summaryrefslogtreecommitdiff
path: root/modules
Commit message (Collapse)AuthorAge
...
| * Enhance group.conf examples (Ticket#35)Thorsten Kukuk2015-03-24
| | | | | | | | * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
| * Document timestampdir option (Ticket#33)Thorsten Kukuk2015-03-24
| | | | | | | | * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
| * pam_succeed_if: Fix copy&paste error in rhost and tty values.Tomas Mraz2014-10-17
| | | | | | | | | | modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST and PAM_TTY properly for the rhost and tty values.
| * pam_succeed_if: Use long long type for numeric valuesTomas Mraz2014-10-17
| | | | | | | | | | | | | | | | | | The currently used long with additional conversion to int is too small for uids and gids. modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace strtol() with strtoll() and int with long long in the parameters of comparison functions.
| * pam_mkhomedir: Drop superfluous stat() call.Tomas Mraz2014-08-26
| | | | | | | | | | modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous stat() call.
| * pam_exec: Do not depend on open() returning STDOUT_FILENO.Tomas Mraz2014-08-26
| | | | | | | | | | modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to STDOUT_FILENO if needed.
| * pam_keyinit: Check return value of setregid.Robin Hack2014-08-25
| | | | | | | | modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
| * pam_filter: Avoid leaking descriptors when fork() fails.Robin Hack2014-08-25
| | | | | | | | modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
| * pam_echo: Avoid leaking file descriptor.Robin Hack2014-08-14
| | | | | | | | modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
| * pam_tty_audit: Silence Coverity reporting uninitialized use.Robin Hack2014-08-13
| | | | | | | | | | modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also msg_flags.
| * pam_tally2: Avoid uninitialized use of fileinfo.Tomas Mraz2014-08-13
| | | | | | | | | | | | Problem found by Robin Hack <rhack@redhat.com>. modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size just try to read it.
| * pam_access: Avoid uninitialized access of line.Tomas Mraz2014-08-13
| | | | | | | | | | * modules/pam_access/pam_access.c (login_access): Reorder condition so line is not accessed when uninitialized.
| * pam_lastlog: Properly clean up last_login structure before use.Tomas Mraz2014-08-05
| | | | | | | | | | modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login structure before use.
| * Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.Tomas Mraz2014-07-21
| | | | | | | | | | | | | | * modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields in opasswd entry and return error. * modules/pam_unix/passverify.c (save_old_password): Test for missing fields in opasswd entry and skip it.
| * pam_limits: nofile refers to file descriptors not filesTomas Mraz2014-06-19
| | | | | | | | | | modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit. modules/pam_limits/limits.conf: Likewise.
| * pam_limits: clarify documentation of maxlogins and maxsyslogins limits.Tomas Mraz2014-06-19
| | | | | | | | | | modules/pam_limits/limits.conf.5.xml: clarify documentation of maxlogins and maxsyslogins limits.
| * pam_unix: Check for NULL return from Goodcrypt_md5().Tomas Mraz2014-06-19
| | | | | | | | | | modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for NULL return from Goodcrypt_md5().
| * pam_unix: check for NULL return from malloc()Tomas Mraz2014-06-19
| | | | | | | | * modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
| * pam_loginuid: Document one more possible case of PAM_IGNORE return.Tomas Mraz2014-05-22
| | | | | | | | | | modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case of PAM_IGNORE return value.
| * pam_loginuid: Document other possible return values.Tomas Mraz2014-05-22
| | | | | | | | | | modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return values.
| * pam_timestamp: fix potential directory traversal issue (ticket #27)Dmitry V. Levin2014-03-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of the timestamp pathname it creates, so extra care should be taken to avoid potential directory traversal issues. * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat "." and ".." tty values as invalid. (get_ruser): Treat "." and ".." ruser values, as well as any ruser value containing '/', as invalid. Fixes CVE-2014-2583. Reported-by: Sebastian Krahmer <krahmer@suse.de>
| * pam_userdb: document that .db suffix should not be usedTomas Mraz2014-03-20
| | | | | | | | | | modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix should not be used and correct the example.
| * pam_selinux: canonicalize user nameTomas Mraz2014-03-11
| | | | | | | | | | | | SELinux expects canonical user name for example without domain component. * modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().
