| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
| |
* modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
"$(MAN5) $(MAN8)" with "$(MANS)" as the former is conditional
on HAVE_DOC.
|
| |
|
|
|
|
|
| |
* modules/pam_usertype/Makefile.am (man_MANS): Make conditional
on HAVE_DOC.
Resolves: https://github.com/linux-pam/linux-pam/pull/193
|
| |
|
|
|
|
| |
* modules/pam_namespace/.gitignore: New file.
Resolves: https://github.com/linux-pam/linux-pam/pull/192
|
| |
|
|
|
|
| |
Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the build is configured using --disable-nis option, gcc complains:
pam_unix_passwd.c: In function '_do_setpass':
pam_unix_passwd.c:398:8: warning: unused variable 'master' [-Wunused-variable]
support.c: In function '_unix_getpwnam':
support.c:305:21: warning: parameter 'nis' set but not used [-Wunused-but-set-parameter]
* modules/pam_unix/pam_unix_passwd.c (_do_setpass): Move the definition
of "master" variable to [HAVE_NIS].
* modules/pam_unix/support.c (_unix_getpwnam) [!(HAVE_YP_GET_DEFAULT_DOMAIN
&& HAVE_YP_BIND && HAVE_YP_MATCH && HAVE_YP_UNBIND)]: Do not assign
the unused parameter but mark it as used.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove trailing whitespace introduced by commit
f9c9c72121eada731e010ab3620762bcf63db08f.
Remove blank lines at EOF introduced by commit
65d6735c5949ec233df9813f734e918a93fa36cf.
This makes the project free of warnings reported by
git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
* doc/custom-html.xsl: Remove blank line at EOF.
* doc/custom-man.xsl: Likewise.
* modules/pam_motd/pam_motd.c: Remove trailing whitespace.
|
| |
|
|
|
|
| |
If kernel audit is disabled the socket open will return
EPROTONOSUPPORT.
Return PAM_IGNORE from pam_tty_audit and log a warning
in this situation so login is not blocked by the module.
|
| |
|
|
| |
u_intX_t is a glibcism this fixes the issue of compiling against musl libc.
|
| |
|
|
|
| |
* modules/pam_group/group.conf.5.xml: Replace bare & with &.
* modules/pam_time/time.conf.5.xml: Likewise.
|
| | |
|
| |
|
|
|
|
|
|
| |
* modules/pam_group/group.conf.5.xml: Document what logic list means.
* modules/pam_time/time.conf.5.xml: Likewise.
* modules/pam_group/pam_group.c (logic_field): Clear the not operator for the
further operations.
* modules/pam_time/pam_time.c (logic_field): Likewise.
|
| |
|
|
|
|
| |
If the shell is empty in /etc/passwd entry it means /bin/sh.
* modules/pam_shells/pam_shells.c (perform_check): Use /bin/sh as default shell.
|
| |
|
|
|
| |
* modules/pam_env/pam_env.8.xml: Document the change.
* modules/pam_env/pam_env.c: Set DEFAULT_USER_READ_ENVFILE to 0.
|
| |
|
|
|
|
|
|
|
| |
Raise BUF_SIZE to 8192 bytes.
* modules/pam_env/pam_env.c (_parse_env_file): Ignore lines starting with '='.
(_assemble_line): Detect long lines and binary files.
(_check_var): Avoid overwriting global variable.
(_expand_arg): Avoid repeated strlen calls.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could created and controlled by for example a malicious user or
service.
Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| |
|
|
|
| |
* modules/pam_succeed_if/pam_succeed_if.c: Fix const issues.
* modules/pam_usertype/pam_usertype.c: Avoid maybe used uninitialized warning.
|
| |
|
|
|
|
|
|
|
|
| |
Adding nullresetok to auth phase of pam_unix module will allow users
with blank password to authenticate in order to immediatelly change
their password even if nullok is not set.
