobject 'machine' declared here 62 | char machine[_UTSNAME_MACHINE_LENGTH]; | ^~~~~~~ * modules/pam_issue/pam_issue.c (read_issue_quoted): Rewrite to avoid strncat from potentially not null-terminated string buffer fields of struct utsname.
* pam_motd: fix NULL dereference when at least one of motd directories is not ↵Dmitry V. Levin2020-04-26
| | | | | | | | | | | available * modules/pam_motd/pam_motd.c (try_to_display_directories_with_overrides): Do not assign -1U to dirscans_sizes[i] when scandir(motd_dir_path_split[i]) returns an error. Resolves: https://bugzilla.altlinux.org/38389 Fixes: d57ab221 ("pam_motd: Cleanup the code and avoid unnecessary logging")
* pam_motd: cleanup calloc invocationsDmitry V. Levin2020-04-26
| | | | | | | | | | Apply the following calloc invocation idiom: ptr = calloc(nmemb, sizeof(*ptr)); * modules/pam_motd/pam_motd.c (pam_split_string, try_to_display_directories_with_overrides): Cleanup calloc invocations. Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* pam_motd: fix NULL dereference on error pathDmitry V. Levin2020-04-26
| | | | | | | | | * modules/pam_motd/pam_motd.c (try_to_display_directories_with_overrides): Do not access elements of dirscans_sizes array if dirscans_sizes == NULL due to an earlier memory allocation error. Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* pam_motd: remove redundant return statementDmitry V. Levin2020-04-26
| | | | | | | | * modules/pam_motd/pam_motd.c (try_to_display_directories_with_overrides): Remove return statement at the end of the function returning void. Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* pam_motd: remove redundant prefix from syslog messagesDmitry V. Levin2020-04-26
| | | | | | | | | | pam_syslog already does all the prefixing we need. * modules/pam_motd/pam_motd.c (pam_split_string, try_to_display_directories_with_overrides): Remove "pam_motd: " prefix from strings passed to pam_syslog. Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* pam_motd: fix memory leakDmitry V. Levin2020-04-26
| | | | | | | | | | pam_motd used to leak memory allocated for each motd file successfully opened in try_to_display_directories_with_overrides. * modules/pam_motd/pam_motd.c (try_to_display_directories_with_overrides): Free abs_path. Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* pam_motd: fix misleading error diagnosticsDmitry V. Levin2020-04-26
| | | | | | | | | | | | Do not invoke calloc with the first argument equal to zero as the return value can be NULL which is undistinguishable from memory allocation error. * modules/pam_motd/pam_motd.c (try_to_display_directories_with_overrides): Skip if there are no directory entries (dirscans_size_total == 0). Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* pam_motd: do not zero the memory allocated by callocDmitry V. Levin2020-04-26
| | | | | | | | | | As dirnames_all is allocated with calloc, zeroing it out is pointless. * modules/pam_motd/pam_motd.c (try_to_display_directories_with_overrides): Remove redundant zeroing of dirnames_all. Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
* build: cleanup: do not add -DWITH_SELINUX to CFLAGSDmitry V. Levin2020-04-26
| | | | | | | | | | As WITH_SELINUX is already AC_DEFINE'd in configure.ac, there is no point in adding -DWITH_SELINUX to CFLAGS. * libpam/Makefile.am [HAVE_LIBSELINUX] (AM_CFLAGS): Do not add -DWITH_SELINUX. * modules/pam_rootok/Makefile.am: Likewise. * modules/pam_unix/Makefile.am: Likewise.