| * Introduce pam_modutil_sanitize_helper_fdsDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change introduces pam_modutil_sanitize_helper_fds - a new function that redirects standard descriptors and closes all other descriptors. pam_modutil_sanitize_helper_fds supports three types of input and output redirection: - PAM_MODUTIL_IGNORE_FD: do not redirect at all. - PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented by creating a pipe, closing its write end, and redirecting stdin to its read end. Likewise, for stdout/stderr it is implemented by creating a pipe, closing its read end, and redirecting to its write end. Unlike stdin redirection, stdout/stderr redirection to a pipe has a side effect that a process writing to such descriptor should be prepared to handle SIGPIPE appropriately. - PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is implemented via PAM_MODUTIL_PIPE_FD because there is no functional difference. For stdout/stderr, it is classic redirection to /dev/null. PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel security restrictions, but when the helper process might be writing to the corresponding descriptor and termination of the helper process by SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD. * libpam/pam_modutil_sanitize.c: New file. * libpam/Makefile.am (libpam_la_SOURCES): Add it. * libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd, pam_modutil_sanitize_helper_fds): New declarations. * libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface. * modules/pam_exec/pam_exec.c (call_exec): Use pam_modutil_sanitize_helper_fds. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise. * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise. * modules/pam_unix/support.h (MAX_FD_NO): Remove.
| * pam_xauth: avoid potential SIGPIPE when writing to xauth processDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8. * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process, close the read end of input pipe after writing to its write end.
| * pam_loginuid: log significant loginuid write errorsDmitry V. Levin2014-01-27
| | | | | | | | | | * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors during /proc/self/loginuid update that are not ignored.
| * Fix gratuitous use of strdup and x_strdupDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is no need to copy strings passed as arguments to execve, the only potentially noticeable effect of using strdup/x_strdup would be a malformed argument list in case of memory allocation error. Also, x_strdup, being a thin wrapper around strdup, is of no benefit when its argument is known to be non-NULL, and should not be used in such cases. * modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup instead of x_strdup, the latter is of no benefit in this case. * modules/pam_ftp/pam_ftp.c (lookup): Likewise. * modules/pam_userdb/pam_userdb.c (user_lookup): Likewise. * modules/pam_userdb/pam_userdb.h (x_strdup): Remove. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use x_strdup for strings passed as arguments to execve. * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. (_unix_verify_password): Use strdup instead of x_strdup, the latter is of no benefit in this case. * modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for strings passed as arguments to execv.
| * pam_userdb: fix password hash comparisonDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed passwords support in pam_userdb, hashes are compared case-insensitively. This bug leads to accepting hashes for completely different passwords in addition to those that should be accepted. Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for modern password hashes with different lengths and settings, did not update the hash comparison accordingly, which leads to accepting computed hashes longer than stored hashes when the latter is a prefix of the former. * modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed hash whose length differs from the stored hash length. Compare computed and stored hashes case-sensitively. Fixes CVE-2013-7041. Bug-Debian: http://bugs.debian.org/731368
| * pam_xauth: log fatal errors preventing xauth process executionDmitry V. Levin2014-01-24
| | | | | | | | | | * modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe() and fork() calls.
| * pam_loginuid: cleanup loginuid buffer initializationDmitry V. Levin2014-01-22
| | | | | | | | | | * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid buffer initialization closer to its first use.
| * pam_limits: fix utmp->ut_user handlingDmitry V. Levin2014-01-20
| | | | | | | | | | | | | | | | | | ut_user member of struct utmp is a string that is not necessarily null-terminated, so extra care should be taken when using it. * modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to a null-terminated string and consistently use it where a null-terminated string is expected.
| * pam_mkhomedir: check and create home directory for the same user (ticket #22)Dmitry V. Levin2014-01-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before pam_mkhomedir helper was introduced in commit 7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for existance and creating the same directory - the home directory of the user NAME returned by pam_get_item(PAM_USER). The change in behaviour accidentally introduced along with mkhomedir_helper is not consistent: while the module still checks for getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily the same as the directory being checked. This change brings check and creation back in sync, both handling getpwnam(NAME)->pw_dir. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace "struct passwd *" argument with user's name and home directory. Pass user's name to MKHOMEDIR_HELPER. (pam_sm_open_session): Update create_homedir call.
| * pam_limits: detect and ignore stale utmp entriesTomas Mraz2014-01-20
| | | | | | | | | | | | | | | | Original idea by Christopher Hailey * modules/pam_limits/pam_limits.c (check_logins): Use kill() to detect if pid of the utmp entry is still running and ignore the entry if it is not.