This allows to have blank password authentication disabled but still
allows administrator to create new user accounts with expired blank
password that must be change on the first login.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Examples:
account requisite pam_succeed_if.so user ingroup group1:group2
OR
account requisite pam_succeed_if.so user notingroup group1:group2
OR
account requisite pam_succeed_if.so user ingroup wheel
OR
account requisite pam_succeed_if.so user notingroup wheel
Can be very convenient to grant access based on complex group memberships (LDAP, etc)
|
| |
|
|
|
| |
There are some source code including the same header file redundantly.
We remove these redundant header file inclusion.
|
| |
|
|
|
| |
* modules/pam_tally/pam_tally.8.xml: Mention account leakage without silent
* modules/pam_tally2/pam_tally2.8.xml: Mention account leakage without silent
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This module will check if the user account type is system or regular based
on its uid. To evaluate the condition it will use 0-99 reserved range
together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
If these values are not set, it uses configure-time defaults
`--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
`SYS_UID_MAX` defaults to `UID_MIN - 1`.
This information can be used to skip specific module in pam stack
based on the account type. `pam_succeed_if uid < 1000` is used at the moment
however it does not reflect changes to `login.defs`.
|
| |
|
|
|
|
|
|
| |
Allow the user to disable documentation through --disable-doc (enabled
by default), this is especially useful when cross-compiling for embedded
targets
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce a new internal header file with definitions of
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
use them to temporary silence -Wcast-qual compilation warnings
in various modules.
* libpam/include/pam_cc_compat.h: New file.
* libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
* modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
(create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL
and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
(pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier
in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
(nl_send): Wrap the cast that discards ‘const’ qualifier in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
(_unix_run_verify_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
(_unix_run_update_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
(unix_update_shadow): Wrap the cast that discards ‘const’ qualifier
in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/support.c: Include "pam_cc_compat.h".
(_unix_run_helper_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
(run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL
and DIAG_POP_IGNORE_CAST_QUAL.
|
| |
|
|
|
|
|
|
|
|
| |
* libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to
non-const char *.
* modules/pam_filter/pam_filter.c: Avoid using const char **.
* modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
* modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
* modules/pam_tally2/pam_tally2.c: String literal must be assigned to
const char *.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the call to the crypt(3) function failed for some reason during
hashing a new login passphrase, the wrapper function for computing
a hash with the md5crypt method was called internally by the pam_unix
module in previous versions of linux-pam.
With CVE-2012-3287 in mind, the md5crypt method is not considered to
be a safe nor recommended hashing method for a new login passphrase
since at least 2012. Thus pam_unix should error out in case of a
failure in crypt(3) instead of silently computing a hashed passphrase
using a potentially unsafe method.
* modules/pam_unix/pam_unix.8.xml: Update documentation.
* modules/pam_unix/passverify.c (create_password_hash): Return NULL
on error instead of silently invoke crypt_md5_wrapper().
|
| |
|
| |
helper_verify_password's variable salt is not just the salt but the whole hash. Renamed for clarity and conformity with the rest of the code.
|
| |
|
|
|
| |
According to the man pages, "Each invocation of va_start() must be
matched by a corresponding invocation of va_end() in the same function."
|
| | |
|
| | |
|
| |
|
|
|
| |
Add a short description of the nousergroups to the pam_umask(8)
man-page.
|
| |
|
|
|
|
|
|
|
|
| |
This is particularly useful when pam has been built with the new
--enable-usergroups configure switch, allowing users to override
the default-enabled state and disabling usergroups at runtime.
This is synonymous but opposite to current and previous pam_umask
default that could be changed to enabled at runtime with the usergroups
argument.
|
| |
|
|
|
|
|
|
|
|
| |
This change adds a configure option to set the default value of the
usergroups option (of the pam_umask module) at build-time.
Distributions usually makes the decision if usergroups should be used or
not. This allows them to control the built-in default value, without
having to ship the value in a config file (cluttering up the view
of actually relevant user/system configuration overrides).
|
| |
|
|
|
|
|
| |
IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should
be discarded. Additionally, for IPv4 addresses, the largest valid prefix size
should be 32.
