| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes a regression introduced by #69, where motd_path was set
to NULL and passed into strdup() if the motd_dir argument was
not specified in the configuration file. This caused a segmentation
fault.
* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
* xtests/Makefile.am: add test scripts and config file
* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
* xtests/tst-pam_motd4.pamd: create
* xtests/tst-pam_motd4.sh: create
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds specifying multiple paths to motd files and motd.d
directories to be displayed. A colon-separated list of
paths is specified as arguments motd and motd_dir to the
pam_motd module.
This gives packages several options to install motd files to.
By default, the paths are, with highest priority first:
/etc/motd
/run/motd
/usr/lib/motd
/etc/motd.d/
/run/motd.d/
/usr/lib/motd.d/
Which is equivalent to the following arguments:
motd=/etc/motd:/run/motd:/usr/lib/motd
motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d
Files with the same filename in a lower-priority directory,
as specified by the order in the colon-separated list, are
overridden, meaning PAM will not display them.
This allows a package to contain motd files under
/usr/lib instead of the host configuration in /etc.
A service may also write a dynamically generated motd in
/run/motd.d/ and have PAM display it without needing a
symlink from /etc/motd.d/ installed.
Closes #68
* modules/pam_motd/pam_motd.8.xml: update documentation
* modules/pam_motd/pam_motd.c: add specifying multiple motd paths
* xtests/.gitignore: add generated test script
* xtests/Makefile.am: add test source, scripts and config files
* xtests/tst-pam_motd.c: create
* xtests/tst-pam_motd.sh: create
* xtests/tst-pam_motd1.pamd: create
* xtests/tst-pam_motd1.sh: create
* xtests/tst-pam_motd2.pamd: create
* xtests/tst-pam_motd2.sh: create
* xtests/tst-pam_motd3.pamd: create
* xtests/tst-pam_motd3.sh: create
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bcrypt hashes used the "$2a$" prefix since 1997.
However, in 2011 an implementation bug was discovered in bcrypt
affecting the handling of characters in passphrases with the 8th
bit set.
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
for a behavior that exactly matches crypt_blowfish's "$2y$", and
the crypt_blowfish implementation supports it as well since v1.1.
That said new computed bcrypt hashes should use the "$2b$" prefix.
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
|
| |
|
|
|
|
|
|
|
|
| |
* modules/pam_tally/pam_tally.c (tally_check): Replace
"Account is temporary locked" with "The account is temporarily locked"
in translated messages.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* po/Linux-PAM.pot: Update pam_tally and pam_tally2 messages.
Closes: https://github.com/linux-pam/linux-pam/issues/54
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Turn into proper sentences those messages that are printed without
further modifications using pam_prompt in contexts where proper
sentences are expected.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
of the message passed to pam_error.
* modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
grammar of error messages passed to pam_error.
* modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
passed to pam_info.
* modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
* modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
grammar of messages passed to pam_prompt.
* modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
passed to pam_info.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
of messages passed to _make_remark.
* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
pam_sm_chauthtok): Likewise.
* po/Linux-PAM.pot: Regenerate.
|
| |
|
|
|
|
|
|
|
|
| |
pam_stress is not a regular module that needs to be translated.
Besides that, its messages are not easy to understand
and even harder to translate properly.
* modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Do not mark
messages for translation.
* po/Linux-PAM.pot: Remove pam_stress messages.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
_UNIX_NEW_AUTHTOK macros
The last use of these macros was removed by commit Linux-PAM-1.3.0~5
so their definitions should go as well.
* modules/pam_unix/pam_unix_auth.c (_UNIX_AUTHTOK): Remove.
* modules/pam_unix/pam_unix_passwd.c (_UNIX_OLD_AUTHTOK,
_UNIX_NEW_AUTHTOK): Likewise.
Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
direct pam_prompt() calls.")
|
| |
|
|
|
|
|
|
|
|
| |
The function was removed by commit Linux-PAM-1.3.0~5
so the function prototype should go as well.