* pam_filter: fix potential off-by-one heap buffer overflowDmitry V. Levin2020-04-24
| | | | | | | | | | | | | | | | | | | | Reported by gcc-10 -Wstringop-overflow: In file included from /usr/include/string.h:494, from modules/pam_filter/pam_filter.c:14: In function 'strcpy', inlined from 'process_args' at modules/pam_filter/pam_filter.c:137:2, inlined from 'need_a_filter.isra' at modules/pam_filter/pam_filter.c:618:12: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90:10: warning: '__builtin_memcpy' writing 6 bytes into a region of size 5 [-Wstringop-overflow=] 90 | return __builtin___strcpy_chk (__dest, __src, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ modules/pam_filter/pam_filter.c: In function 'need_a_filter.isra': modules/pam_filter/pam_filter.c:128:21: note: at offset 0 to an object with size 5 allocated by 'malloc' here 128 | levp[0] = (char *) malloc(size); | ^~~~~~~~~~~~ * modules/pam_filter/pam_filter.c (process_args): Fix off-by-one heap buffer overflow in case of a filter without arguments (argc == 0).
* pam_setquota: remove PAM_EXTERN and PAM_STATIC partsDmitry V. Levin2020-04-24
| | | | | | | In other modules they were removed by commit Linux-PAM-1.3.0~14. * modules/pam_setquota/pam_setquota.c: Remove PAM_EXTERN and PAM_STATIC parts.
* pam_setquota: fix more harmless compilation warningsDmitry V. Levin2020-04-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On ppc64le the compiler complains with the following diagnostics: pam_setquota.c: In function 'debug': pam_setquota.c:48:59: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64' {aka 'const long unsigned int'} [-Wformat=] 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " | ~~~^ | | | long long unsigned int | %lu ...... 51 | p->dqb_bsoftlimit, p->dqb_bhardlimit, | ~~~~~~~~~~~~~~~~~ | | | __u64 {aka const long unsigned int} pam_setquota.c:48:75: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 7 has type '__u64' {aka 'const long unsigned int'} [-Wformat=] 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " | ~~~^ | | | long long unsigned int | %lu ...... 51 | p->dqb_bsoftlimit, p->dqb_bhardlimit, | ~~~~~~~~~~~~~~~~~ | | | __u64 {aka const long unsigned int} pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type '__u64' {aka 'const long unsigned int'} [-Wformat=] 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ...... 52 | p->dqb_isoftlimit, p->dqb_ihardlimit, | ~~~~~~~~~~~~~~~~~ | | | __u64 {aka const long unsigned int} pam_setquota.c:49:46: note: format string is defined here 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu", | ~~~^ | | | long long unsigned int | %lu pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 9 has type '__u64' {aka 'const long unsigned int'} [-Wformat=] 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ...... 52 | p->dqb_isoftlimit, p->dqb_ihardlimit, | ~~~~~~~~~~~~~~~~~ | | | __u64 {aka const long unsigned int} pam_setquota.c:49:62: note: format string is defined here 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu", | ~~~^ | | | long long unsigned int | %lu pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 10 has type '__u64' {aka 'const long unsigned int'} [-Wformat=] 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ...... 53 | p->dqb_btime, p->dqb_itime); | ~~~~~~~~~~~~ | | | __u64 {aka const long unsigned int} pam_setquota.c:49:73: note: format string is defined here 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu", | ~~~^ | | | long long unsigned int | %lu pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 11 has type '__u64' {aka 'const long unsigned int'} [-Wformat=] 48 | pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu " | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ...... 53 | p->dqb_btime, p->dqb_itime); | ~~~~~~~~~~~~ | | | __u64 {aka const long unsigned int} pam_setquota.c:49:84: note: format string is defined here 49 | "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu", | ~~~^ | | | long long unsigned int | %lu * modules/pam_setquota/pam_setquota.c (debug): Cast fields of type __u64 to unsigned long long.
* pam_timestamp: include "config.h" in hmacsha1.c as the first headerDmitry V. Levin2020-04-24
| | | | | | | | | This ensures "config.h" is included before any system header which fixes the following bug reported by ALT diagnostics: verify-elf: ERROR: ./lib/security/pam_timestamp.so: uses non-LFS functions: __fxstat open * modules/pam_timestamp/hmacsha1.c: Include "config.h".