Fixes #161
|
| |
|
|
|
|
|
|
| |
To be able to set CFLAGS from make command-line but not to lose the
warning flags.
* configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
* */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
|
| |
|
|
|
| |
Follow-up for c81280b16e1831ab0bdd0383486c7e2d1eaf1b5e.
* modules/pam_motd/pam_motd.c: Return PAM_IGNORE if pam_putenv succeeds.
* modules/pam_motd/pam_motd.8.xml: Document additional possible return values of the module.
|
| |
|
|
|
|
|
|
|
|
|
| |
When xcrypt.h is available but -lxcrypt is not, pam_pwhistory fails to
build with the following diagnostics:
modules/pam_pwhistory/opasswd.c:111: undefined reference to `xcrypt_r'
Fix this by using the same check for xcrypt as in other modules.
* modules/pam_pwhistory/opasswd.c: Replace HAVE_XCRYPT_H with
HAVE_LIBXCRYPT.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
* doc/specs/Makefile.am: Likewise.
* libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.
* modules/pam_access/pam_access.c: Avoid double const.
* modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
without copying the NUL byte.
* modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_limits/pam_limits.c: Remove unused units variable.
* modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.
* modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.
* modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
of hardcoded value.
* modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.
* modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.
* modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
cast for comparison.
* modules/pam_unix/support.c: Remove unused function.
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a useful indication for update-motd profile.d snippet which can
also try to show MOTD when it is not already shown.
The use-case for that is showing MOTD in shells in containers without
PAM being involved.
* modules/pam_motd/pam_motd.c: Export MOTD_SHOWN=pam after showing MOTD
* modules/pam_motd/pam_motd.8.xml: Mention setting MOTD_SHOWN=pam in the man page
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an auth module to pam_keyinit, whose implementation of
pam_sm_setcred
is identical to the implementation of pam_sm_open_session.
It is useful with PAM applications, which call pam_setcred,
before calling pam_open_session.
* modules/pam_keyinit/pam_keyinit.c: Add an auth module to pam_keyinit.
* modules/pam_keyinit/pam_keyinit.8.xml: Update the manpage
to describe the new functionality.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_auth.c: Use LOG_NOTICE instead of LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
|
| |
|
|
|
|
|
|
|
|
| |
* modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
noexec, nosuid, and nodev flags support.
* modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
filter out the flags.
(parse_method): Call the function.
(ns_setup): Apply the flags to the tmpfs mount.
* modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.
The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
D() macro calls which are not enabled on production builds with
regular pam_syslog() calls.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where Linux-PAM should additional look
for pam.d/*, login.defs and securetty if this files are not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
|
| |
|
|
| |
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It a reduced fsize limit is set in /etc/security/limits.conf and
pam_limits is in use pam_lastlog may cause a crash, e.g.
----- begin /etc/pam.d/su ----
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
password required pam_unix.so nullok
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_lastlog.so
----- end /etc/pam.d/su -----
----- begin /etc/security/limits.d/fsize.conf -----
* soft fsize 1710
* hard fsize 1710
----- end /etc/security/limits.d/fsize.conf -----
# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
# su - user1
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
$ exit
# id user2
uid=60000(user2) gid=60000(user2) groups=60000(user2)
# su - user2
File size limit exceeded
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
In order to fix this, and an 'unlimited' option, which leads to saving
the 'fsize' limit and set it to unlimited before writing lastlog. After
that, restore the saved value. If 'fsize' is already unlimited nothing
is done.
Failing to set the 'fsize' limit is not a fatal error. With luck the
configured limit will suffice, so we try to write lastlog anyway, even
under the risk of dying due to a SIGXFSZ.
Failing to restore the 'fsize' limit is a fatal error, since we don't
want to keep it unlimited.
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