* modules/pam_unix/support.h (_unix_read_password): Remove.
Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
direct pam_prompt() calls.")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new feature to pam_motd to allow packages to install their own
message files in a "motd.d" directory, to be displayed after the primary
motd.
Add an option motd_d= to specify the location of this directory.
Modify the defaults, in the case where no options are given, to display
both /etc/motd and /etc/motd.d.
Fixes #47
* modules/pam_motd/pam_motd.c: add support for motd.d
* modules/pam_motd/pam_motd.8.xml: update the manpage
|
| |
|
|
|
| |
* modules/pam_umask/pam_umask.8.xml: Document the real order of loading
umask.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is no need for pam_tally2 in --reset=0 mode to create a missing
tallylog file because its absence has the same meaning as its existence
with the appropriate entry reset.
This was not a big deal until useradd(8) from shadow suite release 4.5
started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
configuration.
The positive effect of this change is noticeable when using tools like
cpio(1) that cannot archive huge sparse files efficiently.
* modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
cline_filename when cline_reset == 0, exit early if the file is missing.
|
| |
|
|
|
| |
* modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
skip creating the directory if we are under /.
|
| |
|
|
|
|
|
| |
* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
remove unneeded code carried from pam_limits.
(pam_sm_open_session): When multiple enable/disable options are present do not
stop after first match.
|
| |
|
|
| |
* modules/pam_access/access.conf.5.xml: Add note about spaces around ':'
|
| |
|
|
|
|
|
|
| |
Check the return value of malloc and if it failed print debug info, send
a syslog message and return an error code.
The test in AUTH_RETURN for ret_data not being NULL becomes redundant.
Signed-off-by: Peter Urbanec <git.user@urbanec.net>
|
| |
|
|
| |
* modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.
|
| |
|
|
|
|
|
| |
* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
parse the uid range.
(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.
|
| |
|
|
|
|
|
|
|
| |
* modules/pam_access/pam_access.c (login_access): Return NOMATCH if
there was no match in the parsed file.
(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
subdirectory and call login_access() on the individual files matched.
* modules/pam_access/pam_access.8.xml: Document the addition.
* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.
|
| |
|
|
|
| |
* modules/pam_localuser/pam_localuser.8.xml: The example configuration
does something different.
|
| |
|
|
|
| |
* modules/pam_localuser/pam_localuser.8.xml: The module returns
PAM_PERM_DENIED when the user is not listed.
|
| |
|
| |
* modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.
|
| |
|
|
|
| |
* modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
to beginning and not NULL.
|
| |
|
|
|
|
|
|
|
|
| |
Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
but the response is set to NULL.
* modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
with a null pointer.
Closes: https://github.com/linux-pam/linux-pam/pull/2
|
| |
|
|
| |
* modules/pam_limits/limits.conf.5.xml: add a missing comma
|
| |
|
|
|
|
|
| |
The (group) match is performed first to allow for groups
containing '@'.
* modules/pam_access/pam_access.c (user_match): First check for the (group) match.
|
| |
|
|
|
|
| |
* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
of anonymous users if user name matches.
(pam_sm_authenticate): Free the returned value allocated in lookup().
|
| |
|
|
| |
* modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
with LOG_ERR.
* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
LOG_ERR.
* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
with LOG_NOTICE.
* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
LOG_CRIT, other errors LOG_ERR.
* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
with LOG_NOTICE, non-memory errors with LOG_ERR.
* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
LOG_ERR.
* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
other errors LOG_ERR.
* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
max retries ignorance by application likewise.
* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
with LOG_NOTICE.
* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Before this fix, a typo in check_login_time resulted to ruser and
struct utmp.ut_user being compared by the first character only,
which in turn could lead to a too low timestamp value being assigned
to oldest_login, effectively causing bypass of check_login_time.
* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
in strncmp usage.
Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
|
| |
|
|
|
|
|
|
| |
The spaces are ignored only with the default listsep. To remove confusion
if non-default listsep is used they are removed from the examples.
* modules/pam_access/access.conf: Remove all spaces around ':' in examples.
* modules/pam_access/access.conf.5.xml: Likewise.
|
| |
|
|
|
| |
* modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
root_only option.
|
| |
|
|
|
| |
modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
to store the old passwords when remember option is set.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to drop support for not_set_pass option which is not much useful
anyway. Instead we get proper support for authtok_type option.
* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
pe
option.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
sword()
call with equivalent pam_get_authtok() call.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
support for not_set_pass.
* modules/pam_unix/support.c (_unix_read_password): Remove.
* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
expiration messages more user-friendly.
|
| |
|
|
|
|
|
|
|
|
|
| |
then we inform about it and not use it. [ticket#46]
* modules/pam_group/pam_group.c: ditto
* modules/pam_succeed_if/pam_succeed_if.c: ditto
* modules/pam_time/pam_time.c: ditto
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove blank lines at EOF introduced by commit
a684595c0bbd88df71285f43fb27630e3829121e,
making the project free of warnings reported by
git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
* libpam/pam_dynamic.c: Remove blank line at EOF.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
|
| |
|
|
|
|
|
|
| |
The old SunRPC functions don't work with IPv6.
* configure.ac: Set and restore CPPFLAGS
* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
rpcb_getaddr if available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux-PAM. It was never official supported and was broken since years.
* configure.ac: Remove --enable-static-modules option.
* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
* doc/man/pam_sm_authenticate.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_close_session.3.xml: Likewise.
* doc/man/pam_sm_open_session.3.xml: Likewise.
* doc/man/pam_sm_setcred.3.xml: Likewise.
* libpam/Makefile.am: Remove STATIC_MODULES cases.
* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
* libpam/pam_dynamic.c: Likewise.
* libpam/pam_handlers.c: Likewise.
* libpam/pam_private.h: Likewise.
* libpam/pam_static.c: Remove file.
* libpam/pam_static_modules.h: Remove header file.
* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_debug/pam_debug.c: Likewise.
* modules/pam_deny/pam_deny.c: Likewise.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_env/pam_env.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faildelay/pam_faildelay.c: Likewise.
* modules/pam_filter/pam_filter.c: Likewise.
* modules/pam_ftp/pam_ftp.c: Likewise.
* modules/pam_group/pam_group.c: Likewise.
* modules/pam_issue/pam_issue.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_listfile/pam_listfile.c: Likewise.
* modules/pam_localuser/pam_localuser.c: Likewise.
* modules/pam_loginuid/pam_loginuid.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_motd/pam_motd.c: Likewise.
* modules/pam_namespace/pam_namespace.c: Likewise.
* modules/pam_nologin/pam_nologin.c: Likewise.
* modules/pam_permit/pam_permit.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.
|
| |
|
|
|
|
|
| |
new libnsl.
* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
|
| |
|
|
|
|
|
|
| |
and such not needed.
* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
it will never be used.
|
| |
|
|
|
|
|
| |
* modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
returning NULL.
* modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
NULL.
|
| |
|
|
|
|
|
|
|
| |
Fixes a minor bug in behavior when is_selinux_enabled()
returned negative value.
* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
(unix_update_shadow): Safe cast forwho to non-const char *.
* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
|
| |
|
|
|
|
|
| |
* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
Add a paragraph about /etc/environment. Add environ(7) reference.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.
|
| |
|
|
|
| |
* modules/pam_unix/passverify.c (create_password_hash): Change the
salt length for new hashes to 16 characters.
|
| |
|
|
|
| |
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.
|
| |
|
|
|
| |
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
if required auditd is not detected.
|
| |
|
|
|
| |
* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
passwd permission.
|
| |
|
|
|
|
|
| |
* modules/pam_timestamp/hmacsha1.c(hmac_key_create):
close 'keyfd' when failed to own it.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
|