* pam_setquota: apply WARN_CFLAGSDmitry V. Levin2020-04-24
| | | | | | All other modules already build with WARN_CFLAGS. * modules/pam_setquota/Makefile.am (AM_CFLAGS): Add $(WARN_CFLAGS).
* pam_setquota: fix harmless compilation warningsDmitry V. Levin2020-04-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix -Wunused-variable compilation warnings: pam_setquota.c: In function 'pam_sm_open_session': pam_setquota.c:173:9: warning: unused variable 'ep' [-Wunused-variable] 173 | char *ep, *val, *mntdevice = NULL; | ^~ pam_setquota.c:172:17: warning: unused variable 'ul' [-Wunused-variable] 172 | unsigned long ul; | ^~ Fix -Wunused-parameter compilation warnings: pam_setquota.c: In function 'pam_sm_open_session': pam_setquota.c:169:60: warning: unused parameter 'flags' [-Wunused-parameter] 169 | PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, | ~~~~^~~~~ pam_setquota.c: In function 'pam_sm_close_session': pam_setquota.c:382:40: warning: unused parameter 'pamh' [-Wunused-parameter] 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, | ~~~~~~~~~~~~~~^~~~ pam_setquota.c:382:50: warning: unused parameter 'flags' [-Wunused-parameter] 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, | ~~~~^~~~~ pam_setquota.c:382:61: warning: unused parameter 'argc' [-Wunused-parameter] 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, | ~~~~^~~~ pam_setquota.c:383:39: warning: unused parameter 'argv' [-Wunused-parameter] 383 | const char **argv) { | ~~~~~~~~~~~~~^~~~ * modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Mark 'flags' parameter as unused. Remove unused 'ep' and 'ul' variables. (pam_sm_close_session): Mark all parameters as unused.
* pam_setquota: new module to set or modify disk quotas on session startSven Hartge2020-04-17
| | | | | | | This makes disk quotas usable with central user databases, such as MySQL or LDAP. Resolves: https://github.com/linux-pam/linux-pam/issues/92
* pam_access, pam_issue: do not assume that getdomainname always existsDmitry V. Levin2020-04-15
| | | | | | | | * modules/pam_access/pam_access.c (netgroup_match): Place the code that calls getdomainname under HAVE_GETDOMAINNAME guard. * modules/pam_issue/pam_issue.c (read_issue_quoted): Likewise. Resolves: https://github.com/linux-pam/linux-pam/issues/43
* pam_unix: modernize example in manual pageTopi Miettinen2020-04-12
| | | | | | | According to crypt(5), md5 should not be used for new hashes. Let's give a modern example with yescrypt. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* pam_access: add an example of using groups in access.conf to permit accessLucas Ramage2020-04-07
| | | | | Resolves: https://github.com/linux-pam/linux-pam/issues/65 Resolves: https://github.com/linux-pam/linux-pam/pull/199
* pam_timestamp: Fix // in TIMESTAMPDIRPetr Lautrbach2020-03-31
| | | | | | | | | _PATH_VARRUN already provides trailing slash for building paths Fixes: $ strings /usr/lib64/security/pam_timestamp.so | grep /run/ /var/run//pam_timestamp /var/run//pam_timestamp/_pam_timestamp_key
* pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.James Ralston2020-03-30
| | | | | | | | | | | | | | | | | | | | | The pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems that use the unix_chkpwd helper. The reason is that in unix_chkpwd.c, towards the end of main(), if helper_verify_password() does not return PAM_SUCCESS, main() ignores the actual error that helper_verify_password() returned and instead returns PAM_AUTH_ERR. This commit corrects this behavior. Specifically, if helper_verify_password() returns PAM_USER_UNKNOWN, which it does when /etc/passwd entry indicates that shadow information is present but the /etc/shadow entry is missing, the unix_chkpwd now exits with PAM_AUTHINFO_UNAVAIL. For any other error from helper_verify_password(), unix_chkpwd continues to exit with PAM_AUTH_ERR. * modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL when helper_verify_password() returns PAM_USER_UNKNOWN.