| * pam_loginuid: Always return PAM_IGNORE in usernsStéphane Graber2014-01-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous patch to support user namespaces works fine with containers that are started from a desktop/terminal session but fails when dealing with containers that were started from a remote session such as ssh. I haven't looked at the exact reason for that in the kernel but on the userspace side of things, the difference is that containers started from an ssh session will happily let pam open /proc/self/loginuid read-write, will let it read its content but will then fail with EPERM when trying to write to it. So to make the userns support bullet proof, this commit moves the userns check earlier in the function (which means a small performance impact as it'll now happen everytime on kernels that have userns support) and will set rc = PAM_IGNORE instead of rc = PAM_ERROR. The rest of the code is still executed in the event that PAM is run on a future kernel where we have some kind of audit namespace that includes a working loginuid. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Signed-off-by: Steve Langasek <vorlon@debian.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
| * pam_namespace: don't use bashisms in default namespace.init scriptSteve Langasek2014-01-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * modules/pam_namespace/pam_namespace.c: call setuid() before execing the namespace init script, so that scripts run with maximum privilege regardless of the shell implementation. * modules/pam_namespace/namespace.init: drop the '-p' bashism from the shebang line This is not a POSIX standard option, it's a bashism. The bash manpage says that it's used to prevent the effective user id from being reset to the real user id on startup, and to ignore certain unsafe variables from the environment. In the case of pam_namespace, the -p is not necessary for environment sanitizing because the PAM module (properly) sanitizes the environment before execing the script. The stated reason given in CVS history for passing -p is to "preserve euid when called from setuid apps (su, newrole)." This should be done more portably, by calling setuid() before spawning the shell. Signed-off-by: Steve Langasek <vorlon@debian.org> Bug-Debian: http://bugs.debian.org/624842 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
| * pam_loginuid: Ignore failure in user namespacesStéphane Graber2014-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running pam_loginuid in a container using the user namespaces, even uid 0 isn't allowed to set the loginuid property. This change catches the EACCES from opening loginuid, checks if the user is in the host namespace (by comparing the uid_map with the host's one) and only if that's the case, sets rc to 1. Should uid_map not exist or be unreadable for some reason, it'll be assumed that the process is running on the host's namespace. The initial reason behind this change was failure to ssh into an unprivileged container (using a 3.13 kernel and current LXC) when using a standard pam profile for sshd (which requires success from pam_loginuid). I believe this solution doesn't have any drawback and will allow people to use unprivileged containers normally. An alternative would be to have all distros set pam_loginuid as optional but that'd be bad for any of the other potential failure case which people may care about. There has also been some discussions to get some of the audit features tied with the user namespaces but currently none of that has been merged upstream and the currently proposed implementation doesn't cover loginuid (nor is it clear how this should even work when loginuid is set as immutable after initial write). Signed-off-by: Steve Langasek <vorlon@debian.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
| * pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not existDmitry V. Levin2014-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | When /proc/self/loginuid does not exist, return PAM_IGNORE instead of PAM_SUCCESS, so that we can distinguish between "loginuid set successfully" and "loginuid not set, but this is expected". Suggested by Steve Langasek. * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid does not exist, PAM_SESSION_ERR in case of any other error. (_pam_loginuid): Forward the PAM error code returned by set_loginuid.
| * pam_access: fix debug level logging (ticket #19)Dmitry V. Levin2013-11-20
| | | | | | | | | | * modules/pam_access/pam_access.c (group_match): Log the group token passed to the function, not an uninitialized data on the stack.
| * pam_warn: log flags passed to the module (ticket #25)Dmitry V. Levin2013-11-20
| | | | | | | | | | | | | | | | * modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and log it using pam_syslog. (pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok, pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass "flags" argument to log_items.
| * pam_securetty: check return value of fgetsDmitry V. Levin2013-11-20
| | | | | | | | | | | | | | | | Checking return value of fgets not only silences the warning from glibc but also leads to a cleaner code. * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Check return value of fgets.
| * pam_lastlog: fix format stringDmitry V. Levin2013-11-20
| | | | | | | | | | | | | | | | gcc -Wformat justly complains: format '%d' expects argument of type 'int', but argument 5 has type 'time_t' * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format string.
| * If the correct loginuid is set already, skip writing it.Darren Tucker2013-11-20
| | | | | | | | | | modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid and skip writing if already correctly set.
| * Always ask for old password if changing NIS accountThorsten Kukuk2013-11-11
| | | | | | | | | | * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask for old password if NIS account.
| * Allow DES as compatibility option for /etc/login.defsThorsten Kukuk2013-11-08
| | | | | | | | * modules/pam_unix/support.h: Add UNIX_DES
| * Make pam_tty_audit work with old kernels not supporting log_passwd.Tomas Mraz2013-10-14
| | | | | | | | | | | | | | modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros if message is short from older kernel. Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
| * Fix pam_tty_audit log_passwd support and regression.Tomas Mraz2013-09-25
| | | | | | | | | | modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include. (pam_sm_open_session): Always copy the old status as initialization of new.
* | New upstream version 1.1.8Steve Langasek2019-01-03
|\ \ | |/
| * Check return value of setuid to remove glibc warnings.Thorsten Kukuk2013-09-16
| | | | | | | | | | * modules/pam_unix/pam_unix_acct.c: Check setuid return value. * modules/pam_unix/support.c: Likewise.
| * Write to *rounds only if non-NULL.Tomas Mraz2013-09-13
| | | | | | | | modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
| * Add missing ')'Tomas Mraz2013-09-13
| | | | | | | | modules/pam_unix/pam_unix_passwd.c: Add missing ')'..