* Fix various typos found using codespell toolDmitry V. Levin2020-03-28
|
* pam_time: add conffile option to specify an alternative configuration fileblueskycs2c2020-03-24
| | | | | Resolves: https://github.com/linux-pam/linux-pam/pull/163 Resolves: https://github.com/linux-pam/linux-pam/pull/191
* pam_exec: require user name to be ready for the commandAlexander Zubkov2020-03-23
| | | | | | | | | | pam_exec module can be called when a user name has not been prompted yet. And thus the command is called without a user name available. This fix asks PAM for the user name to ensure it is ready or to force the prompt. Resolves: https://github.com/linux-pam/linux-pam/issues/131 Resolves: https://github.com/linux-pam/linux-pam/pull/195
* pam_selinux: fall back to log to syslog if audit logging failsChristian Göttsche2020-03-23
| | | | Resolves: https://github.com/linux-pam/linux-pam/pull/194
* pam_selinux: sanitize asprintf argument on failureChristian Göttsche2020-03-23
|
* pam_selinux: print additional information on failuresChristian Göttsche2020-03-23
|
* pam_selinux: convert send_audit_message to void functionChristian Göttsche2020-03-23
| | | | | The result is nowhere checked and other logging functions like pam_syslog are also not checked.
* pam_selinux: fix indentationChristian Göttsche2020-03-23
|
* pam_selinux: substitute legacy security_context_t typeChristian Göttsche2020-03-23
| | | | | | | | `security_context_t` is a legacy typedef to `char *`, substitute all usage. See https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9 https://github.com/SELinuxProject/selinux/blob/f8c110c8a615eb640510eab39640a0957a6ba19c/libselinux/include/selinux/selinux.h#L16
* modules/pam_userdb: use pam_str_skip_icase_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_userdb/pam_userdb.c: Include "pam_inline.h". (_pam_parse, user_lookup): Use pam_str_skip_icase_prefix instead of ugly strncasecmp invocations.
* modules/pam_umask: use pam_str_skip_icase_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_umask/pam_umask.c: Include "pam_inline.h". (parse_option, setup_limits_from_gecos): Use pam_str_skip_icase_prefix instead of ugly strncasecmp invocations.
* modules/pam_pwhistory: use pam_str_skip_icase_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_pwhistory/pam_pwhistory.c: Include "pam_inline.h". (parse_option): Use pam_str_skip_icase_prefix instead of ugly strncasecmp invocations.
* modules/pam_exec: use pam_str_skip_icase_prefixDmitry V. Levin2020-03-19
| | | | | * modules/pam_exec/pam_exec.c (call_exec): Use pam_str_skip_icase_prefix instead of ugly strncasecmp invocations.
* modules/pam_xauth: use pam_str_skip_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h". (pam_sm_open_session, pam_sm_close_session): Use pam_str_skip_prefix instead of ugly strncmp invocations.
* modules/pam_wheel: use pam_str_skip_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_wheel/pam_wheel.c: Include "pam_inline.h". (_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp invocations.
* modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_lenDmitry V. Levin2020-03-19
| | | | | | | | | | | | | * modules/pam_unix/passverify.c: Include "pam_inline.h". (verify_pwd_hash): Use pam_str_skip_prefix instead of ugly strncmp invocations. * modules/pam_unix/support.c: Include "pam_inline.h". (_set_ctrl): Use pam_str_skip_prefix_len instead of hardcoding string lengths. * modules/pam_unix/md5_crypt.c: Include "pam_inline.h". (crypt_md5): Use pam_str_skip_prefix_len. squash! modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len
* modules/pam_tty_audit: use pam_str_skip_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_tty_audit/pam_tty_audit.c: Include "pam_inline.h". (pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp invocations.
* modules/pam_timestamp: use pam_str_skip_prefixDmitry V. Levin2020-03-19
| | | | | | * modules/pam_timestamp/pam_timestamp.c: Include "pam_inline.h". (check_tty, get_timestamp_name, pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp invocations.