From b0eff898b6ce0d083a7758e337879e4fa084d0b9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 10 Oct 2007 14:10:06 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2007-10-09 Tomas Mraz * modules/pam_tally/pam_tally.8.xml: Document audit option correctly. --- ChangeLog | 4 ++++ modules/pam_tally/pam_tally.8.xml | 12 +----------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index ebef2ce3..c609a109 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2007-10-09 Tomas Mraz + * modules/pam_tally/pam_tally.8.xml: Document audit option + correctly. + 2007-10-09 Thorsten Kukuk * release version 0.99.9.0 diff --git a/modules/pam_tally/pam_tally.8.xml b/modules/pam_tally/pam_tally.8.xml index 1261130a..4f89269e 100644 --- a/modules/pam_tally/pam_tally.8.xml +++ b/modules/pam_tally/pam_tally.8.xml @@ -146,7 +146,7 @@ - Will display the username typed if the user is not found. + Will log the user name into the system log if the user is not found. @@ -248,16 +248,6 @@ - - - - - - - Root account can become unavailable. - - - -- cgit v1.2.3 From 9109873b94bfe1ead79be79ce751b17d42f4d03e Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 12 Oct 2007 10:46:25 +0000 Subject: Relevant BUGIDs: Purpose of commit: new testcase Commit summary: --------------- 2007-10-12 Thorsten Kukuk * xtests/Makefile.am: Add tst-pam_dispatch5 sources * xtests/tst-pam_dispatch5.c: New test for jump too far. * xtests/tst-pam_dispatch5.pamd: New test configuration. --- ChangeLog | 6 +++ xtests/Makefile.am | 4 +- xtests/tst-pam_dispatch4.c | 6 +-- xtests/tst-pam_dispatch5.c | 86 +++++++++++++++++++++++++++++++++++++++++++ xtests/tst-pam_dispatch5.pamd | 4 ++ 5 files changed, 102 insertions(+), 4 deletions(-) create mode 100644 xtests/tst-pam_dispatch5.c create mode 100644 xtests/tst-pam_dispatch5.pamd diff --git a/ChangeLog b/ChangeLog index c609a109..a7284ca5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,9 @@ +2007-10-12 Thorsten Kukuk + + * xtests/Makefile.am: Add tst-pam_dispatch5 sources + * xtests/tst-pam_dispatch5.c: New test for jump too far. + * xtests/tst-pam_dispatch5.pamd: New test configuration. + 2007-10-09 Tomas Mraz * modules/pam_tally/pam_tally.8.xml: Document audit option correctly. diff --git a/xtests/Makefile.am b/xtests/Makefile.am index b32ba76b..8b6dbd25 100644 --- a/xtests/Makefile.am +++ b/xtests/Makefile.am @@ -11,6 +11,7 @@ CLEANFILES = *~ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \ + tst-pam_dispatch5.pamd \ tst-pam_cracklib1.pamd tst-pam_cracklib2.pamd \ tst-pam_unix1.pamd tst-pam_unix2.pamd tst-pam_unix3.pamd \ tst-pam_unix1.sh tst-pam_unix2.sh tst-pam_unix3.sh \ @@ -23,7 +24,8 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ group.conf tst-pam_group1.pamd tst-pam_group1.sh XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ - tst-pam_dispatch4 tst-pam_cracklib1 tst-pam_cracklib2 \ + tst-pam_dispatch4 tst-pam_dispatch5 \ + tst-pam_cracklib1 tst-pam_cracklib2 \ tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 \ tst-pam_access1 tst-pam_access2 tst-pam_access3 \ tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \ diff --git a/xtests/tst-pam_dispatch4.c b/xtests/tst-pam_dispatch4.c index 12bc362a..745e9cfc 100644 --- a/xtests/tst-pam_dispatch4.c +++ b/xtests/tst-pam_dispatch4.c @@ -64,7 +64,7 @@ main(int argc, char *argv[]) if (retval != PAM_SUCCESS) { if (debug) - fprintf (stderr, "test4: pam_start returned %d\n", retval); + fprintf (stderr, "pam_dispatch4: pam_start returned %d\n", retval); return 1; } @@ -72,7 +72,7 @@ main(int argc, char *argv[]) if (retval != PAM_SUCCESS) { if (debug) - fprintf (stderr, "test4: pam_authenticate returned %d\n", retval); + fprintf (stderr, "pam_dispatch4: pam_authenticate returned %d\n", retval); return 1; } 
@@ -80,7 +80,7 @@ main(int argc, char *argv[]) if (retval == PAM_SUCCESS) { if (debug) - fprintf (stderr, "test4: pam_authenticate returned %d\n", retval); + fprintf (stderr, "pam_dispatch4: pam_acct_mgmt returned %d\n", retval); return 1; } diff --git a/xtests/tst-pam_dispatch5.c b/xtests/tst-pam_dispatch5.c new file mode 100644 index 00000000..f1197b38 --- /dev/null +++ b/xtests/tst-pam_dispatch5.c 
@@ -0,0 +1,86 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include + +static struct pam_conv conv = { + misc_conv, + NULL +}; + + +/* jump after the end of the stack and make sure we don't seg.fault. */ + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="nobody"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_dispatch5", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_dispatch5: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_authenticate (pamh, 0); + if (retval != PAM_PERM_DENIED) + { + if (debug) + fprintf (stderr, "pam_dispatch5: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_dispatch5: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/xtests/tst-pam_dispatch5.pamd b/xtests/tst-pam_dispatch5.pamd new file mode 100644 index 00000000..ea781f77 --- /dev/null +++ b/xtests/tst-pam_dispatch5.pamd @@ -0,0 +1,4 @@ +#%PAM-1.0 +# Jump after the end of the stack +auth [success=2 default=bad] pam_permit.so +auth required pam_deny.so -- cgit v1.2.3 From 4507528d83d454b9b9c32a5e94a939f125020aa9 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 18 Oct 2007 10:02:33 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- Add new tests to .cvsignore --- xtests/.cvsignore | 1 + 1 file changed, 1 insertion(+) diff --git a/xtests/.cvsignore b/xtests/.cvsignore index ee175609..00c9ad07 100644 --- a/xtests/.cvsignore +++ b/xtests/.cvsignore @@ -10,6 +10,7 @@ tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 tst-pam_dispatch4 +tst-pam_dispatch5 tst-pam_cracklib1 tst-pam_cracklib2 tst-pam_limits1 -- cgit v1.2.3 From 5aafd4bcca561a58c49913f3c338df6ef924505a Mon Sep 17 00:00:00 2001 
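Review bot: The comment above main() in xtests/tst-pam_dispatch5.c names only the crash check, while the assertion `retval != PAM_PERM_DENIED` also pins that a jump past the end of the stack is denied rather than treated as success. I would say so in the comment, e.g. `/* Jump past the end of the stack: must not crash and must fail closed (PAM_PERM_DENIED). */`, so that a later change which lets the over-long jump succeed is recognised as a regression. The early `return 1;` after a failed pam_authenticate check also leaves without calling pam_end(); that is harmless in a test, but a one-line comment would show it is intentional.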
From: Tomas Mraz Date: Thu, 18 Oct 2007 11:02:57 +0000 Subject: Relevant BUGIDs: Purpose of commit: testcase Commit summary: --------------- 2007-10-18 Tomas Mraz * xtests/tst-pam_dispatch4.c: Fix comment about the test. * xtests/tst-pam_dispatch4.pamd: Improve the testcase. --- ChangeLog | 4 ++++ xtests/tst-pam_dispatch4.c | 3 +-- xtests/tst-pam_dispatch4.pamd | 6 +++--- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index a7284ca5..14ac26e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2007-10-18 Tomas Mraz + * xtests/tst-pam_dispatch4.c: Fix comment about the test. + * xtests/tst-pam_dispatch4.pamd: Improve the testcase. + 2007-10-12 Thorsten Kukuk * xtests/Makefile.am: Add tst-pam_dispatch5 sources diff --git a/xtests/tst-pam_dispatch4.c b/xtests/tst-pam_dispatch4.c index 745e9cfc..a4db8a88 100644 --- a/xtests/tst-pam_dispatch4.c +++ b/xtests/tst-pam_dispatch4.c @@ -46,8 +46,7 @@ static struct pam_conv conv = { }; -/* Check that errors of optional modules are ignored and that - required modules after a sufficient one are not executed. */ +/* Check that jumps are processed correctly. */ int main(int argc, char *argv[]) diff --git a/xtests/tst-pam_dispatch4.pamd b/xtests/tst-pam_dispatch4.pamd index 7c08372b..ac995add 100644 --- a/xtests/tst-pam_dispatch4.pamd +++ b/xtests/tst-pam_dispatch4.pamd @@ -1,8 +1,8 @@ #%PAM-1.0 -# We jump to pam_permit.so, should pass +# We jump to end of the stack with previous pam_permit.so, should pass +auth required pam_permit.so auth [success=1 default=ignore] pam_debug.so auth=success auth required pam_deny.so -auth required pam_permit.so -# We jump to a non-existing slot, fail, but don't seg.fault +# We jump to end of the stack without any module in OK state, should fail account [success=1 default=ignore] pam_debug.so account=success account required pam_deny.so -- cgit v1.2.3 From fba28bf5631dac07841542dd81f6f2ede3198b6e Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Thu, 18 Oct 2007 12:33:16 +0000 Subject: Relevant BUGIDs: Purpose of commit: testcase Commit summary: --------------- * xtests/tst-pam_cracklib2.c: Make the testcase more robust. --- ChangeLog | 1 + xtests/tst-pam_cracklib2.c | 20 +++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 14ac26e3..49379e6e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 2007-10-18 Tomas Mraz * xtests/tst-pam_dispatch4.c: Fix comment about the test. * xtests/tst-pam_dispatch4.pamd: Improve the testcase. + * xtests/tst-pam_cracklib2.c: Make the testcase more robust. 2007-10-12 Thorsten Kukuk diff --git a/xtests/tst-pam_cracklib2.c b/xtests/tst-pam_cracklib2.c index 49166a4e..a3d3ff88 100644 --- a/xtests/tst-pam_cracklib2.c +++ b/xtests/tst-pam_cracklib2.c @@ -43,10 +43,12 @@ #include #include +int debug = 0; + /* A conversation function which uses an internally-stored value for the responses. */ static int -fake_conv (int num_msg, const struct pam_message **msgm UNUSED, +fake_conv (int num_msg, const struct pam_message **msgm, struct pam_response **response, void *appdata_ptr UNUSED) { static int calls = 0; @@ -65,6 +67,8 @@ fake_conv (int num_msg, const struct pam_message **msgm UNUSED, /* Each prompt elicits the same response. */ for (count = 0; count < num_msg; ++count) { + if (debug) + fprintf(stderr,"Query: %s\n", (*msgm)[count].msg); reply[count].resp_retcode = 0; /* first tow calls get a correct password, second a too easy one. */ @@ -75,6 +79,8 @@ fake_conv (int num_msg, const struct pam_message **msgm UNUSED, ++calls; reply[count].resp = strdup ("1a9C*8dK"); } + if (debug) + fprintf(stderr,"Response: %s\n", reply[count].resp); } /* Set the pointers in the response structure and return. */ 
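Review bot: `(*msgm)[count].msg` in the added debug print of xtests/tst-pam_cracklib2.c treats msgm as a pointer to one contiguous array of messages, whereas libpam's own misc_conv indexes the same argument as `msgm[count]->msg`; the two readings agree only for the first message. If a module ever calls this conversation with num_msg > 1 laid out the libpam way, the print would read the wrong memory, so I would write `fprintf(stderr, "Query: %s\n", msgm[count]->msg);`. fake_conv starts and ends outside this hunk, so any validation of num_msg before the loop is not visible here.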
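Review bot: `reply[count].resp` is passed to `%s` in the added `fprintf(stderr,"Response: %s\n", reply[count].resp);` directly after being set from strdup(), with no NULL check in the visible lines; a failed allocation would make the debug print undefined behaviour. A guarded form such as `fprintf(stderr, "Response: %s\n", reply[count].resp ? reply[count].resp : "(null)");` keeps the test output usable in that case. The values printed here are the test's fixed passwords, so a short comment saying that this debug output must never be copied into a real conversation function would be worth adding.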
@@ -94,10 +100,6 @@ main(int argc, char *argv[]) pam_handle_t *pamh=NULL; const char *user="root"; int retval; - int debug = 0; - - /* Simulate passwd call by normal user */ - setuid (65534); if (argc > 1 && strcmp (argv[1], "-d") == 0) debug = 1; @@ -110,8 +112,8 @@ main(int argc, char *argv[]) return 1; } - /* Try one, first input is correct, second is NULL */ - retval = pam_chauthtok (pamh, 0); + /* Try one, first input is correct */ + retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (retval != PAM_SUCCESS) { if (debug) @@ -119,8 +121,8 @@ main(int argc, char *argv[]) return 1; } - /* Try two, second input is NULL */ - retval = pam_chauthtok (pamh, 0); + /* Try two, second input is wrong */ + retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (retval != PAM_AUTHTOK_ERR) { if (debug) -- cgit v1.2.3 From 695f6e358dd1e8c05e77bd13f93d85e5963c9c3e Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 19 Oct 2007 17:06:29 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2007-10-19 Tomas Mraz * xtests/tst-pam_access1.c: Use different name for user and group. * xtests/tst-pam_access1.sh: Likewise. * xtests/tst-pam_access2.c: Likewise. * xtests/tst-pam_access2.sh: Likewise. * xtests/tst-pam_access4.c: Likewise. * xtests/tst-pam_access4.sh: Likewise. * xtests/group.conf: Likewise. * xtests/tst-pam_group1.c: Likewise. * xtests/tst-pam_group1.sh: Likewise. * libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks, record substack level, skip over virtual substack modules, implement evaluation of done, die, reset and jumps in substacks. Also fixes too far jumps in substacks. * libpam/pam_end.c (pam_end): Drop substack evaluation states. * libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level parameter, instead of must_fail use handler_type needed for virtual substack modules. (_pam_load_conf_file): Add substack level parameter. (_pam_init_handlers): Substack level parameter added to _pam_parse_conf_file() calls. (_pam_load_module): New function. (_pam_add_handler): Refactor code into the _pam_load_module(). Add support for virtual substack modules. * libpam/pam_private.h: Rename must_fail to handler_type, add stack_level to struct handler. Define handler type constants. Add struct for substack evaluation states. Define constant for maximum substack level. Add substack states pointer to former state struct. * libpam/pam_start.c (pam_start): Initialize pointer to substack states. * doc/man/pam.conf-syntax.xml: Document substack control. * xtests/Makefile.am: Add new tests for substack evaluation. * xtests/run_xtests.sh: Support multiple .pamd files in a test. * xtests/tst-pam_authfail.pamd: New tests for substack evaluation. * xtests/tst-pam_authsucceed.pamd: Likewise. * xtests/tst-pam_substack1.pamd: Likewise. * xtests/tst-pam_substack1a.pamd: Likewise. 
* xtests/tst-pam_substack1.sh: Likewise. * xtests/tst-pam_substack2.pamd: Likewise. * xtests/tst-pam_substack2a.pamd: Likewise. * xtests/tst-pam_substack2.sh: Likewise. * xtests/tst-pam_substack3.pamd: Likewise. * xtests/tst-pam_substack3a.pamd: Likewise. * xtests/tst-pam_substack3.sh: Likewise. * xtests/tst-pam_substack4.pamd: Likewise. * xtests/tst-pam_substack4a.pamd: Likewise. * xtests/tst-pam_substack4.sh: Likewise. * xtests/tst-pam_substack5.pamd: Likewise. * xtests/tst-pam_substack5a.pamd: Likewise. * xtests/tst-pam_substack5.sh: Likewise. --- ChangeLog | 52 ++++++++++ NEWS | 1 + doc/man/pam.conf-syntax.xml | 18 ++++ libpam/pam_dispatch.c | 66 +++++++++---- libpam/pam_end.c | 2 + libpam/pam_handlers.c | 210 +++++++++++++++++++++++----------------- libpam/pam_private.h | 18 +++- libpam/pam_start.c | 1 + xtests/.cvsignore | 2 + xtests/Makefile.am | 16 ++- xtests/group.conf | 2 +- xtests/run-xtests.sh | 6 +- xtests/tst-pam_access1.c | 2 +- xtests/tst-pam_access1.sh | 6 +- xtests/tst-pam_access2.c | 2 +- xtests/tst-pam_access2.sh | 6 +- xtests/tst-pam_access4.c | 2 +- xtests/tst-pam_access4.sh | 4 +- xtests/tst-pam_authfail.c | 96 ++++++++++++++++++ xtests/tst-pam_authfail.pamd | 5 + xtests/tst-pam_authsucceed.c | 96 ++++++++++++++++++ xtests/tst-pam_authsucceed.pamd | 5 + xtests/tst-pam_group1.c | 6 +- xtests/tst-pam_group1.sh | 4 +- xtests/tst-pam_substack1.pamd | 5 + xtests/tst-pam_substack1.sh | 3 + xtests/tst-pam_substack1a.pamd | 2 + xtests/tst-pam_substack2.pamd | 6 ++ xtests/tst-pam_substack2.sh | 3 + xtests/tst-pam_substack2a.pamd | 2 + xtests/tst-pam_substack3.pamd | 5 + xtests/tst-pam_substack3.sh | 3 + xtests/tst-pam_substack3a.pamd | 3 + xtests/tst-pam_substack4.pamd | 5 + xtests/tst-pam_substack4.sh | 3 + xtests/tst-pam_substack4a.pamd | 4 + xtests/tst-pam_substack5.pamd | 4 + xtests/tst-pam_substack5.sh | 3 + xtests/tst-pam_substack5a.pamd | 3 + 39 files changed, 554 insertions(+), 128 deletions(-) create mode 100644 xtests/tst-pam_authfail.c 
create mode 100644 xtests/tst-pam_authfail.pamd create mode 100644 xtests/tst-pam_authsucceed.c create mode 100644 xtests/tst-pam_authsucceed.pamd create mode 100644 xtests/tst-pam_substack1.pamd create mode 100755 xtests/tst-pam_substack1.sh create mode 100644 xtests/tst-pam_substack1a.pamd create mode 100644 xtests/tst-pam_substack2.pamd create mode 100755 xtests/tst-pam_substack2.sh create mode 100644 xtests/tst-pam_substack2a.pamd create mode 100644 xtests/tst-pam_substack3.pamd create mode 100755 xtests/tst-pam_substack3.sh create mode 100644 xtests/tst-pam_substack3a.pamd create mode 100644 xtests/tst-pam_substack4.pamd create mode 100755 xtests/tst-pam_substack4.sh create mode 100644 xtests/tst-pam_substack4a.pamd create mode 100644 xtests/tst-pam_substack5.pamd create mode 100755 xtests/tst-pam_substack5.sh create mode 100644 xtests/tst-pam_substack5a.pamd diff --git a/ChangeLog b/ChangeLog index 49379e6e..93ccb080 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,55 @@ +2007-10-19 Tomas Mraz + + * xtests/tst-pam_access1.c: Use different name for user and group. + * xtests/tst-pam_access1.sh: Likewise. + * xtests/tst-pam_access2.c: Likewise. + * xtests/tst-pam_access2.sh: Likewise. + * xtests/tst-pam_access4.c: Likewise. + * xtests/tst-pam_access4.sh: Likewise. + * xtests/group.conf: Likewise. + * xtests/tst-pam_group1.c: Likewise. + * xtests/tst-pam_group1.sh: Likewise. + + * libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks, + record substack level, skip over virtual substack modules, implement + evaluation of done, die, reset and jumps in substacks. Also fixes + too far jumps in substacks. + * libpam/pam_end.c (pam_end): Drop substack evaluation states. + * libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level + parameter, instead of must_fail use handler_type needed for virtual + substack modules. + (_pam_load_conf_file): Add substack level parameter. + (_pam_init_handlers): Substack level parameter added to + _pam_parse_conf_file() calls. + (_pam_load_module): New function. + (_pam_add_handler): Refactor code into the _pam_load_module(). Add + support for virtual substack modules. + * libpam/pam_private.h: Rename must_fail to handler_type, add stack_level + to struct handler. Define handler type constants. Add struct + for substack evaluation states. Define constant for maximum + substack level. Add substack states pointer to former state struct. + * libpam/pam_start.c (pam_start): Initialize pointer to substack states. + * doc/man/pam.conf-syntax.xml: Document substack control. + * xtests/Makefile.am: Add new tests for substack evaluation. + * xtests/run_xtests.sh: Support multiple .pamd files in a test. + * xtests/tst-pam_authfail.pamd: New tests for substack evaluation. + * xtests/tst-pam_authsucceed.pamd: Likewise. + * xtests/tst-pam_substack1.pamd: Likewise. + * xtests/tst-pam_substack1a.pamd: Likewise. + * xtests/tst-pam_substack1.sh: Likewise. 
+ * xtests/tst-pam_substack2.pamd: Likewise. + * xtests/tst-pam_substack2a.pamd: Likewise. + * xtests/tst-pam_substack2.sh: Likewise. + * xtests/tst-pam_substack3.pamd: Likewise. + * xtests/tst-pam_substack3a.pamd: Likewise. + * xtests/tst-pam_substack3.sh: Likewise. + * xtests/tst-pam_substack4.pamd: Likewise. + * xtests/tst-pam_substack4a.pamd: Likewise. + * xtests/tst-pam_substack4.sh: Likewise. + * xtests/tst-pam_substack5.pamd: Likewise. + * xtests/tst-pam_substack5a.pamd: Likewise. + * xtests/tst-pam_substack5.sh: Likewise. + 2007-10-18 Tomas Mraz * xtests/tst-pam_dispatch4.c: Fix comment about the test. * xtests/tst-pam_dispatch4.pamd: Improve the testcase. diff --git a/NEWS b/NEWS index 2b14fec9..acc6d0f2 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,6 @@ Linux-PAM NEWS -- history of user-visible changes. +* New substack directive in config file syntax. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml index f098a26a..1460c6f6 100644 --- a/doc/man/pam.conf-syntax.xml +++ b/doc/man/pam.conf-syntax.xml @@ -180,6 +180,24 @@ + + substack + + + include all lines of given type from the configuration + file specified as an argument to this control. This differs from + include in that evaluation of the + done and die actions + in a substack does not cause skipping the rest of the complete + module stack, but only of the substack. Jumps in a substack + also can not make evaluation jump out of it, and the whole substack + is counted as one module when the jump is done in a parent stack. + The reset action will reset the state of a + module stack to the state it was in as of beginning of the substack + evaluation. + + + diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c index ab032d74..fa4e5ed4 100644 --- a/libpam/pam_dispatch.c +++ b/libpam/pam_dispatch.c 
@@ -34,7 +34,8 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, _pam_boolean resumed, int use_cached_chain) { - int depth, impression, status, skip_depth; + int depth, impression, status, skip_depth, prev_level, stack_level; + struct _pam_substack_state *substates = NULL; IF_NO_PAMH("_pam_dispatch_aux", pamh, PAM_SYSTEM_ERR); 
@@ -54,27 +55,51 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, skip_depth = pamh->former.depth; status = pamh->former.status; impression = pamh->former.impression; + substates = pamh->former.substates; /* forget all that */ pamh->former.impression = _PAM_UNDEF; pamh->former.status = PAM_MUST_FAIL_CODE; pamh->former.depth = 0; + pamh->former.substates = NULL; } else { skip_depth = 0; - impression = _PAM_UNDEF; - status = PAM_MUST_FAIL_CODE; + substates = malloc(PAM_SUBSTACK_MAX_LEVEL * sizeof(*substates)); + if (substates == NULL) { + pam_syslog(pamh, LOG_CRIT, + "_pam_dispatch_aux: no memory for substack states"); + return PAM_BUF_ERR; + } + substates[0].impression = impression = _PAM_UNDEF; + substates[0].status = status = PAM_MUST_FAIL_CODE; } + prev_level = 0; + /* Loop through module logic stack */ - for (depth=0 ; h != NULL ; h = h->next, ++depth) { + for (depth=0 ; h != NULL ; prev_level = stack_level, h = h->next, ++depth) { int retval, cached_retval, action; + stack_level = h->stack_level; + /* skip leading modules if they have already returned */ if (depth < skip_depth) { continue; } + /* remember state if we are entering a substack */ + if (prev_level < stack_level) { + substates[stack_level].impression = impression; + substates[stack_level].status = status; + } + /* attempt to call the module */ - if (h->func == NULL) { + if (h->handler_type == PAM_HT_MUST_FAIL) { + D(("module poorly listed in PAM config; forcing failure")); + retval = PAM_MUST_FAIL_CODE; + } else if (h->handler_type == PAM_HT_SUBSTACK) { + D(("skipping substack handler")); + continue; + } else if (h->func == NULL) { D(("module function is not defined, indicating failure")); retval = PAM_MODULE_UNKNOWN; } else { 
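Review bot: In the resumed branch of _pam_dispatch_aux, `substates = pamh->former.substates;` is taken on trust, yet the loop below writes `substates[stack_level]` and the reset action in a later hunk reads it. Nothing in this hunk guarantees the pointer is non-NULL on resume, so a guard such as `if (substates == NULL) return PAM_ABORT;` right after the assignment would turn an inconsistent handle into a clean failure instead of a NULL dereference in the authentication path. The index itself is bounded only by the `stack_level >= PAM_SUBSTACK_MAX_LEVEL` check in pam_handlers.c, which deserves a comment next to the malloc, e.g. `/* h->stack_level < PAM_SUBSTACK_MAX_LEVEL is enforced when the config is loaded */`. The function body begins and ends outside this hunk.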
@@ -83,10 +108,6 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, retval = h->func(pamh, flags, h->argc, h->argv); pamh->mod_name=NULL; D(("module returned: %s", pam_strerror(pamh, retval))); - if (h->must_fail) { - D(("module poorly listed in PAM config; forcing failure")); - retval = PAM_MUST_FAIL_CODE; - } } /* @@ -100,6 +121,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, pamh->former.impression = impression; pamh->former.status = status; pamh->former.depth = depth; + pamh->former.substates = substates; D(("module %d returned PAM_INCOMPLETE", depth)); return retval; @@ -176,8 +198,8 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, switch (action) { case _PAM_ACTION_RESET: - impression = _PAM_UNDEF; - status = PAM_MUST_FAIL_CODE; + impression = substates[stack_level].impression; + status = substates[stack_level].status; break; case _PAM_ACTION_OK: @@ -244,9 +266,13 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } /* this means that we need to skip #action stacked modules */ - do { - h = h->next; - } while ( --action > 0 && h != NULL ); + while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) { + do { + h = h->next; + ++depth; + } while (h->next != NULL && h->next->stack_level > stack_level); + --action; + } /* note if we try to skip too many modules action is still non-zero and we snag the next if. */ 
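Review bot: The unchanged comment `/* this means that we need to skip #action stacked modules */` no longer describes the rewritten jump loop in libpam/pam_dispatch.c, which now counts a whole substack as one module and refuses to step out of the current substack. Since this loop decides which modules are bypassed, I would document both rules where they are implemented, e.g. `/* skip #action entries at this stack_level; a nested substack counts as one entry and the jump never leaves the current substack */`. The inner `do { ... } while (h->next != NULL && h->next->stack_level > stack_level);` would also benefit from a short why-comment saying that it consumes the handlers belonging to a nested substack.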
@@ -254,14 +280,19 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, /* this case is a syntax error: we can't succeed */ if (action) { - D(("action syntax error")); + pam_syslog(pamh, LOG_ERR, "bad jump in stack"); impression = _PAM_NEGATIVE; status = PAM_MUST_FAIL_CODE; } } - } - + continue; + decision_made: /* by getting here we have made a decision */ + while (h->next != NULL && h->next->stack_level >= stack_level) { + h = h->next; + ++depth; + } + } /* Sanity check */ if ( status == PAM_SUCCESS && impression != _PAM_POSITIVE ) { @@ -269,6 +300,7 @@ decision_made: /* by getting here we have made a decision */ status = PAM_MUST_FAIL_CODE; } + free(substates); /* We have made a decision about the modules executed */ return status; } diff --git a/libpam/pam_end.c b/libpam/pam_end.c index e46dd0c4..de1c26ed 100644 --- a/libpam/pam_end.c +++ b/libpam/pam_end.c @@ -71,6 +71,8 @@ int pam_end(pam_handle_t *pamh, int pam_status) _pam_drop(pamh->pam_conversation); pamh->fail_delay.delay_fn_ptr = NULL; + _pam_drop(pamh->former.substates); + /* and finally liberate the memory for the pam_handle structure */ _pam_drop(pamh); diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 87d781d2..11508145 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -18,7 +18,7 @@ #define BUF_SIZE 1024 #define MODULE_CHUNK 4 -#define UNKNOWN_MODULE_PATH "<*unknown module path*>" +#define UNKNOWN_MODULE "<*unknown module*>" #ifndef _PAM_ISA #define _PAM_ISA "." #endif @@ -28,7 +28,7 @@ static int _pam_assemble_line(FILE *f, char *buf, int buf_len); static void _pam_free_handlers_aux(struct handler **hp); static int _pam_add_handler(pam_handle_t *pamh - , int must_fail, int other, int type + , int must_fail, int other, int stack_level, int type , int *actions, const char *mod_path , int argc, char **argv, int argvlen); 
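Review bot: The `_pam_add_handler` prototype in libpam/pam_handlers.c still names its second parameter `must_fail` (`, int must_fail, int other, int stack_level, int type`), although every caller in this patch now passes a handler-type constant such as PAM_HT_SUBSTACK or the `handler_type` variable. Renaming it to `int handler_type` keeps the declaration in line with the ChangeLog entry and stops a reader from treating the value as a boolean. The same leftover appears in the `@@ -121,9 +124,9 @@` hunk, where `handler_type?"BAD ":""` is correct only if PAM_HT_MODULE is 0; `handler_type==PAM_HT_MUST_FAIL?"BAD ":""`, as the later CONF debug line already does, would be explicit.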
@@ -43,6 +43,7 @@ static int _pam_add_handler(pam_handle_t *pamh static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name , const char *service /* specific file */ , int module_type /* specific type */ + , int stack_level /* level of substack */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -51,6 +52,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f , const char *known_service /* specific file */ , int requested_module_type /* specific type */ + , int stack_level /* level of substack */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -68,7 +70,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f int module_type, actions[_PAM_RETURN_VALUES]; int other; /* set if module is for PAM_DEFAULT_SERVICE */ int res; /* module added successfully? */ - int must_fail=0; /* a badly formatted line must fail when used */ + int handler_type = PAM_HT_MODULE; /* regular handler from a module */ int argc; char **argv; int argvlen; @@ -92,6 +94,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f /* accept "service name" or PAM_DEFAULT_SERVICE modules */ if (!strcasecmp(this_service, pamh->service_name) || other) { int pam_include = 0; + int substack = 0; /* This is a service we are looking for */ D(("_pam_init_handlers: Found PAM config entry for: %s" @@ -105,7 +108,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f "(%s) empty module type", this_service); module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ - must_fail = 1; /* install as normal but fail when dispatched */ + handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ } else if (!strcasecmp("auth", tok)) { module_type = PAM_T_AUTH; } else if (!strcasecmp("session", tok)) { 
@@ -121,9 +124,9 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f this_service, tok); module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ - must_fail = 1; /* install as normal but fail when dispatched */ + handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ } - D(("Using %s config entry: %s", must_fail?"BAD ":"", tok)); + D(("Using %s config entry: %s", handler_type?"BAD ":"", tok)); if (requested_module_type != PAM_T_ANY && module_type != requested_module_type) { D(("Skipping config entry: %s (requested=%d, found=%d)", @@ -145,7 +148,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f pam_syslog(pamh, LOG_ERR, "(%s) no control flag supplied", this_service); _pam_set_default_control(actions, _PAM_ACTION_BAD); - must_fail = 1; + handler_type = PAM_HT_MUST_FAIL; } else if (!strcasecmp("required", tok)) { D(("*PAM_F_REQUIRED*")); actions[PAM_SUCCESS] = _PAM_ACTION_OK; @@ -171,6 +174,11 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f } else if (!strcasecmp("include", tok)) { D(("*PAM_F_INCLUDE*")); pam_include = 1; + substack = 0; + } else if (!strcasecmp("substack", tok)) { + D(("*PAM_F_SUBSTACK*")); + pam_include = 1; + substack = 1; } else { D(("will need to parse %s", tok)); _pam_parse_control(actions, tok); 
@@ -180,7 +188,18 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f tok = _pam_StrTok(NULL, " \n\t", &nexttok); if (pam_include) { - if (_pam_load_conf_file(pamh, tok, this_service, module_type + if (substack) { + res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, + stack_level, module_type, actions, tok, + 0, NULL, 0); + if (res != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "error adding substack %s", tok); + D(("failed to load module - aborting")); + return PAM_ABORT; + } + } + if (_pam_load_conf_file(pamh, tok, this_service, module_type, + stack_level + substack #ifdef PAM_READ_BOTH_CONFS , !other #endif /* PAM_READ_BOTH_CONFS */ @@ -188,7 +207,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f continue; _pam_set_default_control(actions, _PAM_ACTION_BAD); mod_path = NULL; - must_fail = 1; + handler_type = PAM_HT_MUST_FAIL; nexttok = NULL; } else if (tok != NULL) { mod_path = tok; @@ -199,7 +218,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f pam_syslog(pamh, LOG_ERR, "(%s) no module name supplied", this_service); mod_path = NULL; - must_fail = 1; + handler_type = PAM_HT_MUST_FAIL; } /* nexttok points to remaining arguments... */ @@ -219,7 +238,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f int y; D(("CONF%s: %s%s %d %s %d" - , must_fail?"<*will fail*>":"" + , handler_type==PAM_HT_MUST_FAIL?"<*will fail*>":"" , this_service, other ? "(backup)":"" , module_type , mod_path, argc)); @@ -235,7 +254,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f } #endif - res = _pam_add_handler(pamh, must_fail, other + res = _pam_add_handler(pamh, handler_type, other, stack_level , module_type, actions, mod_path , argc, argv, argvlen); if (res != PAM_SUCCESS) { 
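Review bot: In the new substack branch of _pam_parse_conf_file, `tok` is passed to `_pam_add_handler(pamh, PAM_HT_SUBSTACK, ...)` as the path before anything has checked it. A `substack` line with no file name leaves `tok` NULL, and the NULL test visible in _pam_load_conf_file only runs afterwards. What _pam_add_handler does with a NULL path for this handler type is not visible in these hunks, so I would guard the call with `if (substack && tok != NULL) {` and let the existing load failure install the must-fail handler. Unless `actions` is initialised outside the visible lines, it also reaches this call unset, because the `include` and `substack` branches only set flags; calling `_pam_set_default_control(actions, _PAM_ACTION_BAD);` first would avoid storing indeterminate values in the virtual handler.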
@@ -252,6 +271,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name , const char *service /* specific file */ , int module_type /* specific type */ + , int stack_level /* level of substack */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -263,6 +283,12 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name D(("_pam_load_conf_file called")); + if (stack_level >= PAM_SUBSTACK_MAX_LEVEL) { + D(("maximum level of substacks reached")); + pam_syslog(pamh, LOG_ERR, "maximum level of substacks reached"); + return PAM_ABORT; + } + if (config_name == NULL) { D(("no config file supplied")); pam_syslog(pamh, LOG_ERR, "(%s) no config file supplied", service); @@ -280,7 +306,7 @@ static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name D(("opening %s", config_name)); f = fopen(config_name, "r"); if (f != NULL) { - retval = _pam_parse_conf_file(pamh, f, service, module_type + retval = _pam_parse_conf_file(pamh, f, service, module_type, stack_level #ifdef PAM_READ_BOTH_CONFS , not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -379,7 +405,8 @@ int _pam_init_handlers(pam_handle_t *pamh) f = fopen(filename, "r"); if (f != NULL) { /* would test magic here? */ - retval = _pam_parse_conf_file(pamh, f, pamh->service_name, PAM_T_ANY + retval = _pam_parse_conf_file(pamh, f, pamh->service_name, + PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -400,7 +427,7 @@ int _pam_init_handlers(pam_handle_t *pamh) D(("checking %s", PAM_CONFIG)); if ((f = fopen(PAM_CONFIG,"r")) != NULL) { - retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 1); + retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1); fclose(f); } else #endif /* PAM_READ_BOTH_CONFS */ 
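Review bot: The new guard `if (stack_level >= PAM_SUBSTACK_MAX_LEVEL)` in `_pam_load_conf_file` bounds only `substack` nesting, because the parser passes `stack_level + substack` and `substack` is 0 for a plain `include`. A configuration file that includes itself, directly or through another file, still recurses through `_pam_parse_conf_file` and `_pam_load_conf_file` without limit in every process that opens that service. I would carry a second depth counter that is incremented for both `include` and `substack` and checked the same way, with its own log message such as `"maximum level of inclusions reached"`. That needs one more `int` parameter on both functions, so it touches the same call sites this commit already edits.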
@@ -419,9 +446,8 @@ int _pam_init_handlers(pam_handle_t *pamh) f = fopen(PAM_DEFAULT_SERVICE_FILE, "r"); if (f != NULL) { /* would test magic here? */ - retval = _pam_parse_conf_file(pamh, f - , PAM_DEFAULT_SERVICE - , PAM_T_ANY + retval = _pam_parse_conf_file(pamh, f, PAM_DEFAULT_SERVICE, + PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -454,7 +480,7 @@ int _pam_init_handlers(pam_handle_t *pamh) return PAM_ABORT; } - retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY + retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0 #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ 
@@ -581,46 +607,19 @@ extract_modulename(const char *mod_path) return retval; } -int _pam_add_handler(pam_handle_t *pamh - , int must_fail, int other, int type - , int *actions, const char *mod_path - , int argc, char **argv, int argvlen) +static struct loaded_module * +_pam_load_module(pam_handle_t *pamh, const char *mod_path) { - struct loaded_module *mod; int x = 0; - struct handler **handler_p; - struct handler **handler_p2; - struct handlers *the_handlers; - const char *sym, *sym2; - char *mod_full_path=NULL; + int success; #ifndef PAM_STATIC char *mod_full_isa_path=NULL, *isa=NULL; #endif - servicefn func, func2; - int success; - - D(("called.")); - IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR); - - /* if NULL set to something that can be searched for */ - switch (mod_path != NULL) { - default: - if (mod_path[0] == '/') { - break; - } - if (asprintf(&mod_full_path, "%s%s", - DEFAULT_MODULE_PATH, mod_path) >= 0) { - mod_path = mod_full_path; - break; - } - mod_full_path = NULL; - pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); - case 0: - mod_path = UNKNOWN_MODULE_PATH; - } + struct loaded_module *mod; - D(("_pam_add_handler: adding type %d, module `%s'",type,mod_path)); - mod = pamh->handlers.module; + D(("_pam_load_module: loading module `%s'", mod_path)); + + mod = pamh->handlers.module; /* First, ensure the module is loaded */ while (x < pamh->handlers.modules_used) { @@ -639,9 +638,8 @@ int _pam_add_handler(pam_handle_t *pamh if (tmp == NULL) { D(("cannot enlarge module pointer memory")); pam_syslog(pamh, LOG_ERR, - "realloc returned NULL in _pam_add_handler"); - _pam_drop(mod_full_path); - return PAM_ABORT; + "realloc returned NULL in _pam_load_module"); + return NULL; } pamh->handlers.module = tmp; pamh->handlers.modules_allocated += MODULE_CHUNK; 
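Review bot: The new static function `_pam_load_module` has no header comment, and its return contract is not obvious from the signature. From the visible lines it returns a pointer into the `pamh->handlers.module` array, or NULL when `success` is not PAM_SUCCESS, and that array can be moved by the `realloc` in the next hunk. I would add a comment above the definition saying that it finds or loads `mod_path`, returns NULL only on allocation failure, and that the returned pointer is valid only until the next call, because the module array may be reallocated. The function body continues outside the hunk.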
@@ -654,10 +652,10 @@ int _pam_add_handler(pam_handle_t *pamh /* Only load static function if function was not found dynamically. * This code should work even if no dynamic loading is available. */ if (success != PAM_SUCCESS) { - D(("_pam_add_handler: open static handler %s", mod_path)); + D(("_pam_load_module: open static handler %s", mod_path)); mod->dl_handle = _pam_open_static_handler(pamh, mod_path); if (mod->dl_handle == NULL) { - D(("_pam_add_handler: unable to find static handler %s", + D(("_pam_load_module: unable to find static handler %s", mod_path)); pam_syslog(pamh, LOG_ERR, "unable to open static handler %s", mod_path); @@ -670,15 +668,15 @@ int _pam_add_handler(pam_handle_t *pamh } } #else - D(("_pam_add_handler: _pam_dlopen(%s)", mod_path)); + D(("_pam_load_module: _pam_dlopen(%s)", mod_path)); mod->dl_handle = _pam_dlopen(mod_path); - D(("_pam_add_handler: _pam_dlopen'ed")); - D(("_pam_add_handler: dlopen'ed")); + D(("_pam_load_module: _pam_dlopen'ed")); + D(("_pam_load_module: dlopen'ed")); if (mod->dl_handle == NULL) { if (strstr(mod_path, "$ISA")) { mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1); if (mod_full_isa_path == NULL) { - D(("_pam_handler: couldn't get memory for mod_path")); + D(("_pam_load_module: couldn't get memory for mod_path")); pam_syslog(pamh, LOG_ERR, "no memory for module path"); success = PAM_ABORT; } else { @@ -694,9 +692,9 @@ int _pam_add_handler(pam_handle_t *pamh } } if (mod->dl_handle == NULL) { - D(("_pam_add_handler: _pam_dlopen(%s) failed", mod_path)); - pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s)", mod_path); - pam_syslog(pamh, LOG_ERR, "[error: %s]", _pam_dlerror()); + D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path)); + pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path, + _pam_dlerror()); /* Don't abort yet; static code may be able to find function. * But defaults to abort if nothing found below... */ } else { 
@@ -717,7 +715,7 @@ int _pam_add_handler(pam_handle_t *pamh /* indicate its name - later we will search for it by this */ if ((mod->name = _pam_strdup(mod_path)) == NULL) { - D(("_pam_handler: couldn't get memory for mod_path")); + D(("_pam_load_module: couldn't get memory for mod_path")); pam_syslog(pamh, LOG_ERR, "no memory for module path"); success = PAM_ABORT; } 
@@ -726,18 +724,54 @@ int _pam_add_handler(pam_handle_t *pamh mod += x; /* the located module */ success = PAM_SUCCESS; } + return success == PAM_SUCCESS ? mod : NULL; +} + +int _pam_add_handler(pam_handle_t *pamh + , int handler_type, int other, int stack_level, int type + , int *actions, const char *mod_path + , int argc, char **argv, int argvlen) +{ + struct loaded_module *mod = NULL; + struct handler **handler_p; + struct handler **handler_p2; + struct handlers *the_handlers; + const char *sym, *sym2; + char *mod_full_path; + servicefn func, func2; + int mod_type = PAM_MT_FAULTY_MOD; + + D(("called.")); + IF_NO_PAMH("_pam_add_handler",pamh,PAM_SYSTEM_ERR); - _pam_drop(mod_full_path); - mod_path = NULL; /* no longer needed or trusted */ + D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'", + type, handler_type, mod_path)); - /* Now return error if necessary after trying all possible ways... */ - if (success != PAM_SUCCESS) - return(success); + if (handler_type == PAM_HT_MODULE && mod_path != NULL) { + if (mod_path[0] == '/') { + mod = _pam_load_module(pamh, mod_path); + } else if (asprintf(&mod_full_path, "%s%s", + DEFAULT_MODULE_PATH, mod_path) >= 0) { + mod = _pam_load_module(pamh, mod_full_path); + _pam_drop(mod_full_path); + } else { + pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); + return PAM_ABORT; + } + + if (mod == NULL) { + /* if we get here with NULL it means allocation error */ + return PAM_ABORT; + } + + mod_type = mod->type; + } + + if (mod_path == NULL) + mod_path = UNKNOWN_MODULE; /* - * At this point 'mod' points to the stored/loaded module. If its - * dl_handle is unknown, then we must be able to indicate dispatch - * failure with 'must_fail' + * At this point 'mod' points to the stored/loaded module. */ /* Now define the handler(s) based on mod->dlhandle and type */ 
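Review bot: After the new `if (handler_type == PAM_HT_MODULE && mod_path != NULL)` block, `mod` is NULL for every must-fail and substack handler, yet the retained comment still says that 'mod' points to the stored/loaded module. The symbol lookups in the following hunk (@@ -780,43) keep reading `mod->dl_handle`; those reads are skipped only because `mod_type` stays PAM_MT_FAULTY_MOD when nothing was loaded, and that invariant is not written down anywhere. I would replace the comment with `/* 'mod' is NULL unless handler_type == PAM_HT_MODULE; mod_type is then PAM_MT_FAULTY_MOD and mod must not be dereferenced */`. The function body continues outside the hunk.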
@@ -780,43 +814,43 @@ int _pam_add_handler(pam_handle_t *pamh /* are the modules reliable? */ if ( #ifdef PAM_STATIC - mod->type != PAM_MT_STATIC_MOD + mod_type != PAM_MT_STATIC_MOD && #else - mod->type != PAM_MT_DYNAMIC_MOD + mod_type != PAM_MT_DYNAMIC_MOD && #endif - mod->type != PAM_MT_FAULTY_MOD + mod_type != PAM_MT_FAULTY_MOD ) { - D(("_pam_add_handlers: illegal module library type; %d", mod->type)); + D(("_pam_add_handlers: illegal module library type; %d", mod_type)); pam_syslog(pamh, LOG_ERR, "internal error: module library type not known: %s;%d", - sym, mod->type); + sym, mod_type); return PAM_ABORT; } /* now identify this module's functions - for non-faulty modules */ #ifdef PAM_STATIC - if ((mod->type == PAM_MT_STATIC_MOD) && + if ((mod_type == PAM_MT_STATIC_MOD) && (func = (servicefn)_pam_get_static_sym(mod->dl_handle, sym)) == NULL) { pam_syslog(pamh, LOG_ERR, "unable to resolve static symbol: %s", sym); } #else - if ((mod->type == PAM_MT_DYNAMIC_MOD) && + if ((mod_type == PAM_MT_DYNAMIC_MOD) && !(func = _pam_dlsym(mod->dl_handle, sym)) ) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym); } #endif if (sym2) { #ifdef PAM_STATIC - if ((mod->type == PAM_MT_STATIC_MOD) && + if ((mod_type == PAM_MT_STATIC_MOD) && (func2 = (servicefn)_pam_get_static_sym(mod->dl_handle, sym2)) == NULL) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); } #else - if ((mod->type == PAM_MT_DYNAMIC_MOD) && + if ((mod_type == PAM_MT_DYNAMIC_MOD) && !(func2 = _pam_dlsym(mod->dl_handle, sym2)) ) { pam_syslog(pamh, LOG_ERR, "unable to resolve symbol: %s", sym2); } 
@@ -835,14 +869,15 @@ int _pam_add_handler(pam_handle_t *pamh return (PAM_ABORT); } - (*handler_p)->must_fail = must_fail; /* failure forced? */ + (*handler_p)->handler_type = handler_type; + (*handler_p)->stack_level = stack_level; (*handler_p)->func = func; memcpy((*handler_p)->actions,actions,sizeof((*handler_p)->actions)); (*handler_p)->cached_retval = _PAM_INVALID_RETVAL; (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); (*handler_p)->argc = argc; (*handler_p)->argv = argv; /* not a copy */ - (*handler_p)->mod_name = extract_modulename(mod->name); + (*handler_p)->mod_name = extract_modulename(mod_path); (*handler_p)->next = NULL; /* some of the modules have a second calling function */ @@ -857,7 +892,8 @@ int _pam_add_handler(pam_handle_t *pamh return (PAM_ABORT); } - (*handler_p2)->must_fail = must_fail; /* failure forced? */ + (*handler_p2)->handler_type = handler_type; + (*handler_p2)->stack_level = stack_level; (*handler_p2)->func = func2; memcpy((*handler_p2)->actions,actions,sizeof((*handler_p2)->actions)); (*handler_p2)->cached_retval = _PAM_INVALID_RETVAL; /* ignored */ @@ -873,7 +909,7 @@ int _pam_add_handler(pam_handle_t *pamh } else { (*handler_p2)->argv = NULL; /* no arguments */ } - (*handler_p2)->mod_name = extract_modulename(mod->name); + (*handler_p2)->mod_name = extract_modulename(mod_path); (*handler_p2)->next = NULL; } diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 8b7d9146..bf32ad44 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h @@ -44,7 +44,7 @@ #define _PAM_INVALID_RETVAL -1 /* default value for cached_retval */ struct handler { - int must_fail; + int handler_type; int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv); int actions[_PAM_RETURN_VALUES]; /* set by authenticate, open_session, chauthtok(1st) 
@@ -54,8 +54,13 @@ struct handler { char **argv; struct handler *next; char *mod_name; + int stack_level; }; +#define PAM_HT_MODULE 0 +#define PAM_HT_MUST_FAIL 1 +#define PAM_HT_SUBSTACK 2 + struct loaded_module { char *name; int type; /* PAM_STATIC_MOD or PAM_DYNAMIC_MOD */ @@ -76,7 +81,7 @@ struct handlers { }; struct service { - struct loaded_module *module; /* Only used for dynamic loading */ + struct loaded_module *module; /* Array of modules */ int modules_allocated; int modules_used; int handlers_loaded; @@ -111,6 +116,12 @@ struct _pam_fail_delay { const void *delay_fn_ptr; }; +/* initial state in substack */ +struct _pam_substack_state { + int impression; + int status; +}; + struct _pam_former_state { /* this is known and set by _pam_dispatch() */ int choice; /* which flavor of module function did we call? */ @@ -119,6 +130,7 @@ struct _pam_former_state { int depth; /* how deep in the stack were we? */ int impression; /* the impression at that time */ int status; /* the status before returning incomplete */ + struct _pam_substack_state *substates; /* array of initial substack states */ /* state info used by pam_get_user() function */ int fail_user; @@ -175,6 +187,8 @@ struct pam_handle { #define _PAM_ACTION_UNDEF -6 /* this is treated as an error ( = _PAM_ACTION_BAD) */ +#define PAM_SUBSTACK_MAX_LEVEL 16 /* maximum level of substacks */ + /* character tables for parsing config files */ extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF]; extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1]; diff --git a/libpam/pam_start.c b/libpam/pam_start.c index 6f6df6b1..7b0d3aa4 100644 --- a/libpam/pam_start.c +++ b/libpam/pam_start.c @@ -88,6 +88,7 @@ int pam_start ( (*pamh)->oldauthtok = NULL; (*pamh)->fail_delay.delay_fn_ptr = NULL; (*pamh)->former.choice = PAM_NOT_STACKED; + (*pamh)->former.substates = NULL; #ifdef HAVE_LIBAUDIT (*pamh)->audit_state = 0; #endif 
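Review bot: The three `PAM_HT_*` defines and the new `stack_level` member of `struct handler` are added without any comment, so a reader of the header cannot tell which field the constants belong to or what the level counts. I would put `/* values for struct handler.handler_type */` above the defines and declare the member as `int stack_level; /* substack nesting depth, 0 for the top-level stack */`. The second wording follows from the callers in pam_handlers.c, which pass 0 from `_pam_init_handlers` and add one per `substack`.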
diff --git a/xtests/.cvsignore b/xtests/.cvsignore index 00c9ad07..530ce890 100644 --- a/xtests/.cvsignore +++ b/xtests/.cvsignore @@ -19,3 +19,5 @@ tst-pam_unix2 tst-pam_unix3 tst-pam_succeed_if1 tst-pam_group1 +tst-pam_authfail +tst-pam_authsucceed diff --git a/xtests/Makefile.am b/xtests/Makefile.am index 8b6dbd25..62e32643 100644 --- a/xtests/Makefile.am +++ b/xtests/Makefile.am @@ -21,7 +21,13 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ tst-pam_access4.pamd tst-pam_access4.sh \ limits.conf tst-pam_limits1.pamd tst-pam_limits1.sh \ tst-pam_succeed_if1.pamd tst-pam_succeed_if1.sh \ - group.conf tst-pam_group1.pamd tst-pam_group1.sh + group.conf tst-pam_group1.pamd tst-pam_group1.sh \ + tst-pam_authfail.pamd tst-pam_authsucceed.pamd \ + tst-pam_substack1.pamd tst-pam_substack1a.pamd tst-pam_substack1.sh \ + tst-pam_substack2.pamd tst-pam_substack2a.pamd tst-pam_substack2.sh \ + tst-pam_substack3.pamd tst-pam_substack3a.pamd tst-pam_substack3.sh \ + tst-pam_substack4.pamd tst-pam_substack4a.pamd tst-pam_substack4.sh \ + tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ tst-pam_dispatch4 tst-pam_dispatch5 \ @@ -29,9 +35,13 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 \ tst-pam_access1 tst-pam_access2 tst-pam_access3 \ tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \ - tst-pam_group1 + tst-pam_group1 tst-pam_authfail tst-pam_authsucceed + +NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \ + tst-pam_substack4 tst-pam_substack5 + noinst_PROGRAMS = $(XTESTS) xtests: $(XTESTS) run-xtests.sh - "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} + "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS} diff --git a/xtests/group.conf b/xtests/group.conf index bcfe3755..04fe3ef7 100644 --- a/xtests/group.conf +++ b/xtests/group.conf 
@@ -1,3 +1,3 @@ -tst-pam_group1;tty1;tstpamgrp;Al0000-2400;tstpamgrp +tst-pam_group1;tty1;tstpamgrp;Al0000-2400;tstpamgrpg diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh index 53dbdf06..4e981858 100755 --- a/xtests/run-xtests.sh +++ b/xtests/run-xtests.sh @@ -24,7 +24,9 @@ install -m 644 "${SRCDIR}"/group.conf /etc/security/group.conf cp /etc/security/limits.conf /etc/security/limits.conf-pam-xtests install -m 644 "${SRCDIR}"/limits.conf /etc/security/limits.conf for testname in $XTESTS ; do - install -m 644 "${SRCDIR}"/$testname.pamd /etc/pam.d/$testname + for cfg in "${SRCDIR}"/$testname*.pamd ; do + install -m 644 $cfg /etc/pam.d/$(basename $cfg .pamd) + done if test -x "${SRCDIR}"/$testname.sh ; then "${SRCDIR}"/$testname.sh > /dev/null else @@ -42,7 +44,7 @@ for testname in $XTESTS ; do pass=`expr $pass + 1` fi all=`expr $all + 1` - rm -f /etc/pam.d/$testname + rm -f /etc/pam.d/$testname* done mv /etc/security/access.conf-pam-xtests /etc/security/access.conf mv /etc/security/group.conf-pam-xtests /etc/security/group.conf diff --git a/xtests/tst-pam_access1.c b/xtests/tst-pam_access1.c index 06b65f0c..457b95d4 100644 --- a/xtests/tst-pam_access1.c +++ b/xtests/tst-pam_access1.c @@ -87,7 +87,7 @@ int main(int argc, char *argv[]) { pam_handle_t *pamh = NULL; - const char *user="tstpamaccess"; + const char *user="tstpamaccess1"; int retval; int debug = 0; diff --git a/xtests/tst-pam_access1.sh b/xtests/tst-pam_access1.sh index 48d8cb3e..180d2563 100755 --- a/xtests/tst-pam_access1.sh +++ b/xtests/tst-pam_access1.sh @@ -1,9 +1,9 @@ #!/bin/bash -/usr/sbin/groupadd -p '!!' tstpamaccess -/usr/sbin/useradd -G tstpamaccess -p '!!' tstpamaccess +/usr/sbin/groupadd tstpamaccess +/usr/sbin/useradd -G tstpamaccess -p '!!' tstpamaccess1 ./tst-pam_access1 RET=$? -/usr/sbin/userdel -r tstpamaccess 2> /dev/null +/usr/sbin/userdel -r tstpamaccess1 2> /dev/null /usr/sbin/groupdel tstpamaccess 2> /dev/null exit $RET 
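Review bot: The cleanup line `rm -f /etc/pam.d/$testname*` in run-xtests.sh (second hunk) deletes by prefix in the live /etc/pam.d, so it can remove files the run did not install, and the install loop in the first hunk overwrites same-named files there without the backup that access.conf, group.conf and limits.conf get. The loop also uses `$cfg` unquoted and passes the literal pattern to `install` when the glob matches nothing. I would quote the variable, `install -m 644 "$cfg" "/etc/pam.d/$(basename "$cfg" .pamd)"`, and remove exactly what was installed with `for cfg in "${SRCDIR}"/$testname*.pamd ; do rm -f "/etc/pam.d/$(basename "$cfg" .pamd)" ; done`. The prefix glob will also pick up a future `${testname}0.pamd`-style file belonging to another test.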
diff --git a/xtests/tst-pam_access2.c b/xtests/tst-pam_access2.c index 194d07d7..b6e18812 100644 --- a/xtests/tst-pam_access2.c +++ b/xtests/tst-pam_access2.c @@ -87,7 +87,7 @@ int main(int argc, char *argv[]) { pam_handle_t *pamh = NULL; - const char *user="tstpamaccess"; + const char *user="tstpamaccess2"; int retval; int debug = 0; diff --git a/xtests/tst-pam_access2.sh b/xtests/tst-pam_access2.sh index c1b3c992..0a302759 100755 --- a/xtests/tst-pam_access2.sh +++ b/xtests/tst-pam_access2.sh @@ -1,9 +1,9 @@ #!/bin/bash -/usr/sbin/groupadd -p '!!' tstpamaccess -/usr/sbin/useradd -p '!!' tstpamaccess +/usr/sbin/groupadd tstpamaccess +/usr/sbin/useradd -p '!!' tstpamaccess2 ./tst-pam_access2 RET=$? -/usr/sbin/userdel -r tstpamaccess 2> /dev/null +/usr/sbin/userdel -r tstpamaccess2 2> /dev/null /usr/sbin/groupdel tstpamaccess 2> /dev/null exit $RET diff --git a/xtests/tst-pam_access4.c b/xtests/tst-pam_access4.c index 1e53a364..acdb46f1 100644 --- a/xtests/tst-pam_access4.c +++ b/xtests/tst-pam_access4.c @@ -87,7 +87,7 @@ int main(int argc, char *argv[]) { pam_handle_t *pamh = NULL; - const char *user="tstpamaccess"; + const char *user="tstpamaccess4"; int retval; int debug = 0; diff --git a/xtests/tst-pam_access4.sh b/xtests/tst-pam_access4.sh index 58bf260d..61e7b448 100755 --- a/xtests/tst-pam_access4.sh +++ b/xtests/tst-pam_access4.sh @@ -1,7 +1,7 @@ #!/bin/bash -/usr/sbin/useradd -p '!!' tstpamaccess +/usr/sbin/useradd -p '!!' tstpamaccess4 ./tst-pam_access4 RET=$? -/usr/sbin/userdel -r tstpamaccess 2> /dev/null +/usr/sbin/userdel -r tstpamaccess4 2> /dev/null exit $RET diff --git a/xtests/tst-pam_authfail.c b/xtests/tst-pam_authfail.c new file mode 100644 index 00000000..afdbd6a4 --- /dev/null +++ b/xtests/tst-pam_authfail.c 
@@ -0,0 +1,96 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include + +static struct pam_conv conv = { + misc_conv, + NULL +}; + + +/* Check that auth stack fails. 
*/ + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="nobody"; + const char *stack="tst-pam_authfail"; + int retval; + int debug = 0; + + if (argc > 2) { + stack = argv[2]; + } + + if (argc > 1) { + if (strcmp (argv[1], "-d") == 0) + debug = 1; + else + stack = argv[1]; + } + + + retval = pam_start(stack, user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "test3: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_authenticate(pamh, 0); + if (retval == PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "test3: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end(pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "test3: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/xtests/tst-pam_authfail.pamd b/xtests/tst-pam_authfail.pamd new file mode 100644 index 00000000..8ff1a40f --- /dev/null +++ b/xtests/tst-pam_authfail.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +# test that successful sufficient module cannot affect stack +# after failed required module +auth required pam_debug.so auth=perm_denied +auth sufficient pam_debug.so auth=success diff --git a/xtests/tst-pam_authsucceed.c b/xtests/tst-pam_authsucceed.c new file mode 100644 index 00000000..8666f3f7 --- /dev/null +++ b/xtests/tst-pam_authsucceed.c 
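Review bot: The three debug messages in the new tst-pam_authfail.c still carry the prefix `test3:`, left over from the test this file was copied from; they should name the program, e.g. `fprintf (stderr, "pam_authfail: pam_start returned %d\n", retval);`. The branch taken when `pam_authenticate` unexpectedly succeeds also returns 1 without calling `pam_end(pamh, retval)`, so the handle is never released on the failing path. tst-pam_authsucceed.c, added later in this commit, has the same `test3:` prefix and the same early return after `pam_authenticate`. The argument handling lets `argv[1]` override `argv[2]` when the first argument is not `-d`, which deserves a one-line usage comment above `main`.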
@@ -0,0 +1,96 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include + +static struct pam_conv conv = { + misc_conv, + NULL +}; + + +/* Check that auth stack succeeds. 
*/ + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="nobody"; + const char *stack="tst-pam_authsucceed"; + int retval; + int debug = 0; + + if (argc > 2) { + stack = argv[2]; + } + + if (argc > 1) { + if (strcmp (argv[1], "-d") == 0) + debug = 1; + else + stack = argv[1]; + } + + + retval = pam_start(stack, user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "test3: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_authenticate(pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "test3: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end(pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "test3: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/xtests/tst-pam_authsucceed.pamd b/xtests/tst-pam_authsucceed.pamd new file mode 100644 index 00000000..abaa1eff --- /dev/null +++ b/xtests/tst-pam_authsucceed.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +# test that failed sufficient module cannot affect stack +# with following successful required module +auth sufficient pam_debug.so auth=auth_err +auth required pam_debug.so auth=success diff --git a/xtests/tst-pam_group1.c b/xtests/tst-pam_group1.c index e4e3ca48..f5a04bc0 100644 --- a/xtests/tst-pam_group1.c +++ b/xtests/tst-pam_group1.c @@ -36,10 +36,10 @@ Check the following line in group.conf: - tst-pam_group1;*;tstpamgrp;Al0000-2400;tstpamgrp + tst-pam_group1;*;tstpamgrp;Al0000-2400;tstpamgrpg - pam_group should add group tstpamgrp to user tstpamgrp, but not + pam_group should add group tstpamgrpg to user tstpamgrp, but not to tstpamgrp2. */ @@ -193,7 +193,7 @@ main(int argc, char *argv[]) if (argc > 1 && strcmp (argv[1], "-d") == 0) debug = 1; - grp = getgrnam ("tstpamgrp"); + grp = getgrnam ("tstpamgrpg"); if (grp == NULL) return 1; grpid = grp->gr_gid; 
diff --git a/xtests/tst-pam_group1.sh b/xtests/tst-pam_group1.sh index 2d38a6ad..b76377f5 100755 --- a/xtests/tst-pam_group1.sh +++ b/xtests/tst-pam_group1.sh @@ -1,11 +1,11 @@ #!/bin/bash -/usr/sbin/groupadd -p '!!' tstpamgrp +/usr/sbin/groupadd tstpamgrpg /usr/sbin/useradd -p '!!' tstpamgrp /usr/sbin/useradd -p '!!' tstpamgrp2 ./tst-pam_group1 RET=$? /usr/sbin/userdel -r tstpamgrp 2> /dev/null /usr/sbin/userdel -r tstpamgrp2 2> /dev/null -/usr/sbin/groupdel tstpamgrp 2> /dev/null +/usr/sbin/groupdel tstpamgrpg 2> /dev/null exit $RET diff --git a/xtests/tst-pam_substack1.pamd b/xtests/tst-pam_substack1.pamd new file mode 100644 index 00000000..6eab233e --- /dev/null +++ b/xtests/tst-pam_substack1.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +# Even if the substack succeeds with sufficient +# the whole stack should fail. +auth substack tst-pam_substack1a +auth required pam_debug.so auth=auth_err diff --git a/xtests/tst-pam_substack1.sh b/xtests/tst-pam_substack1.sh new file mode 100755 index 00000000..52601755 --- /dev/null +++ b/xtests/tst-pam_substack1.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +exec ./tst-pam_authfail tst-pam_substack1 diff --git a/xtests/tst-pam_substack1a.pamd b/xtests/tst-pam_substack1a.pamd new file mode 100644 index 00000000..51c8c8fd --- /dev/null +++ b/xtests/tst-pam_substack1a.pamd @@ -0,0 +1,2 @@ +#%PAM-1.0 +auth sufficient pam_debug.so auth=success diff --git a/xtests/tst-pam_substack2.pamd b/xtests/tst-pam_substack2.pamd new file mode 100644 index 00000000..618e2986 --- /dev/null +++ b/xtests/tst-pam_substack2.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +# Even if the substack fails with requisite +# the whole stack should succeed. +auth substack tst-pam_substack2a +auth [success=reset] pam_permit.so +auth required pam_debug.so auth=success diff --git a/xtests/tst-pam_substack2.sh b/xtests/tst-pam_substack2.sh new file mode 100755 index 00000000..c02f597e --- /dev/null +++ b/xtests/tst-pam_substack2.sh 
@@ -0,0 +1,3 @@ +#!/bin/bash + +exec ./tst-pam_authsucceed tst-pam_substack2 diff --git a/xtests/tst-pam_substack2a.pamd b/xtests/tst-pam_substack2a.pamd new file mode 100644 index 00000000..db853542 --- /dev/null +++ b/xtests/tst-pam_substack2a.pamd @@ -0,0 +1,2 @@ +#%PAM-1.0 +auth requisite pam_debug.so auth=auth_err diff --git a/xtests/tst-pam_substack3.pamd b/xtests/tst-pam_substack3.pamd new file mode 100644 index 00000000..4fc6016c --- /dev/null +++ b/xtests/tst-pam_substack3.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +# Reset in the substack resets to state as of it was +# in the beginning of substack evaluation +auth required pam_permit.so +auth substack tst-pam_substack3a diff --git a/xtests/tst-pam_substack3.sh b/xtests/tst-pam_substack3.sh new file mode 100755 index 00000000..0e572aae --- /dev/null +++ b/xtests/tst-pam_substack3.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +exec ./tst-pam_authsucceed tst-pam_substack3 diff --git a/xtests/tst-pam_substack3a.pamd b/xtests/tst-pam_substack3a.pamd new file mode 100644 index 00000000..a2ae915c --- /dev/null +++ b/xtests/tst-pam_substack3a.pamd @@ -0,0 +1,3 @@ +#%PAM-1.0 +auth required pam_debug.so auth=auth_err +auth [success=reset] pam_permit.so diff --git a/xtests/tst-pam_substack4.pamd b/xtests/tst-pam_substack4.pamd new file mode 100644 index 00000000..f0017c75 --- /dev/null +++ b/xtests/tst-pam_substack4.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +# Substack is counted as one module in jumps +auth [success=1] pam_permit.so +auth substack tst-pam_substack4a +auth required pam_permit.so diff --git a/xtests/tst-pam_substack4.sh b/xtests/tst-pam_substack4.sh new file mode 100755 index 00000000..a3ef08a7 --- /dev/null +++ b/xtests/tst-pam_substack4.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +exec ./tst-pam_authsucceed tst-pam_substack4 diff --git a/xtests/tst-pam_substack4a.pamd b/xtests/tst-pam_substack4a.pamd new file mode 100644 index 00000000..3b91c1ba --- /dev/null +++ b/xtests/tst-pam_substack4a.pamd 
@@ -0,0 +1,4 @@ +#%PAM-1.0 +auth required pam_debug.so auth=auth_err +auth required pam_debug.so auth=auth_err +auth required pam_debug.so auth=auth_err diff --git a/xtests/tst-pam_substack5.pamd b/xtests/tst-pam_substack5.pamd new file mode 100644 index 00000000..04f07aeb --- /dev/null +++ b/xtests/tst-pam_substack5.pamd @@ -0,0 +1,4 @@ +#%PAM-1.0 +# Requisite terminates substack +auth required pam_permit.so +auth substack tst-pam_substack5a diff --git a/xtests/tst-pam_substack5.sh b/xtests/tst-pam_substack5.sh new file mode 100755 index 00000000..e2714fda --- /dev/null +++ b/xtests/tst-pam_substack5.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +exec ./tst-pam_authfail tst-pam_substack5 diff --git a/xtests/tst-pam_substack5a.pamd b/xtests/tst-pam_substack5a.pamd new file mode 100644 index 00000000..a6850f40 --- /dev/null +++ b/xtests/tst-pam_substack5a.pamd @@ -0,0 +1,3 @@ +#%PAM-1.0 +auth requisite pam_debug.so auth=auth_err +auth [success=reset] pam_permit.so -- cgit v1.2.3 From 675a1e8f0b0227cae757fdfa197fff944730b516 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Thu, 25 Oct 2007 21:32:48 +0000 Subject: Relevant BUGIDs: Debian bug #446327 Purpose of commit: bugfix Commit summary: --------------- 2007-10-25 Steve Langasek * modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT to be octal instead of decimal, so that it works properly in a bit field instead of forcing the "even_deny_root_account" and "no_reset" options to on. Patch from Corey Wright . --- ChangeLog | 8 ++++++++ modules/pam_tally/pam_tally.c | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 93ccb080..782fd160 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,11 @@ +2007-10-25 Steve Langasek + + * modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT + to be octal instead of decimal, so that it works properly in a + bit field instead of forcing the "even_deny_root_account" and + "no_reset" options to on. + Patch from Corey Wright . + 2007-10-19 Tomas Mraz * xtests/tst-pam_access1.c: Use different name for user and group. diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index 66fc5f35..fc818ffe 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -94,7 +94,7 @@ struct tally_options { #define OPT_PER_USER 010 #define OPT_NO_LOCK_TIME 020 #define OPT_NO_RESET 040 -#define OPT_AUDIT 100 +#define OPT_AUDIT 0100 /*---------------------------------------------------------------------*/ -- cgit v1.2.3 From a38a8eae25ee1d7adb5a5eafcf1c41e94974ed90 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 6 Nov 2007 14:46:57 +0000 Subject: Relevant BUGIDs: 1822779 Purpose of commit: bugfix Commit summary: --------------- 2007-11-06 Thorsten Kukuk * libpam/pam_static_modules.h: Fix name of pam_namespace variable. 2007-10-30 Peter Breitenlohner * tests/tst-dlopen.c: Return 77 in case of static modules, such that all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL. * libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead of "`ls ...`", to allow for static modules. * libpam/pam_static_modules.h: Make pam_keyinit module depend on HAVE_KEY_MANAGEMENT; correct name of pam_faildelay pam_module struct. * modules/pam_faildelay/pam_faildelay.c: Correct name of pam_module struct. --- ChangeLog | 15 +++ doc/man/pam.conf.5 | 152 +++++++++++++------------ libpam/Makefile.am | 2 +- libpam/pam_static_modules.h | 10 +- modules/pam_faildelay/pam_faildelay.c | 2 +- modules/pam_tally/README | 6 +- modules/pam_tally/pam_tally.8 | 205 ++++++++++++++++++++-------------- tests/tst-dlopen.c | 4 + 8 files changed, 230 insertions(+), 166 deletions(-) 
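Review bot: The neighbouring flags in the pam_tally.c hunk (`OPT_PER_USER 010`, `OPT_NO_LOCK_TIME 020`, `OPT_NO_RESET 040`) remain bare octal literals, so the next flag added without its leading zero would again compile cleanly and set several bits at once. Decimal 100 is 0144 octal, which is why a logging-only option was switching on `no_reset` and, per the commit message, `even_deny_root_account`, i.e. silently changing the lockout policy for root. Writing each flag as a shift, e.g. `#define OPT_AUDIT (1 << 6)`, makes the single-bit intent visible and removes the dependence on a leading zero. The definitions above `OPT_PER_USER` are outside the hunk and would need the same treatment.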
diff --git a/ChangeLog b/ChangeLog index 782fd160..446b1f33 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2007-11-06 Thorsten Kukuk + + * libpam/pam_static_modules.h: Fix name of pam_namespace variable. + +2007-10-30 Peter Breitenlohner + + * tests/tst-dlopen.c: Return 77 in case of static modules, such that + all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL. + * libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead + of "`ls ...`", to allow for static modules. + * libpam/pam_static_modules.h: Make pam_keyinit module depend on + HAVE_KEY_MANAGEMENT; correct name of pam_faildelay pam_module struct. + * modules/pam_faildelay/pam_faildelay.c: Correct name of pam_module + struct. + 2007-10-25 Steve Langasek * modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT diff --git a/doc/man/pam.conf.5 b/doc/man/pam.conf.5 index 850a8fa1..11fd86e7 100644 --- a/doc/man/pam.conf.5 +++ b/doc/man/pam.conf.5 
@@ -1,34 +1,34 @@ .\" Title: pam.conf .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 01/16/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM.CONF" "5" "01/16/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM\.CONF" "5" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam.conf, pam.d \- PAM configuration files +pam.conf, pam.d - PAM configuration files .SH "DESCRIPTION" .PP When a \fIPAM\fR -aware privilege granting application is started, it activates its attachment to the PAM\-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s): -\fI/etc/pam.conf\fR. Alternatively, this may be the contents of the -\fI/etc/pam.d/\fR -directory. The presence of this directory will cause Linux\-PAM to ignore -\fI/etc/pam.conf\fR. +aware privilege granting application is started, it activates its attachment to the PAM\-API\. This activation performs a number of tasks, the most important being the reading of the configuration file(s): +\fI/etc/pam\.conf\fR\. Alternatively, this may be the contents of the +\fI/etc/pam\.d/\fR +directory\. The presence of this directory will cause Linux\-PAM to ignore +\fI/etc/pam\.conf\fR\. .PP These files list the \fIPAM\fRs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM\-API in the event that individual -\fIPAM\fRs fail. +\fIPAM\fRs fail\. .PP The syntax of the -\fI/etc/pam.conf\fR -configuration file is as follows. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\\'. Comments are preceded with `#' marks and extend to the next end of line. 
+\fI/etc/pam\.conf\fR +configuration file is as follows\. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\e\'\. Comments are preceded with `#\' marks and extend to the next end of line\. .PP The format of each rule is a space separated collection of tokens, the first three being case\-insensitive: .PP @@ -36,19 +36,19 @@ The format of each rule is a space separated collection of tokens, the first thr \fB service type control module\-path module\-arguments\fR .PP The syntax of files contained in the -\fI/etc/pam.d/\fR +\fI/etc/pam\.d/\fR directory, are identical except for the absence of any \fIservice\fR -field. In this case, the +field\. In this case, the \fIservice\fR is the name of the file in the -\fI/etc/pam.d/\fR -directory. This filename must be in lower case. +\fI/etc/pam\.d/\fR +directory\. This filename must be in lower case\. .PP An important feature of \fIPAM\fR, is that a number of rules may be \fIstacked\fR -to combine the services of a number of PAMs for a given authentication task. +to combine the services of a number of PAMs for a given authentication task\. .PP The \fIservice\fR 
@@ -56,42 +56,42 @@ is typically the familiar name of the corresponding application: \fIlogin\fR and \fIsu\fR -are good examples. The +are good examples\. The \fIservice\fR\-name, \fIother\fR, is reserved for giving \fIdefault\fR -rules. Only lines that mention the current service (or in the absence of such, the +rules\. Only lines that mention the current service (or in the absence of such, the \fIother\fR -entries) will be associated with the given service\-application. +entries) will be associated with the given service\-application\. .PP The \fItype\fR -is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are: +is the management group that the rule corresponds to\. It is used to specify which of the management groups the subsequent module is to be associated with\. Valid entries are: .PP account .RS 4 -this module type performs non\-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- 'root' login only on the console. +this module type performs non\-authentication based account management\. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- \'root\' login only on the console\. .RE .PP auth .RS 4 -this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties. +this module type provides two aspects of authenticating the user\. 
Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification\. Secondly, the module can grant group membership or other privileges through its credential granting properties\. .RE .PP password .RS 4 -this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type. +this module type is required for updating the authentication token associated with the user\. Typically, there is one module for each \'challenge/response\' based authentication (auth) type\. .RE .PP session .RS 4 -this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc. +this module type is associated with doing things that need to be done for the user before/after they can be given service\. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc\. .RE .PP The third field, -\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of +\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task\. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of \fIvalue=action\fR -pairs. +pairs\. .PP For the simple (historical) syntax valid \fIcontrol\fR 
@@ -104,13 +104,13 @@ failure of such a PAM will ultimately lead to the PAM\-API returning failure but modules (for this \fIservice\fR and -\fItype\fR) have been invoked. +\fItype\fR) have been invoked\. .RE .PP requisite .RS 4 like -\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment. +\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application\. The return value is that associated with the first required or requisite module to fail\. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium\. It is conceivable that such behavior might inform an attacker of valid accounts on a system\. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment\. .RE .PP sufficient 
@@ -118,18 +118,31 @@ sufficient success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior \fIrequired\fR module has failed the success of this one is -\fIignored\fR). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules. +\fIignored\fR)\. A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded\. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules\. .RE .PP optional .RS 4 the success or failure of this module is only important if it is the only module in the stack associated with this -\fIservice\fR+\fItype\fR. +\fIservice\fR+\fItype\fR\. .RE .PP include .RS 4 -include all lines of given type from the configuration file specified as an argument to this control. +include all lines of given type from the configuration file specified as an argument to this control\. +.RE +.PP +substack +.RS 4 +include all lines of given type from the configuration file specified as an argument to this control\. This differs from +\fIinclude\fR +in that evaluation of the +\fIdone\fR +and +\fIdie\fR +actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack\. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack\. The +\fIreset\fR +action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation\. .RE .PP For the more complicated syntax valid 
@@ -138,14 +151,14 @@ values have the following form: .sp .RS 4 .nf - [value1=action1 value2=action2 ...] + [value1=action1 value2=action2 \.\.\.] .fi .RE .PP Where \fIvalueN\fR -corresponds to the return code from the function invoked in the module for which the line is defined. It is selected from one of these: +corresponds to the return code from the function invoked in the module for which the line is defined\. It is selected from one of these: \fIsuccess\fR, \fIopen_err\fR, \fIsymbol_err\fR, 
@@ -177,52 +190,51 @@ corresponds to the return code from the function invoked in the module for which \fImodule_unknown\fR, \fIbad_item\fR, \fIconv_again\fR, -\fIincomplete\fR, -and -\fIdefault\fR. +\fIincomplete\fR, and +\fIdefault\fR\. .PP The last of these, -\fIdefault\fR, implies 'all -\fIvalueN\fR's not mentioned explicitly. Note, the full list of PAM errors is available in -\fI/usr/include/security/_pam_types.h\fR. The +\fIdefault\fR, implies \'all +\fIvalueN\fR\'s not mentioned explicitly\. Note, the full list of PAM errors is available in +\fI/usr/include/security/_pam_types\.h\fR\. The \fIactionN\fR can be: an unsigned integer, -\fIn\fR, signifying an action of 'jump over the next +\fIn\fR, signifying an action of \'jump over the next \fIn\fR -modules in the stack', or take one of the following forms: +modules in the stack\'; or take one of the following forms: .PP ignore .RS 4 -when used with a stack of modules, the module's return status will not contribute to the return code the application obtains. +when used with a stack of modules, the module\'s return status will not contribute to the return code the application obtains\. .RE .PP bad .RS 4 -this action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack. +this action indicates that the return code should be thought of as indicative of the module failing\. If this module is the first in the stack to fail, its status value will be used for that of the whole stack\. .RE .PP die .RS 4 -equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application. +equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application\. 
.RE .PP ok .RS 4 -this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules. In other words, if the former state of the stack would lead to a return of -\fIPAM_SUCCESS\fR, the module's return code will override this value. Note, if the former state of the stack holds some value that is indicative of a modules failure, this 'ok' value will not be used to override that value. +this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules\. In other words, if the former state of the stack would lead to a return of +\fIPAM_SUCCESS\fR, the module\'s return code will override this value\. Note, if the former state of the stack holds some value that is indicative of a modules failure, this \'ok\' value will not be used to override that value\. .RE .PP done .RS 4 -equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application. +equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application\. .RE .PP reset .RS 4 -clear all memory of the state of the module stack and start again with the next stacked module. +clear all memory of the state of the module stack and start again with the next stacked module\. .RE .PP -Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows: +Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [\.\.\.] syntax\. They are as follows: .PP required .RS 4 
@@ -246,43 +258,43 @@ optional .PP \fImodule\-path\fR -is either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location: +is either the full filename of the PAM to be used by the application (it begins with a \'/\'), or a relative pathname from the default module location: \fI/lib/security/\fR or -\fI/lib64/security/\fR, depending on the architecture. +\fI/lib64/security/\fR, depending on the architecture\. .PP \fImodule\-arguments\fR -are a space separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets. +are a space separated list of tokens that can be used to modify the specific behavior of the given PAM\. Such arguments will be documented for each individual module\. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets\. .sp .RS 4 .nf - squid auth required pam_mysql.so user=passwd_query passwd=mada \\ - db=eminence [query=select user_name from internet_service \\ - where user_name='%u' and password=PASSWORD('%p') and \\ - service='web_proxy'] + squid auth required pam_mysql\.so user=passwd_query passwd=mada \e + db=eminence [query=select user_name from internet_service \e + where user_name=\'%u\' and password=PASSWORD(\'%p\') and \e + service=\'web_proxy\'] .fi .RE .PP -When using this convention, you can include `[' characters inside the string, and if you wish to include a `]' character inside the string that will survive the argument parsing, you should use `\\['. In other words: +When using this convention, you can include `[\' characters inside the string, and if you wish to include a `]\' character inside the string that will survive the argument parsing, you should use `\e]\'\. 
In other words: .sp .RS 4 .nf - [..[..\\]..] \-\-> ..[..].. + [\.\.[\.\.\e]\.\.] \-\-> \.\.[\.\.]\.\. .fi .RE .PP -Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail. A corresponding error is written to the system log files with a call to -\fBsyslog\fR(3). +Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail\. A corresponding error is written to the system log files with a call to +\fBsyslog\fR(3)\. .PP More flexible than the single configuration file is it to configure libpam via the contents of the -\fI/etc/pam.d/\fR -directory. In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service. +\fI/etc/pam\.d/\fR +directory\. In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service\. .PP -The syntax of each file in /etc/pam.d/ is similar to that of the -\fI/etc/pam.conf\fR +The syntax of each file in /etc/pam\.d/ is similar to that of the +\fI/etc/pam\.conf\fR file and is made up of lines of the following form: .sp .RS 4 @@ -292,11 +304,11 @@ type control module\-path module\-arguments .fi .RE .PP -The only difference being that the service\-name is not present. The service\-name is of course the name of the given configuration file. For example, -\fI/etc/pam.d/login\fR +The only difference being that the service\-name is not present\. The service\-name is of course the name of the given configuration file\. For example, +\fI/etc/pam\.d/login\fR contains the configuration for the \fBlogin\fR -service. +service\. .SH "SEE ALSO" .PP 
diff --git a/libpam/Makefile.am b/libpam/Makefile.am index a0955441..0c188fdc 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -24,7 +24,7 @@ libpam_la_LDFLAGS = -no-undefined -version-info 81:9:81 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ if STATIC_MODULES - libpam_la_LIBADD += `ls ../modules/pam_*/*.lo` \ + libpam_la_LIBADD += $(shell ls ../modules/pam_*/*.lo) \ @LIBDB@ @LIBCRYPT@ @LIBNSL@ @LIBCRACK@ -lutil endif if HAVE_VERSIONING diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h index 27b70826..5445c5fe 100644 --- a/libpam/pam_static_modules.h +++ b/libpam/pam_static_modules.h @@ -45,7 +45,9 @@ extern struct pam_module _pam_filter_modstruct; extern struct pam_module _pam_ftp_modstruct; extern struct pam_module _pam_group_modstruct; extern struct pam_module _pam_issue_modstruct; +#ifdef HAVE_KEY_MANAGEMENT extern struct pam_module _pam_keyinit_modstruct; +#endif extern struct pam_module _pam_lastlog_modstruct; extern struct pam_module _pam_limits_modstruct; extern struct pam_module _pam_listfile_modstruct; @@ -55,7 +57,7 @@ extern struct pam_module _pam_mail_modstruct; extern struct pam_module _pam_mkhomedir_modstruct; extern struct pam_module _pam_motd_modstruct; #ifdef HAVE_UNSHARE -extern struct pam_module _pam_namespace; +extern struct pam_module _pam_namespace_modstruct; #endif extern struct pam_module _pam_nologin_modstruct; extern struct pam_module _pam_permit_modstruct; @@ -92,12 +94,14 @@ static struct pam_module *static_modules[] = { &_pam_echo_modstruct, &_pam_env_modstruct, &_pam_exec_modstruct, - &_pam_faildelay, + &_pam_faildelay_modstruct, &_pam_filter_modstruct, &_pam_ftp_modstruct, &_pam_group_modstruct, &_pam_issue_modstruct, +#ifdef HAVE_KEY_MANAGEMENT &_pam_keyinit_modstruct, +#endif &_pam_lastlog_modstruct, &_pam_limits_modstruct, &_pam_listfile_modstruct, 
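Review bot: The glob on the new `libpam_la_LIBADD +=` line links every `.lo` that happens to exist under `../modules/pam_*/`, so a stale object left over from an earlier configure run, or one belonging to a module disabled in this build, ends up inside libpam without any list recording it. Since the line is GNU-make-specific after this change anyway, `$(wildcard ../modules/pam_*/*.lo)` would give the same expansion without spawning `ls`. An explicit per-module list driven by the same conditionals as pam_static_modules.h would be stricter still, because the set of code linked into the authentication library would then be reviewable in the Makefile.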
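Review bot: The `#ifdef HAVE_KEY_MANAGEMENT` pair added in pam_static_modules.h (around the `extern` declaration in the first hunk and around `&_pam_keyinit_modstruct` in the `static_modules[]` hunk) only works if the macro is defined before this header is read and matches the condition under which pam_keyinit is built; neither is visible in these hunks. If the two drift apart the static build either fails to link or silently omits the module, and the second case would presumably surface only when a stack naming pam_keyinit fails to load. A short comment above the first guard would record the dependency, e.g. `/* Guards must mirror the configure conditionals that build each module; config.h must be included first. */`. The declaration list and the array both continue outside these hunks.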
@@ -107,7 +111,7 @@ static struct pam_module *static_modules[] = { &_pam_mkhomedir_modstruct, &_pam_motd_modstruct, #ifdef HAVE_UNSHARE - &_pam_namespace, + &_pam_namespace_modstruct, #endif &_pam_nologin_modstruct, &_pam_permit_modstruct, diff --git a/modules/pam_faildelay/pam_faildelay.c b/modules/pam_faildelay/pam_faildelay.c index 16cb7458..072b7dd3 100644 --- a/modules/pam_faildelay/pam_faildelay.c +++ b/modules/pam_faildelay/pam_faildelay.c @@ -216,7 +216,7 @@ int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, /* static module data */ -struct pam_module _pam_rootok_modstruct = { +struct pam_module _pam_faildelay_modstruct = { "pam_faildelay", pam_sm_authenticate, pam_sm_setcred, diff --git a/modules/pam_tally/README b/modules/pam_tally/README index cfd8a468..d3bf5354 100644 --- a/modules/pam_tally/README +++ b/modules/pam_tally/README @@ -39,7 +39,7 @@ GLOBAL OPTIONS audit - Will display the username typed if the user is not found. + Will log the user name into the system log if the user is not found. AUTH OPTIONS @@ -81,10 +81,6 @@ AUTH OPTIONS Root account can become unavailable. - even_deny_root_account - - Root account can become unavailable. - per_user If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field diff --git a/modules/pam_tally/pam_tally.8 b/modules/pam_tally/pam_tally.8 index a4476b6b..69b95624 100644 --- a/modules/pam_tally/pam_tally.8 +++ b/modules/pam_tally/pam_tally.8 
@@ -1,133 +1,158 @@ .\" Title: pam_tally .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/18/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 10/12/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_TALLY" "8" "06/18/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TALLY" "8" "10/12/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_tally \- The login counter (tallying) module +pam_tally - The login counter (tallying) module .SH "SYNOPSIS" .HP 13 -\fBpam_tally.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] +\fBpam_tally\.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] .HP 10 \fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] .SH "DESCRIPTION" .PP -This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail. +This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\. .PP pam_tally comes in two parts: -\fBpam_tally.so\fR +\fBpam_tally\.so\fR and -\fBpam_tally\fR. The former is the PAM module and the latter, a stand\-alone program. +\fBpam_tally\fR\. The former is the PAM module and the latter, a stand\-alone program\. \fBpam_tally\fR -is an (optional) application which can be used to interrogate and manipulate the counter file. It can display users' counts, set individual counts, or clear all counts. 
Setting artificially high counts may be useful for blocking users without changing their passwords. For example, one might find it useful to clear all counts every midnight from a cron job. The +is an (optional) application which can be used to interrogate and manipulate the counter file\. It can display users\' counts, set individual counts, or clear all counts\. Setting artificially high counts may be useful for blocking users without changing their passwords\. For example, one might find it useful to clear all counts every midnight from a cron job\. The \fBfaillog\fR(8) -command can be used instead of pam_tally to to maintain the counter file. +command can be used instead of pam_tally to to maintain the counter file\. .PP Normally, failed attempts to access \fIroot\fR will \fBnot\fR -cause the root account to become blocked, to prevent denial\-of\-service: if your users aren't given shell accounts and root may only login via +cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via \fBsu\fR -or at the machine console (not telnet/rsh, etc), this is safe. +or at the machine console (not telnet/rsh, etc), this is safe\. .SH "OPTIONS" -.TP 3n +.PP GLOBAL OPTIONS +.RS 4 This can be used for \fIauth\fR and \fIaccount\fR -services. -.RS 3n -.TP 3n +services\. +.PP \fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR +.RS 4 If something weird happens (like unable to open the file), return with \fBPAM_SUCESS\fR if \fBonerr=\fR\fB\fIsucceed\fR\fR -is given, else with the corresponding PAM error code. -.TP 3n +is given, else with the corresponding PAM error code\. +.RE +.PP \fBfile=\fR\fB\fI/path/to/counter\fR\fR -File where to keep counts. Default is -\fI/var/log/faillog\fR. -.TP 3n +.RS 4 +File where to keep counts\. Default is +\fI/var/log/faillog\fR\. +.RE +.PP \fBaudit\fR -Will display the username typed if the user is not found. 
+.RS 4 +Will log the user name into the system log if the user is not found\. +.RE .RE -.TP 3n +.PP AUTH OPTIONS -Authentication phase first checks if user should be denied access and if not it increments attempted login counter. Then on call to +.RS 4 +Authentication phase first checks if user should be denied access and if not it increments attempted login counter\. Then on call to \fBpam_setcred\fR(3) -it resets the attempts counter. -.RS 3n -.TP 3n +it resets the attempts counter\. +.PP \fBdeny=\fR\fB\fIn\fR\fR +.RS 4 Deny access if tally for this user exceeds -\fIn\fR. -.TP 3n +\fIn\fR\. +.RE +.PP \fBlock_time=\fR\fB\fIn\fR\fR +.RS 4 Always deny for \fIn\fR -seconds after failed attempt. -.TP 3n +seconds after failed attempt\. +.RE +.PP \fBunlock_time=\fR\fB\fIn\fR\fR +.RS 4 Allow access after \fIn\fR -seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator. -.TP 3n +seconds after failed attempt\. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\. +.RE +.PP \fBmagic_root\fR -If the module is invoked by a user with uid=0 the counter is not incremented. The sys\-admin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted. -.TP 3n +.RS 4 +If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted\. +.RE +.PP \fBno_lock_time\fR -Do not use the .fail_locktime field in +.RS 4 +Do not use the \.fail_locktime field in \fI/var/log/faillog\fR -for this user. -.TP 3n +for this user\. 
+.RE +.PP \fBno_reset\fR -Don't reset count on successful entry, only decrement. -.TP 3n -\fBeven_deny_root_account\fR -Root account can become unavailable. -.TP 3n +.RS 4 +Don\'t reset count on successful entry, only decrement\. +.RE +.PP \fBeven_deny_root_account\fR -Root account can become unavailable. -.TP 3n +.RS 4 +Root account can become unavailable\. +.RE +.PP \fBper_user\fR +.RS 4 If \fI/var/log/faillog\fR -contains a non\-zero .fail_max/.fail_locktime field for this user then use it instead of +contains a non\-zero \.fail_max/\.fail_locktime field for this user then use it instead of \fBdeny=\fR\fB\fIn\fR\fR/ \fBlock_time=\fR\fB\fIn\fR\fR -parameter. -.TP 3n +parameter\. +.RE +.PP \fBno_lock_time\fR -Don't use .fail_locktime filed in +.RS 4 +Don\'t use \.fail_locktime filed in \fI/var/log/faillog\fR -for this user. +for this user\. +.RE .RE -.TP 3n +.PP ACCOUNT OPTIONS +.RS 4 Account phase resets attempts counter if the user is \fBnot\fR -magic root. This phase can be used optionaly for services which don't call +magic root\. This phase can be used optionaly for services which don\'t call \fBpam_setcred\fR(3) -correctly or if the reset should be done regardless of the failure of the account phase of other modules. -.RS 3n -.TP 3n +correctly or if the reset should be done regardless of the failure of the account phase of other modules\. +.PP \fBmagic_root\fR -If the module is invoked by a user with uid=0 the counter is not incremented. The sys\-admin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted. -.TP 3n +.RS 4 +If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted\. +.RE +.PP \fBno_reset\fR -Don't reset count on successful entry, only decrement. +.RS 4 +Don\'t reset count on successful entry, only decrement\. +.RE .RE .SH "MODULE SERVICES PROVIDED" .PP 
@@ -135,47 +160,55 @@ The \fBauth\fR and \fBaccount\fR -services are supported. +services are supported\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_AUTH_ERR -A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins. -.TP 3n +.RS 4 +A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\. +.RE +.PP PAM_SUCCESS -Everything was successfull. -.TP 3n +.RS 4 +Everything was successfull\. +.RE +.PP PAM_USER_UNKNOWN -User not known. +.RS 4 +User not known\. +.RE .SH "EXAMPLES" .PP Add the following line to -\fI/etc/pam.d/login\fR -to lock the account after too many failed logins. The number of allowed fails is specified by +\fI/etc/pam\.d/login\fR +to lock the account after too many failed logins\. The number of allowed fails is specified by \fI/var/log/faillog\fR and needs to be set with pam_tally or \fBfaillog\fR(8) -before. +before\. .sp -.RS 3n +.RS 4 .nf -auth required pam_securetty.so -auth required pam_tally.so per_user -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard +auth required pam_securetty\.so +auth required pam_tally\.so per_user +auth required pam_env\.so +auth required pam_unix\.so +auth required pam_nologin\.so +account required pam_unix\.so +password required pam_unix\.so +session required pam_limits\.so +session required pam_unix\.so +session required pam_lastlog\.so nowtmp +session optional pam_mail\.so standard .fi .RE .SH "FILES" -.TP 3n +.PP \fI/var/log/faillog\fR +.RS 4 failure logging file +.RE .SH "SEE ALSO" .PP 
@@ -185,4 +218,4 @@ failure logging file \fBpam\fR(8) .SH "AUTHOR" .PP -pam_tally was written by Tim Baverstock and Tomas Mraz. +pam_tally was written by Tim Baverstock and Tomas Mraz\. diff --git a/tests/tst-dlopen.c b/tests/tst-dlopen.c index 272d58bc..e4770eea 100644 --- a/tests/tst-dlopen.c +++ b/tests/tst-dlopen.c @@ -19,6 +19,9 @@ /* Simple program to see if dlopen() would succeed. */ int main(int argc, char **argv) { +#ifdef PAM_STATIC + return 77; +#else int i; struct stat st; char buf[PATH_MAX]; @@ -40,5 +43,6 @@ int main(int argc, char **argv) } } return 0; +#endif } -- cgit v1.2.3 From d6e1da52bb5b01a93a60d3aff1223eb6a19082cd Mon Sep 17 00:00:00 2001 
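Review bot: The `return 77;` added under `#ifdef PAM_STATIC` in the first tst-dlopen.c hunk is an unexplained magic number; a comment such as `/* 77 = automake exit status for a skipped test */` would say why a static build neither passes nor fails here. The ChangeLog entry gives that reason (the modules/pam_*/tst-pam_* tests should yield SKIP instead of FAIL), but the source file does not. In that branch `argc` and `argv` are also unused, which may produce unused-parameter warnings depending on the warning flags in use. The body of main() continues outside both hunks, so the dlopen loop itself is not reviewed here.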
From: Thorsten Kukuk Date: Tue, 6 Nov 2007 14:58:53 +0000 Subject: Relevant BUGIDs: 1822762 Purpose of commit: bugfix Commit summary: --------------- 2007-11-01 Peter Breitenlohner * doc/man/pam_conv.3.xml: Correct typo. 2007-10-30 Peter Breitenlohner * modules/pam_cracklib/pam_cracklib.8.xml: Correct typo. * modules/pam_limits/limits.conf.5.xml: Likewise. * modules/pam_listfile/pam_listfile.8.xml: Likewise. * modules/pam_xauth/pam_xauth.8.xml: Likewise. * modules/pam_deny/pam_deny.8.xml: Correct spelling. * modules/pam_group/pam_group.8.xml: Likewise. * modules/pam_permit/pam_permit.8.xml: Likewise. * modules/pam_shells/pam_shells.8.xml: Likewise. * modules/pam_time/pam_time.8.xml: Likewise. * modules/pam_warn/pam_warn.8.xml: Likewise. --- ChangeLog | 18 ++++ doc/man/pam_conv.3 | 104 +++++++++++++---------- doc/man/pam_conv.3.xml | 4 +- modules/pam_cracklib/pam_cracklib.8 | 142 ++++++++++++++++---------------- modules/pam_cracklib/pam_cracklib.8.xml | 2 +- modules/pam_deny/pam_deny.8 | 74 +++++++++-------- modules/pam_deny/pam_deny.8.xml | 2 +- modules/pam_group/pam_group.8 | 80 ++++++++++-------- modules/pam_group/pam_group.8.xml | 2 +- modules/pam_limits/limits.conf.5 | 56 ++++++------- modules/pam_limits/limits.conf.5.xml | 2 +- modules/pam_listfile/README | 2 +- modules/pam_listfile/pam_listfile.8 | 74 ++++++++--------- modules/pam_listfile/pam_listfile.8.xml | 2 +- modules/pam_permit/README | 2 +- modules/pam_permit/pam_permit.8 | 40 ++++----- modules/pam_permit/pam_permit.8.xml | 2 +- modules/pam_shells/README | 2 +- modules/pam_shells/pam_shells.8 | 52 +++++++----- modules/pam_shells/pam_shells.8.xml | 2 +- modules/pam_time/pam_time.8 | 68 ++++++++------- modules/pam_time/pam_time.8.xml | 2 +- modules/pam_warn/README | 2 +- modules/pam_warn/pam_warn.8 | 56 +++++++------ modules/pam_warn/pam_warn.8.xml | 2 +- modules/pam_xauth/README | 6 +- modules/pam_xauth/pam_xauth.8 | 138 ++++++++++++++++++------------- modules/pam_xauth/pam_xauth.8.xml | 2 +- 28 files 
changed, 523 insertions(+), 417 deletions(-) diff --git a/ChangeLog b/ChangeLog index 446b1f33..fd3dbe12 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,8 +2,24 @@ * libpam/pam_static_modules.h: Fix name of pam_namespace variable. +2007-11-01 Peter Breitenlohner + + * doc/man/pam_conv.3.xml: Correct typo. + 2007-10-30 Peter Breitenlohner + * modules/pam_cracklib/pam_cracklib.8.xml: Correct typo. + * modules/pam_limits/limits.conf.5.xml: Likewise. + * modules/pam_listfile/pam_listfile.8.xml: Likewise. + * modules/pam_xauth/pam_xauth.8.xml: Likewise. + + * modules/pam_deny/pam_deny.8.xml: Correct spelling. + * modules/pam_group/pam_group.8.xml: Likewise. + * modules/pam_permit/pam_permit.8.xml: Likewise. + * modules/pam_shells/pam_shells.8.xml: Likewise. + * modules/pam_time/pam_time.8.xml: Likewise. + * modules/pam_warn/pam_warn.8.xml: Likewise. + * tests/tst-dlopen.c: Return 77 in case of static modules, such that all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL. * libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead @@ -74,6 +90,7 @@ * xtests/tst-pam_substack5.sh: Likewise. 2007-10-18 Tomas Mraz + * xtests/tst-pam_dispatch4.c: Fix comment about the test. * xtests/tst-pam_dispatch4.pamd: Improve the testcase. * xtests/tst-pam_cracklib2.c: Make the testcase more robust. @@ -85,6 +102,7 @@ * xtests/tst-pam_dispatch5.pamd: New test configuration. 2007-10-09 Tomas Mraz + * modules/pam_tally/pam_tally.8.xml: Document audit option correctly. diff --git a/doc/man/pam_conv.3 b/doc/man/pam_conv.3 index 34b61fb3..4465adfc 100644 --- a/doc/man/pam_conv.3 +++ b/doc/man/pam_conv.3 
@@ -1,26 +1,26 @@ .\" Title: pam_conv .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_CONV" "3" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_conv \- PAM conversation function +pam_conv - PAM conversation function .SH "SYNOPSIS" .sp .ft B .nf -#include +#include .fi .ft .sp -.RS 3n +.RS 4 .nf struct pam_message { int msg_style; 
@@ -42,83 +42,99 @@ struct pam_conv { .RE .SH "DESCRIPTION" .PP -The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the +The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\. This callback is specified by the \fIstruct pam_conv\fR passed to \fBpam_start\fR(3) -at the start of the transaction. +at the start of the transaction\. .PP When a module calls the referenced conv() function, the argument \fIappdata_ptr\fR -is set to the second element of this structure. +is set to the second element of this structure\. .PP -The other arguments of a call to conv() concern the information exchanged by module and application. That is to say, +The other arguments of a call to conv() concern the information exchanged by module and application\. That is to say, \fInum_msg\fR holds the length of the array of pointers, -\fImsg\fR. After a successful return, the pointer +\fImsg\fR\. After a successful return, the pointer \fIresp\fR -points to an array of pam_response structures, holding the application supplied text. The +points to an array of pam_response structures, holding the application supplied text\. The \fIresp_retcode\fR -member of this struct is unused and should be set to zero. It is the caller's responsibility to release both, this array and the responses themselves, using -\fBfree\fR(3). Note, +member of this struct is unused and should be set to zero\. It is the caller\'s responsibility to release both, this array and the responses themselves, using +\fBfree\fR(3)\. Note, \fI*resp\fR is a \fIstruct pam_response\fR -array and not an array of pointers. +array and not an array of pointers\. .PP The number of responses is always equal to the \fInum_msg\fR -conversation function argument. 
This does require that the response array is -\fBfree\fR(3)'d after every call to the conversation function. The index of the responses corresponds directly to the prompt index in the pam_message array. +conversation function argument\. This does require that the response array is +\fBfree\fR(3)\'d after every call to the conversation function\. The index of the responses corresponds directly to the prompt index in the pam_message array\. .PP -On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes. +On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\. .PP Each message can have one of four types, specified by the \fImsg_style\fR member of \fIstruct pam_message\fR: -.TP 3n +.PP PAM_PROMPT_ECHO_OFF -Obtain a string without echoing any text. -.TP 3n +.RS 4 +Obtain a string without echoing any text\. +.RE +.PP PAM_PROMPT_ECHO_ON -Obtain a string whilst echoing text. -.TP 3n +.RS 4 +Obtain a string whilst echoing text\. +.RE +.PP PAM_ERROR_MSG -Display an error message. -.TP 3n +.RS 4 +Display an error message\. +.RE +.PP PAM_TEXT_INFO -Display some text. +.RS 4 +Display some text\. +.RE .PP -The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once. +The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\. 
.PP -In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris' PAM (and derivitives, known to include HP/UX, are there others?) does. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[]). Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_meg read only 'struct pam_message' pointers. Solaris' PAM implementation interprets this argument as a pointer to a pointer to an array of num_meg pam_message structures. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems. +In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) does\. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\. 
Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\. .PP For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are: -.TP 3n -\(bu -never call the conversation function with num_msg greater than one. -.TP 3n -\(bu -set up msg as doubly referenced so both types of conversation function can find the messages. That is, make .sp -.RS 3n +.RS 4 +\h'-04'\(bu\h'+03'never call the conversation function with num_msg greater than one\. +.RE +.sp +.RS 4 +\h'-04'\(bu\h'+03'set up msg as doubly referenced so both types of conversation function can find the messages\. That is, make +.sp +.RS 4 .nf msg[n] = & (( *msg )[n]) .fi .RE +.RE .SH "RETURN VALUES" -.TP 3n +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_CONV_ERR -Conversation failure. The application should not set -\fI*resp\fR. -.TP 3n +.RS 4 +Conversation failure\. The application should not set +\fI*resp\fR\. +.RE +.PP PAM_SUCCESS -Success. +.RS 4 +Success\. +.RE .SH "SEE ALSO" .PP diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml index 73bb37cc..0098ff94 100644 --- a/doc/man/pam_conv.3.xml +++ b/doc/man/pam_conv.3.xml 
@@ -142,10 +142,10 @@ struct pam_conv { const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[]). Said another way Linux-PAM - interprets the msg argument as a pointer to an array of num_meg read + interprets the msg argument as a pointer to an array of num_msg read only 'struct pam_message' pointers. Solaris' PAM implementation interprets this argument as a pointer to a pointer to an array of - num_meg pam_message structures. Fortunately, perhaps, for most + num_msg pam_message structures. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent. Unfortunately, casually raising this number to two has led to unanticipated compatibility diff --git a/modules/pam_cracklib/pam_cracklib.8 b/modules/pam_cracklib/pam_cracklib.8 index 8ccf8059..f9ccea46 100644 --- a/modules/pam_cracklib/pam_cracklib.8 +++ b/modules/pam_cracklib/pam_cracklib.8 
@@ -1,33 +1,33 @@ .\" Title: pam_cracklib .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 06/20/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_CRACKLIB" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_CRACKLIB" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_cracklib \- PAM module to check the password against dictionary words +pam_cracklib - PAM module to check the password against dictionary words .SH "SYNOPSIS" .HP 16 -\fBpam_cracklib.so\fR [\fI...\fR] +\fBpam_cracklib\.so\fR [\fI\.\.\.\fR] .SH "DESCRIPTION" .PP This module can be plugged into the \fIpassword\fR -stack of a given application to provide some plug\-in strength\-checking for passwords. +stack of a given application to provide some plug\-in strength\-checking for passwords\. .PP -The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices. +The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\. .PP -The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token. +The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\. 
All being well, the password is passed on to subsequent modules to be installed as the new authentication token\. .PP The strength checks works in the following manner: at first the \fBCracklib\fR -routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are: +routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\. These checks are: .PP Palindrome .RS 4 @@ -43,15 +43,15 @@ Similar .RS 4 Is the new password too much like the old one? This is primarily controlled by one argument, \fBdifok\fR -which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller. +which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\. .sp To avoid the lockup associated with trying to change a long and complicated password, \fBdifignore\fR -is available. This argument can be used to specify the minimum length a new password needs to be before the +is available\. This argument can be used to specify the minimum length a new password needs to be before the \fBdifok\fR -value is ignored. The default value for +value is ignored\. The default value for \fBdifignore\fR -is 23. +is 23\. .RE .PP Simple @@ -61,7 +61,7 @@ Is the new password too small? This is controlled by 5 arguments \fBdcredit\fR, \fBucredit\fR, \fBlcredit\fR, and -\fBocredit\fR. See the section on the arguments for the details of how these work and there defaults. +\fBocredit\fR\. See the section on the arguments for the details of how these work and there defaults\. .RE .PP Rotated 
@@ -72,10 +72,10 @@ Is the new password a rotated version of the old password? Already used .RS 4 Was the password used in the past? Previously used passwords are to be found in -\fI/etc/security/opasswd\fR. +\fI/etc/security/opasswd\fR\. .RE .PP -This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password. +This module with no arguments will work well for standard unix password encryption\. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\.\.\. In addition, the default action is to allow passwords as small as 5 characters in length\. For a md5 systems it can be a good idea to increase the required minimum size of a password\. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\. 
.SH "OPTIONS" .PP .PP @@ -83,21 +83,21 @@ This module with no arguments will work well for standard unix password encrypti .RS 4 This option makes the module write information to \fBsyslog\fR(3) -indicating the behavior of the module (this option does not write password information to the log file). +indicating the behavior of the module (this option does not write password information to the log file)\. .RE .PP \fBtype=\fR\fB\fIXXX\fR\fR .RS 4 -The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word +The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\. The default word \fIUNIX\fR -can be replaced with this option. +can be replaced with this option\. .RE .PP \fBretry=\fR\fB\fIN\fR\fR .RS 4 Prompt user at most \fIN\fR -times before returning with error. The default is +times before returning with error\. The default is \fI1\fR .RE .PP 
@@ -105,98 +105,98 @@ times before returning with error. The default is .RS 4 This argument will change the default of \fI5\fR -for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway. +for the number of characters in the new password that must not be present in the old password\. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\. .RE .PP \fBdifignore=\fR\fB\fIN\fR\fR .RS 4 -How many characters should the password have before difok will be ignored. The default is -\fI23\fR. +How many characters should the password have before difok will be ignored\. The default is +\fI23\fR\. .RE .PP \fBminlen=\fR\fB\fIN\fR\fR .RS 4 -The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, +The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, \fIupper\fR, \fIlower\fR and -\fIdigit\fR). The default for this parameter is +\fIdigit\fR)\. The default for this parameter is \fI9\fR -which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in +which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\. 
Note that there is a pair of length limits in \fICracklib\fR itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to -\fBminlen\fR. If you want to allow passwords as short as 5 characters you should not use this module. +\fBminlen\fR\. If you want to allow passwords as short as 5 characters you should not use this module\. .RE .PP \fBdcredit=\fR\fB\fIN\fR\fR .RS 4 -(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or +(N >= 0) This is the maximum credit for having digits in the new password\. If you have less than or \fIN\fR digits, each digit will count +1 towards meeting the current \fBminlen\fR -value. The default for +value\. The default for \fBdcredit\fR is 1 which is the recommended value for \fBminlen\fR -less than 10. +less than 10\. .sp -(N < 0) This is the minimum number of digits that must be met for a new password. +(N < 0) This is the minimum number of digits that must be met for a new password\. .RE .PP \fBucredit=\fR\fB\fIN\fR\fR .RS 4 -(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or +(N >= 0) This is the maximum credit for having upper case letters in the new password\. If you have less than or \fIN\fR upper case letters each letter will count +1 towards meeting the current \fBminlen\fR -value. The default for +value\. The default for \fBucredit\fR is \fI1\fR which is the recommended value for \fBminlen\fR -less than 10. +less than 10\. .sp -(N > 0) This is the minimum number of upper case letters that must be met for a new password. +(N > 0) This is the minimum number of upper case letters that must be met for a new password\. .RE .PP \fBlcredit=\fR\fB\fIN\fR\fR .RS 4 -(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or +(N >= 0) This is the maximum credit for having lower case letters in the new password\. 
If you have less than or \fIN\fR lower case letters, each letter will count +1 towards meeting the current \fBminlen\fR -value. The default for +value\. The default for \fBlcredit\fR is 1 which is the recommended value for \fBminlen\fR -less than 10. +less than 10\. .sp -(N < 0) This is the minimum number of lower case letters that must be met for a new password. +(N < 0) This is the minimum number of lower case letters that must be met for a new password\. .RE .PP \fBocredit=\fR\fB\fIN\fR\fR .RS 4 -(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or +(N >= 0) This is the maximum credit for having other characters in the new password\. If you have less than or \fIN\fR other characters, each character will count +1 towards meeting the current \fBminlen\fR -value. The default for +value\. The default for \fBocredit\fR is 1 which is the recommended value for \fBminlen\fR -less than 10. +less than 10\. .sp -(N < 0) This is the minimum number of other characters that must be met for a new password. +(N < 0) This is the minimum number of other characters that must be met for a new password\. .RE .PP \fBminclass=\fR\fB\fIN\fR\fR .RS 4 -The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the +The minimum number of required classes of characters for the new password\. The default number is zero\. The four classes are digits, upper and lower letters and other characters\. The difference to the \fBcredit\fR -check is that a specific class if of characters is not required. Instead +check is that a specific class if of characters is not required\. Instead \fIN\fR -out of four of the classes are required. +out of four of the classes are required\. .RE .PP \fBuse_authtok\fR 
@@ -205,41 +205,41 @@ This argument is used to \fIforce\fR the module to not prompt the user for a new password but use the one provided by the previously stacked \fIpassword\fR -module. +module\. .RE .PP \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR .RS 4 -Path to the cracklib dictionaries. +Path to the cracklib dictionaries\. .RE .SH "MODULE SERVICES PROVIDED" .PP Only he \fBpassword\fR -service is supported. +service is supported\. .SH "RETURN VALUES" .PP .PP PAM_SUCCESS .RS 4 -The new password passes all checks. +The new password passes all checks\. .RE .PP PAM_AUTHTOK_ERR .RS 4 -No new password was entered, the username could not be determined or the new password fails the strength checks. +No new password was entered, the username could not be determined or the new password fails the strength checks\. .RE .PP PAM_AUTHTOK_RECOVERY_ERR .RS 4 -The old password was not supplied by a previous stackked module or got not requested from the user. The first error can happen if +The old password was not supplied by a previous stacked module or got not requested from the user\. The first error can happen if \fBuse_authtok\fR -is specified. +is specified\. .RE .PP PAM_SERVICE_ERR .RS 4 -A internal error occured. +A internal error occured\. .RE .SH "EXAMPLES" .PP 
@@ -249,53 +249,51 @@ For an example of the use of this module, we show how it may be stacked with the .RS 4 .nf # -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The +# These lines stack two password type modules\. In this example the +# user is given 3 opportunities to enter a strong password\. The # "use_authtok" argument ensures that the pam_unix module does not # prompt for a password, but instead uses the one provided by -# pam_cracklib. +# pam_cracklib\. # -passwd password required pam_cracklib.so retry=3 -passwd password required pam_unix.so use_authtok +passwd password required pam_cracklib\.so retry=3 +passwd password required pam_unix\.so use_authtok .fi .RE -.sp .PP Another example (in the -\fI/etc/pam.d/passwd\fR +\fI/etc/pam\.d/passwd\fR format) is for the case that you want to use md5 password encryption: .sp .RS 4 .nf -#%PAM\-1.0 +#%PAM\-1\.0 # # These lines allow a md5 systems to support passwords of at least 14 # bytes with extra credit of 2 for digits and 2 for others the new # password must have at least three bytes that are not present in the # old password # -password required pam_cracklib.so \\ +password required pam_cracklib\.so \e difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix.so use_authtok nullok md5 +password required pam_unix\.so use_authtok nullok md5 .fi .RE -.sp .PP -And here is another example in case you don't want to use credits: +And here is another example in case you don\'t want to use credits: .sp .RS 4 .nf -#%PAM\-1.0 +#%PAM\-1\.0 # # These lines require the user to select a password with a minimum # length of 8 and with at least 1 digit number, 1 upper case letter, # and 1 other character # -password required pam_cracklib.so \\ +password required pam_cracklib\.so \e dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 +password required pam_unix\.so use_authtok nullok 
md5 .fi .RE @@ -308,4 +306,4 @@ password required pam_unix.so use_authtok nullok md5 \fBpam\fR(8) .SH "AUTHOR" .PP -pam_cracklib was written by Cristian Gafton +pam_cracklib was written by Cristian Gafton diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index f97ad8fb..589e7b44 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -412,7 +412,7 @@ PAM_AUTHTOK_RECOVERY_ERR - The old password was not supplied by a previous stackked + The old password was not supplied by a previous stacked module or got not requested from the user. The first error can happen if is specified. diff --git a/modules/pam_deny/pam_deny.8 b/modules/pam_deny/pam_deny.8 index f9f2d439..e3d34414 100644 --- a/modules/pam_deny/pam_deny.8 +++ b/modules/pam_deny/pam_deny.8 
@@ -1,65 +1,73 @@ .\" Title: pam_deny .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_DENY" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_DENY" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_deny \- The locking\-out PAM module +pam_deny - The locking-out PAM module .SH "SYNOPSIS" .HP 12 -\fBpam_deny.so\fR +\fBpam_deny\.so\fR .SH "DESCRIPTION" .PP -This module can be used to deny access. It always indicates a failure to the application through the PAM framework. It might be suitable for using for default (the -\fIOTHER\fR) entries. +This module can be used to deny access\. It always indicates a failure to the application through the PAM framework\. It might be suitable for using for default (the +\fIOTHER\fR) entries\. .SH "OPTIONS" .PP -This module does not recognice any options. +This module does not recognise any options\. .SH "MODULE SERVICES PROVIDED" .PP All services (\fBaccount\fR, \fBauth\fR, \fBpassword\fR and -\fBsession\fR) are supported. +\fBsession\fR) are supported\. .SH "RETURN VALUES" .PP -.TP 3n +.PP PAM_AUTH_ERR -This is returned by the account and auth services. -.TP 3n +.RS 4 +This is returned by the account and auth services\. +.RE +.PP PAM_CRED_ERR -This is returned by the setcred function. -.TP 3n +.RS 4 +This is returned by the setcred function\. +.RE +.PP PAM_AUTHTOK_ERR -This is returned by the password service. -.TP 3n +.RS 4 +This is returned by the password service\. +.RE +.PP PAM_SESSION_ERR -This is returned by the session service. +.RS 4 +This is returned by the session service\. 
+.RE .SH "EXAMPLES" .sp -.RS 3n +.RS 4 .nf -#%PAM\-1.0 +#%PAM\-1\.0 # -# If we don't have config entries for a service, the -# OTHER entries are used. To be secure, warn and deny -# access to everything. -other auth required pam_warn.so -other auth required pam_deny.so -other account required pam_warn.so -other account required pam_deny.so -other password required pam_warn.so -other password required pam_deny.so -other session required pam_warn.so -other session required pam_deny.so +# If we don\'t have config entries for a service, the +# OTHER entries are used\. To be secure, warn and deny +# access to everything\. +other auth required pam_warn\.so +other auth required pam_deny\.so +other account required pam_warn\.so +other account required pam_deny\.so +other password required pam_warn\.so +other password required pam_deny\.so +other session required pam_warn\.so +other session required pam_deny\.so .fi .RE @@ -71,4 +79,4 @@ other session required pam_deny.so \fBpam\fR(8) .SH "AUTHOR" .PP -pam_deny was written by Andrew G. Morgan +pam_deny was written by Andrew G\. Morgan diff --git a/modules/pam_deny/pam_deny.8.xml b/modules/pam_deny/pam_deny.8.xml index 91916003..e50beb2d 100644 --- a/modules/pam_deny/pam_deny.8.xml +++ b/modules/pam_deny/pam_deny.8.xml @@ -35,7 +35,7 @@ OPTIONS - This module does not recognice any options. + This module does not recognise any options. diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8 index 7058f1aa..249d5683 100644 --- a/modules/pam_group/pam_group.8 +++ b/modules/pam_group/pam_group.8 
@@ -1,80 +1,94 @@ .\" Title: pam_group .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/22/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_GROUP" "8" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_GROUP" "8" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_group \- PAM module for group access +pam_group - PAM module for group access .SH "SYNOPSIS" .HP 13 -\fBpam_group.so\fR +\fBpam_group\.so\fR .SH "DESCRIPTION" .PP -The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. +The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\. .PP By default rules for group memberships are taken from config file -\fI/etc/security/group.conf\fR. +\fI/etc/security/group\.conf\fR\. .PP -This module's usefulness relies on the file\-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a +This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a \fBsetgid\fR -binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. 
The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted +binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted \fInosuid\fR -the user is unable to create or execute such a binary file. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted -\fInosuid\fR. +the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted +\fInosuid\fR\. .PP The pam_group module fuctions in parallel with the \fI/etc/group\fR -file. If the user is granted any groups based on the behavior of this module, they are granted +file\. If the user is granted any groups based on the behavior of this module, they are granted \fIin addition\fR to those entries \fI/etc/group\fR -(or equivalent). +(or equivalent)\. .SH "OPTIONS" .PP -This module does not recognice any options. +This module does not recognise any options\. .SH "MODULE SERVICES PROVIDED" .PP Only the \fBauth\fR -service is supported. +service is supported\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_SUCCESS -group membership was granted. -.TP 3n +.RS 4 +group membership was granted\. +.RE +.PP PAM_ABORT -Not all relevant data could be gotten. -.TP 3n +.RS 4 +Not all relevant data could be gotten\. +.RE +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_CRED_ERR -Group membership was not granted. -.TP 3n +.RS 4 +Group membership was not granted\. +.RE +.PP PAM_IGNORE +.RS 4 \fBpam_sm_authenticate\fR -was called which does nothing. -.TP 3n +was called which does nothing\. 
+.RE +.PP PAM_USER_UNKNOWN -The user is not known to the system. +.RS 4 +The user is not known to the system\. +.RE .SH "FILES" -.TP 3n -\fI/etc/security/group.conf\fR +.PP +\fI/etc/security/group\.conf\fR +.RS 4 Default configuration file +.RE .SH "SEE ALSO" .PP \fBgroup.conf\fR(5), \fBpam.d\fR(8), -\fBpam\fR(8). +\fBpam\fR(8)\. .SH "AUTHORS" .PP -pam_group was written by Andrew G. Morgan . +pam_group was written by Andrew G\. Morgan \. diff --git a/modules/pam_group/pam_group.8.xml b/modules/pam_group/pam_group.8.xml index 61c7eef1..f7488fb3 100644 --- a/modules/pam_group/pam_group.8.xml +++ b/modules/pam_group/pam_group.8.xml @@ -62,7 +62,7 @@ OPTIONS - This module does not recognice any options. + This module does not recognise any options. diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 index 9fef98d7..7c5a3d5e 100644 --- a/modules/pam_limits/limits.conf.5 +++ b/modules/pam_limits/limits.conf.5 @@ -1,17 +1,17 @@ .\" Title: limits.conf .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.72.0 -.\" Date: 08/30/2007 +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" -.TH "LIMITS.CONF" "5" "08/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "LIMITS\.CONF" "5" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -limits.conf \- configuration file for the pam_limits module +limits.conf - configuration file for the pam_limits module .SH "DESCRIPTION" .PP The syntax of the lines is as follows: 
@@ -26,46 +26,49 @@ The fields listed above should be filled as follows: .PP \fB\fR .RS 4 +.sp .RS 4 \h'-04'\(bu\h'+03'a username .RE +.sp .RS 4 \h'-04'\(bu\h'+03'a groupname, with \fB@group\fR -syntax. This should not be confused with netgroups. +syntax\. This should not be confused with netgroups\. .RE +.sp .RS 4 \h'-04'\(bu\h'+03'the wildcard -\fB*\fR, for default entry. +\fB*\fR, for default entry\. .RE +.sp .RS 4 \h'-04'\(bu\h'+03'the wildcard \fB%\fR, for maxlogins limit only, can also be used with \fI%group\fR -syntax. +syntax\. .RE .RE .PP \fB\fR .RS 4 -.RS 4 .PP \fBhard\fR .RS 4 for enforcing \fBhard\fR -resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values. +resource limits\. These limits are set by the superuser and enforced by the Kernel\. The user cannot raise his requirement of system resources above such values\. .RE .PP \fBsoft\fR .RS 4 for enforcing \fBsoft\fR -resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting +resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-existing \fBhard\fR -limits. The values specified with this token can be thought of as +limits\. The values specified with this token can be thought of as \fIdefault\fR -values, for normal system usage. +values, for normal system usage\. .RE .PP \fB\-\fR 
@@ -74,16 +77,14 @@ for enforcing both \fBsoft\fR and \fBhard\fR -resource limits together. +resource limits together\. .sp -Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. . -.RE +Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \. .RE .RE .PP \fB\fR .RS 4 -.RS 4 .PP \fBcore\fR .RS 4 
@@ -153,48 +154,47 @@ the priority to run user process with (negative values boost process priority) .PP \fBlocks\fR .RS 4 -maximum locked files (Linux 2.4 and higher) +maximum locked files (Linux 2\.4 and higher) .RE .PP \fBsigpending\fR .RS 4 -maximum number of pending signals (Linux 2.6 and higher) +maximum number of pending signals (Linux 2\.6 and higher) .RE .PP \fBmsqqueue\fR .RS 4 -maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher) +maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher) .RE .PP \fBnice\fR .RS 4 -maximum nice priority allowed to raise to (Linux 2.6.12 and higher) +maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher) .RE .PP \fBrtprio\fR .RS 4 -maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher) -.RE +maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher) .RE .RE .PP In general, individual limits have priority over group limits, so if you impose no limits for \fIadmin\fR -group, but one of the members in this group have a limits line, the user will have its limits set according to this line. +group, but one of the members in this group have a limits line, the user will have its limits set according to this line\. .PP Also, please note that all limit settings are set -\fIper login\fR. They are not global, nor are they permanent; existing only for the duration of the session. +\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\. .PP In the \fIlimits\fR -configuration file, the '\fB#\fR' character introduces a comment \- after which the rest of the line is ignored. +configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\. .PP The pam_limits module does its best to report configuration problems found in its configuration file via -\fBsyslog\fR(3). +\fBsyslog\fR(3)\. 
.SH "EXAMPLES" .PP These are some example lines which might be specified in -\fI/etc/security/limits.conf\fR. +\fI/etc/security/limits\.conf\fR\. .sp .RS 4 .nf @@ -216,4 +216,4 @@ ftp hard nproc 0 \fBpam\fR(8) .SH "AUTHOR" .PP -pam_limits was initially written by Cristian Gafton +pam_limits was initially written by Cristian Gafton diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index 48798470..8983bee3 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -82,7 +82,7 @@ for enforcing soft resource limits. These limits are ones that the user can move up or down within the - permitted range by any pre-exisiting hard + permitted range by any pre-existing hard limits. The values specified with this token can be thought of as default values, for normal system usage. diff --git a/modules/pam_listfile/README b/modules/pam_listfile/README index 51bb13d2..7fe7051b 100644 --- a/modules/pam_listfile/README +++ b/modules/pam_listfile/README @@ -55,7 +55,7 @@ onerr=[succeed|fail] apply=[user|@group] Restrict the user class for which the restriction apply. Note that with - item=[user|ruser|group] this oes not make sense, but for item=[tty|rhost| + item=[user|ruser|group] this does not make sense, but for item=[tty|rhost| shell] it have a meaning. quiet diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8 index 0103aa5e..f7425653 100644 --- a/modules/pam_listfile/pam_listfile.8 +++ b/modules/pam_listfile/pam_listfile.8 
@@ -1,23 +1,23 @@ .\" Title: pam_listfile .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.72.0 -.\" Date: 08/25/2007 +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" -.TH "PAM_LISTFILE" "8" "08/25/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LISTFILE" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_listfile \- deny or allow services based on an arbitrary file +pam_listfile - deny or allow services based on an arbitrary file .SH "SYNOPSIS" .HP 16 -\fBpam_listfile.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] +\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] .SH "DESCRIPTION" .PP -pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file. +pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\. .PP The module gets the \fBitem\fR 
@@ -29,15 +29,15 @@ specifies the username, \fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request, \fIPAM_RUSER\fR \-\- and looks for an instance of that item in the -\fBfile=\fR\fB\fIfilename\fR\fR. +\fBfile=\fR\fB\fIfilename\fR\fR\. \fIfilename\fR -contains one line per item listed. If the item is found, then if +contains one line per item listed\. If the item is found, then if \fBsense=\fR\fB\fIallow\fR\fR, \fIPAM_SUCCESS\fR is returned, causing the authorization request to succeed; else if \fBsense=\fR\fB\fIdeny\fR\fR, \fIPAM_AUTH_ERR\fR -is returned, causing the authorization request to fail. +is returned, causing the authorization request to fail\. .PP If an error is encountered (for instance, if \fIfilename\fR 
@@ -49,54 +49,54 @@ is returned, otherwise if \fIPAM_AUTH_ERR\fR or \fIPAM_SERVICE_ERR\fR -(as appropriate) will be returned. +(as appropriate) will be returned\. .PP An additional argument, -\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR). This added restriction is only meaningful when used with the +\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the \fItty\fR, \fIrhost\fR and \fIshell\fR -items. +items\. .PP -Besides this last one, all arguments should be specified; do not count on any default behavior. +Besides this last one, all arguments should be specified; do not count on any default behavior\. .PP -No credentials are awarded by this module. +No credentials are awarded by this module\. .SH "OPTIONS" .PP .PP \fBitem=[tty|user|rhost|ruser|group|shell]\fR .RS 4 -What is listed in the file and should be checked for. +What is listed in the file and should be checked for\. .RE .PP \fBsense=[allow|deny]\fR .RS 4 -Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested. +Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\. .RE .PP \fBfile=\fR\fB\fI/path/filename\fR\fR .RS 4 -File containing one item per line. The file needs to be a plain file and not world writeable. +File containing one item per line\. The file needs to be a plain file and not world writeable\. .RE .PP \fBonerr=[succeed|fail]\fR .RS 4 -What to do if something weird happens like being unable to open the file. +What to do if something weird happens like being unable to open the file\. 
.RE .PP \fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR .RS 4 -Restrict the user class for which the restriction apply. Note that with +Restrict the user class for which the restriction apply\. Note that with \fBitem=[user|ruser|group]\fR -this oes not make sense, but for +this does not make sense, but for \fBitem=[tty|rhost|shell]\fR -it have a meaning. +it have a meaning\. .RE .PP \fBquiet\fR .RS 4 -Do not treat service refusals or missing list files as errors that need to be logged. +Do not treat service refusals or missing list files as errors that need to be logged\. .RE .SH "MODULE SERVICES PROVIDED" .PP @@ -106,47 +106,47 @@ The services \fBpassword\fR and \fBsession\fR -are supported. +are supported\. .SH "RETURN VALUES" .PP .PP PAM_AUTH_ERR .RS 4 -Authentication failure. +Authentication failure\. .RE .PP PAM_BUF_ERR .RS 4 -Memory buffer error. +Memory buffer error\. .RE .PP PAM_IGNORE .RS 4 The rule does not apply to the \fBapply\fR -option. +option\. .RE .PP PAM_SERVICE_ERR .RS 4 -Error in service module. +Error in service module\. .RE .PP PAM_SUCCESS .RS 4 -Success. +Success\. .RE .SH "EXAMPLES" .PP -Classic 'ftpusers' authentication can be implemented with this entry in -\fI/etc/pam.d/ftpd\fR: +Classic \'ftpusers\' authentication can be implemented with this entry in +\fI/etc/pam\.d/ftpd\fR: .sp .RS 4 .nf # # deny ftp\-access to users listed in the /etc/ftpusers file # -auth required pam_listfile.so \e +auth required pam_listfile\.so \e onerr=succeed item=user sense=deny file=/etc/ftpusers .fi @@ -156,10 +156,10 @@ Note, users listed in \fI/etc/ftpusers\fR file are (counterintuitively) \fInot\fR -allowed access to the ftp service. +allowed access to the ftp service\. .PP To allow login access only for certain users, you can use a -\fI/etc/pam.d/login\fR +\fI/etc/pam\.d/login\fR entry like this: .sp .RS 4 
@@ -167,17 +167,17 @@ entry like this: # # permit login to users listed in /etc/loginusers # -auth required pam_listfile.so \e +auth required pam_listfile\.so \e onerr=fail item=user sense=allow file=/etc/loginusers .fi .RE .sp For this example to work, all users who are allowed to use the login service should be listed in the file -\fI/etc/loginusers\fR. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in +\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in \fI/etc/loginusers\fR, or by listing a user who is able to \fIsu\fR -to the root account. +to the root account\. .SH "SEE ALSO" .PP @@ -186,4 +186,4 @@ to the root account. \fBpam\fR(8) .SH "AUTHOR" .PP -pam_listfile was written by Michael K. Johnson and Elliot Lee . +pam_listfile was written by Michael K\. Johnson and Elliot Lee \. diff --git a/modules/pam_listfile/pam_listfile.8.xml b/modules/pam_listfile/pam_listfile.8.xml index 2aab4962..e54e80a4 100644 --- a/modules/pam_listfile/pam_listfile.8.xml +++ b/modules/pam_listfile/pam_listfile.8.xml @@ -153,7 +153,7 @@ Restrict the user class for which the restriction apply. Note that - with this oes not make sense, + with this does not make sense, but for it have a meaning. diff --git a/modules/pam_permit/README b/modules/pam_permit/README index e09ec9cf..d479dccd 100644 --- a/modules/pam_permit/README +++ b/modules/pam_permit/README @@ -14,7 +14,7 @@ This module is very dangerous. It should be used with extreme caution. OPTIONS -This module does not recognice any options. +This module does not recognise any options. EXAMPLES diff --git a/modules/pam_permit/pam_permit.8 b/modules/pam_permit/pam_permit.8 index ce3c3290..135db335 100644 --- a/modules/pam_permit/pam_permit.8 +++ b/modules/pam_permit/pam_permit.8 
@@ -1,32 +1,32 @@ .\" Title: pam_permit .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/04/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_PERMIT" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_PERMIT" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_permit \- The promiscuous module +pam_permit - The promiscuous module .SH "SYNOPSIS" .HP 14 -\fBpam_permit.so\fR +\fBpam_permit\.so\fR .SH "DESCRIPTION" .PP -pam_permit is a PAM module that always permit access. It does nothing else. +pam_permit is a PAM module that always permit access\. It does nothing else\. .PP -In the case of authentication, the user's name will be set to +In the case of authentication, the user\'s name will be set to \fInobody\fR -if the application didn't set one. Many applications and PAM modules become confused if this name is unknown. +if the application didn\'t set one\. Many applications and PAM modules become confused if this name is unknown\. .PP -This module is very dangerous. It should be used with extreme caution. +This module is very dangerous\. It should be used with extreme caution\. .SH "OPTIONS" .PP -This module does not recognice any options. +This module does not recognise any options\. .SH "MODULE SERVICES PROVIDED" .PP The services 
@@ -35,18 +35,20 @@ The services \fBpassword\fR and \fBsession\fR -are supported. +are supported\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_SUCCESS -This module always returns this value. +.RS 4 +This module always returns this value\. +.RE .SH "EXAMPLES" .PP -Add this line to your other login entries to disable account management, but continue to permit users to log in. +Add this line to your other login entries to disable account management, but continue to permit users to log in\. .sp -.RS 3n +.RS 4 .nf -account required pam_permit.so +account required pam_permit\.so .fi .RE @@ -59,4 +61,4 @@ account required pam_permit.so \fBpam\fR(8) .SH "AUTHOR" .PP -pam_permit was written by Andrew G. Morgan, . +pam_permit was written by Andrew G\. Morgan, \. diff --git a/modules/pam_permit/pam_permit.8.xml b/modules/pam_permit/pam_permit.8.xml index 3992f43f..4db7a963 100644 --- a/modules/pam_permit/pam_permit.8.xml +++ b/modules/pam_permit/pam_permit.8.xml @@ -44,7 +44,7 @@ OPTIONS - This module does not recognice any options. + This module does not recognise any options. diff --git a/modules/pam_shells/README b/modules/pam_shells/README index 38e6484c..f4658be3 100644 --- a/modules/pam_shells/README +++ b/modules/pam_shells/README @@ -11,7 +11,7 @@ It also checks if /etc/shells is a plain file and not world writable. OPTIONS -This module does not recognice any options. +This module does not recognise any options. EXAMPLES diff --git a/modules/pam_shells/pam_shells.8 b/modules/pam_shells/pam_shells.8 index f41a1ed4..016af07b 100644 --- a/modules/pam_shells/pam_shells.8 +++ b/modules/pam_shells/pam_shells.8 
@@ -1,59 +1,73 @@ -.\" ** You probably do not want to edit this file directly ** -.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). -.\" Instead of manually editing it, you probably should edit the DocBook XML -.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. -.TH "PAM_SHELLS" "8" "06/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" Title: pam_shells +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" +.TH "PAM_SHELLS" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_shells \- PAM module to check for valid login shell +pam_shells - PAM module to check for valid login shell .SH "SYNOPSIS" .HP 14 -\fBpam_shells.so\fR +\fBpam_shells\.so\fR .SH "DESCRIPTION" .PP pam_shells is a PAM module that only allows access to the system if the users shell is listed in -\fI/etc/shells\fR. +\fI/etc/shells\fR\. .PP It also checks if \fI/etc/shells\fR -is a plain file and not world writable. +is a plain file and not world writable\. .SH "OPTIONS" .PP -This module does not recognice any options. +This module does not recognise any options\. .SH "MODULE SERVICES PROVIDED" .PP The services \fBauth\fR and \fBaccount\fR -are supported. +are supported\. .SH "RETURN VALUES" -.TP +.PP PAM_AUTH_ERR -Access to the system was denied. -.TP +.RS 4 +Access to the system was denied\. +.RE +.PP PAM_SUCCESS +.RS 4 The users login shell was listed as valid shell in -\fI/etc/shells\fR. -.TP +\fI/etc/shells\fR\. +.RE +.PP PAM_SERVICE_ERR -The module was not able to get the name of the user. +.RS 4 +The module was not able to get the name of the user\. 
+.RE .SH "EXAMPLES" .PP + +.sp +.RS 4 .nf -auth required pam_shells.so +auth required pam_shells\.so .fi +.RE .sp .SH "SEE ALSO" .PP + \fBshells\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(8), \fBpam\fR(8) .SH "AUTHOR" .PP -pam_shells was written by Erik Troan . +pam_shells was written by Erik Troan \. diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml index 604e3572..abbd5cbd 100644 --- a/modules/pam_shells/pam_shells.8.xml +++ b/modules/pam_shells/pam_shells.8.xml @@ -38,7 +38,7 @@ OPTIONS - This module does not recognice any options. + This module does not recognise any options. diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 index 89506830..ea0c8d34 100644 --- a/modules/pam_time/pam_time.8 +++ b/modules/pam_time/pam_time.8 
@@ -1,63 +1,75 @@ .\" Title: pam_time .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_TIME" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIME" "8" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_time \- PAM module for time control access +pam_time - PAM module for time control access .SH "SYNOPSIS" .HP 12 -\fBpam_time.so\fR +\fBpam_time\.so\fR .SH "DESCRIPTION" .PP -The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request. +The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\. .PP By default rules for time/port access are taken from config file -\fI/etc/security/time.conf\fR. +\fI/etc/security/time\.conf\fR\. .SH "OPTIONS" .PP -This module does not recognice any options. +This module does not recognise any options\. .SH "MODULE SERVICES PROVIDED" .PP Only the \fBaccount\fR -service is supported. +service is supported\. 
.SH "RETURN VALUES" -.TP 3n +.PP PAM_SUCCESS -Access was granted. -.TP 3n +.RS 4 +Access was granted\. +.RE +.PP PAM_ABORT -Not all relevant data could be gotten. -.TP 3n +.RS 4 +Not all relevant data could be gotten\. +.RE +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_PERM_DENIED -Access was not granted. -.TP 3n +.RS 4 +Access was not granted\. +.RE +.PP PAM_USER_UNKNOWN -The user is not known to the system. +.RS 4 +The user is not known to the system\. +.RE .SH "FILES" -.TP 3n -\fI/etc/security/time.conf\fR +.PP +\fI/etc/security/time\.conf\fR +.RS 4 Default configuration file +.RE .SH "EXAMPLES" .sp -.RS 3n +.RS 4 .nf -#%PAM\-1.0 +#%PAM\-1\.0 # # apply pam_time accounting to login requests # -login account required pam_time.so +login account required pam_time\.so .fi .RE @@ -66,7 +78,7 @@ login account required pam_time.so \fBtime.conf\fR(5), \fBpam.d\fR(8), -\fBpam\fR(8). +\fBpam\fR(8)\. .SH "AUTHOR" .PP -pam_time was written by Andrew G. Morgan . +pam_time was written by Andrew G\. Morgan \. diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml index 1ec7eb0e..de7bcad3 100644 --- a/modules/pam_time/pam_time.8.xml +++ b/modules/pam_time/pam_time.8.xml @@ -45,7 +45,7 @@ OPTIONS - This module does not recognice any options. + This module does not recognise any options. diff --git a/modules/pam_warn/README b/modules/pam_warn/README index d9619b53..a0713173 100644 --- a/modules/pam_warn/README +++ b/modules/pam_warn/README @@ -11,7 +11,7 @@ that it does not want to affect the authentication process. OPTIONS -This module does not recognice any options. +This module does not recognise any options. EXAMPLES diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8 index 4e2c67c5..4bc3f203 100644 --- a/modules/pam_warn/pam_warn.8 +++ b/modules/pam_warn/pam_warn.8 
@@ -1,28 +1,28 @@ .\" Title: pam_warn .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_WARN" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_WARN" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_warn \- PAM module which logs all PAM items if called +pam_warn - PAM module which logs all PAM items if called .SH "SYNOPSIS" .HP 12 -\fBpam_warn.so\fR +\fBpam_warn\.so\fR .SH "DESCRIPTION" .PP pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to -\fBsyslog\fR(3). The items are not probed for, but instead obtained from the standard PAM items. The module always returns -\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process. +\fBsyslog\fR(3)\. The items are not probed for, but instead obtained from the standard PAM items\. The module always returns +\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\. .SH "OPTIONS" .PP -This module does not recognice any options. +This module does not recognise any options\. .SH "MODULE SERVICES PROVIDED" .PP The services 
@@ -31,28 +31,30 @@ The services \fBpassword\fR and \fBsession\fR -are supported. +are supported\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_IGNORE -This module always returns PAM_IGNORE. +.RS 4 +This module always returns PAM_IGNORE\. +.RE .SH "EXAMPLES" .sp -.RS 3n +.RS 4 .nf -#%PAM\-1.0 +#%PAM\-1\.0 # -# If we don't have config entries for a service, the -# OTHER entries are used. To be secure, warn and deny -# access to everything. -other auth required pam_warn.so -other auth required pam_deny.so -other account required pam_warn.so -other account required pam_deny.so -other password required pam_warn.so -other password required pam_deny.so -other session required pam_warn.so -other session required pam_deny.so +# If we don\'t have config entries for a service, the +# OTHER entries are used\. To be secure, warn and deny +# access to everything\. +other auth required pam_warn\.so +other auth required pam_deny\.so +other account required pam_warn\.so +other account required pam_deny\.so +other password required pam_warn\.so +other password required pam_deny\.so +other session required pam_warn\.so +other session required pam_deny\.so .fi .RE @@ -64,4 +66,4 @@ other session required pam_deny.so \fBpam\fR(8) .SH "AUTHOR" .PP -pam_warn was written by Andrew G. Morgan . +pam_warn was written by Andrew G\. Morgan \. diff --git a/modules/pam_warn/pam_warn.8.xml b/modules/pam_warn/pam_warn.8.xml index 1aa70f59..b3261b86 100644 --- a/modules/pam_warn/pam_warn.8.xml +++ b/modules/pam_warn/pam_warn.8.xml @@ -35,7 +35,7 @@ OPTIONS - This module does not recognice any options. + This module does not recognise any options. diff --git a/modules/pam_xauth/README b/modules/pam_xauth/README index 1e134d70..4e0e3ec4 100644 --- a/modules/pam_xauth/README +++ b/modules/pam_xauth/README 
@@ -77,9 +77,9 @@ pam_open_session() and pam_close_session() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user. -pam_xauth calls xauth(1) the source user to extract the key for $DISPLAY, then -calls xauth as the target user to merge the key into the a temporary database -and later remove the database. +pam_xauth calls xauth(1) as the source user to extract the key for $DISPLAY, +then calls xauth as the target user to merge the key into the a temporary +database and later remove the database. pam_xauth cannot be told to not remove the keys when the session is closed. diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8 index 85f5dbf3..f316ad7b 100644 --- a/modules/pam_xauth/pam_xauth.8 +++ b/modules/pam_xauth/pam_xauth.8 
@@ -1,109 +1,127 @@ .\" Title: pam_xauth .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 11/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_XAUTH" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_XAUTH" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_xauth \- PAM module to forward xauth keys between users +pam_xauth - PAM module to forward xauth keys between users .SH "SYNOPSIS" .HP 13 -\fBpam_xauth.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] +\fBpam_xauth\.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] .SH "DESCRIPTION" .PP -The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users. +The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\. .PP Without pam_xauth, when xauth is enabled and a user uses the \fBsu\fR(1) -command to assume another user's priviledges, that user is no longer able to access the original user's X display because the new user does not have the key needed to access the display. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down. +command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\. 
pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\. .PP This means, for example, that when you run \fBsu\fR(1) from an xterm sesssion, you will be able to run X programs without explicitly dealing with the \fBxauth\fR(1) -xauth command or ~/.Xauthority files. +xauth command or ~/\.Xauthority files\. .PP -pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable. +pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\. .PP Primitive access control is provided by -\fI~/.xauth/export\fR -in the invoking user's home directory and -\fI~/.xauth/import\fR -in the target user's home directory. +\fI~/\.xauth/export\fR +in the invoking user\'s home directory and +\fI~/\.xauth/import\fR +in the target user\'s home directory\. .PP If a user has a -\fI~/.xauth/import\fR -file, the user will only receive cookies from users listed in the file. If there is no -\fI~/.xauth/import\fR -file, the user will accept cookies from any other user. +\fI~/\.xauth/import\fR +file, the user will only receive cookies from users listed in the file\. If there is no +\fI~/\.xauth/import\fR +file, the user will accept cookies from any other user\. .PP If a user has a -\fI.xauth/export\fR -file, the user will only forward cookies to users listed in the file. If there is no -\fI~/.xauth/export\fR +\fI\.xauth/export\fR +file, the user will only forward cookies to users listed in the file\. If there is no +\fI~/\.xauth/export\fR file, and the invoking user is not -\fBroot\fR, the user will forward cookies to any other user. If there is no -\fI~/.xauth/export\fR +\fBroot\fR, the user will forward cookies to any other user\. 
If there is no +\fI~/\.xauth/export\fR file, and the invoking user is \fBroot\fR, the user will \fInot\fR -forward cookies to other users. +forward cookies to other users\. .PP Both the import and export files support wildcards (such as -\fI*\fR). Both the import and export files can be empty, signifying that no users are allowed. +\fI*\fR)\. Both the import and export files can be empty, signifying that no users are allowed\. .SH "OPTIONS" -.TP 3n +.PP \fBdebug\fR -Print debug information. -.TP 3n +.RS 4 +Print debug information\. +.RE +.PP \fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR +.RS 4 Specify the path the xauth program (it is expected in \fI/usr/X11R6/bin/xauth\fR, \fI/usr/bin/xauth\fR, or \fI/usr/bin/X11/xauth\fR -by default). -.TP 3n +by default)\. +.RE +.PP \fBsystemuser=\fR\fB\fIUID\fR\fR -Specify the highest UID which will be assumed to belong to a "system" user. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified. -.TP 3n +.RS 4 +Specify the highest UID which will be assumed to belong to a "system" user\. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\. +.RE +.PP \fBtargetuser=\fR\fB\fIUID\fR\fR -Specify a single target UID which is exempt from the systemuser check. +.RS 4 +Specify a single target UID which is exempt from the systemuser check\. +.RE .SH "MODULE SERVICES PROVIDED" .PP Only the \fBsession\fR -service is supported. +service is supported\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_PERM_DENIED -Permission denied by import/export file. -.TP 3n +.RS 4 +Permission denied by import/export file\. +.RE +.PP PAM_SESSION_ERR -Cannot determine user name, UID or access users home directory. -.TP 3n +.RS 4 +Cannot determine user name, UID or access users home directory\. 
+.RE +.PP PAM_SUCCESS -Success. -.TP 3n +.RS 4 +Success\. +.RE +.PP PAM_USER_UNKNOWN -User not known. +.RS 4 +User not known\. +.RE .SH "EXAMPLES" .PP Add the following line to -\fI/etc/pam.d/su\fR +\fI/etc/pam\.d/su\fR to forward xauth keys between users when calling su: .sp -.RS 3n +.RS 4 .nf -session optional pam_xauth.so +session optional pam_xauth\.so .fi .RE 
@@ -113,23 +131,27 @@ session optional pam_xauth.so pam_xauth will work \fIonly\fR if it is used from a setuid application in which the -\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume. The typical application of this type is -\fBsu\fR(1). The application must call both +\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\. The typical application of this type is +\fBsu\fR(1)\. The application must call both \fBpam_open_session\fR() and -\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user. +\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\. .PP pam_xauth calls \fBxauth\fR(1) -the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database. +as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\. .PP -pam_xauth cannot be told to not remove the keys when the session is closed. +pam_xauth cannot be told to not remove the keys when the session is closed\. .SH "FILES" -.TP 3n -\fI~/.xauth/import\fR +.PP +\fI~/\.xauth/import\fR +.RS 4 XXX -.TP 3n -\fI~/.xauth/export\fR +.RE +.PP +\fI~/\.xauth/export\fR +.RS 4 XXX +.RE .SH "SEE ALSO" .PP @@ -138,4 +160,4 @@ XXX \fBpam\fR(8) .SH "AUTHOR" .PP -pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K. Johnson . +pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\. Johnson \. 
diff --git a/modules/pam_xauth/pam_xauth.8.xml b/modules/pam_xauth/pam_xauth.8.xml index 94453d00..f6323f26 100644 --- a/modules/pam_xauth/pam_xauth.8.xml +++ b/modules/pam_xauth/pam_xauth.8.xml @@ -237,7 +237,7 @@ session optional pam_xauth.so pam_xauth calls xauth1 - the source user to extract the key for $DISPLAY, + as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database. -- cgit v1.2.3 From dee497d659371fdb793c8ec8e220d72ccaa02332 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 6 Nov 2007 15:24:26 +0000 Subject: Relevant BUGIDs: 1822761 Purpose of commit: bugfix Commit summary: --------------- 2007-11-06 Thorsten Kukuk * xtests/tst-pam_group1.c: Include stdlib.h * xtests/tst-pam_succeed_if1.c: Likewise. * xtests/tst-pam_limits1.c: Likewise. * xtests/tst-pam_access1.c: Likewise. * xtests/tst-pam_access2.c: Likewise. * xtests/tst-pam_access3.c: Likewise. * xtests/tst-pam_access4.c: Likewise. * xtests/tst-pam_unix1.c: Likewise. * xtests/tst-pam_unix2.c: Likewise. * xtests/tst-pam_unix3.c: Likewise. * xtests/tst-pam_cracklib1.c: Likewise. * xtests/tst-pam_cracklib2.c: Likewise. 2007-10-30 Peter Breitenlohner * modules/pam_rhosts/pam_rhosts_auth.c (__icheckhost): Correct misplaced parenthesis. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Prevent use of dngettext() when NLS is disabled. * modules/pam_exec/pam_exec.c (call_exec): Avoid gcc warning. * doc/specs/parse_y.y (set_label, new_counter): Break trigraphs to avoid gcc warning. * modules/pam_wheel/pam_wheel.c: Remove excessive initializer elements. --- ChangeLog | 23 +++++++++++++++++++++++ doc/specs/parse_y.y | 4 ++-- modules/pam_exec/pam_exec.c | 2 +- modules/pam_rhosts/pam_rhosts_auth.c | 2 +- modules/pam_unix/pam_unix_acct.c | 2 +- modules/pam_wheel/pam_wheel.c | 3 +-- xtests/tst-pam_access1.c | 1 + xtests/tst-pam_access2.c | 1 + xtests/tst-pam_access3.c | 1 + xtests/tst-pam_access4.c | 1 + xtests/tst-pam_cracklib1.c | 1 + xtests/tst-pam_cracklib2.c | 1 + xtests/tst-pam_group1.c | 1 + xtests/tst-pam_limits1.c | 1 + xtests/tst-pam_succeed_if1.c | 1 + xtests/tst-pam_unix1.c | 1 + xtests/tst-pam_unix2.c | 1 + xtests/tst-pam_unix3.c | 1 + 18 files changed, 41 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index fd3dbe12..1209c9ea 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,18 @@ 2007-11-06 Thorsten Kukuk + * xtests/tst-pam_group1.c: Include stdlib.h + * xtests/tst-pam_succeed_if1.c: Likewise. + * xtests/tst-pam_limits1.c: Likewise. + * xtests/tst-pam_access1.c: Likewise. + * xtests/tst-pam_access2.c: Likewise. + * xtests/tst-pam_access3.c: Likewise. + * xtests/tst-pam_access4.c: Likewise. + * xtests/tst-pam_unix1.c: Likewise. + * xtests/tst-pam_unix2.c: Likewise. + * xtests/tst-pam_unix3.c: Likewise. + * xtests/tst-pam_cracklib1.c: Likewise. + * xtests/tst-pam_cracklib2.c: Likewise. + * libpam/pam_static_modules.h: Fix name of pam_namespace variable. 2007-11-01 Peter Breitenlohner @@ -8,6 +21,16 @@ 2007-10-30 Peter Breitenlohner + * modules/pam_rhosts/pam_rhosts_auth.c (__icheckhost): Correct + misplaced parenthesis. + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Prevent use of + dngettext() when NLS is disabled. + * modules/pam_exec/pam_exec.c (call_exec): Avoid gcc warning. + * doc/specs/parse_y.y (set_label, new_counter): Break trigraphs to + avoid gcc warning. + * modules/pam_wheel/pam_wheel.c: Remove excessive initializer + elements. + * modules/pam_cracklib/pam_cracklib.8.xml: Correct typo. * modules/pam_limits/limits.conf.5.xml: Likewise. * modules/pam_listfile/pam_listfile.8.xml: Likewise. diff --git a/doc/specs/parse_y.y b/doc/specs/parse_y.y index 9ea51654..87fc54ea 100644 --- a/doc/specs/parse_y.y +++ b/doc/specs/parse_y.y @@ -229,7 +229,7 @@ void set_label(const char *label, const char *target) { if (target == NULL) { yyerror("no hanging value for label"); - target = ""; + target = ""; /* avoid trigraph warning */ } label_root = set_key(label_root, label, target); } @@ -242,7 +242,7 @@ char *new_counter(const char *key) if (key[i++] != '#') { yyerror("bad index"); - return strdup(""); + return strdup(""); /* avoid trigraph warning */ } while (key[i] == '$') { diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 34ba7404..49790d80 100644 --- a/modules/pam_exec/pam_exec.c 
+++ b/modules/pam_exec/pam_exec.c @@ -208,7 +208,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) exit (ENOMEM); for (i = 0; i < (argc - optargc); i++) - arggv[i] = argv[i+optargc]; + arggv[i] = strdup(argv[i+optargc]); arggv[i] = NULL; if (debug) diff --git a/modules/pam_rhosts/pam_rhosts_auth.c b/modules/pam_rhosts/pam_rhosts_auth.c index 48fdeced..db28290a 100644 --- a/modules/pam_rhosts/pam_rhosts_auth.c +++ b/modules/pam_rhosts/pam_rhosts_auth.c @@ -267,7 +267,7 @@ __icheckhost (pam_handle_t *pamh, struct _options *opts, u_int32_t raddr /* Try for raw ip address first. */ - if (isdigit(*lhost) && (int32_t)(laddr = inet_addr(lhost) != -1)) + if (isdigit(*lhost) && (int32_t)(laddr = inet_addr(lhost)) != -1) return (negate*(! (raddr ^ laddr))); /* Better be a hostname. */ diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index cb2550df..6b04ed2f 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -317,7 +317,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, pam_syslog(pamh, LOG_DEBUG, "password for user %s will expire in %d days", uname, daysleft); -#ifdef HAVE_DNGETTEXT +#if defined HAVE_DNGETTEXT && defined ENABLE_NLS snprintf (buf, sizeof (buf), dngettext(PACKAGE, "Warning: your password will expire in %d day", diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index ca0e171d..d7d8096e 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -274,8 +274,7 @@ struct pam_module _pam_wheel_modstruct = { pam_sm_acct_mgmt, NULL, NULL, - NULL, - NULL, + NULL }; #endif /* PAM_STATIC */ diff --git a/xtests/tst-pam_access1.c b/xtests/tst-pam_access1.c index 457b95d4..15711297 100644 --- a/xtests/tst-pam_access1.c +++ b/xtests/tst-pam_access1.c @@ -45,6 +45,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_access2.c b/xtests/tst-pam_access2.c index b6e18812..293d72ab 100644 
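Review bot: The `strdup()` result stored in the argument-copy loop of call_exec is never checked, so an allocation failure would leave a NULL in the middle of `arggv` and the vector would presumably reach the exec call truncated. The allocation just above the loop already bails out with `exit (ENOMEM);`, and the loop body can do the same: `if ((arggv[i] = strdup(argv[i+optargc])) == NULL) exit (ENOMEM);`. The ChangeLog entry describes this change only as avoiding a gcc warning, so a short comment saying why each argument is copied (apparently to drop the `const` of `argv`) would help the next reader. call_exec starts and ends outside the hunk.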
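Review bot: `isdigit(*lhost)` in __icheckhost receives what appears to be a plain `char`, which is undefined for negative values when the host entry holds bytes above 0x7f; cast it, `isdigit((unsigned char)*lhost)`. The corrected parenthesis now stores the parsed address in `laddr` instead of the result of the comparison, but testing `inet_addr()` against -1 still cannot tell a parse failure from 255.255.255.255, which `inet_aton()` reports separately. Because this test feeds the host match on the next line, a comment stating that a failed parse falls through to the hostname lookup would be worth adding. The function starts and ends outside the hunk.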
--- a/xtests/tst-pam_access2.c +++ b/xtests/tst-pam_access2.c @@ -45,6 +45,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_access3.c b/xtests/tst-pam_access3.c index cd989bb3..817ce930 100644 --- a/xtests/tst-pam_access3.c +++ b/xtests/tst-pam_access3.c @@ -45,6 +45,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_access4.c b/xtests/tst-pam_access4.c index acdb46f1..2b887a4d 100644 --- a/xtests/tst-pam_access4.c +++ b/xtests/tst-pam_access4.c @@ -45,6 +45,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_cracklib1.c b/xtests/tst-pam_cracklib1.c index 1600df97..b0e52051 100644 --- a/xtests/tst-pam_cracklib1.c +++ b/xtests/tst-pam_cracklib1.c @@ -36,6 +36,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_cracklib2.c b/xtests/tst-pam_cracklib2.c index a3d3ff88..84b4ef64 100644 --- a/xtests/tst-pam_cracklib2.c +++ b/xtests/tst-pam_cracklib2.c @@ -39,6 +39,7 @@ #endif #include +#include #include #include #include diff --git a/xtests/tst-pam_group1.c b/xtests/tst-pam_group1.c index f5a04bc0..ca0c2ac9 100644 --- a/xtests/tst-pam_group1.c +++ b/xtests/tst-pam_group1.c @@ -49,6 +49,7 @@ #include #include +#include #include #include #include diff --git a/xtests/tst-pam_limits1.c b/xtests/tst-pam_limits1.c index ed3d3679..d8952400 100644 --- a/xtests/tst-pam_limits1.c +++ b/xtests/tst-pam_limits1.c @@ -46,6 +46,7 @@ #endif #include +#include #include #include #include diff --git a/xtests/tst-pam_succeed_if1.c b/xtests/tst-pam_succeed_if1.c index 24f42302..c0187743 100644 --- a/xtests/tst-pam_succeed_if1.c +++ b/xtests/tst-pam_succeed_if1.c @@ -46,6 +46,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_unix1.c b/xtests/tst-pam_unix1.c index 7b884997..5ee24082 100644 --- a/xtests/tst-pam_unix1.c +++ b/xtests/tst-pam_unix1.c @@ -40,6 +40,7 @@ #endif #include +#include #include #include 
diff --git a/xtests/tst-pam_unix2.c b/xtests/tst-pam_unix2.c index bf6cd8e7..65a75f3e 100644 --- a/xtests/tst-pam_unix2.c +++ b/xtests/tst-pam_unix2.c @@ -42,6 +42,7 @@ #endif #include +#include #include #include diff --git a/xtests/tst-pam_unix3.c b/xtests/tst-pam_unix3.c index bd5ffca4..50a94587 100644 --- a/xtests/tst-pam_unix3.c +++ b/xtests/tst-pam_unix3.c @@ -43,6 +43,7 @@ #endif #include +#include #include #include -- cgit v1.2.3 From 16b369e3ffcac0a88065b0393067bb28d166904d Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 20 Nov 2007 10:58:10 +0000 Subject: Relevant BUGIDs: 1822779 Purpose of commit: bugfix Commit summary: --------------- Don't link pam_tally application against libpam, if linked static, libpam is not yet available. 2007-11-20 Thorsten Kukuk * modules/pam_tally/pam_tally.c (tally_log): Map pam_modutil_getpwnam to getpwnam if we don't compile as module. * modules/pam_tally/Makefile.am: Don't link pam_tally_app against libpam (#1822779). --- ChangeLog | 8 ++++++++ modules/pam_tally/Makefile.am | 2 -- modules/pam_tally/pam_tally.c | 9 +++++++-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1209c9ea..ace526d5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2007-11-20 Thorsten Kukuk + + * modules/pam_tally/pam_tally.c (tally_log): Map + pam_modutil_getpwnam to getpwnam if we don't compile + as module. + * modules/pam_tally/Makefile.am: Don't link pam_tally_app + against libpam (#1822779). + 2007-11-06 Thorsten Kukuk * xtests/tst-pam_group1.c: Include stdlib.h diff --git a/modules/pam_tally/Makefile.am b/modules/pam_tally/Makefile.am index 4fad738f..c4c181a9 100644 --- a/modules/pam_tally/Makefile.am +++ b/modules/pam_tally/Makefile.am 
@@ -28,11 +28,9 @@ securelib_LTLIBRARIES = pam_tally.la sbin_PROGRAMS = pam_tally pam_tally_SOURCES = pam_tally_app.c -pam_tally_LDADD = -L$(top_builddir)/libpam -lpam if ENABLE_REGENERATE_MAN noinst_DATA = README README: pam_tally.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index fc818ffe..8814659a 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -37,14 +37,16 @@ * modules include file to define the function prototypes. */ +#ifndef MAIN #define PAM_SM_AUTH #define PAM_SM_ACCOUNT /* #define PAM_SM_SESSION */ /* #define PAM_SM_PASSWORD */ -#include #include #include +#endif +#include #ifndef TRUE #define TRUE 1L @@ -115,6 +117,9 @@ tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED, fprintf(stderr,"\n"); va_end(args); } + +#define pam_modutil_getpwnam(pamh,user) getpwnam(user) + #endif /*---------------------------------------------------------------------*/ @@ -353,7 +358,7 @@ get_tally(pam_handle_t *pamh, tally_t *tally, uid_t uid, return PAM_AUTH_ERR; } - if ( fileinfo.st_size <= uid * sizeof(struct faillog) ) { + if ( (size_t)fileinfo.st_size <= uid * sizeof(struct faillog) ) { memset(fsp, 0, sizeof(struct faillog)); *tally=0; -- cgit v1.2.3 From 2431111ad5a49bce6bb943f599b7ab3509e9f181 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 20 Nov 2007 11:01:23 +0000 Subject: Relevant BUGIDs: 1822779 Purpose of commit: bugfix Commit summary: --------------- 2007-11-20 Thorsten Kukuk * modules/pam_unix/Makefile.am (unix_chkpwd_LDADD): Don't link unix_chkpwd unnecessary against libpam (#1822779). --- ChangeLog | 3 +++ modules/pam_unix/Makefile.am | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ace526d5..b572b38b 100644 --- a/ChangeLog +++ b/ChangeLog 
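Review bot: The `(size_t)` cast added in get_tally silences the signed/unsigned comparison but narrows `st_size` on builds where `off_t` is wider than `size_t`, and `uid * sizeof(struct faillog)` can still wrap for large UIDs when `size_t` is 32 bits. Either effect would send the lookup down the wrong branch, which here decides between reporting a zero tally and, presumably, reading the stored record. Doing the comparison in a wide type avoids both, `if ( (uintmax_t)fileinfo.st_size <= (uintmax_t)uid * sizeof(struct faillog) ) {`, with `<stdint.h>` included. get_tally starts and ends outside the hunk.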
@@ -1,5 +1,8 @@ 2007-11-20 Thorsten Kukuk + * modules/pam_unix/Makefile.am (unix_chkpwd_LDADD): Don't link + unix_chkpwd unnecessary against libpam (#1822779). + * modules/pam_tally/pam_tally.c (tally_log): Map pam_modutil_getpwnam to getpwnam if we don't compile as module. diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index f9d77f4c..caccdf05 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -51,7 +51,7 @@ bigcrypt_LDADD = @LIBCRYPT@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -unix_chkpwd_LDADD = -L$(top_builddir)/libpam -lpam @LIBCRYPT@ @LIBSELINUX@ +unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ if ENABLE_REGENERATE_MAN noinst_DATA = README -- cgit v1.2.3 From 39483af547d33022ff9e18b741165f0551bdc090 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Wed, 5 Dec 2007 10:03:29 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2007-12-05 Tomas Mraz * modules/pam_unix/Makefile.am: Add passverify.h and passverify.c as first part of pam_unix refactorization. * modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/passverify.c: New file with common functions. * modules/pam_unix/passverify.h: Prototypes for the common functions. * modules/pam_unix/support.c: Include passverify.h, move _unix_shadowed() to passverify.c. (_unix_verify_password): Refactor out verify_pwd_hash() function. * modules/pam_unix/support.h: Move _unix_shadowed() prototype to passverify.h * modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and verify_pwd_hash() from passverify.c. --- ChangeLog | 16 +++++ modules/pam_unix/Makefile.am | 7 ++- modules/pam_unix/pam_unix_acct.c | 1 + modules/pam_unix/pam_unix_passwd.c | 1 + modules/pam_unix/passverify.c | 125 +++++++++++++++++++++++++++++++++++++ modules/pam_unix/passverify.h | 43 +++++++++++++ modules/pam_unix/support.c | 64 +------------------ modules/pam_unix/support.h | 1 - modules/pam_unix/unix_chkpwd.c | 82 ++---------------------- 9 files changed, 197 insertions(+), 143 deletions(-) create mode 100644 modules/pam_unix/passverify.c create mode 100644 modules/pam_unix/passverify.h diff --git a/ChangeLog b/ChangeLog index b572b38b..61b2e5e1 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,19 @@ +2007-12-05 Tomas Mraz + + * modules/pam_unix/Makefile.am: Add passverify.h and passverify.c + as first part of pam_unix refactorization. + * modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h. + * modules/pam_unix/pam_unix_passwd.c: Likewise. + * modules/pam_unix/passverify.c: New file with common functions. + * modules/pam_unix/passverify.h: Prototypes for the common functions. + * modules/pam_unix/support.c: Include passverify.h, move + _unix_shadowed() to passverify.c. + (_unix_verify_password): Refactor out verify_pwd_hash() function. + * modules/pam_unix/support.h: Move _unix_shadowed() prototype to + passverify.h + * modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and + verify_pwd_hash() from passverify.c. + 2007-11-20 Thorsten Kukuk * modules/pam_unix/Makefile.am (unix_chkpwd_LDADD): Don't link diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index caccdf05..a74d9762 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -34,7 +34,7 @@ pam_unix_la_LIBADD = @LIBCRACK@ @LIBNSL@ -L$(top_builddir)/libpam -lpam \ securelib_LTLIBRARIES = pam_unix.la -noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h +noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h sbin_PROGRAMS = unix_chkpwd @@ -42,13 +42,14 @@ noinst_PROGRAMS = bigcrypt pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ - yppasswd_xdr.c md5_good.c md5_broken.c + passverify.c yppasswd_xdr.c md5_good.c md5_broken.c bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) bigcrypt_LDADD = @LIBCRYPT@ -unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c +unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ 
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 6b04ed2f..aeecb132 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -63,6 +63,7 @@ #include #include "support.h" +#include "passverify.h" #ifdef WITH_SELINUX diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index c8ee5492..3a61925e 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -84,6 +84,7 @@ static security_context_t prev_context=NULL; #include "yppasswd.h" #include "md5.h" #include "support.h" +#include "passverify.h" #include "bigcrypt.h" #if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1)) diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c new file mode 100644 index 00000000..6587bace --- /dev/null +++ b/modules/pam_unix/passverify.c 
@@ -0,0 +1,125 @@ +/* + * Copyright information at end of file. + */ +#include "config.h" +#include +#include +#include "support.h" +#include +#include +#include + +#include "md5.h" +#include "bigcrypt.h" +#include "passverify.h" + +int +verify_pwd_hash(const char *p, const char *hash, unsigned int nullok) +{ + size_t hash_len = strlen(hash); + char *pp = NULL; + int retval; + D(("called")); + + if (!hash_len) { + /* the stored password is NULL */ + if (nullok) { /* this means we've succeeded */ + D(("user has empty password - access granted")); + retval = PAM_SUCCESS; + } else { + D(("user has empty password - access denied")); + retval = PAM_AUTH_ERR; + } + } else if (!p || *hash == '*' || *hash == '!') { + retval = PAM_AUTH_ERR; + } else { + if (!strncmp(hash, "$1$", 3)) { + pp = Goodcrypt_md5(p, hash); + if (pp && strcmp(pp, hash) != 0) { + _pam_delete(pp); + pp = Brokencrypt_md5(p, hash); + } + } else if (*hash != '$' && hash_len >= 13) { + pp = bigcrypt(p, hash); + if (pp && hash_len == 13 && strlen(pp) > hash_len) { + _pam_overwrite(pp + hash_len); + } + } else { + /* + * Ok, we don't know the crypt algorithm, but maybe + * libcrypt nows about it? We should try it. + */ + pp = x_strdup(crypt(p, hash)); + } + p = NULL; /* no longer needed here */ + + /* the moment of truth -- do we agree with the password? */ + D(("comparing state of pp[%s] and salt[%s]", pp, salt)); + + if (pp && strcmp(pp, hash) == 0) { + retval = PAM_SUCCESS; + } else { + retval = PAM_AUTH_ERR; + } + } + + if (pp) + _pam_delete(pp); + D(("done [%d].", retval)); + + return retval; +} + +int _unix_shadowed(const struct passwd *pwd) +{ + if (pwd != NULL) { + if (strcmp(pwd->pw_passwd, "x") == 0) { + return 1; + } + if ((pwd->pw_passwd[0] == '#') && + (pwd->pw_passwd[1] == '#') && + (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)) { + return 1; + } + } + return 0; +} + +/* ****************************************************************** * + * Copyright (c) Jan Rêkorajski 1999. 
+ * Copyright (c) Andrew G. Morgan 1996-8. + * Copyright (c) Alex O. Yuriev, 1996. + * Copyright (c) Cristian Gafton 1996. + * Copyright (c) Red Hat, Inc. 2007. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ 
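Review bot: The debug line in verify_pwd_hash, `D(("comparing state of pp[%s] and salt[%s]", pp, salt));`, names `salt`, which is neither a parameter nor a local of this function (the stored value is `hash`), so a build with the `D()` macro enabled would presumably fail to compile. The same line prints the computed and the stored password hash, and `pp` can be NULL when it is reached. I would replace it with `D(("comparing computed hash with stored hash"));`. A header comment stating the contract (returns PAM_SUCCESS or PAM_AUTH_ERR, `nullok` permits an empty stored hash, a leading `*` or `!` always fails) would also help, since the ChangeLog says the function is now shared by the module and unix_chkpwd.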
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h new file mode 100644 index 00000000..a3ae9210 --- /dev/null +++ b/modules/pam_unix/passverify.h 
@@ -0,0 +1,43 @@ +/* + * Copyright information at end of file. + */ +int +verify_pwd_hash(const char *p, const char *hash, unsigned int nullok); + +int +_unix_shadowed(const struct passwd *pwd); + +/* ****************************************************************** * + * Copyright (c) Red Hat, Inc. 2007. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 1472b966..60acc958 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -26,9 +26,8 @@ #include #include -#include "md5.h" #include "support.h" -#include "bigcrypt.h" +#include "passverify.h" #ifdef WITH_SELINUX #include #define SELINUX_ENABLED is_selinux_enabled()>0 @@ -579,7 +578,6 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name struct passwd *pwd = NULL; struct spwd *spwdent = NULL; char *salt = NULL; - char *pp = NULL; char *data_name; int retval; 
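Review bot: The new passverify.h declares `_unix_shadowed(const struct passwd *pwd)` without including `<pwd.h>` and has no include guard, so it only compiles cleanly if every includer has already pulled in `<pwd.h>`; the include lists of support.c and unix_chkpwd.c are not readable here, so that ordering cannot be confirmed. Adding `#include <pwd.h>` and a guard such as `#ifndef PAM_UNIX_PASSVERIFY_H` would make the header self-contained. The prototype of `verify_pwd_hash` also has no comment: since it now carries the password check for both pam_unix and unix_chkpwd, it should document which PAM codes it returns, that a non-zero `nullok` presumably accepts an empty stored hash, and whether it scrubs the intermediate hash it computes.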
@@ -679,48 +677,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name } } } else { - size_t salt_len = strlen(salt); - if (!salt_len) { - /* the stored password is NULL */ - if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ - D(("user has empty password - access granted")); - retval = PAM_SUCCESS; - } else { - D(("user has empty password - access denied")); - retval = PAM_AUTH_ERR; - } - } else if (!p || *salt == '*' || *salt == '!') { - retval = PAM_AUTH_ERR; - } else { - if (!strncmp(salt, "$1$", 3)) { - pp = Goodcrypt_md5(p, salt); - if (pp && strcmp(pp, salt) != 0) { - _pam_delete(pp); - pp = Brokencrypt_md5(p, salt); - } - } else if (*salt != '$' && salt_len >= 13) { - pp = bigcrypt(p, salt); - if (pp && salt_len == 13 && strlen(pp) > salt_len) { - _pam_overwrite(pp + salt_len); - } - } else { - /* - * Ok, we don't know the crypt algorithm, but maybe - * libcrypt nows about it? We should try it. - */ - pp = x_strdup (crypt(p, salt)); - } - p = NULL; /* no longer needed here */ - - /* the moment of truth -- do we agree with the password? */ - D(("comparing state of pp[%s] and salt[%s]", pp, salt)); - - if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } else { - retval = PAM_AUTH_ERR; - } - } + retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); } if (retval == PAM_SUCCESS) { @@ -809,8 +766,6 @@ cleanup: _pam_delete(data_name); if (salt) _pam_delete(salt); - if (pp) - _pam_delete(pp); D(("done [%d].", retval)); 
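Review bot: The two call sites that this commit routes through `verify_pwd_hash` disagreed on edge cases before, and the replacement line `retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));` does not say which behaviour now applies. The branch removed here returned PAM_AUTH_ERR for a NULL `p` and handed any non-`$` hash shorter than 13 characters to `crypt()`, while the branch removed from unix_chkpwd.c (hunk `@@ -180,69 +159,18 @@`) returned PAM_AUTHTOK_ERR for an empty password and rejected short hashes outright. A comment above the call, for example `/* nullok is the inverse of UNIX__NONULL; empty-password and locked-hash results are decided in verify_pwd_hash() */`, plus an xtest that pins the result for an empty password and for a `*` or `!` hash, would keep the merged behaviour from drifting. The body of `_unix_verify_password` starts and ends outside this hunk.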
@@ -971,21 +926,6 @@ int _unix_read_password(pam_handle_t * pamh return PAM_SUCCESS; } -int _unix_shadowed(const struct passwd *pwd) -{ - if (pwd != NULL) { - if (strcmp(pwd->pw_passwd, "x") == 0) { - return 1; - } - if ((pwd->pw_passwd[0] == '#') && - (pwd->pw_passwd[1] == '#') && - (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)) { - return 1; - } - } - return 0; -} - /* ****************************************************************** * * Copyright (c) Jan Rkorajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 9873b161..94a9b393 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -149,7 +149,6 @@ extern int _unix_read_password(pam_handle_t * pamh ,const char *prompt2 ,const char *data_name ,const void **pass); -extern int _unix_shadowed(const struct passwd *pwd); extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user); #endif /* _PAM_UNIX_SUPPORT_H */ diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 486a8498..1e8944e9 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -39,8 +39,7 @@ static int selinux_enabled=-1; #include #include -#include "md5.h" -#include "bigcrypt.h" +#include "passverify.h" /* syslogging function for errors and other information */ @@ -55,24 +54,6 @@ static void _log_err(int err, const char *format,...) closelog(); } -static int _unix_shadowed(const struct passwd *pwd) -{ - char hashpass[1024]; - if (pwd != NULL) { - if (strcmp(pwd->pw_passwd, "x") == 0) { - return 1; - } - if (strlen(pwd->pw_name) < sizeof(hashpass) - 2) { - strcpy(hashpass, "##"); - strcpy(hashpass + 2, pwd->pw_name); - if (strcmp(pwd->pw_passwd, hashpass) == 0) { - return 1; - } - } - } - return 0; -} - static void su_sighandler(int sig) { #ifndef SA_RESETHAND 
@@ -142,9 +123,7 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) struct passwd *pwd = NULL; struct spwd *spwdent = NULL; char *salt = NULL; - char *pp = NULL; int retval = PAM_AUTH_ERR; - size_t salt_len; /* UNIX passwords area */ setpwent(); 
@@ -180,69 +159,18 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) } if (pwd == NULL || salt == NULL) { _log_err(LOG_WARNING, "check pass; user unknown"); - p = NULL; - return PAM_USER_UNKNOWN; + retval = PAM_USER_UNKNOWN; + } else { + retval = verify_pwd_hash(p, salt, nullok); } - salt_len = strlen(salt); - if (salt_len == 0) { - return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS; - } - if (p == NULL || strlen(p) == 0) { + if (salt) { _pam_overwrite(salt); _pam_drop(salt); - return PAM_AUTHTOK_ERR; } - /* the moment of truth -- do we agree with the password? */ - retval = PAM_AUTH_ERR; - if (!strncmp(salt, "$1$", 3)) { - pp = Goodcrypt_md5(p, salt); - if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } else { - _pam_overwrite(pp); - _pam_drop(pp); - pp = Brokencrypt_md5(p, salt); - if (pp && strcmp(pp, salt) == 0) - retval = PAM_SUCCESS; - } - } else if (*salt == '$') { - /* - * Ok, we don't know the crypt algorithm, but maybe - * libcrypt nows about it? We should try it. - */ - pp = x_strdup (crypt(p, salt)); - if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } - } else if (*salt == '*' || *salt == '!' || salt_len < 13) { - retval = PAM_AUTH_ERR; - } else { - pp = bigcrypt(p, salt); - /* - * Note, we are comparing the bigcrypt of the password with - * the contents of the password field. If the latter was - * encrypted with regular crypt (and not bigcrypt) it will - * have been truncated for storage relative to the output - * of bigcrypt here. As such we need to compare only the - * stored string with the subset of bigcrypt's result. - * Bug 521314. - */ - if (pp && salt_len == 13 && strlen(pp) > salt_len) { - _pam_overwrite(pp+salt_len); - } - - if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } - } p = NULL; /* no longer needed here */ - /* clean up */ - _pam_overwrite(pp); - _pam_drop(pp); - return retval; } -- cgit v1.2.3 From d89432f7266106f61532115ac0fcf25d8167afa1 Mon Sep 17 00:00:00 2001 
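Review bot: The line `p = NULL; /* no longer needed here */` kept just before `return retval;` is a dead store on a by-value parameter: it neither scrubs the password buffer nor changes anything the caller sees, although the comment reads as if the secret had been disposed of. Either drop the line, or replace the comment with one that names who wipes the password buffer, which is presumably the caller in unix_chkpwd.c. `nullok` is an `int` here while the prototype in passverify.h takes `unsigned int`, so the conversion is implicit; matching the two types would avoid a -Wconversion warning. `_unix_verify_password` begins outside this hunk.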
From: Tomas Mraz Date: Wed, 5 Dec 2007 20:08:57 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2007-12-05 Miloslav Trmac * configure.in: Add test for audit_tty_status struct. Add pam_tty_audit module. * libpam/pam_static_modules.h: Add pam_tty_audit module. * modules/pam_tty_audit/Makefile.am: New file. * modules/pam_tty_audit/README.xml: Likewise. * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. --- ChangeLog | 10 + NEWS | 2 + configure.in | 16 +- libpam/pam_static_modules.h | 6 + modules/Makefile.am | 4 +- modules/pam_tty_audit/Makefile.am | 30 +++ modules/pam_tty_audit/README.xml | 36 ++++ modules/pam_tty_audit/pam_tty_audit.8.xml | 120 +++++++++++ modules/pam_tty_audit/pam_tty_audit.c | 348 ++++++++++++++++++++++++++++++ 9 files changed, 567 insertions(+), 5 deletions(-) create mode 100644 modules/pam_tty_audit/Makefile.am create mode 100644 modules/pam_tty_audit/README.xml create mode 100644 modules/pam_tty_audit/pam_tty_audit.8.xml create mode 100644 modules/pam_tty_audit/pam_tty_audit.c diff --git a/ChangeLog b/ChangeLog index 61b2e5e1..fcfb06ea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2007-12-05 Miloslav Trmac + + * configure.in: Add test for audit_tty_status struct. Add + pam_tty_audit module. + * libpam/pam_static_modules.h: Add pam_tty_audit module. + * modules/pam_tty_audit/Makefile.am: New file. + * modules/pam_tty_audit/README.xml: Likewise. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. + * modules/pam_tty_audit/pam_tty_audit.c: Likewise. + 2007-12-05 Tomas Mraz * modules/pam_unix/Makefile.am: Add passverify.h and passverify.c diff --git a/NEWS b/NEWS index acc6d0f2..87aaa6c7 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,8 @@ Linux-PAM NEWS -- history of user-visible changes. * New substack directive in config file syntax. +* New module pam_tty_audit.so for enabling and disabling tty + auditing. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/configure.in b/configure.in index db00a62b..146e177a 100644 --- a/configure.in +++ b/configure.in @@ -331,15 +331,24 @@ AC_ARG_ENABLE([audit], WITH_LIBAUDIT=$enableval, WITH_LIBAUDIT=yes) if test x"$WITH_LIBAUDIT" != xno ; then AC_CHECK_HEADER([libaudit.h], - [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")] + [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="") + AC_CHECK_TYPE([struct audit_tty_status], + [HAVE_AUDIT_TTY_STATUS=yes], + [HAVE_AUDIT_TTY_STATUS=""], + [#include ])] ) if test ! -z "$LIBAUDIT" -a "ac_cv_header_libaudit_h" != "no" ; then - AC_DEFINE([HAVE_LIBAUDIT], 1, [Defined if audit support should be compiled in]) + AC_DEFINE([HAVE_LIBAUDIT], 1, [Define to 1 if audit support should be compiled in.]) + fi + if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then + AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.]) fi else LIBAUDIT="" fi AC_SUBST(LIBAUDIT) +AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS], + [test "x$HAVE_AUDIT_TTY_STATUS" = xyes]) BACKUP_LIBS=$LIBS AC_SEARCH_LIBS([crypt],[xcrypt crypt], LIBCRYPT="-l$ac_lib", LIBCRYPT="") 
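Review bot: In the configure.in hunk, `HAVE_AUDIT_TTY_STATUS` is only assigned inside the found-branch of `AC_CHECK_HEADER([libaudit.h], ...)`, so with `--disable-audit` or without libaudit.h the later `AM_CONDITIONAL` tests whatever value the variable had in the environment. Setting `HAVE_AUDIT_TTY_STATUS=""` before the `if test x"$WITH_LIBAUDIT" != xno` line makes the result depend only on the check. The adjacent context line compares the literal string `"ac_cv_header_libaudit_h"` with `"no"`, which is always true; it was presumably meant to be `"$ac_cv_header_libaudit_h" != "no"`.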
@@ -513,7 +522,8 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \ modules/pam_securetty/Makefile modules/pam_selinux/Makefile \ modules/pam_shells/Makefile modules/pam_stress/Makefile \ modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \ - modules/pam_time/Makefile modules/pam_umask/Makefile \ + modules/pam_time/Makefile modules/pam_tty_audit/Makefile \ + modules/pam_umask/Makefile \ modules/pam_unix/Makefile modules/pam_userdb/Makefile \ modules/pam_warn/Makefile modules/pam_wheel/Makefile \ modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \ diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h index 5445c5fe..42dcf8f0 100644 --- a/libpam/pam_static_modules.h +++ b/libpam/pam_static_modules.h @@ -73,6 +73,9 @@ extern struct pam_module _pam_stress_modstruct; extern struct pam_module _pam_succeed_if_modstruct; extern struct pam_module _pam_tally_modstruct; extern struct pam_module _pam_time_modstruct; +#ifdef HAVE_AUDIT_TTY_STATUS +extern struct pam_module _pam_tty_audit_modstruct; +#endif extern struct pam_module _pam_umask_modstruct; extern struct pam_module _pam_unix_acct_modstruct; extern struct pam_module _pam_unix_auth_modstruct; @@ -127,6 +130,9 @@ static struct pam_module *static_modules[] = { &_pam_succeed_if_modstruct, &_pam_tally_modstruct, &_pam_time_modstruct, +#ifdef HAVE_AUDIT_TTY_STATUS + &_pam_tty_audit_modstruct, +#endif &_pam_umask_modstruct, &_pam_unix_acct_modstruct, &_pam_unix_auth_modstruct, diff --git a/modules/Makefile.am b/modules/Makefile.am index 1272b0e8..88d7fe4e 100644 --- a/modules/Makefile.am +++ b/modules/Makefile.am 
@@ -7,8 +7,8 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \ pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \ pam_securetty pam_selinux pam_shells pam_stress pam_succeed_if \ - pam_tally pam_time pam_umask pam_unix pam_userdb pam_warn \ - pam_wheel pam_xauth pam_exec pam_namespace pam_loginuid \ + pam_tally pam_time pam_tty_audit pam_umask pam_unix pam_userdb \ + pam_warn pam_wheel pam_xauth pam_exec pam_namespace pam_loginuid \ pam_faildelay CLEANFILES = *~ diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am new file mode 100644 index 00000000..5bb64585 --- /dev/null +++ b/modules/pam_tty_audit/Makefile.am @@ -0,0 +1,30 @@ +# +# Copyright (c) 2005, 2006 Thorsten Kukuk +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) + +man_MANS = pam_tty_audit.8 +XMLS = README.xml pam_tty_audit.8.xml + +securelibdir = $(SECUREDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_AUDIT_TTY_STATUS + pam_tty_audit_la_LIBADD = -L$(top_builddir)/libpam -lpam + securelib_LTLIBRARIES = pam_tty_audit.la +endif + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_tty_audit.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/modules/pam_tty_audit/README.xml b/modules/pam_tty_audit/README.xml new file mode 100644 index 00000000..85b27733 --- /dev/null +++ b/modules/pam_tty_audit/README.xml @@ -0,0 +1,36 @@ + + + +
+ + + + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tty_audit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tty_audit-name"]/*)'/> + + + + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml new file mode 100644 index 00000000..7842ac66 --- /dev/null +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -0,0 +1,120 @@ + + + + + + + pam_tty_audit + 8 + Linux-PAM Manual + + + + pam_tty_audit + Enable or disable TTY auditing for specified users + + + + + pam_tty_audit.so + + disable=usernames + + + enable=usernames + + + + + + DESCRIPTION + + The pam_tty_audit PAM module is used to enable or disable TTY auditing. + By default, the kernel does not audit input on any TTY. + + + + + OPTIONS + + + + + + + + For each user matching one of comma-separated + , disable + TTY auditing. This overrides any previous + option for the same user name on the command line. + + + + + + + + + + For each user matching one of comma-separated + , enable + TTY auditing. This overrides any previous + option for the same user name on the command line. + + + + + + + + MODULE SERVICES PROVIDED + + Only the session service is supported. + + + + + RETURN VALUES + + + PAM_SESSION_ERR + + + Error reading or modifying the TTY audit flag. See the system log + for more details. + + + + + + PAM_SUCCESS + + + Success. + + + + + + + + + EXAMPLES + + Audit all administrative actions. + +auth required pam_tty_audit.so enable=root + + + + + + AUTHOR + + pam_tty_audit was written by Miloslav Trmač + <mitr@redhat.com>. + + + + diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c new file mode 100644 index 00000000..5e6211bc --- /dev/null +++ b/modules/pam_tty_audit/pam_tty_audit.c 
@@ -0,0 +1,348 @@ +/* Copyright © 2007 Red Hat, Inc. All rights reserved. + Red Hat author: Miloslav Trmač + + Redistribution and use in source and binary forms of Linux-PAM, with + or without modification, are permitted provided that the following + conditions are met: + + 1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + + 2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + + ALTERNATIVELY, this product may be distributed under the terms of the + GNU General Public License, in which case the provisions of the GNU + GPL are required INSTEAD OF the above restrictions. (This clause is + necessary due to a potential conflict between the GNU GPL and the + restrictions contained in a BSD-style copyright.) + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR + TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. 
*/ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#define PAM_SM_SESSION + +#include +#include +#include + +#define DATANAME "pam_tty_audit_last_state" + +/* Open an audit netlink socket */ +static int +nl_open (void) +{ + return socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT); +} + +static int +nl_send (int fd, unsigned type, unsigned flags, const void *data, size_t size) +{ + struct sockaddr_nl addr; + struct msghdr msg; + struct nlmsghdr nlm; + struct iovec iov[2]; + ssize_t res; + + nlm.nlmsg_len = NLMSG_LENGTH (size); + nlm.nlmsg_type = type; + nlm.nlmsg_flags = NLM_F_REQUEST | flags; + nlm.nlmsg_seq = 0; + nlm.nlmsg_pid = 0; + iov[0].iov_base = &nlm; + iov[0].iov_len = sizeof (nlm); + iov[1].iov_base = (void *)data; + iov[1].iov_len = size; + addr.nl_family = AF_NETLINK; + addr.nl_pid = 0; + addr.nl_groups = 0; + msg.msg_name = &addr; + msg.msg_namelen = sizeof (addr); + msg.msg_iov = iov; + msg.msg_iovlen = 2; + msg.msg_control = NULL; + msg.msg_controllen = 0; + msg.msg_flags = 0; + res = sendmsg (fd, &msg, 0); + if (res == -1) + return -1; + if ((size_t)res != nlm.nlmsg_len) + { + errno = EIO; + return -1; + } + return 0; +} + +static int +nl_recv (int fd, unsigned type, void *buf, size_t size) +{ + struct sockaddr_nl addr; + struct msghdr msg; + struct nlmsghdr nlm; + struct iovec iov[2]; + ssize_t res; + + again: + iov[0].iov_base = &nlm; + iov[0].iov_len = sizeof (nlm); + msg.msg_name = &addr; + msg.msg_namelen = sizeof (addr); + msg.msg_iov = iov; + msg.msg_iovlen = 1; + msg.msg_control = NULL; + msg.msg_controllen = 0; + if (type != NLMSG_ERROR) + { + res = recvmsg (fd, &msg, MSG_PEEK); + if (res == -1) + return -1; + if (res != NLMSG_LENGTH (0)) + { + errno = EIO; + return -1; + } + if (nlm.nlmsg_type == NLMSG_ERROR) + { + struct nlmsgerr err; + + iov[1].iov_base = &err; + iov[1].iov_len = sizeof (err); + msg.msg_iovlen = 2; + res = recvmsg (fd, &msg, 0); + if (res == -1) + return -1; + if ((size_t)res 
!= NLMSG_LENGTH (sizeof (err)) + || nlm.nlmsg_type != NLMSG_ERROR) + { + errno = EIO; + return -1; + } + if (err.error == 0) + goto again; + errno = -err.error; + return -1; + } + } + if (size != 0) + { + iov[1].iov_base = buf; + iov[1].iov_len = size; + msg.msg_iovlen = 2; + } + res = recvmsg (fd, &msg, 0); + if (res == -1) + return -1; + if ((size_t)res != NLMSG_LENGTH (size) + || nlm.nlmsg_type != type) + { + errno = EIO; + return -1; + } + return 0; +} + +static int +nl_recv_ack (int fd) +{ + struct nlmsgerr err; + + if (nl_recv (fd, NLMSG_ERROR, &err, sizeof (err)) != 0) + return -1; + if (err.error != 0) + { + errno = -err.error; + return -1; + } + return 0; +} + +static void +cleanup_old_status (pam_handle_t *pamh, void *data, int error_status) +{ + (void)pamh; + (void)error_status; + free (data); +} + +int +pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + enum command { CMD_NONE, CMD_ENABLE, CMD_DISABLE }; + + enum command command; + struct audit_tty_status *old_status, new_status; + const char *user; + uid_t user_uid; + struct passwd *pwd; + int i, fd; + + (void)flags; + + if (pam_get_user (pamh, &user, NULL) != PAM_SUCCESS) + { + pam_syslog (pamh, LOG_ERR, "error determining target user's name"); + return PAM_SESSION_ERR; + } + pwd = pam_modutil_getpwnam (pamh, user); + if (pwd == NULL) + { + pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m"); + return PAM_SESSION_ERR; + } + user_uid = pwd->pw_uid; + + command = CMD_NONE; + for (i = 0; i < argc; i++) + { + if (strncmp (argv[i], "enable=", 7) == 0 + || strncmp (argv[i], "disable=", 8) == 0) + { + enum command this_command; + char *copy, *tok_data, *tok; + + this_command = *argv[i] == 'e' ? 
CMD_ENABLE : CMD_DISABLE; + copy = strdup (strchr (argv[i], '=') + 1); + if (copy == NULL) + return PAM_SESSION_ERR; + for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; + tok = strtok_r (NULL, ",", &tok_data)) + { + pwd = pam_modutil_getpwnam (pamh, tok); + if (pwd == NULL) + { + pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok); + continue; + } + if (pwd->pw_uid == user_uid) + { + command = this_command; + break; + } + } + free (copy); + } + } + if (command == CMD_NONE) + return PAM_SUCCESS; + + old_status = malloc (sizeof (*old_status)); + if (old_status == NULL) + return PAM_SESSION_ERR; + + fd = nl_open (); + if (fd == -1 + || nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0 + || nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0) + { + pam_syslog (pamh, LOG_ERR, "error reading current audit status: %m"); + if (fd != -1) + close (fd); + free (old_status); + return PAM_SESSION_ERR; + } + + if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0)) + { + free (old_status); + goto ok_fd; + } + + if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) + != PAM_SUCCESS) + { + pam_syslog (pamh, LOG_ERR, "error saving old audit status"); + close (fd); + free (old_status); + return PAM_SESSION_ERR; + } + + new_status.enabled = (command == CMD_ENABLE ? 
1 : 0); + if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status, + sizeof (new_status)) != 0 + || nl_recv_ack (fd) != 0) + { + pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m"); + close (fd); + return PAM_SESSION_ERR; + } + /* Fall through */ + ok_fd: + close (fd); + pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d", + old_status->enabled, new_status.enabled); + return PAM_SUCCESS; +} + +int +pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + const void *status_; + + (void)flags; + (void)argc; + (void)argv; + if (pam_get_data (pamh, DATANAME, &status_) == PAM_SUCCESS) + { + const struct audit_tty_status *status; + int fd; + + status = status_; + + fd = nl_open (); + if (fd == -1 + || nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, status, + sizeof (*status)) != 0 + || nl_recv_ack (fd) != 0) + { + pam_syslog (pamh, LOG_ERR, "error restoring audit status: %m"); + if (fd != -1) + close (fd); + return PAM_SESSION_ERR; + } + close (fd); + pam_syslog (pamh, LOG_ERR, "restored status to %d", status->enabled); + } + return PAM_SUCCESS; +} + +/* static module data */ +#ifdef PAM_STATIC +struct pam_module _pam_tty_audit_modstruct = { + "pam_tty_audit", + NULL, + NULL, + NULL, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; +#endif -- cgit v1.2.3 From 337e34ff7407327700ae3ddf2bdda00698386e13 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 6 Dec 2007 07:24:23 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2007-12-05 Tomas Mraz * modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example. --- ChangeLog | 4 ++++ modules/pam_tty_audit/pam_tty_audit.8.xml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index fcfb06ea..32135cdd 100644 --- a/ChangeLog +++ b/ChangeLog 
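Review bot: In pam_sm_open_session, the branch taken when the TTY audit flag already has the requested value calls `free (old_status)` and then jumps to `ok_fd:`, where `pam_syslog` reads `old_status->enabled` from freed memory and `new_status.enabled`, which is never assigned on that path. Replacing the `goto ok_fd;` in that branch with `close (fd); free (old_status); return PAM_SUCCESS;` and dropping the label removes both reads, and stops the "changed status" message from being logged when nothing changed. nl_recv fills `addr` on every `recvmsg` but never inspects it; checking `addr.nl_pid == 0` before trusting the reply would confirm that it came from the kernel. pam_sm_close_session reports a successful restore at `LOG_ERR`, where `LOG_DEBUG` would match the corresponding message in pam_sm_open_session.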
@@ -1,3 +1,7 @@ +2007-12-06 Tomas Mraz + + * modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example. + 2007-12-05 Miloslav Trmac * configure.in: Add test for audit_tty_status struct. Add diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 7842ac66..f65762ad 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -104,7 +104,7 @@ Audit all administrative actions. -auth required pam_tty_audit.so enable=root +session required pam_tty_audit.so enable=root -- cgit v1.2.3 From 632dffe99cc8e3aefb4410aec2a3091df48a6f46 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Thu, 6 Dec 2007 20:20:07 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2007-12-06 Eamon Walsh * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n() macro. * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY, PAM_XAUTHDATA items, pam_xauth_data struct. * libpam/pam_item.c (pam_set_item, pam_get_item): Handle PAM_XDISPLAY and PAM_XAUTHDATA items. * libpam/pam_end.c (pam_end): Destroy the new items. * libpam/pam_private.h (pam_handle): Add data members for new items. Add prototype for _pam_memdup. * libpam/pam_misc.c: Add _pam_memdup. * doc/man/Makefile.am: Add pam_xauth_data.3. Replace pam_item_types.inc.xml with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml. * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml. * doc/man/pam_set_item.3.xml: Likewise. * doc/man/pam_item_types.inc.xml: Removed file. * doc/man/pam_item_types_ext.inc.xml: New file. * doc/man/pam_item_types_std.inc.xml: New file. --- ChangeLog | 22 +++++ NEWS | 1 + doc/man/Makefile.am | 10 +-- doc/man/pam_get_item.3.xml | 13 ++- doc/man/pam_item_types.inc.xml | 151 ---------------------------------- doc/man/pam_item_types_ext.inc.xml | 45 ++++++++++ doc/man/pam_item_types_std.inc.xml | 138 +++++++++++++++++++++++++++++++ doc/man/pam_set_item.3.xml | 13 ++- libpam/include/security/_pam_macros.h | 9 ++ libpam/include/security/_pam_types.h | 14 ++++ libpam/pam_end.c | 9 ++ libpam/pam_item.c | 26 ++++++ libpam/pam_misc.c | 22 +++++ libpam/pam_private.h | 4 + 14 files changed, 317 insertions(+), 160 deletions(-) delete mode 100644 doc/man/pam_item_types.inc.xml create mode 100644 doc/man/pam_item_types_ext.inc.xml create mode 100644 doc/man/pam_item_types_std.inc.xml diff --git a/ChangeLog b/ChangeLog index 32135cdd..452001e7 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,25 @@ +2007-12-06 Eamon Walsh + + * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n() + macro. + * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY, + PAM_XAUTHDATA items, pam_xauth_data struct. + * libpam/pam_item.c (pam_set_item, pam_get_item): Handle + PAM_XDISPLAY and PAM_XAUTHDATA items. + * libpam/pam_end.c (pam_end): Destroy the new items. + * libpam/pam_private.h (pam_handle): Add data members for new + items. Add prototype for _pam_memdup. + * libpam/pam_misc.c: Add _pam_memdup. + * doc/man/Makefile.am: Add pam_xauth_data.3. Replace + pam_item_types.inc.xml with pam_item_types_std.inc.xml and + pam_item_types_ext.inc.xml. + * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml + with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml. + * doc/man/pam_set_item.3.xml: Likewise. + * doc/man/pam_item_types.inc.xml: Removed file. + * doc/man/pam_item_types_ext.inc.xml: New file. + * doc/man/pam_item_types_std.inc.xml: New file. + 2007-12-06 Tomas Mraz * modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example. diff --git a/NEWS b/NEWS index 87aaa6c7..e794525e 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,7 @@ Linux-PAM NEWS -- history of user-visible changes. * New substack directive in config file syntax. * New module pam_tty_audit.so for enabling and disabling tty auditing. +* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 7d17a439..926f1ae5 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -10,7 +10,7 @@ man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \ pam_acct_mgmt.3 pam_authenticate.3 \ pam_chauthtok.3 pam_close_session.3 pam_conv.3 \ pam_end.3 pam_error.3 \ - pam_fail_delay.3 \ + pam_fail_delay.3 pam_xauth_data.3 \ pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \ pam_getenvlist.3 \ pam_info.3 \ 
@@ -27,7 +27,7 @@ XMLS = pam.3.xml pam.8.xml \ pam_acct_mgmt.3.xml pam_authenticate.3.xml \ pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \ pam_end.3.xml pam_error.3.xml \ - pam_fail_delay.3.xml \ + pam_fail_delay.3.xml pam_xauth_data.3 \ pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \ pam_getenv.3.xml pam_getenvlist.3.xml \ pam_info.3.xml \ @@ -38,14 +38,14 @@ XMLS = pam.3.xml pam.8.xml \ pam_sm_close_session.3.xml pam_sm_open_session.3.xml \ pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \ pam_sm_chauthtok.3.xml \ - pam_item_types.inc.xml \ + pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \ pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \ misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \ pam_misc_setenv.3.xml if ENABLE_REGENERATE_MAN -pam_get_item.3: pam_item_types.inc.xml -pam_set_data.3: pam_item_types.inc.xml +pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml +pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml -include $(top_srcdir)/Make.xml.rules endif diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml index e5806d11..d07862e0 100644 --- a/doc/man/pam_get_item.3.xml +++ b/doc/man/pam_get_item.3.xml @@ -3,7 +3,8 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [ ]> @@ -55,7 +56,15 @@
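Review bot: The XMLS list gains `pam_xauth_data.3` where every other entry names a `.3.xml` source, which looks like a typo for `pam_fail_delay.3.xml pam_xauth_data.3.xml \`. The diffstat of this commit also lists no pam_xauth_data.3.xml, so the `pam_xauth_data.3` entry added to man_MANS in the first hunk may have nothing to be generated from. In the `@@ -38,14 +38,14 @@` hunk the rewritten rule still targets `pam_set_data.3`, while the ChangeLog says the include files are used by pam_set_item.3.xml; `pam_set_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml` looks like the intended rule.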
+ href="pam_item_types_std.inc.xml"/> + + + The following additional items are specific to Linux-PAM and should not be used in + portable applications: + + + If a service module wishes to obtain the name of the user, diff --git a/doc/man/pam_item_types.inc.xml b/doc/man/pam_item_types.inc.xml deleted file mode 100644 index 9d70087b..00000000 --- a/doc/man/pam_item_types.inc.xml +++ /dev/null 
@@ -1,151 +0,0 @@ - - - - - PAM_SERVICE - - - The service name (which identifies that PAM stack that - the PAM functions will use to authenticate the program). - - - - - - PAM_USER - - - The username of the entity under whose identity service - will be given. That is, following authentication, - PAM_USER identifies the local entity - that gets to use the service. Note, this value can be mapped - from something (eg., "anonymous") to something else (eg. - "guest119") by any module in the PAM stack. As such an - application should consult the value of - PAM_USER after each call to a PAM function. - - - - - - PAM_USER_PROMPT - - - The string used when prompting for a user's name. The default - value for this string is a localized version of "login: ". - - - - - - PAM_TTY - - - The terminal name: prefixed by /dev/ if - it is a device file; for graphical, X-based, applications the - value for this item should be the - $DISPLAY variable. - - - - - - PAM_RUSER - - - The requesting user name: local name for a locally - requesting user or a remote user name for a remote - requesting user. - - - Generally an application or module will attempt to supply - the value that is most strongly authenticated (a local account - before a remote one. The level of trust in this value is - embodied in the actual authentication stack associated with - the application, so it is ultimately at the discretion of the - system administrator. - - - PAM_RUSER@PAM_RHOST should always identify - the requesting user. In some cases, - PAM_RUSER may be NULL. In such situations, - it is unclear who the requesting entity is. - - - - - - PAM_RHOST - - - The requesting hostname (the hostname of the machine from - which the PAM_RUSER entity is requesting - service). That is PAM_RUSER@PAM_RHOST - does identify the requesting user. In some applications, - PAM_RHOST may be NULL. In such situations, - it is unclear where the authentication request is originating - from. 
- - - - - - PAM_AUTHTOK - - - The authentication token (often a password). This token - should be ignored by all module functions besides - - pam_sm_authenticate3 - and - - pam_sm_chauthtok3 - . - In the former function it is used to pass the most recent - authentication token from one stacked module to another. In - the latter function the token is used for another purpose. - It contains the currently active authentication token. - - - - - - PAM_OLDAUTHTOK - - - The old authentication token. This token should be ignored - by all module functions except - - pam_sm_chauthtok3 - . - - - - - - - PAM_CONV - - - The pam_conv structure. See - - pam_conv3 - . - - - - - - PAM_FAIL_DELAY - - - A function pointer to redirect centrally managed - failure delays. See - - pam_fail_delay3 - . - - - - - diff --git a/doc/man/pam_item_types_ext.inc.xml b/doc/man/pam_item_types_ext.inc.xml new file mode 100644 index 00000000..0c72f699 --- /dev/null +++ b/doc/man/pam_item_types_ext.inc.xml @@ -0,0 +1,45 @@ + + + + + PAM_FAIL_DELAY + + + A function pointer to redirect centrally managed + failure delays. See + + pam_fail_delay3 + . + + + + + + PAM_XDISPLAY + + + The name of the X display. For graphical, X-based applications the + value for this item should be the $DISPLAY + variable. This value should be used instead of + PAM_TTY for passing the + name of the display where possible. + + + + + + PAM_XAUTHDATA + + + A pointer to a structure containing the X authentication data + required to make a connection to the display specified by + PAM_XDISPLAY, if such information is + necessary. See + + pam_xauth_data3 + . + + + + + diff --git a/doc/man/pam_item_types_std.inc.xml b/doc/man/pam_item_types_std.inc.xml new file mode 100644 index 00000000..81f240b0 --- /dev/null +++ b/doc/man/pam_item_types_std.inc.xml 
@@ -0,0 +1,138 @@ + + + + + PAM_SERVICE + + + The service name (which identifies that PAM stack that + the PAM functions will use to authenticate the program). + + + + + + PAM_USER + + + The username of the entity under whose identity service + will be given. That is, following authentication, + PAM_USER identifies the local entity + that gets to use the service. Note, this value can be mapped + from something (eg., "anonymous") to something else (eg. + "guest119") by any module in the PAM stack. As such an + application should consult the value of + PAM_USER after each call to a PAM function. + + + + + + PAM_USER_PROMPT + + + The string used when prompting for a user's name. The default + value for this string is a localized version of "login: ". + + + + + + PAM_TTY + + + The terminal name: prefixed by /dev/ if + it is a device file; for graphical, X-based, applications the + value for this item should be the + $DISPLAY variable. + + + + + + PAM_RUSER + + + The requesting user name: local name for a locally + requesting user or a remote user name for a remote + requesting user. + + + Generally an application or module will attempt to supply + the value that is most strongly authenticated (a local account + before a remote one. The level of trust in this value is + embodied in the actual authentication stack associated with + the application, so it is ultimately at the discretion of the + system administrator. + + + PAM_RUSER@PAM_RHOST should always identify + the requesting user. In some cases, + PAM_RUSER may be NULL. In such situations, + it is unclear who the requesting entity is. + + + + + + PAM_RHOST + + + The requesting hostname (the hostname of the machine from + which the PAM_RUSER entity is requesting + service). That is PAM_RUSER@PAM_RHOST + does identify the requesting user. In some applications, + PAM_RHOST may be NULL. In such situations, + it is unclear where the authentication request is originating + from. 
+ + + + + + PAM_AUTHTOK + + + The authentication token (often a password). This token + should be ignored by all module functions besides + + pam_sm_authenticate3 + and + + pam_sm_chauthtok3 + . + In the former function it is used to pass the most recent + authentication token from one stacked module to another. In + the latter function the token is used for another purpose. + It contains the currently active authentication token. + + + + + + PAM_OLDAUTHTOK + + + The old authentication token. This token should be ignored + by all module functions except + + pam_sm_chauthtok3 + . + + + + + + + PAM_CONV + + + The pam_conv structure. See + + pam_conv3 + . + + + + + diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml index cbac8413..39758313 100644 --- a/doc/man/pam_set_item.3.xml +++ b/doc/man/pam_set_item.3.xml @@ -3,7 +3,8 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [ ]> @@ -52,7 +53,15 @@ + href="pam_item_types_std.inc.xml"/> + + + The following additional items are specific to Linux-PAM and should not be used in + portable applications: + + + For all item_types, other than PAM_CONV and diff --git a/libpam/include/security/_pam_macros.h b/libpam/include/security/_pam_macros.h index f7da10a7..72aaf468 100644 --- a/libpam/include/security/_pam_macros.h +++ b/libpam/include/security/_pam_macros.h @@ -25,6 +25,15 @@ do { \ *__xx__++ = '\0'; \ } while (0) +#define _pam_overwrite_n(x,n) \ +do { \ + register char *__xx__; \ + register int __i__ = 0; \ + if ((__xx__=(x))) \ + for (;__i__former.substates); + _pam_overwrite(pamh->xdisplay); + _pam_drop(pamh->xdisplay); + + _pam_overwrite(pamh->xauth.name); + _pam_drop(pamh->xauth.name); + _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen); + _pam_drop(pamh->xauth.data); + _pam_overwrite_n(&pamh->xauth, sizeof(pamh->xauth)); + /* and finally liberate the memory for the pam_handle structure */ _pam_drop(pamh); 
diff --git a/libpam/pam_item.c b/libpam/pam_item.c index 52efe80b..41d90087 100644 --- a/libpam/pam_item.c +++ b/libpam/pam_item.c @@ -138,6 +138,24 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) pamh->fail_delay.delay_fn_ptr = item; break; + case PAM_XDISPLAY: + RESET(pamh->xdisplay, item); + break; + + case PAM_XAUTHDATA: + if (pamh->xauth.namelen) { + _pam_overwrite(pamh->xauth.name); + free(pamh->xauth.name); + } + if (pamh->xauth.datalen) { + _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen); + free(pamh->xauth.data); + } + pamh->xauth = *((const struct pam_xauth_data *) item); + pamh->xauth.name = _pam_strdup(pamh->xauth.name); + pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen); + break; + default: retval = PAM_BAD_ITEM; } @@ -220,6 +238,14 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item) *item = pamh->fail_delay.delay_fn_ptr; break; + case PAM_XDISPLAY: + *item = pamh->xdisplay; + break; + + case PAM_XAUTHDATA: + *item = &pamh->xauth; + break; + default: retval = PAM_BAD_ITEM; } diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c index 770c9cce..574a570e 100644 --- a/libpam/pam_misc.c +++ b/libpam/pam_misc.c @@ -137,6 +137,28 @@ char *_pam_strdup(const char *x) return new; /* return the duplicate or NULL on error */ } +/* + * Safe duplication of memory buffers. "Paranoid"; don't leave + * evidence of old token around for later stack analysis. + */ + +char *_pam_memdup(const char *x, int len) +{ + register char *new=NULL; + + if (x != NULL) { + if ((new = malloc(len)) == NULL) { + len = 0; + pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory"); + } else { + memcpy (new, x, len); + } + x = NULL; + } + + return new; /* return the duplicate or NULL on error */ +} + /* Generate argv, argc from s */ /* caller must free(argv) */ diff --git a/libpam/pam_private.h b/libpam/pam_private.h index bf32ad44..333f4d0f 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h 
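Review bot: The new `PAM_XAUTHDATA` case in pam_set_item() frees the stored copy and then dereferences `item` without checking it. If `item` is the pointer that `pam_get_item(..., PAM_XAUTHDATA, ...)` returns (`&pamh->xauth`, see the next hunk), `name` and `data` are duplicated from memory that was just overwritten and freed; a NULL `item` faults unless a check outside the hunk rejects it first. The results of `_pam_strdup()` and `_pam_memdup()` are not checked, so an allocation failure leaves non-zero `namelen`/`datalen` next to NULL pointers while the call still reports success. The release is keyed on the length fields rather than the pointers, so a copy made with a zero length is never freed. A sketch with these checks follows; treating NULL as "clear the item" and returning `PAM_BUF_ERR` are my suggestions, and the rest of pam_set_item() lies outside the hunk.

```c
    case PAM_XAUTHDATA: {
        const struct pam_xauth_data *src = item;

        if (src == &pamh->xauth)        /* caller passed back the stored copy */
            break;

        /* scrub and release the previous copy, keyed on the pointers */
        _pam_overwrite(pamh->xauth.name);
        _pam_drop(pamh->xauth.name);
        _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
        _pam_drop(pamh->xauth.data);
        memset(&pamh->xauth, 0, sizeof(pamh->xauth));

        if (src == NULL)                /* NULL clears the item */
            break;

        pamh->xauth = *src;
        pamh->xauth.name = _pam_strdup(src->name);
        pamh->xauth.data = _pam_memdup(src->data, src->datalen);
        if ((src->name != NULL && pamh->xauth.name == NULL) ||
            (src->data != NULL && pamh->xauth.data == NULL)) {
            /* do not keep lengths that describe buffers we failed to copy */
            _pam_overwrite(pamh->xauth.name);
            _pam_drop(pamh->xauth.name);
            _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
            _pam_drop(pamh->xauth.data);
            memset(&pamh->xauth, 0, sizeof(pamh->xauth));
            retval = PAM_BUF_ERR;
        }
        break;
    }
```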
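Review bot: `*item = &pamh->xauth;` in the `PAM_XAUTHDATA` case of pam_get_item() hands out a pointer into the handle itself, and nothing on the case says how long it stays valid. The pam_set_item() hunk in this commit overwrites and frees the `name` and `data` buffers on the next set, and the pam_end() change does the same. A caller that keeps the pointer across either call therefore reads freed memory. I would add a comment on the case, e.g. `/* points into pamh; invalidated by pam_set_item(PAM_XAUTHDATA) and pam_end() */`, and state the same lifetime rule in the pam_xauth_data man page. The body of pam_get_item() continues outside the hunk.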
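Review bot: `_pam_memdup()` takes its length as `int` and passes it unchecked to `malloc(len)` and `memcpy (new, x, len)`. A negative `datalen` arriving through `pam_set_item(PAM_XAUTHDATA)` is converted to a very large size, and the outcome then depends on the allocator refusing it; a guard such as `if (x == NULL || len < 0) return NULL;` ahead of the allocation makes that explicit. The header comment promises that no trace of the old token is left behind, but `len = 0;` and `x = NULL;` only change the function's own parameters and erase nothing. I would drop both assignments and reword the comment to say that scrubbing the source buffer is the caller's job. With `len == 0`, `malloc(0)` may legitimately return NULL, in which case the function logs an allocation failure that did not happen.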
@@ -152,9 +152,11 @@ struct pam_handle { char *rhost; char *ruser; char *tty; + char *xdisplay; struct pam_data *data; struct pam_environ *env; /* structure to maintain environment list */ struct _pam_fail_delay fail_delay; /* helper function for easy delays */ + struct pam_xauth_data xauth; /* auth info for X display */ struct service handlers; struct _pam_former_state former; /* library state - support for event driven applications */ @@ -267,6 +269,8 @@ char *_pam_StrTok(char *from, const char *format, char **next); char *_pam_strdup(const char *s); +char *_pam_memdup(const char *s, int len); + int _pam_mkargv(char *s, char ***argv, int *argc); void _pam_sanitize(pam_handle_t *pamh); -- cgit v1.2.3 From ad3ad5cf1f25e1a192a3a8b00bd84b1678aaf2ab Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 7 Dec 2007 13:50:55 +0000 Subject: Relevant BUGIDs: Purpose of commit: translations Commit summary: --------------- 2007-12-07 Luca Bruno * po/it.po: Updated translations. --- ChangeLog | 4 ++ po/it.po | 211 +++++++++++++++++++++++++++----------------------------------- 2 files changed, 97 insertions(+), 118 deletions(-) diff --git a/ChangeLog b/ChangeLog index 452001e7..90473185 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2007-12-07 Luca Bruno + + * po/it.po: Updated translations. + 2007-12-06 Eamon Walsh * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n() diff --git a/po/it.po b/po/it.po index 6ee6f0ce..63ea3248 100644 --- a/po/it.po +++ b/po/it.po 
@@ -1,19 +1,20 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR Linux-PAM Project +# Italian translation of Linux-PAM. +# Copyright (C) 2007 Linux-PAM Project # This file is distributed under the same license as the PACKAGE package. -# FIRST AUTHOR , YEAR. -# +# Novell Language , 2007. +# Luca Bruno , 2007. +# TODO: uniformare la traduzione di alcune stringhe con shadow. msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" "POT-Creation-Date: 2007-10-01 12:19+0200\n" -"PO-Revision-Date: 2006-05-03 22:05+0200\n" -"Last-Translator: Novell Language \n" -"Language-Team: Novell Language \n" +"PO-Revision-Date: 2007-11-24 13:39+0100\n" +"Last-Translator: Luca Bruno \n" +"Language-Team: Italian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" +"Content-Transfer-Encoding: 8bit" #: libpam_misc/misc_conv.c:33 msgid "...Time is running out...\n" @@ -42,7 +43,7 @@ msgstr "Errore critico - interruzione immediata" #: libpam/pam_strerror.c:44 msgid "Failed to load module" -msgstr "" +msgstr "Caricamento del modulo fallito" #: libpam/pam_strerror.c:46 msgid "Symbol not found" @@ -50,7 +51,7 @@ msgstr "Simbolo non trovato" #: libpam/pam_strerror.c:48 msgid "Error in service module" -msgstr "Errore in modulo di servizio" +msgstr "Errore nel modulo di servizio" #: libpam/pam_strerror.c:50 msgid "System error" @@ -66,7 +67,7 @@ msgstr "Permesso negato" #: libpam/pam_strerror.c:56 msgid "Authentication failure" -msgstr "Errore di autenticazione" +msgstr "Autenticazione fallita" #: libpam/pam_strerror.c:58 msgid "Insufficient credentials to access authentication data" 
@@ -80,15 +81,15 @@ msgstr "" #: libpam/pam_strerror.c:62 msgid "User not known to the underlying authentication module" -msgstr "Utente sconosciuto nel modulo di autenticazione sottostante" +msgstr "Utente sconosciuto al modulo di autenticazione sottostante" #: libpam/pam_strerror.c:64 msgid "Have exhausted maximum number of retries for service" -msgstr "Numero massimo di tentativi per il servizio superato" +msgstr "Superato il numero massimo di tentativi per il servizio" #: libpam/pam_strerror.c:66 msgid "Authentication token is no longer valid; new one required" -msgstr "Token di autenticazione non più valido; richiesto uno nuovo" +msgstr "Token di autenticazione non più valido; ne è richiesto uno nuovo" #: libpam/pam_strerror.c:68 msgid "User account has expired" @@ -97,7 +98,7 @@ msgstr "Account utente scaduto" #: libpam/pam_strerror.c:70 msgid "Cannot make/remove an entry for the specified session" msgstr "" -"Impossibile creare/rimuovere una registrazione per la sessione specificata" +"Impossibile creare/rimuovere una voce per la sessione specificata" #: libpam/pam_strerror.c:72 msgid "Authentication service cannot retrieve user credentials" @@ -111,7 +112,7 @@ msgstr "Credenziali utente scadute" #: libpam/pam_strerror.c:76 msgid "Failure setting user credentials" -msgstr "Errore impostazione credenziali utente" +msgstr "Impostazione delle credenziali utente fallita" #: libpam/pam_strerror.c:78 msgid "No module specific data is present" 
@@ -123,31 +124,31 @@ msgstr "Elemento errato passato a pam_*_item()" #: libpam/pam_strerror.c:82 msgid "Conversation error" -msgstr "Errore conversazione" +msgstr "Errore di conversazione" #: libpam/pam_strerror.c:84 msgid "Authentication token manipulation error" -msgstr "Errore manipolazione token autenticazione" +msgstr "Errore manipolazione token di autenticazione" #: libpam/pam_strerror.c:86 msgid "Authentication information cannot be recovered" -msgstr "Impossibile ripristinare informazioni autenticazione" +msgstr "Impossibile ripristinare informazioni di autenticazione" #: libpam/pam_strerror.c:88 msgid "Authentication token lock busy" -msgstr "Blocco token autenticazione occupato" +msgstr "Blocco token di autenticazione occupato" #: libpam/pam_strerror.c:90 msgid "Authentication token aging disabled" -msgstr "Aging token autenticazione disabilitato" +msgstr "Invecchiamento del token di autenticazione disabilitato" #: libpam/pam_strerror.c:92 msgid "Failed preliminary check by password service" -msgstr "Errore controllo preliminare per servizio parola d'ordine" +msgstr "Controllo preliminare del servizio password fallito" #: libpam/pam_strerror.c:94 msgid "The return value should be ignored by PAM dispatch" -msgstr "Il valore restituito deve essere ignorato da dispatch PAM" +msgstr "Il valore restituito dovrebbe essere ignorato dal dispatch PAM" #: libpam/pam_strerror.c:96 msgid "Module is unknown" 
@@ -155,15 +156,15 @@ msgstr "Modulo sconosciuto" #: libpam/pam_strerror.c:98 msgid "Authentication token expired" -msgstr "Token autenticazione scaduto" +msgstr "Token di autenticazione scaduto" #: libpam/pam_strerror.c:100 msgid "Conversation is waiting for event" -msgstr "Conversazione in attesa di evento" +msgstr "Conversazione in attesa di un evento" #: libpam/pam_strerror.c:102 msgid "Application needs to call libpam again" -msgstr "L'applicazione richiede chiamata a libpam" +msgstr "L'applicazione richiede una nuova chiamata a libpam" #: libpam/pam_strerror.c:105 msgid "Unknown PAM error" @@ -172,16 +173,16 @@ msgstr "Errore PAM sconosciuto" #: modules/pam_cracklib/pam_cracklib.c:64 #, c-format msgid "New %s%spassword: " -msgstr "Nuova parola d'ordine%s%s:" +msgstr "Nuova password%s%s: " #: modules/pam_cracklib/pam_cracklib.c:66 #, c-format msgid "Retype new %s%spassword: " -msgstr "Reimmettere la nuova parola d'ordine%s%s:" +msgstr "Reimmettere la nuova password%s%s: " #: modules/pam_cracklib/pam_cracklib.c:67 msgid "Sorry, passwords do not match." -msgstr "Le parole d'ordine non corrispondono." +msgstr "Le password non corrispondono." #: modules/pam_cracklib/pam_cracklib.c:432 msgid "is the same as the old one" @@ -205,11 +206,11 @@ msgstr "è troppo semplice" #: modules/pam_cracklib/pam_cracklib.c:457 msgid "is rotated" -msgstr "è alternata" +msgstr "è una rotazione della precedente" #: modules/pam_cracklib/pam_cracklib.c:460 msgid "not enough character classes" -msgstr "" +msgstr "non ha abbastanza classi di caratteri" #: modules/pam_cracklib/pam_cracklib.c:498 msgid "has been already used" 
@@ -218,141 +219,137 @@ msgstr "è già stata utilizzata" #: modules/pam_cracklib/pam_cracklib.c:526 #: modules/pam_unix/pam_unix_passwd.c:977 msgid "No password supplied" -msgstr "Nessuna parola d'ordine fornita" +msgstr "Nessuna password fornita" #: modules/pam_cracklib/pam_cracklib.c:526 #: modules/pam_unix/pam_unix_passwd.c:977 msgid "Password unchanged" -msgstr "Parola d'ordine non modificata" +msgstr "Password non modificata" #: modules/pam_cracklib/pam_cracklib.c:549 #: modules/pam_cracklib/pam_cracklib.c:676 #, c-format msgid "BAD PASSWORD: %s" -msgstr "PAROLA D'ORDINE ERRTATA: %s" +msgstr "PASSWORD ERRATA: %s" #: modules/pam_exec/pam_exec.c:118 #, c-format msgid "%s failed: exit code %d" -msgstr "" +msgstr "% fallita: codice d'uscita %d" #: modules/pam_exec/pam_exec.c:126 #, c-format msgid "%s failed: caught signal %d%s" -msgstr "" +msgstr "% fallita: intercettato il segnale %d" #: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: unknown status 0x%x" -msgstr "" +msgstr "% fallita: stato sconosciuto 0x%x" #. TRANSLATORS: "strftime options for date of last login" #: modules/pam_lastlog/pam_lastlog.c:190 msgid " %a %b %e %H:%M:%S %Z %Y" -msgstr "%a %b %e %H:%M:%S %Z %Y" +msgstr " %a %b %e %H.%M.%S %Z %Y" #. TRANSLATORS: " from " #: modules/pam_lastlog/pam_lastlog.c:199 #, c-format msgid " from %.*s" -msgstr "da %.*s" +msgstr " da %.*s" #. TRANSLATORS: " on " #: modules/pam_lastlog/pam_lastlog.c:211 #, c-format msgid " on %.*s" -msgstr "in %.*s" +msgstr " su %.*s" #. TRANSLATORS: "Last login: from on " #: modules/pam_lastlog/pam_lastlog.c:220 #, c-format msgid "Last login:%s%s%s" -msgstr "Ultimo login:%s%s%s" +msgstr "Ultimo accesso:%s%s%s" #: modules/pam_lastlog/pam_lastlog.c:226 msgid "Welcome to your new account!" -msgstr "Nuovo conto." +msgstr "Benvenuti nel nuovo account!" #: modules/pam_limits/pam_limits.c:698 #, c-format msgid "Too many logins for '%s'." -msgstr "Ci sono troppi login per '%s'." +msgstr "Ci sono troppi accessi per \"%s\"." 
#: modules/pam_mail/pam_mail.c:313 msgid "No mail." -msgstr "Nessuna e-mail." +msgstr "Nessuna email." #: modules/pam_mail/pam_mail.c:316 msgid "You have new mail." -msgstr "Nuova e-mail." +msgstr "Nuove email." #: modules/pam_mail/pam_mail.c:319 msgid "You have old mail." -msgstr "E-mail vecchie." +msgstr "Email vecchie." #: modules/pam_mail/pam_mail.c:323 msgid "You have mail." -msgstr "E-mail esistenti." +msgstr "Email esistenti." #: modules/pam_mail/pam_mail.c:330 #, c-format msgid "You have no mail in folder %s." -msgstr "La cartella %s non contiene alcuna e-mail." +msgstr "La cartella %s non contiene alcuna email." #: modules/pam_mail/pam_mail.c:334 #, c-format msgid "You have new mail in folder %s." -msgstr "La cartella %s non contiene alcuna e-mail nuova." +msgstr "La cartella %s contiene nuove email." #: modules/pam_mail/pam_mail.c:338 #, c-format msgid "You have old mail in folder %s." -msgstr "La cartella %s non contiene alcuna e-mail vecchia." +msgstr "La cartella %s contiene vecchie email." #: modules/pam_mail/pam_mail.c:343 #, c-format msgid "You have mail in folder %s." -msgstr "La cartella %s contiene e-mail." +msgstr "La cartella %s contiene email." #: modules/pam_mkhomedir/pam_mkhomedir.c:142 #, c-format msgid "Creating directory '%s'." -msgstr "" +msgstr "Creazione della directory \"%s\"." #: modules/pam_mkhomedir/pam_mkhomedir.c:147 #, c-format msgid "Unable to create directory %s: %m" -msgstr "" +msgstr "Impossibile creare la directory %s: %m" #: modules/pam_selinux/pam_selinux.c:94 msgid "Error connecting to audit system." -msgstr "" +msgstr "Errore nella connessione al sistema di audit." #: modules/pam_selinux/pam_selinux.c:98 -#, fuzzy msgid "Error translating default context." -msgstr "Il contesto di default è %s. \n" +msgstr "Errore nella traduzione del contesto predefinito." #: modules/pam_selinux/pam_selinux.c:102 msgid "Error translating selected context." -msgstr "" +msgstr "Errore nella traduzione del contesto selezionato." 
#: modules/pam_selinux/pam_selinux.c:113 msgid "Error sending audit message." -msgstr "" +msgstr "Errore nell'invio del messaggio di audit." #: modules/pam_selinux/pam_selinux.c:164 -#, fuzzy msgid "Would you like to enter a security context? [N] " -msgstr "Immettere un contesto di sicurezza? [s]" +msgstr "Attivare un contesto di sicurezza? [N] " #: modules/pam_selinux/pam_selinux.c:181 modules/pam_selinux/pam_selinux.c:265 -#, fuzzy msgid "role:" msgstr "ruolo:" #: modules/pam_selinux/pam_selinux.c:193 modules/pam_selinux/pam_selinux.c:282 -#, fuzzy msgid "level:" msgstr "livello:" @@ -361,32 +358,31 @@ msgid "Not a valid security context" msgstr "Non è un contesto di sicurezza valido" #: modules/pam_selinux/pam_selinux.c:251 -#, fuzzy, c-format +#, c-format msgid "Default Security Context %s\n" -msgstr "Contesto di sicurezza %s assegnato" +msgstr "Contesto di sicurezza predefinito %s\n" #: modules/pam_selinux/pam_selinux.c:255 -#, fuzzy msgid "Would you like to enter a different role or level?" -msgstr "Immettere un contesto di sicurezza? [s]" +msgstr "Immettere un ruolo o livello differente?" #: modules/pam_selinux/pam_selinux.c:269 #, c-format msgid "No default type for role %s\n" -msgstr "" +msgstr "Nessun tipo predefinito per il ruolo %s\n" #: modules/pam_selinux/pam_selinux.c:512 msgid "Out of memory" -msgstr "" +msgstr "Memoria esaurita" #: modules/pam_selinux/pam_selinux.c:520 modules/pam_selinux/pam_selinux.c:522 #, c-format msgid "Unable to get valid context for %s" -msgstr "" +msgstr "Impossibile ottenere un contesto valido per %s" #: modules/pam_selinux/pam_selinux.c:578 msgid "Requested MLS level not in permitted range" -msgstr "" +msgstr "Il livello MLS richiesto non è nell'intervallo permesso" #: modules/pam_selinux/pam_selinux.c:628 #, c-format 
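Review bot: The three new pam_exec translations in this hunk begin with `% fallita` where the msgid has `%s failed`, and all three entries are marked `c-format`. printf parses `% f` as a floating-point conversion with the space flag, so the string argument is consumed as a double and the following `%d`/`%x` read the wrong arguments. The second entry also drops the trailing `%s` of `caught signal %d%s`. They should read `msgstr "%s fallita: codice d'uscita %d"`, `msgstr "%s fallita: intercettato il segnale %d%s"` and `msgstr "%s fallita: stato sconosciuto 0x%x"`. Running `msgfmt -c` over the catalogue would catch this kind of mismatch before it ships.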
@@ -394,9 +390,9 @@ msgid "Security Context %s Assigned" msgstr "Contesto di sicurezza %s assegnato" #: modules/pam_selinux/pam_selinux.c:649 -#, fuzzy, c-format +#, c-format msgid "Key Creation Context %s Assigned" -msgstr "Contesto di sicurezza %s assegnato" +msgstr "Contesto di creazione chiave %s assegnato" #: modules/pam_selinux/pam_selinux_check.c:99 #, c-format @@ -406,29 +402,29 @@ msgstr "impossibile inizializzare PAM\n" #: modules/pam_selinux/pam_selinux_check.c:105 #, c-format msgid "failed to pam_set_item()\n" -msgstr "impossibile pam_set_item()\n" +msgstr "Impossibile eseguire pam_set_item()\n" #: modules/pam_selinux/pam_selinux_check.c:133 #, c-format msgid "login: failure forking: %m" -msgstr "login: errore forking: %m" +msgstr "login: forking fallito: %m" #: modules/pam_stress/pam_stress.c:476 -#, fuzzy, c-format +#, c-format msgid "Changing STRESS password for %s." -msgstr "Cambio parola d'ordine STRESS per" +msgstr "Cambio password STRESS per %s." #: modules/pam_stress/pam_stress.c:490 msgid "Enter new STRESS password: " -msgstr "Immettere nuova parola d'ordine STRESS:" +msgstr "Immettere nuova password STRESS: " #: modules/pam_stress/pam_stress.c:493 msgid "Retype new STRESS password: " -msgstr "Ridigitare nuova parola d'ordine STRESS:" +msgstr "Reimmettere la nuova password STRESS: " #: modules/pam_stress/pam_stress.c:522 msgid "Verification mis-typed; password unchanged" -msgstr "Errore digitazione verifica; parola d'ordine non cambiata" +msgstr "Errore di digitazione per verifica; password non cambiata" #: modules/pam_tally/pam_tally.c:741 msgid "Authentication error" @@ -436,7 +432,7 @@ msgstr "Errore di autenticazione" #: modules/pam_tally/pam_tally.c:742 msgid "Service error" -msgstr "Errore servizio" +msgstr "Errore del servizio" #: modules/pam_tally/pam_tally.c:743 msgid "Unknown user" 
@@ -461,7 +457,7 @@ msgstr "%s: Opzione non riconosciuta %s\n" msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" -"%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" +"%s: [--file NOMEFILE] [--user NOMEUTENTE] [--reset[=N]] [--quiet]\n" #: modules/pam_tally/pam_tally.c:850 #, c-format 
@@ -476,80 +472,59 @@ msgstr "Account scaduto; contattare l'amministratore di sistema" #: modules/pam_unix/pam_unix_acct.c:283 msgid "You are required to change your password immediately (root enforced)" msgstr "" -"È richiesta la modifica immediata della parola d'ordine (applicato da root)" +"È richiesta la modifica immediata della password (imposto dall'amministratore)" #: modules/pam_unix/pam_unix_acct.c:310 msgid "You are required to change your password immediately (password aged)" msgstr "" -"È richiesta la modifica immediata della parola d'ordine (parola d'ordine " -"obsoleta)" +"È richiesta la modifica immediata della password (password troppo vecchia)" #: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 -#, fuzzy, c-format +#, c-format msgid "Warning: your password will expire in %d day" -msgid_plural "Warning: your password will expire in %d days" -msgstr[0] "Avviso: la parola d'ordine scadrà tra %d giorni%.2s" -msgstr[1] "Avviso: la parola d'ordine scadrà tra %d giorni%.2s" +msgstr "Avviso: la password scadrà tra %d giorno" #. TRANSLATORS: only used if dngettext is not support #. ed #: modules/pam_unix/pam_unix_acct.c:336 -#, fuzzy, c-format +#, c-format msgid "Warning: your password will expire in %d days" -msgstr "Avviso: la parola d'ordine scadrà tra %d giorni%.2s" +msgstr "Avviso: la password scadrà tra %d giorni" #: modules/pam_unix/pam_unix_auth.c:159 modules/pam_userdb/pam_userdb.c:61 msgid "Password: " -msgstr "Parola d'ordine:" +msgstr "Password: " #: modules/pam_unix/pam_unix_passwd.c:821 msgid "NIS password could not be changed." -msgstr "[f1]Impossibile modificare parola d'ordine NIS." +msgstr "Impossibile modificare la password NIS." #: modules/pam_unix/pam_unix_passwd.c:998 msgid "You must choose a longer password" -msgstr "Scegliere una parola d'ordine più lunga" +msgstr "Scegliere una password più lunga" #: modules/pam_unix/pam_unix_passwd.c:1003 msgid "Password has been already used. Choose another." 
-msgstr "Parola d'ordine già utilizzata. Sceglierne un'altra." +msgstr "Password già utilizzata. Sceglierne un'altra." #: modules/pam_unix/pam_unix_passwd.c:1103 -#, fuzzy, c-format +#, c-format msgid "Changing password for %s." -msgstr "Cambio parola d'ordine STRESS per" +msgstr "Cambio password per %s." #: modules/pam_unix/pam_unix_passwd.c:1114 msgid "(current) UNIX password: " -msgstr "Parola d'ordine UNIX (corrente):" +msgstr "Password UNIX (corrente): " #: modules/pam_unix/pam_unix_passwd.c:1149 msgid "You must wait longer to change your password" -msgstr "Attendere ancora per cambiare la parola d'ordine " +msgstr "Attendere ancora per cambiare la password" #: modules/pam_unix/pam_unix_passwd.c:1209 msgid "Enter new UNIX password: " -msgstr "Immettere nuova parola d'ordine UNIX:" +msgstr "Immettere nuova password UNIX: " #: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Retype new UNIX password: " -msgstr "Reimmettere la nuova parola d'ordine UNIX:" - -#~ msgid "Do you want to choose a different one? [n]" -#~ msgstr "Sceglierne un altro? [n]" - -#~ msgid "Enter number of choice: " -#~ msgstr "Immettere il numero di scelta:" - -#~ msgid "type: " -#~ msgstr "tipo:" - -#, fuzzy -#~ msgid "Warning: your password will expire in one day" -#~ msgstr "Avviso: la parola d'ordine scadrà tra %d giorni%.2s" - -#~ msgid "dlopen() failure" -#~ msgstr "errore dlopen()" +msgstr "Reimmettere la nuova password UNIX: " -#~ msgid "%s: set %s security context to %s" -#~ msgstr "Non è un contesto di sicurezza valido" -- cgit v1.2.3 From 67b5cdd945120d8b0fe4c40fe9df576fa5c2a9a2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 7 Dec 2007 14:56:49 +0000 Subject: Relevant BUGIDs: Purpose of commit: translations Commit summary: --------------- 2007-12-07 Tomas Mraz * po/cs.po: Updated translations. --- ChangeLog | 4 ++++ po/cs.po | 43 +++++++++++++++---------------------------- 2 files changed, 19 insertions(+), 28 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 90473185..cf54ed5e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2007-12-07 Tomas Mraz + + * po/cs.po: Updated translations. + 2007-12-07 Luca Bruno * po/it.po: Updated translations. diff --git a/po/cs.po b/po/cs.po index a6430727..f1a98f8f 100644 --- a/po/cs.po +++ b/po/cs.po @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" "POT-Creation-Date: 2007-10-01 12:19+0200\n" -"PO-Revision-Date: 2007-01-17 11:54+0100\n" +"PO-Revision-Date: 2007-10-01 15:54+0100\n" "Last-Translator: Tomas Mraz \n" "Language-Team: cs_CZ \n" "MIME-Version: 1.0\n" @@ -206,7 +206,7 @@ msgstr "je posunuté" #: modules/pam_cracklib/pam_cracklib.c:460 msgid "not enough character classes" -msgstr "" +msgstr "nemá dostatek různých druhů znaků" #: modules/pam_cracklib/pam_cracklib.c:498 msgid "has been already used" 
@@ -339,51 +339,47 @@ msgid "Error sending audit message." msgstr "" #: modules/pam_selinux/pam_selinux.c:164 -#, fuzzy msgid "Would you like to enter a security context? [N] " -msgstr "Chcete zadat bezpečnostní kontext? [y]" +msgstr "Chcete zadat bezpečnostní kontext? [N] " #: modules/pam_selinux/pam_selinux.c:181 modules/pam_selinux/pam_selinux.c:265 -#, fuzzy msgid "role:" -msgstr "role: " +msgstr "role:" #: modules/pam_selinux/pam_selinux.c:193 modules/pam_selinux/pam_selinux.c:282 -#, fuzzy msgid "level:" -msgstr "úroveň: " +msgstr "úroveň:" #: modules/pam_selinux/pam_selinux.c:206 modules/pam_selinux/pam_selinux.c:313 msgid "Not a valid security context" msgstr "Neplatný bezpečnostní kontext" #: modules/pam_selinux/pam_selinux.c:251 -#, fuzzy, c-format +#, c-format msgid "Default Security Context %s\n" -msgstr "Bezpečnostní kontext %s přidělen" +msgstr "Výchozí bezpečnostní kontext %s\n" #: modules/pam_selinux/pam_selinux.c:255 -#, fuzzy msgid "Would you like to enter a different role or level?" -msgstr "Chcete zadat bezpečnostní kontext? [y]" +msgstr "Chcete zadat jinou roli nebo úroveň?" #: modules/pam_selinux/pam_selinux.c:269 #, c-format msgid "No default type for role %s\n" -msgstr "" +msgstr "Chybí výchozí typ pro roli %s\n" #: modules/pam_selinux/pam_selinux.c:512 msgid "Out of memory" -msgstr "" +msgstr "Nedostatek paměti" #: modules/pam_selinux/pam_selinux.c:520 modules/pam_selinux/pam_selinux.c:522 -#, fuzzy, c-format +#, c-format msgid "Unable to get valid context for %s" -msgstr "Nezdařilo se vytvořit adresář %s: %m" +msgstr "Nezdařilo se najít platný bezpečnostní kontext pro %s" #: modules/pam_selinux/pam_selinux.c:578 msgid "Requested MLS level not in permitted range" -msgstr "" +msgstr "Požadovaná úroveň MLS není v povoleném rozsahu" #: modules/pam_selinux/pam_selinux.c:628 #, c-format 
@@ -391,9 +387,9 @@ msgid "Security Context %s Assigned" msgstr "Bezpečnostní kontext %s přidělen" #: modules/pam_selinux/pam_selinux.c:649 -#, fuzzy, c-format +#, c-format msgid "Key Creation Context %s Assigned" -msgstr "Bezpečnostní kontext %s přidělen" +msgstr "Bezpečnostní kontext pro vytváření klíčů %s přidělen" #: modules/pam_selinux/pam_selinux_check.c:99 #, c-format @@ -529,12 +525,3 @@ msgstr "Zadejte nové UNIX heslo: " #: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Retype new UNIX password: " msgstr "Opakujte nové UNIX heslo: " - -#~ msgid "Do you want to choose a different one? [n]" -#~ msgstr "Chcete zvolit jiný? [n]" - -#~ msgid "Enter number of choice: " -#~ msgstr "Zadejte číslo volby: " - -#~ msgid "type: " -#~ msgstr "typ: " -- cgit v1.2.3 From 8ae5f5769c4c611ca6918450bbe6e55dfa4e5926 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 7 Dec 2007 15:40:01 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature and cleanup Commit summary: --------------- 2007-12-07 Tomas Mraz * libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version. * libpam/pam_audit.c: Add _pam_audit_open() and pam_modutil_audit_write(). (_pam_auditlog): Call _pam_audit_open(). * libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write(). * modules/pam_access/pam_access.8.xml: Add noaudit option. Document auditing. * modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and only_new_group_syntax variables to struct login_info. Add noaudit member. (_parse_args): Adjust for the move of variables and add support for noaudit option. (group_match): Add debug parameter. (string_match): Likewise. (network_netmask_match): Likewise. (login_access): Adjust for the move of variables. Add nonall_match. Add call to pam_modutil_audit_write(). (list_match): Adjust for the move of variables. (user_match): Likewise. (from_match): Likewise. (pam_sm_authenticate): Call _parse_args() earlier. * modules/pam_limits/pam_limits.8.xml: Add noaudit option. Document auditing. * modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option. (setup_limits): Call pam_modutil_audit_write(). * modules/pam_time/pam_time.8.xml: Add debug and noaudit options. Document auditing. * modules/pam_time/pam_time.c: Add option parsing (_pam_parse()). (check_account): Call _pam_parse(). Call pam_modutil_audit_write() and pam_syslog() on login denials. 
--- libpam/include/security/pam_modutil.h | 3 + libpam/libpam.map | 5 + libpam/pam_audit.c | 51 ++++++++-- modules/pam_access/README | 7 ++ modules/pam_access/pam_access.8 | 65 +++++++------ modules/pam_access/pam_access.8.xml | 18 ++++ modules/pam_access/pam_access.c | 170 ++++++++++++++++++++-------------- modules/pam_limits/README | 7 ++ modules/pam_limits/pam_limits.8 | 75 ++++++++------- modules/pam_limits/pam_limits.8.xml | 18 ++++ modules/pam_limits/pam_limits.c | 14 +++ modules/pam_time/README | 3 + modules/pam_time/pam_time.8.xml | 37 +++++++- modules/pam_time/pam_time.c | 50 +++++++++- 14 files changed, 379 insertions(+), 144 deletions(-) diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h index efb72436..ffdf5ad0 100644 --- a/libpam/include/security/pam_modutil.h +++ b/libpam/include/security/pam_modutil.h @@ -97,6 +97,9 @@ pam_modutil_read(int fd, char *buffer, int count); extern int pam_modutil_write(int fd, const char *buffer, int count); +extern int PAM_NONNULL((1,3)) +pam_modutil_audit_write(pam_handle_t *pamh, int type, + const char *message, int retval); #ifdef __cplusplus } #endif diff --git a/libpam/libpam.map b/libpam/libpam.map index 1c2c4480..e37fc356 100644 --- a/libpam/libpam.map +++ b/libpam/libpam.map @@ -45,3 +45,8 @@ LIBPAM_MODUTIL_1.0 { pam_modutil_read; pam_modutil_write; }; + +LIBPAM_MODUTIL_1.1 { + global: + pam_modutil_audit_write; +} LIBPAM_MODUTIL_1.0; diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c index 240d4a89..a9d72176 100644 --- a/libpam/pam_audit.c +++ b/libpam/pam_audit.c 
@@ -56,26 +56,39 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, return rc; } -int -_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +static int +_pam_audit_open(pam_handle_t *pamh) { - const char *message; - int type; int audit_fd; - audit_fd = audit_open(); if (audit_fd < 0) { /* You get these error codes only when the kernel doesn't have * audit compiled in. */ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) - return retval; + return -2; /* this should only fail in case of extreme resource shortage, * need to prevent login in that case for CAPP compliance. */ pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m"); + return -1; + } + + return audit_fd; +} + +int +_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +{ + const char *message; + int type; + int audit_fd; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { return PAM_SYSTEM_ERR; + } else if (audit_fd == -2) { + return retval; } switch (action) { @@ -142,4 +155,30 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) return 0; } +int +pam_modutil_audit_write(pam_handle_t *pamh, int type, + const char *message, int retval) +{ + int audit_fd; + int rc; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; + } else if (audit_fd == -2) { + return retval; + } + + rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); + + audit_close(audit_fd); + + return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS; +} + +#else +int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED, + const char *message UNUSED, int retval UNUSED) +{ + return PAM_SUCCESS; +} #endif /* HAVE_LIBAUDIT */ diff --git a/modules/pam_access/README b/modules/pam_access/README index a3adcc8f..ec0d67e0 100644 --- a/modules/pam_access/README +++ b/modules/pam_access/README 
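Review bot: `_pam_audit_open()` reports its two failure modes as bare `-1` and `-2`, and both callers (`_pam_auditlog` in this hunk and `pam_modutil_audit_write` in the next one) compare against those literals. A header comment stating the contract, for example `/* Returns the audit fd, -1 on a real failure (already logged), -2 when the kernel has no audit support. */`, or two named constants, would keep the callers from drifting apart. The assignment inside the condition, `if ((audit_fd=_pam_audit_open(pamh)) == -1)`, would also read more clearly as a separate statement before the test.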
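Review bot: `pam_modutil_audit_write()` gives its return value three different meanings: `PAM_SUCCESS` after a successful write and in the non-libaudit stub, `PAM_SYSTEM_ERR` on failure, but the caller's own `retval` when `_pam_audit_open()` returns `-2`. A module that passes a denial code, as pam_limits does with `PAM_PERM_DENIED`, gets that code back on a kernel without audit support and cannot tell it apart from an audit failure. Returning `PAM_SUCCESS` in that branch, `} else if (audit_fd == -2) { return PAM_SUCCESS; }`, would make the result mean only "record written or safely skipped". The function would also benefit from a comment saying what `retval` is used for and which values it can return.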
@@ -12,6 +12,9 @@ of non-networked logins. By default rules for access management are taken from config file /etc/security /access.conf if you don't specify another file. +If Linux PAM is compiled with audit support the module will report when it +denies access based on origin (host or tty). + OPTIONS accessfile=/path/to/access.conf @@ -24,6 +27,10 @@ debug A lot of debug informations are printed with syslog(3). +noaudit + + Do not report logins from disallowed hosts and ttys to the audit subsystem. + fieldsep=separators This option modifies the field separator character that pam_access will diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8 index ca8cc5b0..f151859c 100644 --- a/modules/pam_access/pam_access.8 +++ b/modules/pam_access/pam_access.8 
@@ -1,96 +1,103 @@ .\" Title: pam_access .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 06/22/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: 11/30/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_ACCESS" "8" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ACCESS" "8" "11/30/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_access \- PAM module for logdaemon style login access control +pam_access - PAM module for logdaemon style login access control .SH "SYNOPSIS" .HP 14 -\fBpam_access.so\fR [debug] [nodefgroup] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] +\fBpam_access\.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] .SH "DESCRIPTION" .PP -The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins. +The pam_access PAM module is mainly for access management\. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\. .PP By default rules for access management are taken from config file -\fI/etc/security/access.conf\fR -if you don't specify another file. +\fI/etc/security/access\.conf\fR +if you don\'t specify another file\. +.PP +If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\. 
.SH "OPTIONS" .PP -\fBaccessfile=\fR\fB\fI/path/to/access.conf\fR\fR +\fBaccessfile=\fR\fB\fI/path/to/access\.conf\fR\fR .RS 4 Indicate an alternative -\fIaccess.conf\fR -style configuration file to override the default. This can be useful when different services need different access lists. +\fIaccess\.conf\fR +style configuration file to override the default\. This can be useful when different services need different access lists\. .RE .PP \fBdebug\fR .RS 4 A lot of debug informations are printed with -\fBsyslog\fR(3). +\fBsyslog\fR(3)\. +.RE +.PP +\fBnoaudit\fR +.RS 4 +Do not report logins from disallowed hosts and ttys to the audit subsystem\. .RE .PP \fBfieldsep=\fR\fB\fIseparators\fR\fR .RS 4 -This option modifies the field separator character that pam_access will recognize when parsing the access configuration file. For example: +This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\. For example: \fBfieldsep=|\fR -will cause the default `:' character to be treated as part of a field value and `|' becomes the field separator. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the +will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the \fBPAM_TTY\fR -item is likely to be of the form "hostname:0" which includes a `:' character in its value. But you should not need this. +item is likely to be of the form "hostname:0" which includes a `:\' character in its value\. But you should not need this\. .RE .PP \fBlistsep=\fR\fB\fIseparators\fR\fR .RS 4 -This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. 
For example: +This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\. For example: \fBlistsep=,\fR -will cause the default ` ' (space) and `\\t' (tab) characters to be treated as part of a list element value and `,' becomes the only list element separator. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space. +will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\. .RE .PP \fBnodefgroup\fR .RS 4 -The group database will not be used for tokens not identified as account name. +The group database will not be used for tokens not identified as account name\. .RE .SH "MODULE SERVICES PROVIDED" .PP -All services are supported. +All services are supported\. .SH "RETURN VALUES" .PP PAM_SUCCESS .RS 4 -Access was granted. +Access was granted\. .RE .PP PAM_PERM_DENIED .RS 4 -Access was not granted. +Access was not granted\. .RE .PP PAM_IGNORE .RS 4 \fBpam_setcred\fR -was called which does nothing. +was called which does nothing\. .RE .PP PAM_ABORT .RS 4 -Not all relevant data or options could be gotten. +Not all relevant data or options could be gotten\. .RE .PP PAM_USER_UNKNOWN .RS 4 -The user is not known to the system. +The user is not known to the system\. .RE .SH "FILES" .PP -\fI/etc/security/access.conf\fR +\fI/etc/security/access\.conf\fR .RS 4 Default configuration file .RE 
@@ -99,7 +106,7 @@ Default configuration file \fBaccess.conf\fR(5), \fBpam.d\fR(8), -\fBpam\fR(8). +\fBpam\fR(8)\. .SH "AUTHORS" .PP -The logdaemon style login access control scheme was designed and implemented by Wietse Venema. The pam_access PAM module was developed by Alexei Nogin . The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher . +The logdaemon style login access control scheme was designed and implemented by Wietse Venema\. The pam_access PAM module was developed by Alexei Nogin \. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \. diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index 1d814e88..21970d49 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -28,6 +28,9 @@ nodefgroup + + noaudit + accessfile=file @@ -54,6 +57,10 @@ /etc/security/access.conf if you don't specify another file. + + If Linux PAM is compiled with audit support the module will report + when it denies access based on origin (host or tty). + @@ -85,6 +92,17 @@ + + + + + + + Do not report logins from disallowed hosts and ttys to the audit subsystem. + + + + diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index e12bc721..edb8fb0a 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -46,6 +46,10 @@ #include #include +#ifdef HAVE_LIBAUDIT +#include +#endif + /* * here, we make definitions for the externally accessible functions * in this file (these definitions are required for static modules 
@@ -81,17 +85,11 @@ /* Delimiters for fields and for lists of users, ttys or hosts. */ -static const char *fs = ":"; /* field separator */ -static const char *sep = ", \t"; /* list-element separator */ - - /* Constants to be used in assignments only, not in comparisons... */ +#define ALL 2 #define YES 1 #define NO 0 -/* Only allow group entries of the form "(xyz)" */ -static int only_new_group_syntax = NO; - /* * A structure to bundle up all login-related information to keep the * functional interfaces as generic as possible. @@ -100,12 +98,13 @@ struct login_info { const struct passwd *user; const char *from; const char *config_file; + int debug; /* Print debugging messages. */ + int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ + int noaudit; /* Do not audit denials */ + const char *fs; /* field separator */ + const char *sep; /* list-element separator */ }; -/* Print debugging messages. - Default is NO which means don't print debugging messages. */ -static char pam_access_debug = NO; - /* Parse module config arguments */ static int @@ -113,17 +112,22 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, int argc, const char **argv) { int i; - + + loginfo->noaudit = NO; + loginfo->debug = NO; + loginfo->only_new_group_syntax = NO; + loginfo->fs = ":"; + loginfo->sep = ", \t"; for (i=0; idebug = YES; } else if (strcmp (argv[i], "nodefgroup") == 0) { - only_new_group_syntax = YES; + loginfo->only_new_group_syntax = YES; + } else if (strcmp (argv[i], "noaudit") == 0) { + loginfo->noaudit = YES; } else { pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); } 
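Review bot: The comment `/* Delimiters for fields and for lists of users, ttys or hosts. */` is left behind in the first hunk here after the `fs` and `sep` variables it described moved into `struct login_info`, so it now sits directly above the match constants. The next comment, "Constants to be used in assignments only, not in comparisons...", is contradicted by this commit, which adds `ALL` and compares against these values (`match == ALL`, `!= NO`) in later hunks. I would delete the first comment and reword the second, for example `/* Match results: NO, YES, or ALL when the token was the ALL wildcard. */`.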
@@ -156,10 +162,10 @@ typedef int match_func (pam_handle_t *, char *, struct login_info *); static int list_match (pam_handle_t *, char *, char *, struct login_info *, match_func *); static int user_match (pam_handle_t *, char *, struct login_info *); -static int group_match (pam_handle_t *, const char *, const char *); +static int group_match (pam_handle_t *, const char *, const char *, int); static int from_match (pam_handle_t *, char *, struct login_info *); -static int string_match (pam_handle_t *, const char *, const char *); -static int network_netmask_match (pam_handle_t *, const char *, const char *); +static int string_match (pam_handle_t *, const char *, const char *, int); +static int network_netmask_match (pam_handle_t *, const char *, const char *, int); /* isipaddr - find out if string provided is an IP address or not */ @@ -325,11 +331,12 @@ login_access (pam_handle_t *pamh, struct login_info *item) char *users; /* becomes list of login names */ char *froms; /* becomes list of terminals or hosts */ int match = NO; + int nonall_match = NO; int end; int lineno = 0; /* for diagnostics */ char *sptr; - if (pam_access_debug) + if (item->debug) pam_syslog (pamh, LOG_DEBUG, "login_access: user=%s, from=%s, file=%s", item->user->pw_name, @@ -361,8 +368,8 @@ login_access (pam_handle_t *pamh, struct login_info *item) continue; /* Allow field seperator in last field of froms */ - if (!(perm = strtok_r(line, fs, &sptr)) - || !(users = strtok_r(NULL, fs, &sptr)) + if (!(perm = strtok_r(line, item->fs, &sptr)) + || !(users = strtok_r(NULL, item->fs, &sptr)) || !(froms = strtok_r(NULL, "\n", &sptr))) { pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count", item->config_file, lineno); 
@@ -373,17 +380,22 @@ login_access (pam_handle_t *pamh, struct login_info *item) item->config_file, lineno); continue; } - if (pam_access_debug) + if (item->debug) pam_syslog (pamh, LOG_DEBUG, "line %d: %s : %s : %s", lineno, perm, users, froms); - match = list_match(pamh, froms, NULL, item, from_match); - if (pam_access_debug) - pam_syslog (pamh, LOG_DEBUG, - "from_match=%d, \"%s\"", match, item->from); - match = match && list_match (pamh, users, NULL, item, user_match); - if (pam_access_debug) + match = list_match(pamh, users, NULL, item, user_match); + if (item->debug) pam_syslog (pamh, LOG_DEBUG, "user_match=%d, \"%s\"", match, item->user->pw_name); + if (match) { + match = list_match(pamh, froms, NULL, item, from_match); + if (!match && perm[0] == '+') { + nonall_match = YES; + } + if (item->debug) + pam_syslog (pamh, LOG_DEBUG, + "from_match=%d, \"%s\"", match, item->from); + } } (void) fclose(fp); } else if (errno == ENOENT) { @@ -394,6 +406,13 @@ login_access (pam_handle_t *pamh, struct login_info *item) pam_syslog(pamh, LOG_ERR, "cannot open %s: %m", item->config_file); return NO; } +#ifdef HAVE_LIBAUDIT + if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL && + nonall_match == YES))) { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION, + "pam_access", 0); + } +#endif return (match == NO || (line[0] == '+')); } @@ -407,7 +426,7 @@ list_match(pam_handle_t *pamh, char *list, char *sptr, char *tok; int match = NO; - if (pam_access_debug && list != NULL) + if (item->debug && list != NULL) pam_syslog (pamh, LOG_DEBUG, "list_match: list=%s, item=%s", list, item->user->pw_name); 
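Review bot: The new audit condition in the `-394` hunk tests `line[0] == '-'` before it looks at `match`, so `line` is read even when no rule line was ever stored in it; if the ENOENT branch above falls through to this point (its body is outside the hunk), that is a read of an uninitialised buffer. Testing the match result first avoids it: `if (!item->noaudit && (match == YES || (match == ALL && nonall_match == YES)) && line[0] == '-')`. The record is also written with a result argument of `0`, while pam_limits passes `PAM_PERM_DENIED` for its denial; if `_pam_audit_writelog()` derives the record's success field from that argument, denials from pam_access would be recorded as successes, which is worth confirming. `nonall_match` deserves a one-line comment where it is declared, saying what it tracks.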
@@ -418,8 +437,8 @@ list_match(pam_handle_t *pamh, char *list, char *sptr, * the match is affected by any exceptions. */ - for (tok = strtok_r(list, sep, &sptr); tok != 0; - tok = strtok_r(NULL, sep, &sptr)) { + for (tok = strtok_r(list, item->sep, &sptr); tok != 0; + tok = strtok_r(NULL, item->sep, &sptr)) { if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ break; if ((match = (*match_fn) (pamh, tok, item))) /* YES */ @@ -428,10 +447,12 @@ list_match(pam_handle_t *pamh, char *list, char *sptr, /* Process exceptions to matches. */ if (match != NO) { - while ((tok = strtok_r(NULL, sep, &sptr)) && strcasecmp(tok, "EXCEPT")) + while ((tok = strtok_r(NULL, item->sep, &sptr)) && strcasecmp(tok, "EXCEPT")) /* VOID */ ; - if (tok == 0 || list_match(pamh, NULL, sptr, item, match_fn) == NO) - return (match); + if (tok == 0) + return match; + if (list_match(pamh, NULL, sptr, item, match_fn) == NO) + return YES; /* drop special meaning of ALL */ } return (NO); } @@ -453,7 +474,7 @@ static char *myhostname(void) static int netgroup_match (pam_handle_t *pamh, const char *netgroup, - const char *machine, const char *user) + const char *machine, const char *user, int debug) { char *mydomain = NULL; int retval; @@ -462,7 +483,7 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, retval = innetgr (netgroup, machine, user, mydomain); - if (pam_access_debug == YES) + if (debug == YES) pam_syslog (pamh, LOG_DEBUG, "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)", retval, netgroup ? netgroup : "NULL", @@ -480,8 +501,9 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) char *string = item->user->pw_name; struct login_info fake_item; char *at; + int rv; - if (pam_access_debug) + if (item->debug) pam_syslog (pamh, LOG_DEBUG, "user_match: tok=%s, item=%s", tok, string); 
@@ -500,12 +522,12 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) return (user_match (pamh, tok, item) && from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') /* netgroup */ - return (netgroup_match (pamh, tok + 1, (char *) 0, string)); + return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug)); else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') - return (group_match (pamh, tok, string)); - else if (string_match (pamh, tok, string)) /* ALL or exact match */ - return YES; - else if (only_new_group_syntax == NO && + return (group_match (pamh, tok, string, item->debug)); + else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ + return rv; + else if (item->only_new_group_syntax == NO && pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)) /* try group membership */ @@ -518,11 +540,12 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) /* group_match - match a username against token named group */ static int -group_match (pam_handle_t *pamh, const char *tok, const char* usr) +group_match (pam_handle_t *pamh, const char *tok, const char* usr, + int debug) { char grptok[BUFSIZ]; - if (pam_access_debug) + if (debug) pam_syslog (pamh, LOG_DEBUG, "group_match: grp=%s, user=%s", grptok, usr); @@ -548,8 +571,9 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) const char *string = item->from; int tok_len; int str_len; + int rv; - if (pam_access_debug) + if (item->debug) pam_syslog (pamh, LOG_DEBUG, "from_match: tok=%s, item=%s", tok, string); 
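Review bot: `from_match()` now reads `item->debug`, but in the user@host branch of `user_match()` it is handed `&fake_item`, a local `struct login_info` that the previous hunk shows declared without an initialiser. Unless code outside these hunks fills in every member, `fake_item.debug` (and the new `fs`, `sep` and `only_new_group_syntax` members) is indeterminate when `from_match (pamh, at + 1, &fake_item)` runs. Copying the caller's settings at the start of that branch, `fake_item = *item;`, before the fake origin is set, would keep the debug flag and separators consistent. The body of `user_match()` starts and ends outside this hunk.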
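Review bot: The debug message in `group_match()` prints `grptok`, which is declared as `char grptok[BUFSIZ];` just above and has not been written yet, so with `debug` set `pam_syslog` reads an uninitialised stack buffer that may not be NUL-terminated and copies whatever it holds into the system log. The value meant here is the token: `"group_match: grp=%s, user=%s", tok, usr);`. The defect predates this commit, but the condition on that line is being changed now, which makes it a good moment to fix. The rest of the function is outside the hunk.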
@@ -565,10 +589,10 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) if (string == NULL) { return NO; } else if (tok[0] == '@') { /* netgroup */ - return (netgroup_match (pamh, tok + 1, string, (char *) 0)); - } else if (string_match(pamh, tok, string)) { + return (netgroup_match (pamh, tok + 1, string, (char *) 0, item->debug)); + } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) { /* ALL or exact match */ - return (YES); + return rv; } else if (tok[0] == '.') { /* domain: match last fields */ if ((str_len = strlen(string)) > (tok_len = strlen(tok)) && strcasecmp(tok, string + str_len - tok_len) == 0) @@ -614,7 +638,7 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) } } else if (isipaddr(string, NULL, NULL) == YES) { /* Assume network/netmask with a IP of a host. */ - if (network_netmask_match(pamh, tok, string)) + if (network_netmask_match(pamh, tok, string, item->debug)) return YES; } else { /* Assume network/netmask with a name of a host. */ @@ -641,7 +665,7 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, buf, sizeof (buf)); - if (network_netmask_match(pamh, tok, buf)) + if (network_netmask_match(pamh, tok, buf, item->debug)) { freeaddrinfo (res); return YES; @@ -658,10 +682,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item) /* string_match - match a string against one token */ static int -string_match (pam_handle_t *pamh, const char *tok, const char *string) +string_match (pam_handle_t *pamh, const char *tok, const char *string, + int debug) { - if (pam_access_debug) + if (debug) pam_syslog (pamh, LOG_DEBUG, "string_match: tok=%s, item=%s", tok, string); 
@@ -672,7 +697,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string) */ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ - return (YES); + return (ALL); } else if (string != NULL) { if (strcasecmp(tok, string) == 0) { /* try exact match */ return (YES); @@ -690,9 +715,9 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string) */ static int network_netmask_match (pam_handle_t *pamh, - const char *tok, const char *string) + const char *tok, const char *string, int debug) { - if (pam_access_debug) + if (debug) pam_syslog (pamh, LOG_DEBUG, "network_netmask_match: tok=%s, item=%s", tok, string); @@ -771,6 +796,22 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_USER_UNKNOWN; } + if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL) + return (PAM_USER_UNKNOWN); + + /* + * Bundle up the arguments to avoid unnecessary clumsiness later on. + */ + loginfo.user = user_pw; + loginfo.config_file = PAM_ACCESS_CONFIG; + + /* parse the argument list */ + + if (!parse_args(pamh, &loginfo, argc, argv)) { + pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments"); + return PAM_ABORT; + } + /* remote host name */ if (pam_get_item(pamh, PAM_RHOST, &void_from) @@ -799,7 +840,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_ABORT; } from = void_from; - if (pam_access_debug) + if (loginfo.debug) pam_syslog (pamh, LOG_DEBUG, "cannot determine tty or remote hostname, using service %s", from); 
@@ -817,22 +858,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } - if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL) - return (PAM_USER_UNKNOWN); - - /* - * Bundle up the arguments to avoid unnecessary clumsiness later on. - */ - loginfo.user = user_pw; loginfo.from = from; - loginfo.config_file = PAM_ACCESS_CONFIG; - - /* parse the argument list */ - - if (!parse_args(pamh, &loginfo, argc, argv)) { - pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments"); - return PAM_ABORT; - } if (login_access(pamh, &loginfo)) { return (PAM_SUCCESS); diff --git a/modules/pam_limits/README b/modules/pam_limits/README index 26336711..3c59052a 100644 --- a/modules/pam_limits/README +++ b/modules/pam_limits/README @@ -16,6 +16,9 @@ module option then the files in the above directory are not parsed. The module must not be called by a multithreaded application. +If Linux PAM is compiled with audit support the module will report when it +denies access based on limit of maximum number of concurrent login sessions. + OPTIONS change_uid @@ -41,6 +44,10 @@ utmp_early to compensate for this behavior and at the same time maintain system-wide consistency with a single limits.conf file. +noaudit + + Do not report exceeded maximum logins count to the audit subsystem. + EXAMPLES These are some example lines which might be specified in /etc/security/ diff --git a/modules/pam_limits/pam_limits.8 b/modules/pam_limits/pam_limits.8 index 4f01e4cf..fa183d3a 100644 --- a/modules/pam_limits/pam_limits.8 +++ b/modules/pam_limits/pam_limits.8 
@@ -1,125 +1,132 @@ .\" Title: pam_limits .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 04/30/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: 12/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_LIMITS" "8" "04/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LIMITS" "8" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_limits \- PAM module to limit resources +pam_limits - PAM module to limit resources .SH "SYNOPSIS" .HP 14 -\fBpam_limits.so\fR [change_uid] [conf=\fI/path/to/limits.conf\fR] [debug] [utmp_early] +\fBpam_limits\.so\fR [change_uid] [conf=\fI/path/to/limits\.conf\fR] [debug] [utmp_early] [noaudit] .SH "DESCRIPTION" .PP -The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session. Users of +The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\. Users of \fIuid=0\fR -are affected by this limits, too. +are affected by this limits, too\. .PP By default limits are taken from the -\fI/etc/security/limits.conf\fR -config file. Then individual files from the -\fI/etc/security/limits.d/\fR -directory are read. The files are parsed one after another in the order of "C" locale. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing. If a config file is explicitely specified with a module option then the files in the above directory are not parsed. +\fI/etc/security/limits\.conf\fR +config file\. Then individual files from the +\fI/etc/security/limits\.d/\fR +directory are read\. The files are parsed one after another in the order of "C" locale\. 
The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\. .PP -The module must not be called by a multithreaded application. +The module must not be called by a multithreaded application\. +.PP +If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\. .SH "OPTIONS" .PP \fBchange_uid\fR .RS 4 -Change real uid to the user for who the limits are set up. Use this option if you have problems like login not forking a shell for user who has no processes. Be warned that something else may break when you do this. +Change real uid to the user for who the limits are set up\. Use this option if you have problems like login not forking a shell for user who has no processes\. Be warned that something else may break when you do this\. .RE .PP -\fBconf=\fR\fB\fI/path/to/limits.conf\fR\fR +\fBconf=\fR\fB\fI/path/to/limits\.conf\fR\fR .RS 4 -Indicate an alternative limits.conf style configuration file to override the default. +Indicate an alternative limits\.conf style configuration file to override the default\. .RE .PP \fBdebug\fR .RS 4 -Print debug information. +Print debug information\. .RE .PP \fButmp_early\fR .RS 4 -Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits.conf file. +Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\. 
If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\.conf file\. +.RE +.PP +\fBnoaudit\fR +.RS 4 +Do not report exceeded maximum logins count to the audit subsystem\. .RE .SH "MODULE SERVICES PROVIDED" .PP Only the \fBsession\fR -service is supported. +service is supported\. .SH "RETURN VALUES" .PP PAM_ABORT .RS 4 -Cannot get current limits. +Cannot get current limits\. .RE .PP PAM_IGNORE .RS 4 -No limits found for this user. +No limits found for this user\. .RE .PP PAM_PERM_DENIED .RS 4 -New limits could not be set. +New limits could not be set\. .RE .PP PAM_SERVICE_ERR .RS 4 -Cannot read config file. +Cannot read config file\. .RE .PP PAM_SESSEION_ERR .RS 4 -Error recovering account name. +Error recovering account name\. .RE .PP PAM_SUCCESS .RS 4 -Limits were changed. +Limits were changed\. .RE .PP PAM_USER_UNKNOWN .RS 4 -The user is not known to the system. +The user is not known to the system\. .RE .SH "FILES" .PP -\fI/etc/security/limits.conf\fR +\fI/etc/security/limits\.conf\fR .RS 4 Default configuration file .RE .SH "EXAMPLES" .PP For the services you need resources limits (login for example) put a the following line in -\fI/etc/pam.d/login\fR +\fI/etc/pam\.d/login\fR as the last line for that service (usually after the pam_unix session line): .sp .RS 4 .nf -#%PAM\-1.0 +#%PAM\-1\.0 # # Resource limits imposed on login sessions via pam_limits # -session required pam_limits.so +session required pam_limits\.so .fi .RE .PP -Replace "login" for each service you are using this module. +Replace "login" for each service you are using this module\. .SH "SEE ALSO" .PP \fBlimits.conf\fR(5), \fBpam.d\fR(8), -\fBpam\fR(8). +\fBpam\fR(8)\. .SH "AUTHORS" .PP -pam_limits was initially written by Cristian Gafton +pam_limits was initially written by Cristian Gafton 
diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml index 9f13bb68..98afdcd4 100644 --- a/modules/pam_limits/pam_limits.8.xml +++ b/modules/pam_limits/pam_limits.8.xml @@ -34,6 +34,9 @@ utmp_early + + noaudit + @@ -57,6 +60,11 @@ The module must not be called by a multithreaded application. + + If Linux PAM is compiled with audit support the module will report + when it denies access based on limit of maximum number of concurrent + login sessions. + @@ -111,6 +119,16 @@ + + + + + + + Do not report exceeded maximum logins count to the audit subsystem. + + + diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index d65e64bf..f1e29b85 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -41,6 +41,10 @@ #include #include +#ifdef HAVE_LIBAUDIT +#include +#endif + /* Module defines */ #define LINE_LENGTH 1024 @@ -101,6 +105,7 @@ struct pam_limit_s { #define PAM_DEBUG_ARG 0x0001 #define PAM_DO_SETREUID 0x0002 #define PAM_UTMP_EARLY 0x0004 +#define PAM_NO_AUDIT 0x0008 /* Limits from globbed files. */ #define LIMITS_CONF_GLOB LIMITS_FILE_DIR @@ -126,6 +131,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, ctrl |= PAM_DO_SETREUID; } else if (!strcmp(*argv,"utmp_early")) { ctrl |= PAM_UTMP_EARLY; + } else if (!strcmp(*argv,"noaudit")) { + ctrl |= PAM_NO_AUDIT; } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -595,6 +602,13 @@ static int setup_limits(pam_handle_t *pamh, D(("skip login limit check for uid=0")); } else if (pl->login_limit > 0) { if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) { +#ifdef HAVE_LIBAUDIT + if (!(ctrl & PAM_NO_AUDIT)) { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS, + "pam_limits", PAM_PERM_DENIED); + /* ignore return value as we fail anyway */ + } +#endif retval |= LOGIN_ERR; } } else if (pl->login_limit == 0) { 
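Review bot: In the setup_limits hunk of pam_limits.c the new audit record is written only in the `pl->login_limit > 0` branch, while the `else if (pl->login_limit == 0)` branch that begins on the hunk's last context line gets none. That branch's body is outside the hunk, but if it also sets `LOGIN_ERR` (a limit of zero presumably refuses every session), those denials never reach the audit subsystem and a monitor keyed on AUDIT_ANOM_LOGIN_SESSIONS would miss them. I would repeat the guarded call there under the same `#ifdef HAVE_LIBAUDIT`: `if (!(ctrl & PAM_NO_AUDIT)) pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS, "pam_limits", PAM_PERM_DENIED);`.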
diff --git a/modules/pam_time/README b/modules/pam_time/README index abafd936..05eaec2c 100644 --- a/modules/pam_time/README +++ b/modules/pam_time/README @@ -14,6 +14,9 @@ from which they are making their request. By default rules for time/port access are taken from config file /etc/security/ time.conf. +If Linux PAM is compiled with audit support the module will report when it +denies access. + EXAMPLES These are some example lines which might be specified in /etc/security/ diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml index de7bcad3..e0b149a7 100644 --- a/modules/pam_time/pam_time.8.xml +++ b/modules/pam_time/pam_time.8.xml @@ -22,6 +22,12 @@ pam_time.so + + debug + + + noaudit + @@ -41,11 +47,40 @@ By default rules for time/port access are taken from config file /etc/security/time.conf. + + If Linux PAM is compiled with audit support the module will report + when it denies access. + OPTIONS - This module does not recognise any options. + + + + + + + + + Some debug informations are printed with + syslog3. + + + + + + + + + + + Do not report logins at disallowed time to the audit subsystem. + + + + + diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index 56b418f4..8e3b2486 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -22,9 +22,16 @@ #include #include +#ifdef HAVE_LIBAUDIT +#include +#endif + #define PAM_TIME_BUFLEN 1000 #define FIELD_SEPARATOR ';' /* this is new as of .02 */ +#define PAM_DEBUG_ARG 0x0001 +#define PAM_NO_AUDIT 0x0002 + #ifndef TRUE # define TRUE 1 #endif 
@@ -46,6 +53,29 @@ typedef enum { AND, OR } operator; #include #include #include +#include + +static int +_pam_parse (const pam_handle_t *pamh, int argc, const char **argv) +{ + int ctrl = 0; + + /* step through arguments */ + for (; argc-- > 0; ++argv) { + + /* generic options */ + + if (!strcmp(*argv, "debug")) { + ctrl |= PAM_DEBUG_ARG; + } else if (!strcmp(*argv, "noaudit")) { + ctrl |= PAM_NO_AUDIT; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } + } + + return ctrl; +} /* --- static functions for checking whether the user should be let in --- */ @@ -567,11 +597,15 @@ check_account(pam_handle_t *pamh, const char *service, PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) + int argc, const char **argv) { const void *service=NULL, *void_tty=NULL; const char *tty; const char *user=NULL; + int ctrl; + int rv; + + ctrl = _pam_parse(pamh, argc, argv); /* set service name */ @@ -620,7 +654,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, D(("user=%s", user)); D(("tty=%s", tty)); - return check_account(pamh, service, tty, user); + rv = check_account(pamh, service, tty, user); + if (rv != PAM_SUCCESS) { +#ifdef HAVE_LIBAUDIT + if (!(ctrl & PAM_NO_AUDIT)) { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME, + "pam_time", rv); /* ignore return value as we fail anyway */ + } +#endif + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, "user %s rejected", user); + } + } + return rv; } /* end of module definition */ -- cgit v1.2.3 From 75e765ba9d3a389743bc34c8d1e74812f46a726b Mon Sep 17 00:00:00 2001 
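Review bot: In the last pam_time.c hunk (`@@ -620,7 +654,19 @@`), pam_sm_acct_mgmt writes AUDIT_ANOM_LOGIN_TIME for every `rv != PAM_SUCCESS`, so any failure check_account can return is recorded as a login at a disallowed time. check_account is outside the hunk; if it also returns error codes for an unreadable or malformed time.conf, the audit condition should be narrowed to the denial code, presumably `if (rv == PAM_PERM_DENIED && !(ctrl & PAM_NO_AUDIT))`. Separately, the only syslog record of a rejection is `pam_syslog(pamh, LOG_DEBUG, "user %s rejected", user)` behind `PAM_DEBUG_ARG`. A build without HAVE_LIBAUDIT, or a stack configured with `noaudit`, therefore leaves no trace of the denial unless `debug` is also set; logging the rejection unconditionally at `LOG_NOTICE` would keep it visible.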
From: Tomas Mraz Date: Wed, 12 Dec 2007 19:34:05 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2007-12-12 Eamon Walsh * doc/man/pam_item_types_ext.inc.xml: More appropriate wording for PAM_XDISPLAY doc. --- ChangeLog | 36 +++++++++ doc/man/pam_get_item.3 | 154 ++++++++++++++++++++++++------------- doc/man/pam_item_types_ext.inc.xml | 4 +- doc/man/pam_set_data.3 | 68 +++++++++------- doc/man/pam_set_item.3 | 148 +++++++++++++++++++++++------------ 5 files changed, 275 insertions(+), 135 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf54ed5e..af4bf132 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,7 +1,43 @@ +2007-12-12 Eamon Walsh + + * doc/man/pam_item_types_ext.inc.xml: More appropriate wording + for PAM_XDISPLAY doc. + 2007-12-07 Tomas Mraz * po/cs.po: Updated translations. + * libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version. + * libpam/pam_audit.c: Add _pam_audit_open() and + pam_modutil_audit_write(). + (_pam_auditlog): Call _pam_audit_open(). + * libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write(). + * modules/pam_access/pam_access.8.xml: Add noaudit option. + Document auditing. + * modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and + only_new_group_syntax variables to struct login_info. Add noaudit + member. + (_parse_args): Adjust for the move of variables and add support for + noaudit option. + (group_match): Add debug parameter. + (string_match): Likewise. + (network_netmask_match): Likewise. + (login_access): Adjust for the move of variables. Add nonall_match. + Add call to pam_modutil_audit_write(). + (list_match): Adjust for the move of variables. + (user_match): Likewise. + (from_match): Likewise. + (pam_sm_authenticate): Call _parse_args() earlier. + * modules/pam_limits/pam_limits.8.xml: Add noaudit option. + Document auditing. + * modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option. + (setup_limits): Call pam_modutil_audit_write(). + * modules/pam_time/pam_time.8.xml: Add debug and noaudit options. + Document auditing. + * modules/pam_time/pam_time.c: Add option parsing (_pam_parse()). + (check_account): Call _pam_parse(). Call pam_modutil_audit_write() + and pam_syslog() on login denials. + 2007-12-07 Luca Bruno * po/it.po: Updated translations. diff --git a/doc/man/pam_get_item.3 b/doc/man/pam_get_item.3 index ae63d298..27ea6cf3 100644 --- a/doc/man/pam_get_item.3 +++ b/doc/man/pam_get_item.3 
@@ -1,22 +1,22 @@ .\" Title: pam_get_item .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: 12/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_GET_ITEM" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_GET_ITEM" "3" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_get_item \- getting PAM informations +pam_get_item - getting PAM informations .SH "SYNOPSIS" .sp .ft B .nf -#include +#include .fi .ft .HP 17 
@@ -26,98 +26,146 @@ pam_get_item \- getting PAM informations The \fBpam_get_item\fR function allows applications and PAM service modules to access and retrieve PAM informations of -\fIitem_type\fR. Upon successful return, +\fIitem_type\fR\. Upon successful return, \fIitem\fR -contains a pointer to the value of the corresponding item. Note, this is a pointer to the +contains a pointer to the value of the corresponding item\. Note, this is a pointer to the \fIactual\fR data and should \fBnot\fR be -\fIfree()\fR'ed or over\-written! The following values are supported for +\fIfree()\fR\'ed or over\-written! The following values are supported for \fIitem_type\fR: -.TP 3n +.PP PAM_SERVICE -The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program). -.TP 3n +.RS 4 +The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\. +.RE +.PP PAM_USER -The username of the entity under whose identity service will be given. That is, following authentication, +.RS 4 +The username of the entity under whose identity service will be given\. That is, following authentication, \fIPAM_USER\fR -identifies the local entity that gets to use the service. Note, this value can be mapped from something (eg., "anonymous") to something else (eg. "guest119") by any module in the PAM stack. As such an application should consult the value of +identifies the local entity that gets to use the service\. Note, this value can be mapped from something (eg\., "anonymous") to something else (eg\. "guest119") by any module in the PAM stack\. As such an application should consult the value of \fIPAM_USER\fR -after each call to a PAM function. -.TP 3n +after each call to a PAM function\. +.RE +.PP PAM_USER_PROMPT -The string used when prompting for a user's name. The default value for this string is a localized version of "login: ". -.TP 3n +.RS 4 +The string used when prompting for a user\'s name\. 
The default value for this string is a localized version of "login: "\. +.RE +.PP PAM_TTY +.RS 4 The terminal name: prefixed by \fI/dev/\fR if it is a device file; for graphical, X\-based, applications the value for this item should be the \fI$DISPLAY\fR -variable. -.TP 3n +variable\. +.RE +.PP PAM_RUSER -The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user. +.RS 4 +The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\. .sp -Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator. +Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\. .sp \fIPAM_RUSER@PAM_RHOST\fR -should always identify the requesting user. In some cases, +should always identify the requesting user\. In some cases, \fIPAM_RUSER\fR -may be NULL. In such situations, it is unclear who the requesting entity is. -.TP 3n +may be NULL\. In such situations, it is unclear who the requesting entity is\. +.RE +.PP PAM_RHOST +.RS 4 The requesting hostname (the hostname of the machine from which the \fIPAM_RUSER\fR -entity is requesting service). That is +entity is requesting service)\. That is \fIPAM_RUSER@PAM_RHOST\fR -does identify the requesting user. In some applications, +does identify the requesting user\. In some applications, \fIPAM_RHOST\fR -may be NULL. In such situations, it is unclear where the authentication request is originating from. 
-.TP 3n +may be NULL\. In such situations, it is unclear where the authentication request is originating from\. +.RE +.PP PAM_AUTHTOK -The authentication token (often a password). This token should be ignored by all module functions besides +.RS 4 +The authentication token (often a password)\. This token should be ignored by all module functions besides \fBpam_sm_authenticate\fR(3) and -\fBpam_sm_chauthtok\fR(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token. -.TP 3n +\fBpam_sm_chauthtok\fR(3)\. In the former function it is used to pass the most recent authentication token from one stacked module to another\. In the latter function the token is used for another purpose\. It contains the currently active authentication token\. +.RE +.PP PAM_OLDAUTHTOK -The old authentication token. This token should be ignored by all module functions except -\fBpam_sm_chauthtok\fR(3). -.TP 3n +.RS 4 +The old authentication token\. This token should be ignored by all module functions except +\fBpam_sm_chauthtok\fR(3)\. +.RE +.PP PAM_CONV -The pam_conv structure. See -\fBpam_conv\fR(3). -.TP 3n +.RS 4 +The pam_conv structure\. See +\fBpam_conv\fR(3)\. +.RE +.PP +The following additional items are specific to Linux\-PAM and should not be used in portable applications: +.PP PAM_FAIL_DELAY -A function pointer to redirect centrally managed failure delays. See -\fBpam_fail_delay\fR(3). +.RS 4 +A function pointer to redirect centrally managed failure delays\. See +\fBpam_fail_delay\fR(3)\. +.RE +.PP +PAM_XDISPLAY +.RS 4 +The name of the X display\. For graphical, X\-based applications the value for this item should be the +\fI$DISPLAY\fR +variable\. This value should be used instead of +\fIPAM_TTY\fR +for passing the name of the display where possible\. 
+.RE +.PP +PAM_XAUTHDATA +.RS 4 +A pointer to a structure containing the X authentication data required to make a connection to the display specified by +\fIPAM_XDISPLAY\fR, if such information is necessary\. See +\fBpam_xauth_data\fR(3)\. +.RE .PP If a service module wishes to obtain the name of the user, it should not use this function, but instead perform a call to -\fBpam_get_user\fR(3). +\fBpam_get_user\fR(3)\. .PP -Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK. +Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_BAD_ITEM -The application attempted to set an undefined or inaccessible item. -.TP 3n +.RS 4 +The application attempted to set an undefined or inaccessible item\. +.RE +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_PERM_DENIED +.RS 4 The value of \fIitem\fR -was NULL. -.TP 3n +was NULL\. +.RE +.PP PAM_SUCCESS -Data was successful updated. -.TP 3n +.RS 4 +Data was successful updated\. +.RE +.PP PAM_SYSTEM_ERR +.RS 4 The \fIpam_handle_t\fR -passed as first argument was invalid. +passed as first argument was invalid\. +.RE .SH "SEE ALSO" .PP diff --git a/doc/man/pam_item_types_ext.inc.xml b/doc/man/pam_item_types_ext.inc.xml index 0c72f699..89f19875 100644 --- a/doc/man/pam_item_types_ext.inc.xml +++ b/doc/man/pam_item_types_ext.inc.xml @@ -20,9 +20,9 @@ The name of the X display. For graphical, X-based applications the value for this item should be the $DISPLAY - variable. This value should be used instead of + variable. This value may be used independently of PAM_TTY for passing the - name of the display where possible. + name of the display. diff --git a/doc/man/pam_set_data.3 b/doc/man/pam_set_data.3 index c3a2a689..1991b92a 100644 --- a/doc/man/pam_set_data.3 +++ b/doc/man/pam_set_data.3 
@@ -1,22 +1,22 @@ .\" Title: pam_set_data .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: 12/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_SET_DATA" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SET_DATA" "3" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_set_data \- set module internal data +pam_set_data - set module internal data .SH "SYNOPSIS" .sp .ft B .nf -#include +#include .fi .ft .HP 17 
@@ -29,30 +29,30 @@ function associates a pointer to an object with the (hopefully) unique string \fImodule_data_name\fR in the PAM context specified by the \fIpamh\fR -argument. +argument\. .PP -PAM modules may be dynamically loadable objects. In general such files should not contain +PAM modules may be dynamically loadable objects\. In general such files should not contain \fIstatic\fR -variables. This function and its counterpart +variables\. This function and its counterpart \fBpam_get_data\fR(3), provide a mechanism for a module to associate some data with the handle -\fIpamh\fR. Typically a module will call the +\fIpamh\fR\. Typically a module will call the \fBpam_set_data\fR function to register some data under a (hopefully) unique -\fImodule_data_name\fR. The data is available for use by other modules too but +\fImodule_data_name\fR\. The data is available for use by other modules too but \fInot\fR -by an application. Since this functions stores only a pointer to the -\fIdata\fR, the module should not modify or free the content of it. +by an application\. Since this functions stores only a pointer to the +\fIdata\fR, the module should not modify or free the content of it\. .PP The function \fBcleanup()\fR is associated with the \fIdata\fR and, if non\-NULL, it is called when this data is over\-written or following a call to -\fBpam_end\fR(3). +\fBpam_end\fR(3)\. .PP The \fIerror_status\fR -argument is used to indicate to the module the sort of action it is to take in cleaning this data item. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item. When +argument is used to indicate to the module the sort of action it is to take in cleaning this data item\. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item\. When \fBpam_end\fR(3) is called by the module, the \fIerror_status\fR 
@@ -60,31 +60,41 @@ carries the return value of the \fBpam_authenticate\fR(3) or other \fIlibpam\fR -function as appropriate. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place. +function as appropriate\. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place\. .PP The \fIerror_status\fR -may have been logically OR'd with either of the following two values: -.TP 3n +may have been logically OR\'d with either of the following two values: +.PP PAM_DATA_REPLACE +.RS 4 When a data item is being replaced (through a second call to -\fBpam_set_data\fR) this mask is used. Otherwise, the call is assumed to be from -\fBpam_end\fR(3). -.TP 3n +\fBpam_set_data\fR) this mask is used\. Otherwise, the call is assumed to be from +\fBpam_end\fR(3)\. +.RE +.PP PAM_DATA_SILENT +.RS 4 Which indicates that the process would prefer to perform the \fBcleanup()\fR -quietly. That is, discourages logging/messages to the user. +quietly\. That is, discourages logging/messages to the user\. +.RE .SH "RETURN VALUES" -.TP 3n +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_SUCCESS -Data was successful stored. -.TP 3n +.RS 4 +Data was successful stored\. +.RE +.PP PAM_SYSTEM_ERR -A NULL pointer was submitted as PAM handle or the function was called by an application. +.RS 4 +A NULL pointer was submitted as PAM handle or the function was called by an application\. +.RE .SH "SEE ALSO" .PP diff --git a/doc/man/pam_set_item.3 b/doc/man/pam_set_item.3 index fa802747..a152cbbf 100644 --- a/doc/man/pam_set_item.3 +++ b/doc/man/pam_set_item.3 
@@ -1,22 +1,22 @@ .\" Title: pam_set_item .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: 12/06/2007 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual .\" -.TH "PAM_SET_ITEM" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SET_ITEM" "3" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_set_item \- set and update PAM informations +pam_set_item - set and update PAM informations .SH "SYNOPSIS" .sp .ft B .nf -#include +#include .fi .ft .HP 17 
@@ -26,97 +26,143 @@ pam_set_item \- set and update PAM informations The \fBpam_set_item\fR function allows applications and PAM service modules to access and to update PAM informations of -\fIitem_type\fR. For this a copy of the object pointed to by the +\fIitem_type\fR\. For this a copy of the object pointed to by the \fIitem\fR -argument is created. The following +argument is created\. The following \fIitem_type\fRs are supported: -.TP 3n +.PP PAM_SERVICE -The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program). -.TP 3n +.RS 4 +The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\. +.RE +.PP PAM_USER -The username of the entity under whose identity service will be given. That is, following authentication, +.RS 4 +The username of the entity under whose identity service will be given\. That is, following authentication, \fIPAM_USER\fR -identifies the local entity that gets to use the service. Note, this value can be mapped from something (eg., "anonymous") to something else (eg. "guest119") by any module in the PAM stack. As such an application should consult the value of +identifies the local entity that gets to use the service\. Note, this value can be mapped from something (eg\., "anonymous") to something else (eg\. "guest119") by any module in the PAM stack\. As such an application should consult the value of \fIPAM_USER\fR -after each call to a PAM function. -.TP 3n +after each call to a PAM function\. +.RE +.PP PAM_USER_PROMPT -The string used when prompting for a user's name. The default value for this string is a localized version of "login: ". -.TP 3n +.RS 4 +The string used when prompting for a user\'s name\. The default value for this string is a localized version of "login: "\. 
+.RE +.PP PAM_TTY +.RS 4 The terminal name: prefixed by \fI/dev/\fR if it is a device file; for graphical, X\-based, applications the value for this item should be the \fI$DISPLAY\fR -variable. -.TP 3n +variable\. +.RE +.PP PAM_RUSER -The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user. +.RS 4 +The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\. .sp -Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator. +Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\. .sp \fIPAM_RUSER@PAM_RHOST\fR -should always identify the requesting user. In some cases, +should always identify the requesting user\. In some cases, \fIPAM_RUSER\fR -may be NULL. In such situations, it is unclear who the requesting entity is. -.TP 3n +may be NULL\. In such situations, it is unclear who the requesting entity is\. +.RE +.PP PAM_RHOST +.RS 4 The requesting hostname (the hostname of the machine from which the \fIPAM_RUSER\fR -entity is requesting service). That is +entity is requesting service)\. That is \fIPAM_RUSER@PAM_RHOST\fR -does identify the requesting user. In some applications, +does identify the requesting user\. In some applications, \fIPAM_RHOST\fR -may be NULL. In such situations, it is unclear where the authentication request is originating from. -.TP 3n +may be NULL\. 
In such situations, it is unclear where the authentication request is originating from\. +.RE +.PP PAM_AUTHTOK -The authentication token (often a password). This token should be ignored by all module functions besides +.RS 4 +The authentication token (often a password)\. This token should be ignored by all module functions besides \fBpam_sm_authenticate\fR(3) and -\fBpam_sm_chauthtok\fR(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token. -.TP 3n +\fBpam_sm_chauthtok\fR(3)\. In the former function it is used to pass the most recent authentication token from one stacked module to another\. In the latter function the token is used for another purpose\. It contains the currently active authentication token\. +.RE +.PP PAM_OLDAUTHTOK -The old authentication token. This token should be ignored by all module functions except -\fBpam_sm_chauthtok\fR(3). -.TP 3n +.RS 4 +The old authentication token\. This token should be ignored by all module functions except +\fBpam_sm_chauthtok\fR(3)\. +.RE +.PP PAM_CONV -The pam_conv structure. See -\fBpam_conv\fR(3). -.TP 3n +.RS 4 +The pam_conv structure\. See +\fBpam_conv\fR(3)\. +.RE +.PP +The following additional items are specific to Linux\-PAM and should not be used in portable applications: +.PP PAM_FAIL_DELAY -A function pointer to redirect centrally managed failure delays. See -\fBpam_fail_delay\fR(3). +.RS 4 +A function pointer to redirect centrally managed failure delays\. See +\fBpam_fail_delay\fR(3)\. +.RE +.PP +PAM_XDISPLAY +.RS 4 +The name of the X display\. For graphical, X\-based applications the value for this item should be the +\fI$DISPLAY\fR +variable\. This value should be used instead of +\fIPAM_TTY\fR +for passing the name of the display where possible\. 
+.RE +.PP +PAM_XAUTHDATA +.RS 4 +A pointer to a structure containing the X authentication data required to make a connection to the display specified by +\fIPAM_XDISPLAY\fR, if such information is necessary\. See +\fBpam_xauth_data\fR(3)\. +.RE .PP For all \fIitem_type\fRs, other than PAM_CONV and PAM_FAIL_DELAY, \fIitem\fR -is a pointer to a terminated character string. In the case of PAM_CONV, +is a pointer to a terminated character string\. In the case of PAM_CONV, \fIitem\fR points to an initialized \fIpam_conv\fR -structure. In the case of PAM_FAIL_DELAY, +structure\. In the case of PAM_FAIL_DELAY, \fIitem\fR is a function pointer: \fBvoid (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)\fR .PP -Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before returning to the application. Which means an application is not able to access the authentication tokens. +Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before returning to the application\. Which means an application is not able to access the authentication tokens\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_BAD_ITEM -The application attempted to set an undefined or inaccessible item. -.TP 3n +.RS 4 +The application attempted to set an undefined or inaccessible item\. +.RE +.PP PAM_BUF_ERR -Memory buffer error. -.TP 3n +.RS 4 +Memory buffer error\. +.RE +.PP PAM_SUCCESS -Data was successful updated. -.TP 3n +.RS 4 +Data was successful updated\. +.RE +.PP PAM_SYSTEM_ERR +.RS 4 The \fIpam_handle_t\fR -passed as first argument was invalid. +passed as first argument was invalid\. +.RE .SH "SEE ALSO" .PP -- cgit v1.2.3 From 4463902ff272d0ee5be8757768a6491e681c332e Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 18 Dec 2007 12:55:38 +0000 Subject: Relevant BUGIDs: 1822779, 1822764 Purpose of commit: docufix Commit summary: --------------- 2007-12-18 Thorsten Kukuk * README: Document how to run make check with static modules (SF#1822779). 2007-12-18 Peter Breitenlohner * README: Document that "make check" requires a file /etc/pam.d/other (SF#1822764). --- ChangeLog | 9 +++++++++ README | 16 +++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index af4bf132..a5cc2818 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2007-12-18 Thorsten Kukuk + + * README: Document how to run make check with static modules + (SF#1822779). + +2007-12-18 Peter Breitenlohner + * README: Document that "make check" requires a file + /etc/pam.d/other (SF#1822764). + 2007-12-12 Eamon Walsh * doc/man/pam_item_types_ext.inc.xml: More appropriate wording diff --git a/README b/README index 364890db..86cf1838 100644 --- a/README +++ b/README @@ -15,7 +15,16 @@ To make sure everything was compiled correct, run: make check -If a test failes, you should not continue to install this build. +If a test fails, you should not continue to install this build. +These tests require a suitable file /etc/pam.d/other; if necessary, +create such a file containing, e.g., these five lines (not indented) + + #%PAM-1.0 + auth required pam_deny.so + account required pam_deny.so + password required pam_deny.so + session required pam_deny.so + Note, if you are worried - don't even think about doing the next line (most Linux distributions already support PAM out of the box, so if @@ -37,6 +46,7 @@ WARNING: Running "make xtests" can overwrite configuration data or make the system insecure/unfunctional for a short time! Backup all important data before! + If you do not wish to make the modules dynamically loadable, but build a static libpam including all PAM modules, you have to call: 
@@ -46,6 +56,10 @@ In this case you cannot use pam_unix in the PAM config files instead you have to use pam_unix_acct, pam_unix_auth, pam_unix_passwd and pam_unix_session. +To run the build checks with static modules, you need to run the +following command: make -C test check && make check + + To regenerate manual pages from the XML source files you need the docbook-xsl stylesheets in version 1.69.1 or newer, older versions had a bug which generates a broken layout. -- cgit v1.2.3 From a90d1809cfe2704a04761a601b0b40244a2d7f46 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Mon, 7 Jan 2008 14:30:37 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2008-01-07 Thorsten Kukuk * po/it.po: Fix typos. * po/de.po: Few new translations. * po/POTFILES.in: Add pam_tty_audit.c and passverify.c. * doc/man/pam_xauth_data.3.xml: Added to CVS. * doc/man/pam_xauth_data.3: Likewise. * modules/pam_tty_audit/README: Likewise. * modules/pam_tty_audit/pam_tty_audit.8: Likewise. --- ChangeLog | 10 +++++ doc/man/pam_xauth_data.3 | 70 ++++++++++++++++++++++++++++++ doc/man/pam_xauth_data.3.xml | 94 ++++++++++++++++++++++++++++++++++++++++ modules/pam_time/pam_time.8 | 19 ++++++-- modules/pam_tty_audit/.cvsignore | 6 +++ po/Linux-PAM.pot | 52 +++++++++++----------- po/POTFILES.in | 4 +- po/ar.po | 52 +++++++++++----------- po/ca.po | 52 +++++++++++----------- po/cs.po | 52 +++++++++++----------- po/da.po | 52 +++++++++++----------- po/de.po | 74 +++++++++++++++---------------- po/es.po | 52 +++++++++++----------- po/fi.po | 52 +++++++++++----------- po/fr.po | 52 +++++++++++----------- po/hu.po | 52 +++++++++++----------- po/it.po | 76 ++++++++++++++++---------------- po/ja.po | 52 +++++++++++----------- po/km.po | 52 +++++++++++----------- po/nb.po | 52 +++++++++++----------- po/nl.po | 52 +++++++++++----------- po/pa.po | 52 +++++++++++----------- po/pl.po | 52 +++++++++++----------- po/pt.po | 52 +++++++++++----------- po/pt_BR.po | 52 +++++++++++----------- po/ru.po | 52 +++++++++++----------- po/sv.po | 52 +++++++++++----------- po/tr.po | 52 +++++++++++----------- po/uk.po | 52 +++++++++++----------- po/zh_CN.po | 52 +++++++++++----------- po/zh_TW.po | 52 +++++++++++----------- po/zu.po | 52 +++++++++++----------- 32 files changed, 895 insertions(+), 706 deletions(-) create mode 100644 doc/man/pam_xauth_data.3 create mode 100644 doc/man/pam_xauth_data.3.xml create mode 100644 modules/pam_tty_audit/.cvsignore diff --git a/ChangeLog b/ChangeLog index a5cc2818..f9aa1b06 100644 
--- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2008-01-07 Thorsten Kukuk + + * po/it.po: Fix typos. + * po/de.po: Few new translations. + * po/POTFILES.in: Add pam_tty_audit.c and passverify.c. + * doc/man/pam_xauth_data.3.xml: Added to CVS. + * doc/man/pam_xauth_data.3: Likewise. + * modules/pam_tty_audit/README: Likewise. + * modules/pam_tty_audit/pam_tty_audit.8: Likewise. + 2007-12-18 Thorsten Kukuk * README: Document how to run make check with static modules diff --git a/doc/man/pam_xauth_data.3 b/doc/man/pam_xauth_data.3 new file mode 100644 index 00000000..49f9c9ec --- /dev/null +++ b/doc/man/pam_xauth_data.3 
@@ -0,0 +1,70 @@ +.\" Title: pam_xauth_data +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 01/07/2008 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" +.TH "PAM_XAUTH_DATA" "3" "01/07/2008" "Linux-PAM Manual" "Linux-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_xauth_data - structure containing X authentication data +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include +.fi +.ft +.sp +.RS 4 +.nf +struct pam_xauth_data { + int namelen; + char *name; + int datalen; + char *data; +}; + +.fi +.RE +.SH "DESCRIPTION" +.PP +The +\fBpam_xauth_data\fR +structure contains X authentication data used to make a connection to an X display\. Using this mechanism, an application can communicate X authentication data to PAM service modules\. This allows modules to make a connection to the user\'s X display in order to label the user\'s session on login, display visual feedback or for other purposes\. +.PP +The +\fIname\fR +field contains the name of the authentication method, such as "MIT\-MAGIC\-COOKIE\-1"\. The +\fInamelen\fR +field contains the length of this string, not including the trailing NUL character\. +.PP +The +\fIdata\fR +field contains the authentication method\-specific data corresponding to the specified name\. The +\fIdatalen\fR +field contains its length in bytes\. +.PP +The X authentication data can be changed with the +\fIPAM_XAUTH_DATA\fR +item\. It can be queried and set with +\fBpam_get_item\fR(3) +and +\fBpam_set_item \fR(3) +respectively\. The value used to set it should be a pointer to a pam_xauth_data structure\. An internal copy of both the structure itself and its fields is made by PAM when setting the item\. +.SH "SEE ALSO" +.PP + +\fBpam_start\fR(3), +\fBpam_get_item\fR(3), +.SH "STANDARDS" +.PP +The +\fBpam_xauth_data\fR +structure and +\fIPAM_XAUTH_DATA\fR +item are Linux\-PAM extensions\. 
diff --git a/doc/man/pam_xauth_data.3.xml b/doc/man/pam_xauth_data.3.xml new file mode 100644 index 00000000..0cd6730b --- /dev/null +++ b/doc/man/pam_xauth_data.3.xml @@ -0,0 +1,94 @@ + + + + + + + pam_xauth_data + 3 + Linux-PAM Manual + + + + pam_xauth_data + structure containing X authentication data + + + + + + + #include <security/pam_appl.h> + + +struct pam_xauth_data { + int namelen; + char *name; + int datalen; + char *data; +}; + + + + + DESCRIPTION + + The pam_xauth_data structure contains X + authentication data used to make a connection to an X display. + Using this mechanism, an application can communicate X + authentication data to PAM service modules. This allows modules to + make a connection to the user's X display in order to label the + user's session on login, display visual feedback or for other + purposes. + + + The name field contains the name of the + authentication method, such as "MIT-MAGIC-COOKIE-1". The + namelen field contains the length of this string, + not including the trailing NUL character. + + + The data field contains the authentication + method-specific data corresponding to the specified name. The + datalen field contains its length in bytes. + + + The X authentication data can be changed with the + PAM_XAUTH_DATA item. It can be queried and + set with + + pam_get_item3 + + and + + pam_set_item 3 + respectively. The value used to set it should be + a pointer to a pam_xauth_data structure. An internal copy of both + the structure itself and its fields is made by PAM when setting the + item. + + + + + SEE ALSO + + + pam_start3 + , + + pam_get_item3 + , + + + + + STANDARDS + + The pam_xauth_data structure and + PAM_XAUTH_DATA item are + Linux-PAM extensions. + + + + diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 index ea0c8d34..21fb83d5 100644 --- a/modules/pam_time/pam_time.8 +++ b/modules/pam_time/pam_time.8 
@@ -1,11 +1,11 @@ .\" Title: pam_time .\" Author: .\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 +.\" Date: 01/07/2008 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" -.TH "PAM_TIME" "8" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" +.TH "PAM_TIME" "8" "01/07/2008" "Linux-PAM Manual" "Linux-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -14,16 +14,27 @@ pam_time - PAM module for time control access .SH "SYNOPSIS" .HP 12 -\fBpam_time\.so\fR +\fBpam_time\.so\fR [debug] [noaudit] .SH "DESCRIPTION" .PP The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\. .PP By default rules for time/port access are taken from config file \fI/etc/security/time\.conf\fR\. +.PP +If Linux PAM is compiled with audit support the module will report when it denies access\. .SH "OPTIONS" .PP -This module does not recognise any options\. +\fBdebug\fR +.RS 4 +Some debug informations are printed with +\fBsyslog\fR(3)\. +.RE +.PP +\fBnoaudit\fR +.RS 4 +Do not report logins at disallowed time to the audit subsystem\. +.RE .SH "MODULE SERVICES PROVIDED" .PP Only the diff --git a/modules/pam_tty_audit/.cvsignore b/modules/pam_tty_audit/.cvsignore new file mode 100644 index 00000000..9fb98574 --- /dev/null +++ b/modules/pam_tty_audit/.cvsignore @@ -0,0 +1,6 @@ +*.la +*.lo +.deps +.libs +Makefile +Makefile.in diff --git a/po/Linux-PAM.pot b/po/Linux-PAM.pot index d0b7760a..a5d0922b 100644 --- a/po/Linux-PAM.pot +++ b/po/Linux-PAM.pot 
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -30,7 +30,7 @@ msgstr "" msgid "erroneous conversation (%d)\n" msgstr "" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "" @@ -270,7 +270,7 @@ msgstr "" msgid "Welcome to your new account!" msgstr "" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "" 
@@ -422,56 +422,56 @@ msgstr "" msgid "Verification mis-typed; password unchanged" msgstr "" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" 
@@ -480,7 +480,7 @@ msgstr[1] "" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, c-format msgid "Warning: your password will expire in %d days" msgstr "" @@ -489,35 +489,35 @@ msgstr "" msgid "Password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, c-format msgid "Changing password for %s." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "" diff --git a/po/POTFILES.in b/po/POTFILES.in index 590e601d..8a668f56 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -1,8 +1,6 @@ ./libpamc/pamc_client.c ./libpamc/pamc_converse.c ./libpamc/pamc_load.c -./libpamc/test/modules/pam_secret.c -./libpamc/test/regress/test.libpamc.c ./libpam_misc/help_env.c ./libpam_misc/misc_conv.c ./libpam/pam_account.c 
@@ -72,6 +70,7 @@ ./modules/pam_tally/pam_tally_app.c ./modules/pam_tally/pam_tally.c ./modules/pam_time/pam_time.c +./modules/pam_tty_audit/pam_tty_audit.c ./modules/pam_umask/pam_umask.c ./modules/pam_unix/bigcrypt.c ./modules/pam_unix/bigcrypt_main.c @@ -83,6 +82,7 @@ ./modules/pam_unix/pam_unix_auth.c ./modules/pam_unix/pam_unix_passwd.c ./modules/pam_unix/pam_unix_sess.c +./modules/pam_unix/passverify.c ./modules/pam_unix/support.c ./modules/pam_unix/unix_chkpwd.c ./modules/pam_unix/yppasswd_xdr.c diff --git a/po/ar.po b/po/ar.po index 47543914..2734bcbe 100644 --- a/po/ar.po +++ b/po/ar.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2001-07-13 15:36+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -29,7 +29,7 @@ msgstr "...عذرًا، انتهى الوقت!\n" msgid "erroneous conversation (%d)\n" msgstr "محادثة خاطئة (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "تسجيل الدخول:" @@ -212,12 +212,12 @@ msgid "has been already used" msgstr "كلمة السر مستخدمة بالفعل" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "لم يتم إدخال كلمة السر" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "لم يتم تغيير كلمة السر" @@ -269,7 +269,7 @@ msgstr "تسجيل الدخول الأخير:%s%s%s" msgid "Welcome to your new account!" msgstr "مرحبًا بك في حسابك الجديد!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "مرات تسجيل دخول كثيرة جدًا لـ '%s'." 
@@ -426,57 +426,57 @@ msgstr "أعد كتابة كلمة سر STRESS الجديدة: " msgid "Verification mis-typed; password unchanged" msgstr "إعادة كتابة كلمة السر غير صحيحة؛ كلمة السر لم تتغير" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "خطأ في التصديق" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "خطأ في الخدمة" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "مستخدم غير معروف" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "خطأ غير معروف" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: تم إعطاء رقم خطأ لـ --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: خيار غير معروف %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: لا يمكن إعادة تعيين كافة المستخدمين إلى رقم غير الصفر\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "انتهت مدة صلاحية الحساب الخاص بك؛ الرجاء الاتصال بمسؤول النظام" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "مطلوب منك تغيير كلمة السر على الفور (مفروض بواسطة المسؤول)" 
-#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "مطلوب منك تغيير كلمة السر على الفور (كلمة السر قديمة جدًا)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -485,7 +485,7 @@ msgstr[1] "تحذير: سوف تنتهي مدة صلاحية كلمة السر #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "تحذير: سوف تنتهي مدة صلاحية كلمة السر الخاصة بك خلال %d يوم%.2s" 
@@ -494,36 +494,36 @@ msgstr "تحذير: سوف تنتهي مدة صلاحية كلمة السر ال msgid "Password: " msgstr "كلمة السر: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "تعذر تغيير كلمة السر الخاصة بـ NIS." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "يجب اختيار كلمة سر أطول" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "كلمة السر التي تم إدخالها مستخدمة بالفعل. اختر كلمة سر أخرى." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "تغيير كلمة سر STRESS لـ" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "كلمة سر UNIX (الحالية): " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "يجب الانتظار فترة أطول لتغيير كلمة السر" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "أدخل كلمة سر UNIX الجديدة: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "أعد كتابة كلمة سر UNIX الجديدة: " diff --git a/po/ca.po b/po/ca.po index f5f5d247..a23ca548 100644 --- a/po/ca.po +++ b/po/ca.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2007-02-22 20:57+0100\n" "Last-Translator: Anna \n" "Language-Team: Catalan\n" 
@@ -30,7 +30,7 @@ msgstr "...S'ha acabat el temps.\n" msgid "erroneous conversation (%d)\n" msgstr "conversa errònia (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "entrada:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "ja s'ha fet servir" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "No s'ha proporcionat cap contrasenya" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "No s'ha canviat la contrasenya" @@ -271,7 +271,7 @@ msgstr "Darrera entrada:%s%s%s" msgid "Welcome to your new account!" msgstr "Benvingut al vostre nou compte." -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Massa entrades per a '%s'." 
@@ -428,59 +428,59 @@ msgstr "Torneu a escriure la nova contrasenya d'STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "Error d'escriptura a la verificació; no s'ha canviat la contrasenya" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Error d'autenticació" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Error del servei" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Usuari desconegut" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Error desconegut" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: número incorrecte assignat a --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: opció %s no reconeguda\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file nom_fitxer_arrel] [--user nom_usuari] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: no es poden restablir tots els usuaris a un valor diferent de zero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "El vostre compte ha caducat. 
Contacteu amb l'administrador del sistema" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "" "Heu de canviar la contrasenya immediatament (us hi obliga l'usuari primari)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Heu de canviar la contrasenya immediatament (la contrasenya és antiga)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -489,7 +489,7 @@ msgstr[1] "Atenció: la contrasenya venç d'aquí a %d dia%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Atenció: la contrasenya venç d'aquí a %d dia%.2s" 
@@ -498,36 +498,36 @@ msgstr "Atenció: la contrasenya venç d'aquí a %d dia%.2s" msgid "Password: " msgstr "Contrasenya: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "No s'ha pogut canviar la contrasenya NIS." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Heu de triar una contrasenya més llarga" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Aquesta contrasenya ja s'ha fet servir. Trieu-ne una altra." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "S'està canviant la contrasenya d'STRESS per a " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "contrasenya (actual) d'UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Heu d'esperar més temps abans de canviar la contrasenya" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Introduïu la nova contrasenya d'UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Torneu a escriure la nova contrasenya d'UNIX: " diff --git a/po/cs.po b/po/cs.po index f1a98f8f..386883a5 100644 --- a/po/cs.po +++ b/po/cs.po 
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2007-10-01 15:54+0100\n" "Last-Translator: Tomas Mraz \n" "Language-Team: cs_CZ \n" @@ -30,7 +30,7 @@ msgstr "...Čas vypršel!\n" msgid "erroneous conversation (%d)\n" msgstr "nesprávná konverzace (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "již bylo použito" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Nezadáno heslo" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Heslo nebylo změněno" @@ -270,7 +270,7 @@ msgstr "Poslední přihlášení:%s%s%s" msgid "Welcome to your new account!" msgstr "Vítejte na vašem novém účtu!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Příliš mnoho přihlášení pro '%s'." 
@@ -423,33 +423,33 @@ msgstr "Opakujte nové STRESS heslo: " msgid "Verification mis-typed; password unchanged" msgstr "Chybné potvrzení. Heslo nezměněno" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Chyba autentizace" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Chyba služby" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Neznámý uživatel" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Neznámá chyba" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Zadána špatná hodnota --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Neznámá volba %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" 
@@ -457,24 +457,24 @@ msgstr "" "%s: [--file jmeno_souboru] [--user uzivatelske_jmeno] [--reset[=n]] [--" "quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Nelze resetovat všechny uživatele nenulově\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Váš účet vypršel; kontaktujte prosím svého správce systému" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Musíte okamžitě změnit své heslo (vynuceno rootem)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Musíte okamžitě změnit své heslo (heslo vypršelo)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -484,7 +484,7 @@ msgstr[2] "Varování: Vaše heslo vyprší za %d dní" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Varování: Počet dní do vypršení hesla: %d" 
@@ -493,35 +493,35 @@ msgstr "Varování: Počet dní do vypršení hesla: %d" msgid "Password: " msgstr "Heslo: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS heslo se nepodařilo změnit." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Musíte zvolit delší heslo" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Heslo již bylo použito. Zvolte jiné." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, c-format msgid "Changing password for %s." msgstr "Změna hesla pro %s." -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(současné) UNIX heslo: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Na změnu svého hesla musíte počkat déle" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Zadejte nové UNIX heslo: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Opakujte nové UNIX heslo: " diff --git a/po/da.po b/po/da.po index 57adba98..0662bcb1 100644 --- a/po/da.po +++ b/po/da.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2005-08-16 20:00+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -31,7 +31,7 @@ msgstr "...Din tid er desværre gået!\n" msgid "erroneous conversation (%d)\n" msgstr "konversationsfejl (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -217,12 +217,12 @@ msgid "has been already used" msgstr "er allerede blevet brugt" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Der er ikke angivet nogen adgangskode" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Adgangskoden er uændret" @@ -274,7 +274,7 @@ msgstr "Sidste login:%s%s%s" msgid "Welcome to your new account!" msgstr "Velkommen til din nye konto!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Der er for mange logins til '%s'." 
@@ -433,57 +433,57 @@ msgstr "Genindtast ny STRESS-adgangskode: " msgid "Verification mis-typed; password unchanged" msgstr "Bekræftelsen blev angivet forkert. Adgangskoden forbliver uændret" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Fejl ved godkendelse" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Fejl ved tjeneste" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Ukendt bruger" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Ukendt fejl" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Der er angivet et forkert tal til --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Ukendt indstilling %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Alle brugere kunne ikke nulstilles til ikke-nul\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Din konto er udløbet. 
Kontakt din systemadministrator" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Du skal omgående ændre din adgangskode (gennemtvunget af roden)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Du skal omgående ændre din adgangskode (for gammel adgangskode)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -492,7 +492,7 @@ msgstr[1] "Advarsel: Din adgangskode udløber om %d dage%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Advarsel: Din adgangskode udløber om %d dage%.2s" 
@@ -501,36 +501,36 @@ msgstr "Advarsel: Din adgangskode udløber om %d dage%.2s" msgid "Password: " msgstr "Adgangskode: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS-adgangskoden kunne ikke ændres." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Du skal vælge en længere adgangskode" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Adgangskoden er allerede blevet brugt. Vælg en anden." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Ændrer STRESS-adgangskode for" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(nuværende) UNIX-adgangskode: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Du skal vente lidt længere for at ændre din adgangskode" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Indtast ny UNIX-adgangskode: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Genindtast ny UNIX-adgangskode: " diff --git a/po/de.po b/po/de.po index 709fbb0a..2126a361 100644 --- a/po/de.po +++ b/po/de.po 
@@ -7,8 +7,8 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" -"PO-Revision-Date: 2006-12-18 15:50+01:00\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"PO-Revision-Date: 2008-01-07 14:59+01:00\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" "MIME-Version: 1.0\n" @@ -29,7 +29,7 @@ msgstr "...Ihre Zeit ist abgelaufen.\n" msgid "erroneous conversation (%d)\n" msgstr "fehlerhafte Kommunikation (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -216,12 +216,12 @@ msgid "has been already used" msgstr "es wurde bereits verwendet" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Kein Passwort angegeben" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Passwort nicht geändert" @@ -273,7 +273,7 @@ msgstr "Letzte Anmeldung:%s%s%s" msgid "Welcome to your new account!" msgstr "Willkommen in Ihrem neuen Account!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Zu viele Anmeldungen für '%s'." @@ -329,9 +329,8 @@ msgid "Error connecting to audit system." msgstr "" #: modules/pam_selinux/pam_selinux.c:98 -#, fuzzy msgid "Error translating default context." -msgstr "Ihr Standardkontext lautet %s. \n" +msgstr "" #: modules/pam_selinux/pam_selinux.c:102 msgid "Error translating selected context." 
@@ -358,14 +357,13 @@ msgid "Not a valid security context" msgstr "Kein gültiger Sicherheitskontext" #: modules/pam_selinux/pam_selinux.c:251 -#, fuzzy, c-format +#, c-format msgid "Default Security Context %s\n" -msgstr "Sicherheitskontext %s zugewiesen" +msgstr "Standard Sicherheitskontext %s\n" #: modules/pam_selinux/pam_selinux.c:255 -#, fuzzy msgid "Would you like to enter a different role or level?" -msgstr "Möchten Sie einen Sicherheitskontext eingeben? [j] " +msgstr "" #: modules/pam_selinux/pam_selinux.c:269 #, c-format @@ -374,12 +372,12 @@ msgstr "" #: modules/pam_selinux/pam_selinux.c:512 msgid "Out of memory" -msgstr "" +msgstr "Kein freier Speicher mehr vorhanden" #: modules/pam_selinux/pam_selinux.c:520 modules/pam_selinux/pam_selinux.c:522 -#, fuzzy, c-format +#, c-format msgid "Unable to get valid context for %s" -msgstr "Verzeichnis %s kann nicht erstellt werden: %m" +msgstr "" #: modules/pam_selinux/pam_selinux.c:578 msgid "Requested MLS level not in permitted range" @@ -391,9 +389,9 @@ msgid "Security Context %s Assigned" msgstr "Sicherheitskontext %s zugewiesen" #: modules/pam_selinux/pam_selinux.c:649 -#, fuzzy, c-format +#, c-format msgid "Key Creation Context %s Assigned" -msgstr "Sicherheitskontext %s zugewiesen" +msgstr "" #: modules/pam_selinux/pam_selinux_check.c:99 #, c-format 
@@ -427,58 +425,58 @@ msgstr "Geben Sie das neue STRESS-Passwort erneut ein: " msgid "Verification mis-typed; password unchanged" msgstr "Bestätigungspasswort falsch eingegeben; Passwort nicht geändert" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Authentifizierungsfehler" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Dienstfehler" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Unbekannter Benutzer" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Unbekannter Fehler" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Ungültige Nummer für --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Nicht erkannte Option: %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: Es können nicht alle Benutzer auf Nicht-null zurückgesetzt werden\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Ihr Konto ist abgelaufen. 
Wenden Sie sich an den Systemadministrator" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Sie müssen Ihr Passwort sofort ändern (von Root erzwungen)." -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Sie müssen Ihr Passwort sofort ändern (Passwortablauf)." -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -487,7 +485,7 @@ msgstr[1] "Warnung: Ihr Passwort läuft in %d Tagen ab." #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Warnung: Ihr Passwort läuft in %d Tagen ab." 
@@ -496,36 +494,36 @@ msgstr "Warnung: Ihr Passwort läuft in %d Tagen ab." msgid "Password: " msgstr "Passwort: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Änderung des NIS-Passworts nicht möglich." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Sie müssen ein längeres Passwort auswählen." -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Passwort wurde bereits verwendet. Wählen Sie ein anderes aus." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, c-format msgid "Changing password for %s." msgstr "Ändern des Passworts für %s." -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(aktuelles) UNIX Passwort: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Sie können Ihr Passwort noch nicht ändern" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Geben Sie ein neues UNIX Passwort ein: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Geben Sie das neue UNIX Passwort erneut ein: " diff --git a/po/es.po b/po/es.po index a065c70f..2fe8d372 100644 --- a/po/es.po +++ b/po/es.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-04 08:32+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -28,7 +28,7 @@ msgstr "...Lo sentimos, el tiempo se ha agotado.\n" msgid "erroneous conversation (%d)\n" msgstr "conversación incorrecta (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "inicio de sesión:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "ya se ha utilizado" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "No se ha proporcionado ninguna contraseña" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "La contraseña no ha cambiado" @@ -271,7 +271,7 @@ msgstr "Último inicio de sesión:%s%s%s" msgid "Welcome to your new account!" msgstr "¡Bienvenido a su nueva cuenta!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Hay demasiados inicios de sesión para \"%s\"." 
@@ -428,33 +428,33 @@ msgstr "Vuelva a escribir la nueva contraseña STRESS:" msgid "Verification mis-typed; password unchanged" msgstr "Error al escribir la verificación; la contraseña no ha cambiado" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Error de autenticación" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Error de servicio" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Usuario desconocido" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Error desconocido" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Número incorrecto proporcionado a --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Opción no reconocida %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" 
@@ -462,28 +462,28 @@ msgstr "" "%s: [--file nombre de archivo-raíz] [--user nombre de usuario] [--reset[=n]] " "[--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: No es posible restaurar a todos los usuarios a un número distinto de " "cero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" "La cuenta ha caducado, póngase en contacto con el administrador del sistema" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "" "Debe cambiar la contraseña inmediatamente (aplicado por el usuario root)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Debe cambiar la contraseña inmediatamente (la contraseña ha caducado)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -492,7 +492,7 @@ msgstr[1] "Advertencia: la contraseña caducará dentro de %d día%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Advertencia: la contraseña caducará dentro de %d día%.2s" 
@@ -501,36 +501,36 @@ msgstr "Advertencia: la contraseña caducará dentro de %d día%.2s" msgid "Password: " msgstr "Contraseña:" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "No es posible cambiar la contraseña NIS." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Debe elegir una contraseña más larga" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "La contraseña ya se ha utilizado. Seleccione otra." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Cambiando la contraseña STRESS para" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(actual) contraseña de UNIX:" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Debe esperar más tiempo para cambiar la contraseña" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Introduzca la nueva contraseña de UNIX:" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Vuelva a escribir la nueva contraseña de UNIX:" diff --git a/po/fi.po b/po/fi.po index 3582e3d9..24916d5a 100644 --- a/po/fi.po +++ b/po/fi.po 
@@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-04 08:30+0200\n" "Last-Translator: Jyri Palokangas \n" "Language-Team: \n" @@ -32,7 +32,7 @@ msgstr "...Aikasi on loppunut!\n" msgid "erroneous conversation (%d)\n" msgstr "virheellinen keskustelu (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "kirjautuminen:" @@ -215,12 +215,12 @@ msgid "has been already used" msgstr "on jo käytetty" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Et antanut salasanaa" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Salasanaa ei vaihdettu" @@ -272,7 +272,7 @@ msgstr "Viimeinen kirjautuminen:%s%s%s" msgid "Welcome to your new account!" msgstr "Tervetuloa uudella käyttäjätilillä!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Liian monta kirjautumista '%s'." 
@@ -429,33 +429,33 @@ msgstr "Anna uusi STRESS-salasana uudelleen: " msgid "Verification mis-typed; password unchanged" msgstr "Salasanat eivät ole samat; salasanaa ei vaihdettu" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Tunnistautumisvirhe" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Palveluvirhe" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Tuntematon käyttäjä" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Tuntematon virhe" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Väärä numero annettu valinnalle --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Tunnistamaton valinta %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" 
@@ -463,24 +463,24 @@ msgstr "" "%s: [--file juurrutettu-tiedostonimi] [--user käyttäjätunnus] [--reset[=n]] " "[--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Ei voida palauttaa kaikkia käyttäjiä ei-nolliksi\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Käyttäjätilisi on vanhentunut; ota yhteyttä järjestelmän ylläpitäjään" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Salasanasi täytyy vaihtaa heti (pääkäyttäjän vaatimus)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Salasanasi täytyy vaihtaa heti (salasana vanhentunut)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -489,7 +489,7 @@ msgstr[1] "Varoitus: salasanasi vanhenee %d päivässä%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Varoitus: salasanasi vanhenee %d päivässä%.2s" 
@@ -498,36 +498,36 @@ msgstr "Varoitus: salasanasi vanhenee %d päivässä%.2s" msgid "Password: " msgstr "Salasana: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS-salasanaa ei voitu vaihtaa." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Salasanan tulee olla pidempi" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Salasana on jo käytetty. Valitse toinen." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Vaihdetaan STRESS-salasana " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(nykyinen) UNIX salasana: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Sinun täytyy odottaa kauemmin vaihtaaksesi salasanan" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Anna uusi UNIX-salasana: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Anna uusi UNIX-salasana uudelleen: " diff --git a/po/fr.po b/po/fr.po index f6158657..9c8bde5f 100644 --- a/po/fr.po +++ b/po/fr.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-04 08:29+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -28,7 +28,7 @@ msgstr "...Votre temps est épuisé !\n" msgid "erroneous conversation (%d)\n" msgstr "erreurs de conversation (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login : " @@ -219,12 +219,12 @@ msgid "has been already used" msgstr "a déjà été utilisé" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Aucun mot de passe fourni" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Mot de passe inchangé" @@ -276,7 +276,7 @@ msgstr "Dernière connexion :%s%s%s" msgid "Welcome to your new account!" msgstr "Bienvenue sur votre nouveau compte !" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Trop de connexions pour '%s'." 
@@ -433,58 +433,58 @@ msgstr "Retaper le nouveau mot de passe STRESS : " msgid "Verification mis-typed; password unchanged" msgstr "Verification erronée : mot de passe inchangé" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Erreur d'authentification" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Erreur de service" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Utilisateur inconnu" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Erreur inconnue" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Numéro incorrect attribué à --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s : Option non reconnue %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Impossible de réinitialiser tous les utilisateurs à non-zéro\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Votre compte a expiré. 
Contactez votre administrateur système" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Vous devez changer votre mot de passe immédiatement (imposé par root)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" "Vous devez changer votre mot de passe immédiatement (mot de passe périmé)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -493,7 +493,7 @@ msgstr[1] "Avertissement : votre mot de passe expire dans %d jour%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Avertissement : votre mot de passe expire dans %d jour%.2s" 
@@ -502,36 +502,36 @@ msgstr "Avertissement : votre mot de passe expire dans %d jour%.2s" msgid "Password: " msgstr "Mot de passe : " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Le mot de passe NIS n'a pas pu être changé." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Vous devez choisir un mot de passe plus long" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Mot de passe déjà utilisé. Choisissez-en un autre." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Changement du mot de passe STRESS pour " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "Mot de passe UNIX (actuel) : " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Vous devez encore attendre avant de changer votre mot de passe" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Entrez le nouveau mot de passe UNIX : " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Retapez le nouveau mot de passe UNIX : " diff --git a/po/hu.po b/po/hu.po index cc066b85..24833981 100644 --- a/po/hu.po +++ b/po/hu.po 
@@ -11,7 +11,7 @@ msgid "" msgstr "" "Project-Id-Version: hu.new\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2007-02-15 17:40+0100\n" "Last-Translator: Kalman Kemenczy \n" "Language-Team: \n" @@ -34,7 +34,7 @@ msgstr "...Elnézést, de az idő lejárt!\n" msgid "erroneous conversation (%d)\n" msgstr "hibás beszélgetés (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "belépés:" @@ -220,12 +220,12 @@ msgid "has been already used" msgstr "A jelszót már használta. Válasszon egy másikat." #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Nem lett megadva jelszó" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "A jelszó nem változott" @@ -277,7 +277,7 @@ msgstr "Utolsó belépés:%s%s%s" msgid "Welcome to your new account!" msgstr "Üdvözöljük az új fiókjában!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Túl sok belépés '%s' részéről." 
@@ -434,57 +434,57 @@ msgstr "Írja be mégegyszer az új STRESS jelszót: " msgid "Verification mis-typed; password unchanged" msgstr "Az ellenőrző jelszó nem egyezik; a jelszó nem került módosításra" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Hitelesítési hiba" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Szolgáltatási hiba" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Ismeretlen felhasználó" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Ismeretlen hiba" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Rossz szám lett megadva: --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Fel nem ismert paraméter (%s)\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-fájlnév] [--user felhasználónév] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Nem állítható vissza minden felhasználó nem nullára\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "A fiók érvényessége lejárt; keresse meg a rendszergazdát" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Azonnal meg 
kell változtatnia a jelszavát (a root írta elő)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Azonnal meg kell változtatnia a jelszavát (a jelszó elévült)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -493,7 +493,7 @@ msgstr[1] "Figyelmeztetés: a jelszava lejár %d nap múlva" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Figyelmeztetés: a jelszava lejár %d nap múlva" 
@@ -502,36 +502,36 @@ msgstr "Figyelmeztetés: a jelszava lejár %d nap múlva" msgid "Password: " msgstr "Jelszó: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "A NIS-jelszó nem módosítható." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Hosszabb jelszót kell választania" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "A jelszót már használta. Válasszon egy másikat." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS jelszó megváltoztatása - " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "A (jelenlegi) UNIX jelszó: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Tovább kell várnia a jelszó módosítására" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Adja meg az új UNIX jelszót: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Írja be újra a UNIX jelszót: " diff --git a/po/it.po b/po/it.po index 63ea3248..9b7c802e 100644 --- a/po/it.po +++ b/po/it.po 
@@ -8,13 +8,13 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2007-11-24 13:39+0100\n" "Last-Translator: Luca Bruno \n" "Language-Team: Italian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit" +"Content-Transfer-Encoding: 8bit\n" #: libpam_misc/misc_conv.c:33 msgid "...Time is running out...\n" @@ -29,7 +29,7 @@ msgstr "...Tempo scaduto!\n" msgid "erroneous conversation (%d)\n" msgstr "conversazione errata (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -97,8 +97,7 @@ msgstr "Account utente scaduto" #: libpam/pam_strerror.c:70 msgid "Cannot make/remove an entry for the specified session" -msgstr "" -"Impossibile creare/rimuovere una voce per la sessione specificata" +msgstr "Impossibile creare/rimuovere una voce per la sessione specificata" #: libpam/pam_strerror.c:72 msgid "Authentication service cannot retrieve user credentials" @@ -217,12 +216,12 @@ msgid "has been already used" msgstr "è già stata utilizzata" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Nessuna password fornita" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Password non modificata" 
@@ -235,17 +234,17 @@ msgstr "PASSWORD ERRATA: %s" #: modules/pam_exec/pam_exec.c:118 #, c-format msgid "%s failed: exit code %d" -msgstr "% fallita: codice d'uscita %d" +msgstr "%s fallita: codice d'uscita %d" #: modules/pam_exec/pam_exec.c:126 #, c-format msgid "%s failed: caught signal %d%s" -msgstr "% fallita: intercettato il segnale %d" +msgstr "%s fallita: intercettato il segnale %d%s" #: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: unknown status 0x%x" -msgstr "% fallita: stato sconosciuto 0x%x" +msgstr "%s fallita: stato sconosciuto 0x%x" #. TRANSLATORS: "strftime options for date of last login" #: modules/pam_lastlog/pam_lastlog.c:190 @@ -274,7 +273,7 @@ msgstr "Ultimo accesso:%s%s%s" msgid "Welcome to your new account!" msgstr "Benvenuti nel nuovo account!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Ci sono troppi accessi per \"%s\"." 
@@ -426,67 +425,69 @@ msgstr "Reimmettere la nuova password STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "Errore di digitazione per verifica; password non cambiata" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Errore di autenticazione" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Errore del servizio" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Utente sconosciuto" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Errore sconosciuto" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Numero errato fornito a --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Opzione non riconosciuta %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -msgstr "" -"%s: [--file NOMEFILE] [--user NOMEUTENTE] [--reset[=N]] [--quiet]\n" +msgstr "%s: [--file NOMEFILE] [--user NOMEUTENTE] [--reset[=N]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: Impossibile ripristinare tutti gli utenti a valori diversi da zero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Account scaduto; contattare l'amministratore di sistema" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are 
required to change your password immediately (root enforced)" msgstr "" -"È richiesta la modifica immediata della password (imposto dall'amministratore)" +"È richiesta la modifica immediata della password (imposto " +"dall'amministratore)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" "È richiesta la modifica immediata della password (password troppo vecchia)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 -#, c-format +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#, fuzzy, c-format msgid "Warning: your password will expire in %d day" -msgstr "Avviso: la password scadrà tra %d giorno" +msgid_plural "Warning: your password will expire in %d days" +msgstr[0] "Avviso: la password scadrà tra %d giorno" +msgstr[1] "Avviso: la password scadrà tra %d giorno" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Avviso: la password scadrà tra %d giorni" 
@@ -495,36 +496,35 @@ msgstr "Avviso: la password scadrà tra %d giorni" msgid "Password: " msgstr "Password: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Impossibile modificare la password NIS." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Scegliere una password più lunga" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Password già utilizzata. Sceglierne un'altra." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, c-format msgid "Changing password for %s." msgstr "Cambio password per %s." -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "Password UNIX (corrente): " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Attendere ancora per cambiare la password" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Immettere nuova password UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Reimmettere la nuova password UNIX: " - diff --git a/po/ja.po b/po/ja.po index 04abc750..18675f72 100644 --- a/po/ja.po +++ b/po/ja.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 22:00+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -28,7 +28,7 @@ msgstr "...時間切れです。\n" msgid "erroneous conversation (%d)\n" msgstr "誤った会話(%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "ログイン::" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "パスワードはすでに使用されています。" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "パスワードが与えられていません" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "パスワードが変更されていません" @@ -268,7 +268,7 @@ msgstr "最終ログイン:%s%s%s" msgid "Welcome to your new account!" msgstr "新しいアカウントへようこそ。" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "'%s'のログイン数が多すぎます。" 
@@ -425,58 +425,58 @@ msgstr "新しいSTRESSパスワードを再入力してください:" msgid "Verification mis-typed; password unchanged" msgstr "ミスタイプの確認、パスワードが変更されていません" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "認証エラー" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "サービスエラー" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "不明なユーザ" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "不明なエラー" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: 不正番号が--reset=に与えられました\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: 未認識オプション%s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: すべてのユーザを非ゼロにリセットできません\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" "アカウントの有効期限が切れました。システム管理者にお問い合わせください。" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "パスワードを直ちに変更する必要があります(強制されたルート)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr 
"パスワードを直ちに変更する必要があります(古いパスワード)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -485,7 +485,7 @@ msgstr[1] "警告: パスワードは%d日で有効期限が切れます。%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "警告: パスワードは%d日で有効期限が切れます。%.2s" 
@@ -494,37 +494,37 @@ msgstr "警告: パスワードは%d日で有効期限が切れます。%.2s" msgid "Password: " msgstr "パスワード:" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NISパスワードを変更できませんでした。" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "長いパスワードを選択する必要があります" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "" "パスワードはすでに使用されています。 別のパスワードを選択してください。" -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESSパスワードの変更元" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "現在のUNIXパスワード:" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "パスワードを変更するには長く待つ必要があります" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "新しいUNIXパスワードを入力してください:" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "新しいUNIX パスワードを再入力してください:" diff --git a/po/km.po b/po/km.po index 54f3ffb9..6062fef6 100644 --- a/po/km.po +++ b/po/km.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-03-17 10:32+0700\n" "Last-Translator: Khoem Sokhem \n" "Language-Team: Khmer \n" 
@@ -30,7 +30,7 @@ msgstr "...សូម​ទោស អ្នក​អស់​ពេល​ហើ msgid "erroneous conversation (%d)\n" msgstr "សន្ទនាច្រឡំ (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "ចូល ៖" @@ -216,12 +216,12 @@ msgid "has been already used" msgstr "បាន​ប្រើ​រួច​ហើយ" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "មិន​បាន​ផ្ដល់​ពាក្យសម្ងាត់" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "ពាក្យសម្ងាត់​មិន​បាន​ផ្លាស់ប្ដូរ​ឡើយ" @@ -273,7 +273,7 @@ msgstr "ចូល​ចុងក្រោយ ៖%s%s%s" msgid "Welcome to your new account!" msgstr "សូម​ស្វាគមន៍​មក​កាន់​គណនី​ថ្មី​របស់​អ្នក !" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "មាន​ការ​ចូល​ច្រើន​ពេក​សម្រាប់ '%s' ។" 
@@ -430,57 +430,57 @@ msgstr "វាយ​ពាក្យ​សម្ងាត់ STRESS ថ្មី msgid "Verification mis-typed; password unchanged" msgstr "ផ្ទៀងផ្ទាត់​អក្ខរាវិរុទ្ធ​ដែល​បាន​វាយខុស ពាក្យ​សម្ងាត់​មិន​បានផ្លាស់ប្ដូរ​" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "កំហុស​ក្នុង​ការ​ផ្ទៀងផ្ទាត់​ភាព​ត្រឹមត្រូវ" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "កំហុស​សេវា" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "មិន​ស្គាល់​អ្នក​ប្រើ" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "មិន​ស្គាល់​កំហុស" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s ៖ លេខ​មិន​ល្អ​បាន​ផ្ដល់​ទៅ --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s ៖ ជម្រើស​ដែល​មិន​ស្គាល់ %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s ៖ [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s ៖ មិន​អាច​កំណត់​អ្នក​ប្រើ​ទាំងអស់​ទៅ​មិនមែន​សូន្យ​ឡើងវិញ​បានទេ\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "គណនី​របស់​អ្នក​បាន​ផុតកំណត់​ហើយ សូម​ទាក់ទង​អ្នក​គ្រប់គ្រង​ប្រព័ន្ធ​របស់​អ្នក" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately 
(root enforced)" msgstr "អ្នក​ត្រូវ​តែ​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់​របស់​អ្នក​ឥឡូវ​នេះ (root បាន​ចេញ​បញ្ជា)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "អ្នក​ត្រូវ​តែ​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់​របស់​អ្នក​ឥឡូវ​នេះ (ពាក្យសម្ងាត់​ចាស់​ហើយ)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -489,7 +489,7 @@ msgstr[1] "ការ​ព្រមាន ៖ ពាក្យសម្ងាត #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "ការ​ព្រមាន ៖ ពាក្យសម្ងាត់​របស់​អ្នក​នឹង​ផុតកំណត់​ក្នុង​រយៈពេល %d ថ្ងៃ %.2s ។" 
@@ -498,36 +498,36 @@ msgstr "ការ​ព្រមាន ៖ ពាក្យសម្ងាត់ msgid "Password: " msgstr "ពាក្យសម្ងាត់ ៖ " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "មិន​អាច​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់ NIS បាន​ឡើយ ។" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "អ្នក​ត្រូវ​តែ​ជ្រើស​ពាក្យសម្ងាត់​វែង​ជាង​នេះ" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "ពាក្យសម្ងាត់​ត្រូវ​បាន​ប្រើ​រួច​ហើយ ។ សូម​ជ្រើស​មួយ​ទៀត ។" -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "ការ​ផ្លាស់ប្ដូរ​ពាក្យ​សម្ងាត់ STRESS សម្រាប់ " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(បច្ចុប្បន្ន) ពាក្យ​សម្ងាត់ UNIX ៖" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "អ្នក​ត្រូវ​តែ​រង់ចាំ​បន្តិច ដើម្បី​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់​របស់​អ្នក" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "បញ្ចូល​ពាក្យ​សម្ងាត់ UNIX ថ្មី ៖ " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "វាយ​ពាក្យ​សម្ងាត់ UNIX ថ្មី​ម្ដង​ទៀត ៖ " diff --git a/po/nb.po b/po/nb.po index cdf9e728..075cc292 100644 --- a/po/nb.po +++ b/po/nb.po 
@@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 22:04+0200\n" "Last-Translator: Olav Pettershagen \n" "Language-Team: \n" @@ -28,7 +28,7 @@ msgstr "...Beklager, tiden er utløpt!\n" msgid "erroneous conversation (%d)\n" msgstr "mislykket dialog (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "logg inn:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "er allerede benyttet" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Passord ikke angitt" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Passord uendret" @@ -268,7 +268,7 @@ msgstr "Siste innlogging:%s%s%s" msgid "Welcome to your new account!" msgstr "Velkommen til din nye konto!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "For mange innlogginger for '%s'." 
@@ -425,57 +425,57 @@ msgstr "Bekreft nytt STRESS-passord: " msgid "Verification mis-typed; password unchanged" msgstr "Bekreftelse feil skrevet; passord uendret" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Autentiseringsfeil" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Tjenestefeil" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Ukjent bruker" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Ukjent feil" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Ugyldig tall angitt for --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Ukjent valg %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filnavn] [--user brukernavn] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Kan ikke tilbakestille alle brukere til non-zero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Din konto er utløpt; kontakt systemadministratoren" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Du må straks endre passordet ditt (ordre fra rot)" -#: modules/pam_unix/pam_unix_acct.c:310 
+#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Du må straks endre passordet ditt (passord for gammelt)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -484,7 +484,7 @@ msgstr[1] "Advarsel: passordet ditt vil utløpe om %d dager%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Advarsel: passordet ditt vil utløpe om %d dager%.2s" 
@@ -493,36 +493,36 @@ msgstr "Advarsel: passordet ditt vil utløpe om %d dager%.2s" msgid "Password: " msgstr "Passord: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS-passord kunne ikke endres." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Du må velge et lengre passord" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Passordet er allerede benyttet. Velg et annet." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Endrer STRESS-passord for " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(gjeldende) UNIX-passord: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Du må vente lenger før du kan endre passordet" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Angi nytt UNIX-passord: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Bekreft nytt UNIX-passord: " diff --git a/po/nl.po b/po/nl.po index 61c325b9..3ce5313f 100644 --- a/po/nl.po +++ b/po/nl.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.nl\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 22:02+0200\n" "Last-Translator: Rinse de Vries \n" "Language-Team: Dutch \n" 
@@ -31,7 +31,7 @@ msgstr "...Helaas, uw tijd is verlopen!\n" msgid "erroneous conversation (%d)\n" msgstr "foute conversatie (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "gebruikersnaam:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "is al gebruikt" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Geen wachtwoord opgegeven" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Wachtwoord is niet gewijzigd" @@ -271,7 +271,7 @@ msgstr "Laatste keer aangemeld: %s%s%s" msgid "Welcome to your new account!" msgstr "Welkom bij uw nieuwe account!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Te vaak aangemeld met '%s'." 
@@ -428,33 +428,33 @@ msgstr "Nieuw STRESS-wachtwoord herhalen: " msgid "Verification mis-typed; password unchanged" msgstr "Verificatie onjuist getypt. Wachtwoord blijft ongewijzigd." -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Verificatiefout" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Servicefout" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Onbekende gebruiker" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Onbekende fout" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: onjuist getal gegeven aan --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: niet-herkende optie %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" 
@@ -462,26 +462,26 @@ msgstr "" "%s [--file rooted-bestandsnaam] [ --user gebruikersnaam] [--reset[=n]] [--" "quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: kan niet alle gebruikers terugzetten naar non-zero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Uw account is verlopen. Een contact op met uw systeembeheerder" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "" "U dient onmiddellijk uw wachtwoord te wijzigen (op last van systeembeheerder)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" "U dient onmiddellijk uw wachtwoord te wijzigen (wachtwoord is verouderd)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -490,7 +490,7 @@ msgstr[1] "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" 
@@ -499,36 +499,36 @@ msgstr "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" msgid "Password: " msgstr "Wachtwoord: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS-wachtwoord kon niet worden gewijzigd." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Kies een langer wachtwoord" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Dit wachtwoord is al gebruikt. Kies een ander wachtwoord." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS-wachtwoord wijzigen voor " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(huidig) UNIX-wachtwoord: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "U moet langer wachten om uw wachtwoord te wijzigen" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Nieuw UNIX-wachtwoord invoeren: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Nieuw UNIX-wachtwoord herhalen: " diff --git a/po/pa.po b/po/pa.po index 28bf5408..d12add57 100644 --- a/po/pa.po +++ b/po/pa.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.pa\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2005-08-06 08:34+0530\n" "Last-Translator: Amanpreet Singh Alam[ਆਲਮ] \n" "Language-Team: Panjabi \n" 
@@ -31,7 +31,7 @@ msgstr "...ਅਫ਼ਸੋਸ, ਤੁਹਾਡਾ ਸਮਾਂ ਸਮਾਪਤ msgid "erroneous conversation (%d)\n" msgstr "" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "" @@ -217,12 +217,12 @@ msgid "has been already used" msgstr "ਗੁਪਤ-ਕੋਡ ਪਹਿਲਾਂ ਵੀ ਵਰਤਿਆ ਗਿਆ ਹੈ। ਵੱਖਰਾ ਚੁਣੋ।" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "ਕੋਈ ਗੁਪਤ-ਕੋਡ ਨਹੀਂ ਦਿੱਤਾ ਗਿਆ" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "ਗੁਪਤ-ਕੋਡ ਨਾ-ਤਬਦੀਲ ਹੈ" @@ -274,7 +274,7 @@ msgstr "" msgid "Welcome to your new account!" msgstr "" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "" 
@@ -431,57 +431,57 @@ msgstr "ਨਵਾਂ STRESS ਗੁਪਤ-ਕੋਡ ਮੁੜ-ਲਿਖੋ: " msgid "Verification mis-typed; password unchanged" msgstr "" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "ਪਰਮਾਣਕਿਤਾ ਗਲਤੀ" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "ਸੇਵਾ ਗਲਤੀ" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "ਅਣਜਾਣ ਉਪਭੋਗੀ" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "ਅਣਜਾਣੀ ਗਲਤੀ" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: --reset= ਲਈ ਗਲਤ ਨੰਬਰ ਦਿੱਤਾ ਗਿਆ\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: ਬੇਪਛਾਣ ਚੋਣ %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 
+#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -490,7 +490,7 @@ msgstr[1] "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ ਮਿਆਦ %d ਦਿਨ%.2s 'ਚ ਪੁੱਗ ਜਾਵੇਗੀ।" @@ -500,37 +500,37 @@ msgstr "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ ਮ msgid "Password: " msgstr "ਗੁਪਤ-ਕੋਡ ਨਾ-ਤਬਦੀਲ ਹੈ" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS ਗੁਪਤ-ਕੋਡ ਤਬਦੀਲ ਨਹੀਂ ਕੀਤਾ ਜਾ ਸਕਿਆ ਹੈ।" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "ਤੁਹਾਨੂੰ ਲੰਮੇ ਗੁਪਤ-ਕੋਡ ਦੀ ਚੋਣ ਕਰਨੀ ਚਾਹੀਦੀ ਹੈ" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "ਗੁਪਤ-ਕੋਡ ਪਹਿਲਾਂ ਵੀ ਵਰਤਿਆ ਗਿਆ ਹੈ। ਵੱਖਰਾ ਚੁਣੋ।" -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, c-format msgid "Changing password for %s." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 #, fuzzy msgid "Enter new UNIX password: " msgstr "ਨਵਾਂ STRESS ਗੁਪਤ-ਕੋਡ ਦਿਓ: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 #, fuzzy msgid "Retype new UNIX password: " msgstr "ਨਵਾਂ STRESS ਗੁਪਤ-ਕੋਡ ਮੁੜ-ਲਿਖੋ: " 
diff --git a/po/pl.po b/po/pl.po index 6b8a8f01..0e3c4f5b 100644 --- a/po/pl.po +++ b/po/pl.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 21:58+0200\n" "Last-Translator: Wojciech Kapusta \n" "Language-Team: \n" @@ -33,7 +33,7 @@ msgstr "... czas minął.\n" msgid "erroneous conversation (%d)\n" msgstr "błędna konwersacja (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -216,12 +216,12 @@ msgid "has been already used" msgstr "było już używane" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Nie podano hasła" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Hasło nie zmienione" @@ -273,7 +273,7 @@ msgstr "Ostatnie logowanie:%s%s%s" msgid "Welcome to your new account!" msgstr "Witaj na swoim nowym koncie!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Zbyt wiele prób zalogowania na '%s'." 
@@ -430,57 +430,57 @@ msgstr "Powtórzenie hasła STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "Błędna weryfikacja; hasło niezmienione" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Błąd uwierzytelniania" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Błąd usługi" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Nieznany użytkownik" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Nieznany błąd" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Błędny numer podany w opcji --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Nierozpoznana opcja %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Nie można przywrócić wszystkich użytkowników\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Konto użytkownika wygasło ; proszę skontaktować się z administratorem" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Należy natychmiast zmienić hasło (wymuszone przez 
administratora)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Należy natychmiast zmienić hasło (hasło wygasło)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -490,7 +490,7 @@ msgstr[2] "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" 
@@ -499,36 +499,36 @@ msgstr "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" msgid "Password: " msgstr "Hasło: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Nie można zmienić hasła NIS." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Proszę podać dłuższe hasło" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Hasło było już używane. Proszę wybrać inne." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Zmiana hasła STRESS dla " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "Bieżące hasło UNIX:" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Proszę poczekać dłużej aby zmienić hasło" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Nowe hasło UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Powtórzenie hasła UNIX: " diff --git a/po/pt.po b/po/pt.po index aed050f1..6210f8cd 100644 --- a/po/pt.po +++ b/po/pt.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.pt\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 21:54+0200\n" "Last-Translator: Antonio Cardoso Martins \n" "Language-Team: portuguese\n" 
@@ -29,7 +29,7 @@ msgstr "...Lamento, o seu tempo esgotou-se!\n" msgid "erroneous conversation (%d)\n" msgstr "conversação errónea (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "já foi utilizada" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Não foi fornecida uma palavra passe" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Palavra passe inalterada" @@ -270,7 +270,7 @@ msgstr "Último início de sessão: %s%s%s" msgid "Welcome to your new account!" msgstr "Bemvindo à sua nova conta!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Demasiados inícios de sessão para '%s'." 
@@ -427,61 +427,61 @@ msgstr "Digite novamente a nova palavra passe de STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "A verificação não coincide; palavra passe inalterada" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Erro de autenticação" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Erro de serviço" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Utilizador desconhecido" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Erro desconhecido" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Número errado fornecido a --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Opção não reconhecida %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file ficheiro-raiz] [--user nome-utilizador] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Não foi possível reiniciar todos os utilizadores para não zero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" "A sua conta de utilizador expirou; por favor contacte o seu administrador de " "sistema" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password 
immediately (root enforced)" msgstr "" "É obrigatório que altere de imediato a sua palavra passe (forçado pelo root)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" "É obrigatório que altere de imediato a sua palavra passe (forçado pela idade)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -490,7 +490,7 @@ msgstr[1] "Aviso: a sua palavra passe expira em %d dia%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Aviso: a sua palavra passe expira em %d dia%.2s" 
@@ -499,36 +499,36 @@ msgstr "Aviso: a sua palavra passe expira em %d dia%.2s" msgid "Password: " msgstr "Palavra passe: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "A palavra passe de NIS não pode ser alterada." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Deve escolher uma palavra passe mais longa" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "A palavra passe já foi anteriormente utilizada. Escolha outra." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "A alterar a palavra passe de STRESS para " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "palavra passe UNIX (actual): " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Tem de esperar mais antes de poder alterar a sua palavra passe" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Digite a nova palavra passe UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Digite novamente a nova palavra passe UNIX: " diff --git a/po/pt_BR.po b/po/pt_BR.po index 8fff4eef..fcde82aa 100644 --- a/po/pt_BR.po +++ b/po/pt_BR.po 
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 21:55+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -28,7 +28,7 @@ msgstr "...Tempo contando.\n" msgid "erroneous conversation (%d)\n" msgstr "conversação errônea (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "login:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "já foi usada" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Nenhuma senha informada" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Senha inalterada" @@ -268,7 +268,7 @@ msgstr "Último login:%s%s%s" msgid "Welcome to your new account!" msgstr "Bem-vindo à sua nova conta!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Há logins demais para '%s'." 
@@ -425,57 +425,57 @@ msgstr "Digite novamente a nova senha STRESS:" msgid "Verification mis-typed; password unchanged" msgstr "Verificação digitada incorretamente; senha inalterada" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Erro de autenticação" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Erro de serviço" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Usuário desconhecido" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Erro desconhecido" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Número insuficiente fornecido a --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Opção não reconhecida %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Impossível redefinir todos os usuários para não-zero\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Sua conta expirou; entre em contato com o administrador do sistema" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Mude sua senha 
imediatamente (aplicado pela raiz)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Mude sua senha imediatamente (senha expirada)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -484,7 +484,7 @@ msgstr[1] "Aviso: sua senha expirará em %d dia%.2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Aviso: sua senha expirará em %d dia%.2s" 
@@ -493,36 +493,36 @@ msgstr "Aviso: sua senha expirará em %d dia%.2s" msgid "Password: " msgstr "Senha:" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "A senha NIS não pôde ser mudada." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Escolha uma senha mais longa" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "A senha já foi usada. Escolha outra." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Mudando senha STRESS para" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "Senha UNIX (atual):" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Aguarde mais tempo para mudar a senha" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Digite a nova senha UNIX:" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Redigite a nova senha UNIX:" diff --git a/po/ru.po b/po/ru.po index fc3a1b7d..a67f9047 100644 --- a/po/ru.po +++ b/po/ru.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-01-04 08:58+0100\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -31,7 +31,7 @@ msgstr "...Извините, ваше время истекло!\n" msgid "erroneous conversation (%d)\n" msgstr "ошибочный диалог (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "регистрация:" @@ -220,13 +220,13 @@ msgid "has been already used" msgstr "уже был использован" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Пароль не указан" # password dialog title #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Пароль не изменен" @@ -278,7 +278,7 @@ msgstr "Последний вход в систему:%s%s%s" msgid "Welcome to your new account!" msgstr "Добро пожаловать в новую учетную запись!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Слишком много регистраций в системе для '%s'." 
@@ -438,33 +438,33 @@ msgstr "Повторите ввод нового пароля STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "Подтверждение введено неправильно; пароль не изменен" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Ошибка при проверке подлинности" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Ошибка службы" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Неизвестный пользователь" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Неизвестная ошибка" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: указано неверное число для --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: неопознанный параметр %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" 
@@ -472,27 +472,27 @@ msgstr "" "%s: [--file имя_корневого_файла] [--user имя_пользователя] [--reset[=n]] [--" "quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: не удается выполнить сброс всех пользователей в ненулевое значение\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" "Срок действия учетной записи истек; обратитесь к системному администратору" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "" "Вам необходимо немедленно сменить пароль (по требованию пользователя root)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Вам необходимо немедленно сменить пароль (пароль устарел)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -502,7 +502,7 @@ msgstr[2] "Предупреждение: срок действия пароля #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Предупреждение: срок действия пароля истекает через %d дней" 
@@ -512,38 +512,38 @@ msgid "Password: " msgstr "Пароль: " # password dialog title -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Пароль NIS изменить нельзя." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Выберите пароль большей длины" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Этот пароль уже был использован. Выберите другой." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Смена пароля STRESS для" # Keep the newlines and spaces after ':'! -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(текущий) пароль UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "До смены пароля должно пройти больше времени" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Введите новый пароль UNIX: " # Keep the newlines and spaces after ':'! -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Повторите ввод нового пароля UNIX: " diff --git a/po/sv.po b/po/sv.po index 44223348..274a9bc1 100644 --- a/po/sv.po +++ b/po/sv.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2005-09-18 19:09+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -31,7 +31,7 @@ msgstr "...Tiden är ute!\n" msgid "erroneous conversation (%d)\n" msgstr "felaktigt samtal (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "inloggning:" @@ -216,13 +216,13 @@ msgid "has been already used" msgstr "har redan använts" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Inget lösenord har angetts" # password dialog title #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Lösenordet har inte ändrats" @@ -274,7 +274,7 @@ msgstr "Senaste inloggningen:%s%s%s" msgid "Welcome to your new account!" msgstr "Välkommen till ditt nya konto!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "För många inloggningar för %s." 
@@ -431,58 +431,58 @@ msgstr "Ange det nya STRESS-lösenordet igen: " msgid "Verification mis-typed; password unchanged" msgstr "Verifieringen misslyckades. Lösenordet har inte ändrats" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Autentiseringsfel" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Fel på tjänst" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Okänd användare" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Okänt fel" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Ett ogiltigt nummer skickades till --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Alternativet %s är okänt\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file filnamn-med-rot] [--user användarnamn] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: Det går inte att återställa alla användare till något annat än noll\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Ditt konto har upphört att gälla. Kontakta systemadministratören." 
-#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Du måste ändra lösenord omedelbart (tvingad av root)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Du måste ändra lösenord omedelbart (lösenordet är för gammalt)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -491,7 +491,7 @@ msgstr[1] "Varning: lösenordet upphör att gälla om %d dag%.2ar" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Varning: lösenordet upphör att gälla om %d dag%.2ar" 
@@ -501,36 +501,36 @@ msgid "Password: " msgstr "Lösenord: " # password dialog title -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Det gick inte att ändra NIS-lösenordet" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Du måste välja ett längre lösenord" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Lösenordet har redan använts. Välj ett annat." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS-lösenordet ändras för" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(aktuellt) UNIX-lösenord: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Du måste vänta längre innan du ändrar ditt lösenord" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Ange ett nytt UNIX-lösenord: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Ange det nya UNIX-lösenordet igen: " diff --git a/po/tr.po b/po/tr.po index 3c8c77ed..340e3851 100644 --- a/po/tr.po +++ b/po/tr.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 19:00+0200\n" "Last-Translator: Koray Löker \n" "Language-Team: Türkçe \n" 
@@ -30,7 +30,7 @@ msgstr "...Üzgünüm, süreniz doldu!\n" msgid "erroneous conversation (%d)\n" msgstr "hatalı etkileşim (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "giriş:" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "daha önce kullanıldı" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Parola girilmedi" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Parola değiştirilmedi" @@ -270,7 +270,7 @@ msgstr "Son giriş: %s%s%s" msgid "Welcome to your new account!" msgstr "Yeni hesabınıza hoşgeldiniz" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "%s için fazla giriş " 
@@ -427,57 +427,57 @@ msgstr "Yeni STRESS parolasını tekrar girin: " msgid "Verification mis-typed; password unchanged" msgstr "Doğrulama hatalı: parola değiştirilmedi" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Yetkilendirme hatası" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Servis hatası" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Bilinmeyen kullanıcı" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Bilinmeyen hata" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Sıfırlamak için geçersiz sayı=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Tanımlanamayan seçenek %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file DosyanınTamYolu] [--user KullanıcıAdı] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "Hesabınızın süresi doldu; lütfen sistem yöneticinizle bağlantıya geçin" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Parolanızı en kısa sürede değiştirmeniz gerekiyor (yönetici bildirimi)" -#: 
modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Parolanızı en kısa sürede değiştirmeniz gerekiyor (parola eski)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -485,7 +485,7 @@ msgstr[0] "Dikkat: Parolanızın geçerlilik süresi %d gün%.2s sonra doluyor" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Dikkat: Parolanızın geçerlilik süresi %d gün%.2s sonra doluyor" 
@@ -494,36 +494,36 @@ msgstr "Dikkat: Parolanızın geçerlilik süresi %d gün%.2s sonra doluyor" msgid "Password: " msgstr "Parola: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "NIS parolası değiştirilemiyor" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Daha uzun bir parola girmelisiniz" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Parola kullanımda. Lütfen başka bir parola seçin." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS parolası değiştiriliyor " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(geçerli) parola: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Parolanızı değiştirmek için daha sonra denemelisiniz" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Yeni parolayı girin: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Yeni parolayı tekrar girin: " diff --git a/po/uk.po b/po/uk.po index d10ef61d..5625804d 100644 --- a/po/uk.po +++ b/po/uk.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.uk\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 18:59+0200\n" "Last-Translator: Ivan Petrouchtchak \n" "Language-Team: Ukrainian \n" 
@@ -31,7 +31,7 @@ msgstr "...Вибачте, ваш час закінчився!\n" msgid "erroneous conversation (%d)\n" msgstr "помилкова розмова (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "користувач:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "вже вживався" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Не встановлений пароль" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Пароль не змінено" @@ -271,7 +271,7 @@ msgstr "Останній вхід: %s%s%s" msgid "Welcome to your new account!" msgstr "Ласкаво просимо до вашого нового рахунку!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Забагато входів в для \"%s\"." 
@@ -428,33 +428,33 @@ msgstr "Повторіть новий пароль STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "Перевірку не пройдено; пароль не змінено" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Помилка автентифікації" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Помилка служби" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Невідомий користувач" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Невідома помилка" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Погане число дано для --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Нерозпізнано параметр %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" 
@@ -462,26 +462,26 @@ msgstr "" "%s: [--file rooted-filename] [--user ім'я користувача] [--reset[=n]] [--" "quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Не вдається скинути всіх користувачів до не-нуль\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" "Ваш рахунок застарів, будь ласка, зверніться до вашого системного " "адміністратора" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "Вам необхідно негайно змінити пароль (вимога адміністратора)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "Вам необхідно негайно змінити пароль (поточний пароль застарів)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -491,7 +491,7 @@ msgstr[2] "Попередження: ваш пароль застаріє чер #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Попередження: ваш пароль застаріє через %d дні(в) %.2s" 
@@ -500,36 +500,36 @@ msgstr "Попередження: ваш пароль застаріє чере msgid "Password: " msgstr "Пароль: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Не вдалося змінити пароль NIS." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Необхідно вибрати довший пароль" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Пароль вже вживається. Виберіть інший." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Зміна пароля STRESS для " -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(поточний) пароль UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Ви повинні зачекати довше, щоб змінити ваш пароль" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Введіть новий пароль UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Повторіть новий пароль UNIX: " diff --git a/po/zh_CN.po b/po/zh_CN.po index b3c9af8b..afdf54f9 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux_PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 18:59+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -28,7 +28,7 @@ msgstr "...对不起,您的时间已经耗尽!\n" msgid "erroneous conversation (%d)\n" msgstr "有错误的转换 (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "登录:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "已使用" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "口令未提供" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "口令未更改" @@ -268,7 +268,7 @@ msgstr "上一次登录:%s%s%s" msgid "Welcome to your new account!" msgstr "欢迎使用新帐户!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "'%s'登录过多。" 
@@ -425,56 +425,56 @@ msgstr "重新输入新的 STRESS 口令:" msgid "Verification mis-typed; password unchanged" msgstr "校验类型错误;口令未更改" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "鉴定错误" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "服务错误" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "未知的用户" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "未知的错误" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: 给定的数字无效 --重设置=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: 未识别的选项 %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "%s: [--文件 根文件名] [--用户 用户名] [--重设置[=n]] [--安静]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: 无法将所有用户重设置为非零\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "您的帐户已失效;请与系统管理员取得联系" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "您需要立即更改口令(root 强制)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "您需要立即更改口令(口令过期)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: 
modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -483,7 +483,7 @@ msgstr[1] "" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, c-format msgid "Warning: your password will expire in %d days" msgstr "" @@ -492,36 +492,36 @@ msgstr "" msgid "Password: " msgstr "口令:" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "无法更改 NIS 口令。" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "必须选择更长的口令" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "口令已使用。请选择其他口令。" -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "更改 STRESS 口令以" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(当前)UNIX 口令:" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "您必须等待更长时间以更改口令" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "输入新的 UNIX 口令:" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "重新输入新的 UNIX 口令:" diff --git a/po/zh_TW.po b/po/zh_TW.po index f42f8669..b287c5bd 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po 
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux_PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-05-03 18:55+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -28,7 +28,7 @@ msgstr "...抱歉,您的時間已到!\n" msgid "erroneous conversation (%d)\n" msgstr "錯誤的交談 (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "登入:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "已經由其他使用者使用" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "未提供密碼" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "密碼未變更" @@ -268,7 +268,7 @@ msgstr "上一次登入:%s%s%s" msgid "Welcome to your new account!" msgstr "歡迎使用您的新帳號!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "對 '%s' 進行太多次登入。" 
@@ -425,57 +425,57 @@ msgstr "再次輸入新的 STRESS 密碼:" msgid "Verification mis-typed; password unchanged" msgstr "確認錯誤輸入;密碼未變更" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "驗證錯誤" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "服務錯誤" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "未知的使用者" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "未知的錯誤" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: 不良的號碼提供至 --reset=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: 未識別的選項 %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: 無法將所有使用者重新設定為非零\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "您的帳戶已經逾期,請洽詢您的系統管理員" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" msgstr "您必須立刻變更您的密碼 (root 強制執行)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "您必須立刻變更您的密碼 (密碼使用過久)" -#: modules/pam_unix/pam_unix_acct.c:323 
modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -484,7 +484,7 @@ msgstr[1] "警告:您的密碼將在 %d 天之後逾期。%2s" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "警告:您的密碼將在 %d 天之後逾期。%2s" @@ -493,36 +493,36 @@ msgstr "警告:您的密碼將在 %d 天之後逾期。%2s" msgid "Password: " msgstr "密碼:" -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "無法變更 NIS 密碼。" -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "您必須選擇更長的密碼" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "密碼已經由其他使用者使用。請選擇其他密碼。" -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "正在變更 STRESS 密碼" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "(目前) UNIX 密碼:" -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "您必須久候,以變更您的密碼。" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "輸入新的 UNIX 密碼:" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "再次輸入新的 UNIX 密碼:" diff --git a/po/zu.po b/po/zu.po index 19ebf440..1ba240f5 100644 --- a/po/zu.po +++ b/po/zu.po 
@@ -5,7 +5,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2007-10-01 12:19+0200\n" +"POT-Creation-Date: 2008-01-07 15:09+0100\n" "PO-Revision-Date: 2006-11-03 12:03\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -26,7 +26,7 @@ msgstr "...Uxolo, isikhathi sakho sesiphelile!\n" msgid "erroneous conversation (%d)\n" msgstr "ingxoxo enephutha (%d)\n" -#: libpam/pam_item.c:271 +#: libpam/pam_item.c:297 msgid "login:" msgstr "ngena:" @@ -209,12 +209,12 @@ msgid "has been already used" msgstr "isisetshenziswe ngothile." #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" msgstr "Ayikho iphasiwedi enikeziwe" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:977 +#: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" msgstr "Iphasiwedi ayishintshwanga" @@ -266,7 +266,7 @@ msgstr "Ukungena kokugcina:%s%s%s" msgid "Welcome to your new account!" msgstr "Uyamukelwa kwi-akhawunti yakho entsha!" -#: modules/pam_limits/pam_limits.c:698 +#: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." msgstr "Kuningi kakhulu ukungena kwi- '%s' osekwenziwe." 
@@ -423,64 +423,64 @@ msgstr "Thayipha iphasiwedi entsha ye-STRESS: " msgid "Verification mis-typed; password unchanged" msgstr "Ukufakazela akuthayiphiwanga kahle; iphasiwedi ayishintshwanga" -#: modules/pam_tally/pam_tally.c:741 +#: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" msgstr "Iphutha lokugunyaza" -#: modules/pam_tally/pam_tally.c:742 +#: modules/pam_tally/pam_tally.c:747 msgid "Service error" msgstr "Iphutha lesevisi" -#: modules/pam_tally/pam_tally.c:743 +#: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" msgstr "Umsebenzisi ongaziwa" -#: modules/pam_tally/pam_tally.c:744 +#: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" msgstr "Iphutha elingaziwa" -#: modules/pam_tally/pam_tally.c:760 +#: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" msgstr "%s: Inombolo eyiphutha enikeziwe ukuba --uqale kabusha=\n" -#: modules/pam_tally/pam_tally.c:764 +#: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" msgstr "%s: Okukhethile okungaziwa %s\n" -#: modules/pam_tally/pam_tally.c:776 +#: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -#: modules/pam_tally/pam_tally.c:850 +#: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: Ayikwazi ukusetha kabusha bonke abasebenzisi ibase enombolweni ongelona " "iqanda\n" -#: modules/pam_unix/pam_unix_acct.c:274 modules/pam_unix/pam_unix_acct.c:301 +#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" msgstr "" "I-akhawunti yakho isiphelelwe isikhathi, sicela uthintana nomqondisi " "wesistimu yakho" -#: modules/pam_unix/pam_unix_acct.c:283 +#: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required 
to change your password immediately (root enforced)" msgstr "" "Kudingeka ukuba ushintshe iphasiwedi yakho ngokushesha (iphoqelelwa " "ngumqondisi)" -#: modules/pam_unix/pam_unix_acct.c:310 +#: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" msgstr "" "Kudingeka ukuba ushintshe iphasiwedi yakho ngokushesha (iphasiwedi indala)" -#: modules/pam_unix/pam_unix_acct.c:323 modules/pam_unix/pam_unix_acct.c:330 +#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -489,7 +489,7 @@ msgstr[1] "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" #. TRANSLATORS: only used if dngettext is not support #. ed -#: modules/pam_unix/pam_unix_acct.c:336 +#: modules/pam_unix/pam_unix_acct.c:337 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" 
@@ -498,36 +498,36 @@ msgstr "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" msgid "Password: " msgstr "Iphasiwedi: " -#: modules/pam_unix/pam_unix_passwd.c:821 +#: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." msgstr "Iphasiwedi ye-NIS ayivumanga ukushintshwa." -#: modules/pam_unix/pam_unix_passwd.c:998 +#: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" msgstr "Kumelwe ukhethe iphasiwedi ethe ukuba yinjana" -#: modules/pam_unix/pam_unix_passwd.c:1003 +#: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." msgstr "Le phasiwedi isetshenziswa ngothile. Khetha enye." -#: modules/pam_unix/pam_unix_passwd.c:1103 +#: modules/pam_unix/pam_unix_passwd.c:1104 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Ukushintsha iphasiwedi ye-STRESS ye-" -#: modules/pam_unix/pam_unix_passwd.c:1114 +#: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " msgstr "Iphasiwedi ye-UNIX (yamanje): " -#: modules/pam_unix/pam_unix_passwd.c:1149 +#: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" msgstr "Kumelwe ulinde isikhashana ukuze ushintshe iphasiwedi yakho" -#: modules/pam_unix/pam_unix_passwd.c:1209 +#: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " msgstr "Faka iphasiwedi entsha ye-UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " msgstr "Thayipha iphasiwedi entsha ye-UNIX: " -- cgit v1.2.3 From 0517835c148802d52d06fe5e4c3f771ad5b3fe5f Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Mon, 7 Jan 2008 14:48:38 +0000 Subject: Relevant BUGIDs: 1857531 Purpose of commit: cleanup Commit summary: --------------- 2008-01-07 Thorsten Kukuk * po/sv.po: Update swedish translation [#1857531] --- ChangeLog | 1 + po/sv.po | 278 ++++++++++++++++++++++++++++---------------------------------- 2 files changed, 128 insertions(+), 151 deletions(-) diff --git a/ChangeLog b/ChangeLog index f9aa1b06..6c217aa2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ * doc/man/pam_xauth_data.3: Likewise. * modules/pam_tty_audit/README: Likewise. * modules/pam_tty_audit/pam_tty_audit.8: Likewise. + * po/sv.po: Update swedish translation [#1857531] 2007-12-18 Thorsten Kukuk diff --git a/po/sv.po b/po/sv.po index 274a9bc1..9fad3c6d 100644 --- a/po/sv.po +++ b/po/sv.po 
@@ -1,35 +1,33 @@ -# @TITLE@ -# Copyright (C) 2006, SUSE Linux GmbH, Nuremberg -# FIRST AUTHOR , YEAR. -# -# This file is distributed under the same license as @PACKAGE@ package. FIRST +# Swedish translation of Linux-PAM messages. +# Copyright (C) 2007 Linux-PAM Project +# This file is distributed under the same license as the Linux-PAM package. +# Christer Andersson , 2007. # msgid "" msgstr "" -"Project-Id-Version: @PACKAGE@\n" +"Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" "POT-Creation-Date: 2008-01-07 15:09+0100\n" -"PO-Revision-Date: 2005-09-18 19:09+0200\n" -"Last-Translator: Novell Language \n" -"Language-Team: Novell Language \n" +"PO-Revision-Date: 2007-12-24 13:39+0100\n" +"Last-Translator: Christer Andersson \n" +"Language-Team: Swedish \n" "MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" +"Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: KBabel 1.10.1\n" -"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"Plural-Forms: nplurals=2; plural=n==1 ? 0 : 1;\n" #: libpam_misc/misc_conv.c:33 msgid "...Time is running out...\n" -msgstr "...Tiden är nästan slut...\n" +msgstr "...Tiden hller p att ta slut...\n" #: libpam_misc/misc_conv.c:34 msgid "...Sorry, your time is up!\n" -msgstr "...Tiden är ute!\n" +msgstr "...Ledsen, din tid r ute!\n" #: libpam_misc/misc_conv.c:342 #, c-format msgid "erroneous conversation (%d)\n" -msgstr "felaktigt samtal (%d)\n" +msgstr "felaktig konversation (%d)\n" #: libpam/pam_item.c:297 msgid "login:" 
@@ -41,20 +39,19 @@ msgstr "Lyckades" #: libpam/pam_strerror.c:42 msgid "Critical error - immediate abort" -msgstr "Kritiskt fel - omedelbart avbrott" +msgstr "Kritiskt fel - avbryter omedelbart" #: libpam/pam_strerror.c:44 -#, fuzzy msgid "Failed to load module" -msgstr "Misslyckades med att ladda modulen \"%s\"." +msgstr "Misslyckades med att ladda modul" #: libpam/pam_strerror.c:46 msgid "Symbol not found" -msgstr "Det gick inte att hitta symbolen" +msgstr "Symbol hittades inte" #: libpam/pam_strerror.c:48 msgid "Error in service module" -msgstr "Fel i tjänstmodulen" +msgstr "Fel i tjnstmodul" #: libpam/pam_strerror.c:50 msgid "System error" 
@@ -62,347 +59,340 @@ msgstr "Systemfel" #: libpam/pam_strerror.c:52 msgid "Memory buffer error" -msgstr "Minnesbuffertfel." +msgstr "Minnesbuffertfel" #: libpam/pam_strerror.c:54 msgid "Permission denied" -msgstr "Åtkomst nekas" +msgstr "tkomst nekad" #: libpam/pam_strerror.c:56 msgid "Authentication failure" -msgstr "Autentiseringen misslyckades" +msgstr "Misslyckad autentisering" #: libpam/pam_strerror.c:58 msgid "Insufficient credentials to access authentication data" -msgstr "" -"Identifieringsuppgifterna är otillräckliga för åtkomst av autentiseringsdata" +msgstr "Otillrckliga referenser fr tkomst av autentiseringsdata" #: libpam/pam_strerror.c:60 msgid "Authentication service cannot retrieve authentication info" -msgstr "Autentiseringstjänsten kan inte hämta autentiseringsinformation" +msgstr "Autentiseringstjnst kan inte hmta autentiseringsinformation" #: libpam/pam_strerror.c:62 msgid "User not known to the underlying authentication module" -msgstr "Den underliggande autentiseringsmodulen känner inte till användaren" +msgstr "Anvndaren oknd fr underliggande autentiseringsmodul" #: libpam/pam_strerror.c:64 msgid "Have exhausted maximum number of retries for service" -msgstr "Det maximala antalet nya försök för tjänsten har uppnåtts" +msgstr "Maximalt antal frsk har gjorts fr denna tjnst" #: libpam/pam_strerror.c:66 msgid "Authentication token is no longer valid; new one required" -msgstr "Autentiseringstoken är inte längre tillräcklig. En ny token krävs" +msgstr "Autentiseringselement r inte lngre giltigt. 
Ett nytt behvs" #: libpam/pam_strerror.c:68 msgid "User account has expired" -msgstr "Användarkontot har upphört att gälla" +msgstr "Anvndarkonto har gtt ut" #: libpam/pam_strerror.c:70 msgid "Cannot make/remove an entry for the specified session" -msgstr "Det går inte att skapa/ta bort en post för den angivna sessionen" +msgstr "Kan inte skapa/ta bort en post fr angiven session" #: libpam/pam_strerror.c:72 msgid "Authentication service cannot retrieve user credentials" -msgstr "Autentiseringstjänsten kan inte hämta användaruppgifter" +msgstr "Autentiseringstjnst kan inte hmta anvndarreferenser" #: libpam/pam_strerror.c:74 msgid "User credentials expired" -msgstr "Användaruppgifterna har upphört att gälla" +msgstr "Anvndarreferenser har gtt ut" #: libpam/pam_strerror.c:76 msgid "Failure setting user credentials" -msgstr "Det gick inte att ange användaruppgifter" +msgstr "Misslyckades med att ange anvndarreferenser" #: libpam/pam_strerror.c:78 msgid "No module specific data is present" -msgstr "Det finns inga modulspecifika data" +msgstr "Ingen modulspecifik data finns" #: libpam/pam_strerror.c:80 msgid "Bad item passed to pam_*_item()" -msgstr "Ett ogiltigt objekt har skickats till pam_*_item() " +msgstr "Ogiltigt objekt skickat till pam_*_item()" #: libpam/pam_strerror.c:82 msgid "Conversation error" -msgstr "Samtalsfel" +msgstr "Konversationsfel" #: libpam/pam_strerror.c:84 msgid "Authentication token manipulation error" -msgstr "Fel på ändring av autentiseringstoken" +msgstr "Manipuleringsfel fr autentiseringselement" #: libpam/pam_strerror.c:86 msgid "Authentication information cannot be recovered" -msgstr "Det går inte att återställa autentiseringsinformationen" +msgstr "Autentiseringsinformation kan inte terstllas" #: libpam/pam_strerror.c:88 msgid "Authentication token lock busy" -msgstr "Autentiseringstokens lås är upptaget" +msgstr "Autentiseringselementls upptaget" #: libpam/pam_strerror.c:90 msgid "Authentication token aging disabled" -msgstr "Åldrande 
av autentiseringstoken har inaktiverats" +msgstr "ldrande av autentiseringselement inaktiverat" #: libpam/pam_strerror.c:92 msgid "Failed preliminary check by password service" -msgstr "Lösenordstjänstens preliminära kontroll misslyckades" +msgstr "Lsenordstjnstens preliminra kontroll misslyckades" #: libpam/pam_strerror.c:94 msgid "The return value should be ignored by PAM dispatch" -msgstr "Returvärdet ska ignoreras av PAM-sändningen" +msgstr "Returvrdet borde ignoreras vid PAM-avsndande" #: libpam/pam_strerror.c:96 msgid "Module is unknown" -msgstr "Modulen är okänd" +msgstr "Modulen r oknd" #: libpam/pam_strerror.c:98 msgid "Authentication token expired" -msgstr "Autentiseringstoken har upphört att gälla" +msgstr "Autentiseringselement har gtt ut" #: libpam/pam_strerror.c:100 msgid "Conversation is waiting for event" -msgstr "Samtalet väntar för händelsen" +msgstr "Konversation vntar p hndelse" #: libpam/pam_strerror.c:102 msgid "Application needs to call libpam again" -msgstr "Programmet måste anropa libpam på nytt" +msgstr "Programmet behver anropa libpam igen" #: libpam/pam_strerror.c:105 msgid "Unknown PAM error" -msgstr "Okänt PAM-fel" +msgstr "Oknt PAM-fel" #: modules/pam_cracklib/pam_cracklib.c:64 #, c-format msgid "New %s%spassword: " -msgstr "Nytt lösenord för %s%s: " +msgstr "Nytt %s%slsenord: " #: modules/pam_cracklib/pam_cracklib.c:66 #, c-format msgid "Retype new %s%spassword: " -msgstr "Ange det nya %s%s-lösenordet igen: " +msgstr "Ange nytt %s%slsenord igen: " #: modules/pam_cracklib/pam_cracklib.c:67 msgid "Sorry, passwords do not match." -msgstr "Lösenorden stämmer inte överens." +msgstr "Ledsen, lsenorden stmmer inte verens." 
#: modules/pam_cracklib/pam_cracklib.c:432 msgid "is the same as the old one" -msgstr "är identiskt med det gamla" +msgstr "r samma som det gamla" #: modules/pam_cracklib/pam_cracklib.c:445 msgid "is a palindrome" -msgstr "är en palindrom" +msgstr "r ett palindrom" #: modules/pam_cracklib/pam_cracklib.c:448 msgid "case changes only" -msgstr "endast ändringar i skiftläget" +msgstr "endast ndringar i gemener och versaler" #: modules/pam_cracklib/pam_cracklib.c:451 msgid "is too similar to the old one" -msgstr "är för likt det gamla" +msgstr "r fr likt det gamla" #: modules/pam_cracklib/pam_cracklib.c:454 msgid "is too simple" -msgstr "är för enkelt" +msgstr "r fr enkelt" #: modules/pam_cracklib/pam_cracklib.c:457 msgid "is rotated" -msgstr "är roterat" +msgstr "r roterat" #: modules/pam_cracklib/pam_cracklib.c:460 msgid "not enough character classes" -msgstr "" +msgstr "fr f teckenklasser" #: modules/pam_cracklib/pam_cracklib.c:498 msgid "has been already used" -msgstr "har redan använts" +msgstr "har redan anvnts" #: modules/pam_cracklib/pam_cracklib.c:526 #: modules/pam_unix/pam_unix_passwd.c:978 msgid "No password supplied" -msgstr "Inget lösenord har angetts" +msgstr "Inget lsenord angivet" -# password dialog title #: modules/pam_cracklib/pam_cracklib.c:526 #: modules/pam_unix/pam_unix_passwd.c:978 msgid "Password unchanged" -msgstr "Lösenordet har inte ändrats" +msgstr "Ofrndrat lsenord" #: modules/pam_cracklib/pam_cracklib.c:549 #: modules/pam_cracklib/pam_cracklib.c:676 #, c-format msgid "BAD PASSWORD: %s" -msgstr "DÅLIGT LÖSENORD: %s" +msgstr "DLIGT LSENORD: %s" #: modules/pam_exec/pam_exec.c:118 #, c-format msgid "%s failed: exit code %d" -msgstr "" +msgstr "%s misslyckades: slutstatus %d" #: modules/pam_exec/pam_exec.c:126 #, c-format msgid "%s failed: caught signal %d%s" -msgstr "" +msgstr "%s misslyckades: fngade signalen %d%s" #: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: unknown status 0x%x" -msgstr "" +msgstr "%s misslyckades: oknd 
status 0x%x" #. TRANSLATORS: "strftime options for date of last login" #: modules/pam_lastlog/pam_lastlog.c:190 msgid " %a %b %e %H:%M:%S %Z %Y" -msgstr "%a %b %e %H:%M:%S %Z %Y" +msgstr " %a %e %b %Y %H.%M.%S %Z" #. TRANSLATORS: " from " #: modules/pam_lastlog/pam_lastlog.c:199 #, c-format msgid " from %.*s" -msgstr "från %.*s" +msgstr " frn %.*s" #. TRANSLATORS: " on " #: modules/pam_lastlog/pam_lastlog.c:211 #, c-format msgid " on %.*s" -msgstr "på %.*s" +msgstr " p %.*s" #. TRANSLATORS: "Last login: from on " #: modules/pam_lastlog/pam_lastlog.c:220 #, c-format msgid "Last login:%s%s%s" -msgstr "Senaste inloggningen:%s%s%s" +msgstr "Senaste inloggning:%s%s%s" #: modules/pam_lastlog/pam_lastlog.c:226 msgid "Welcome to your new account!" -msgstr "Välkommen till ditt nya konto!" +msgstr "Vlkommen till ditt nya konto!" #: modules/pam_limits/pam_limits.c:712 #, c-format msgid "Too many logins for '%s'." -msgstr "För många inloggningar för %s." +msgstr "Fr mnga inloggningar fr \"%s\"." #: modules/pam_mail/pam_mail.c:313 msgid "No mail." -msgstr "Inga e-postmeddelanden." +msgstr "Inga brev." #: modules/pam_mail/pam_mail.c:316 msgid "You have new mail." -msgstr "Du har nya e-postmeddelanden." +msgstr "Du har nya brev." #: modules/pam_mail/pam_mail.c:319 msgid "You have old mail." -msgstr "Du har gamla e-postmeddelanden." +msgstr "Du har gamla brev." #: modules/pam_mail/pam_mail.c:323 msgid "You have mail." -msgstr "Du har e-postmeddelanden." +msgstr "Du har brev." #: modules/pam_mail/pam_mail.c:330 #, c-format msgid "You have no mail in folder %s." -msgstr "Du har inga e-postmeddelanden i mappen %s." +msgstr "Du har inga brev i katalogen %s." #: modules/pam_mail/pam_mail.c:334 #, c-format msgid "You have new mail in folder %s." -msgstr "Du har nya e-postmeddelanden i mappen %s." +msgstr "Du har nya brev i katalogen %s." #: modules/pam_mail/pam_mail.c:338 #, c-format msgid "You have old mail in folder %s." -msgstr "Du har gamla e-postmeddelanden i mappen %s." 
+msgstr "Du har gamla brev i katalogen %s." #: modules/pam_mail/pam_mail.c:343 #, c-format msgid "You have mail in folder %s." -msgstr "Du har e-postmeddelanden i mappen %s." +msgstr "Du har brev i katalogen %s." #: modules/pam_mkhomedir/pam_mkhomedir.c:142 #, c-format msgid "Creating directory '%s'." -msgstr "" +msgstr "Skapar katalogen \"%s\"." #: modules/pam_mkhomedir/pam_mkhomedir.c:147 #, c-format msgid "Unable to create directory %s: %m" -msgstr "" +msgstr "Kan inte skapa katalogen %s: %m" #: modules/pam_selinux/pam_selinux.c:94 msgid "Error connecting to audit system." -msgstr "" +msgstr "Fel vid anslutning till granskningssystem." #: modules/pam_selinux/pam_selinux.c:98 -#, fuzzy msgid "Error translating default context." -msgstr "Standardkontexten är %s. \n" +msgstr "Fel vid versttning av standardkontext." #: modules/pam_selinux/pam_selinux.c:102 msgid "Error translating selected context." -msgstr "" +msgstr "Fel vid versttning av kontext." #: modules/pam_selinux/pam_selinux.c:113 msgid "Error sending audit message." -msgstr "" +msgstr "Fel vid sndande av granskningsmeddelande" #: modules/pam_selinux/pam_selinux.c:164 -#, fuzzy msgid "Would you like to enter a security context? [N] " -msgstr "Vill du ange en säkerhetskontext? [j]" +msgstr "Vill du ange en skerhetskontext? 
[N]" #: modules/pam_selinux/pam_selinux.c:181 modules/pam_selinux/pam_selinux.c:265 -#, fuzzy msgid "role:" -msgstr "roll: " +msgstr "roll:" #: modules/pam_selinux/pam_selinux.c:193 modules/pam_selinux/pam_selinux.c:282 -#, fuzzy msgid "level:" -msgstr "nivå: " +msgstr "niv:" #: modules/pam_selinux/pam_selinux.c:206 modules/pam_selinux/pam_selinux.c:313 msgid "Not a valid security context" -msgstr "Säkerhetskontexten är ogiltig" +msgstr "Inte en giltig skerhetskontext" #: modules/pam_selinux/pam_selinux.c:251 -#, fuzzy, c-format +#, c-format msgid "Default Security Context %s\n" -msgstr "Säkerhetskontexten %s har tilldelats" +msgstr "Standardskerhetskontext %s\n" #: modules/pam_selinux/pam_selinux.c:255 -#, fuzzy msgid "Would you like to enter a different role or level?" -msgstr "Vill du ange en säkerhetskontext? [j]" +msgstr "Vill du ange en annan roll eller niv?" #: modules/pam_selinux/pam_selinux.c:269 #, c-format msgid "No default type for role %s\n" -msgstr "" +msgstr "Ingen standardttyp fr %s-roll\n" #: modules/pam_selinux/pam_selinux.c:512 msgid "Out of memory" -msgstr "" +msgstr "Slut p minne" #: modules/pam_selinux/pam_selinux.c:520 modules/pam_selinux/pam_selinux.c:522 #, c-format msgid "Unable to get valid context for %s" -msgstr "" +msgstr "Kan inte hmta giltig kontext fr %s" #: modules/pam_selinux/pam_selinux.c:578 msgid "Requested MLS level not in permitted range" -msgstr "" +msgstr "Begrd MLS-niv utanfr giltigt intervall" #: modules/pam_selinux/pam_selinux.c:628 #, c-format msgid "Security Context %s Assigned" -msgstr "Säkerhetskontexten %s har tilldelats" +msgstr "Skerhetskontext %s tilldelad" #: modules/pam_selinux/pam_selinux.c:649 -#, fuzzy, c-format +#, c-format msgid "Key Creation Context %s Assigned" -msgstr "Säkerhetskontexten %s har tilldelats" +msgstr "Nyckelskapandekontext %s tilldelad" #: modules/pam_selinux/pam_selinux_check.c:99 #, c-format msgid "failed to initialize PAM\n" -msgstr "Det gick inte att initiera PAM\n" +msgstr 
"misslyckades med att initiera PAM\n" #: modules/pam_selinux/pam_selinux_check.c:105 #, c-format @@ -412,24 +402,24 @@ msgstr "pam_set_item() misslyckades\n" #: modules/pam_selinux/pam_selinux_check.c:133 #, c-format msgid "login: failure forking: %m" -msgstr "inloggning: forking misslyckades: %m" +msgstr "inloggning: fel vid grening: %m" #: modules/pam_stress/pam_stress.c:476 -#, fuzzy, c-format +#, c-format msgid "Changing STRESS password for %s." -msgstr "STRESS-lösenordet ändras för" +msgstr "ndrar STRESS-lsenord fr %s." #: modules/pam_stress/pam_stress.c:490 msgid "Enter new STRESS password: " -msgstr "Ange ett nytt STRESS-lösenord: " +msgstr "Ange nytt STRESS-lsenord: " #: modules/pam_stress/pam_stress.c:493 msgid "Retype new STRESS password: " -msgstr "Ange det nya STRESS-lösenordet igen: " +msgstr "Ange nytt STRESS-lsenord igen: " #: modules/pam_stress/pam_stress.c:522 msgid "Verification mis-typed; password unchanged" -msgstr "Verifieringen misslyckades. Lösenordet har inte ändrats" +msgstr "Felskriven verifikation, lsenord ofrndrat" #: modules/pam_tally/pam_tally.c:746 msgid "Authentication error" 
@@ -437,111 +427,97 @@ msgstr "Autentiseringsfel" #: modules/pam_tally/pam_tally.c:747 msgid "Service error" -msgstr "Fel på tjänst" +msgstr "Servicefel" #: modules/pam_tally/pam_tally.c:748 msgid "Unknown user" -msgstr "Okänd användare" +msgstr "Oknd anvndare" #: modules/pam_tally/pam_tally.c:749 msgid "Unknown error" -msgstr "Okänt fel" +msgstr "Oknt fel" #: modules/pam_tally/pam_tally.c:765 #, c-format msgid "%s: Bad number given to --reset=\n" -msgstr "%s: Ett ogiltigt nummer skickades till --reset=\n" +msgstr "%s: Felaktigt nummer till --reset=\n" #: modules/pam_tally/pam_tally.c:769 #, c-format msgid "%s: Unrecognised option %s\n" -msgstr "%s: Alternativet %s är okänt\n" +msgstr "%s: Oknd flagga %s\n" #: modules/pam_tally/pam_tally.c:781 #, c-format msgid "" "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" msgstr "" -"%s: [--file filnamn-med-rot] [--user användarnamn] [--reset[=n]] [--quiet]\n" +"%s: [--file absolut-filnamn] [--user anvndarnamn] [--reset[=n]] [--quiet]\n" #: modules/pam_tally/pam_tally.c:855 #, c-format msgid "%s: Can't reset all users to non-zero\n" -msgstr "" -"%s: Det går inte att återställa alla användare till något annat än noll\n" +msgstr "%s: Kan inte stlla om alla anvndare till nollskilt vrde\n" #: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 msgid "Your account has expired; please contact your system administrator" -msgstr "Ditt konto har upphört att gälla. Kontakta systemadministratören." +msgstr "Ditt konto har gtt ut. 
Kontakta din systemadministratr" #: modules/pam_unix/pam_unix_acct.c:284 msgid "You are required to change your password immediately (root enforced)" -msgstr "Du måste ändra lösenord omedelbart (tvingad av root)" +msgstr "Du mste ndra ditt lsenord omedelbart (ptvingat av root)" #: modules/pam_unix/pam_unix_acct.c:311 msgid "You are required to change your password immediately (password aged)" -msgstr "Du måste ändra lösenord omedelbart (lösenordet är för gammalt)" +msgstr "Du mste ndra ditt lsenord omedelbart (lsenord fr gammalt)" #: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 -#, fuzzy, c-format +#, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" -msgstr[0] "Varning: lösenordet upphör att gälla om %d dag%.2ar" -msgstr[1] "Varning: lösenordet upphör att gälla om %d dag%.2ar" +msgstr[0] "Varning: ditt lsenord gr ut om %d dag" +msgstr[1] "Varning: ditt lsenord gr ut om %d dagar" #. TRANSLATORS: only used if dngettext is not support #. ed #: modules/pam_unix/pam_unix_acct.c:337 -#, fuzzy, c-format +#, c-format msgid "Warning: your password will expire in %d days" -msgstr "Varning: lösenordet upphör att gälla om %d dag%.2ar" +msgstr "Varning: ditt lsenord gr ut om %d dagar" #: modules/pam_unix/pam_unix_auth.c:159 modules/pam_userdb/pam_userdb.c:61 msgid "Password: " -msgstr "Lösenord: " +msgstr "Lsenord: " -# password dialog title #: modules/pam_unix/pam_unix_passwd.c:822 msgid "NIS password could not be changed." -msgstr "Det gick inte att ändra NIS-lösenordet" +msgstr "NIS-lsenord kunde inte ndras." #: modules/pam_unix/pam_unix_passwd.c:999 msgid "You must choose a longer password" -msgstr "Du måste välja ett längre lösenord" +msgstr "Du mste vlja ett lngre lsenord" #: modules/pam_unix/pam_unix_passwd.c:1004 msgid "Password has been already used. Choose another." -msgstr "Lösenordet har redan använts. Välj ett annat." +msgstr "Lsenordet har redan anvnds. 
Vlj ett annat." #: modules/pam_unix/pam_unix_passwd.c:1104 -#, fuzzy, c-format +#, c-format msgid "Changing password for %s." -msgstr "STRESS-lösenordet ändras för" +msgstr "ndrar lsenord fr %s." #: modules/pam_unix/pam_unix_passwd.c:1115 msgid "(current) UNIX password: " -msgstr "(aktuellt) UNIX-lösenord: " +msgstr "(nuvarande) UNIX-lsenord: " #: modules/pam_unix/pam_unix_passwd.c:1150 msgid "You must wait longer to change your password" -msgstr "Du måste vänta längre innan du ändrar ditt lösenord" +msgstr "Du mste vnta lngre innan du kan ndra lsenord" #: modules/pam_unix/pam_unix_passwd.c:1210 msgid "Enter new UNIX password: " -msgstr "Ange ett nytt UNIX-lösenord: " +msgstr "Ange nytt UNIX-lsenord: " #: modules/pam_unix/pam_unix_passwd.c:1211 msgid "Retype new UNIX password: " -msgstr "Ange det nya UNIX-lösenordet igen: " - -#~ msgid "Do you want to choose a different one? [n]" -#~ msgstr "Vill du välja en annan? [n]" - -#~ msgid "Enter number of choice: " -#~ msgstr "Ange önskat nummer: " - -#~ msgid "type: " -#~ msgstr "typ: " - -#~ msgid "dlopen() failure" -#~ msgstr "dlopen() misslyckades" +msgstr "Ange nytt UNIX-lsenord igen: " -- cgit v1.2.3 From 1f802e15b36f0ca69dc4127a9332983acfd70117 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 7 Jan 2008 14:54:50 +0000 Subject: Relevant BUGIDs: 1863490 Purpose of commit: bugfix Commit summary: --------------- 2008-01-07 Thorsten Kukuk * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix cut & paste error [#1863490]. --- ChangeLog | 4 +- modules/pam_succeed_if/README | 2 +- modules/pam_succeed_if/pam_succeed_if.8 | 184 ++++++++++++++++++---------- modules/pam_succeed_if/pam_succeed_if.8.xml | 2 +- 4 files changed, 121 insertions(+), 71 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6c217aa2..f75e6b40 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -7,7 +7,9 @@ * doc/man/pam_xauth_data.3: Likewise. * modules/pam_tty_audit/README: Likewise. * modules/pam_tty_audit/pam_tty_audit.8: Likewise. - * po/sv.po: Update swedish translation [#1857531] + * po/sv.po: Update swedish translation [#1857531]. + * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix + cut & paste error [#1863490]. 2007-12-18 Thorsten Kukuk diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README index 4516a9d1..6e4907c6 100644 --- a/modules/pam_succeed_if/README +++ b/modules/pam_succeed_if/README @@ -50,7 +50,7 @@ field <= number field eq number - Field has a value numerically less equal to number. + Field has a value numerically equal to number. field >= number diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 index 30af456c..45155850 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8 +++ b/modules/pam_succeed_if/pam_succeed_if.8 
@@ -1,47 +1,57 @@ .\" Title: pam_succeed_if .\" Author: -.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 -.\" Date: 08/31/2006 -.\" Manual: Linux\-PAM -.\" Source: Linux\-PAM +.\" Generator: DocBook XSL Stylesheets v1.73.1 +.\" Date: 01/07/2008 +.\" Manual: Linux-PAM +.\" Source: Linux-PAM .\" -.TH "PAM_SUCCEED_IF" "8" "08/31/2006" "Linux\-PAM" "Linux\-PAM" +.TH "PAM_SUCCEED_IF" "8" "01/07/2008" "Linux-PAM" "Linux\-PAM" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .SH "NAME" -pam_succeed_if \- test account characteristics +pam_succeed_if - test account characteristics .SH "SYNOPSIS" .HP 18 -\fBpam_succeed_if.so\fR [\fIflag\fR...] [\fIcondition\fR...] +\fBpam_succeed_if\.so\fR [\fIflag\fR...] [\fIcondition\fR...] .SH "DESCRIPTION" .PP -pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated. One use is to select whether to load other modules based on this test. +pam_succeed_if\.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated\. One use is to select whether to load other modules based on this test\. .PP -The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met. +The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\. .SH "OPTIONS" .PP The following \fIflag\fRs are supported: -.TP 3n +.PP \fBdebug\fR -Turns on debugging messages sent to syslog. -.TP 3n +.RS 4 +Turns on debugging messages sent to syslog\. +.RE +.PP \fBuse_uid\fR -Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated. 
-.TP 3n +.RS 4 +Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\. +.RE +.PP \fBquiet\fR -Don't log failure or success to the system log. -.TP 3n +.RS 4 +Don\'t log failure or success to the system log\. +.RE +.PP \fBquiet_fail\fR -Don't log failure to the system log. -.TP 3n +.RS 4 +Don\'t log failure to the system log\. +.RE +.PP \fBquiet_success\fR -Don't log success to the system log. +.RS 4 +Don\'t log success to the system log\. +.RE .PP -\fICondition\fRs are three words: a field, a test, and a value to test for. +\fICondition\fRs are three words: a field, a test, and a value to test for\. .PP Available fields are \fIuser\fR, 
@@ -51,85 +61,123 @@ Available fields are \fIhome\fR and \fIservice\fR: -.TP 3n +.PP \fBfield < number\fR -Field has a value numerically less than number. -.TP 3n +.RS 4 +Field has a value numerically less than number\. +.RE +.PP \fBfield <= number\fR -Field has a value numerically less than or equal to number. -.TP 3n +.RS 4 +Field has a value numerically less than or equal to number\. +.RE +.PP \fBfield eq number\fR -Field has a value numerically less equal to number. -.TP 3n +.RS 4 +Field has a value numerically equal to number\. +.RE +.PP \fBfield >= number\fR -Field has a value numerically greater than or equal to number. -.TP 3n +.RS 4 +Field has a value numerically greater than or equal to number\. +.RE +.PP \fBfield > number\fR -Field has a value numerically greater than number. -.TP 3n +.RS 4 +Field has a value numerically greater than number\. +.RE +.PP \fBfield ne number\fR -Field has a value numerically different from number. -.TP 3n +.RS 4 +Field has a value numerically different from number\. +.RE +.PP \fBfield = string\fR -Field exactly matches the given string. -.TP 3n +.RS 4 +Field exactly matches the given string\. +.RE +.PP \fBfield != string\fR -Field does not match the given string. -.TP 3n +.RS 4 +Field does not match the given string\. +.RE +.PP \fBfield =~ glob\fR -Field matches the given glob. -.TP 3n +.RS 4 +Field matches the given glob\. +.RE +.PP \fBfield !~ glob\fR -Field does not match the given glob. -.TP 3n -\fBfield in item:item:...\fR -Field is contained in the list of items separated by colons. -.TP 3n -\fBfield notin item:item:...\fR -Field is not contained in the list of items separated by colons. -.TP 3n +.RS 4 +Field does not match the given glob\. +.RE +.PP +\fBfield in item:item:\.\.\.\fR +.RS 4 +Field is contained in the list of items separated by colons\. +.RE +.PP +\fBfield notin item:item:\.\.\.\fR +.RS 4 +Field is not contained in the list of items separated by colons\. 
+.RE +.PP \fBuser ingroup group\fR -User is in given group. -.TP 3n +.RS 4 +User is in given group\. +.RE +.PP \fBuser notingroup group\fR -User is not in given group. -.TP 3n +.RS 4 +User is not in given group\. +.RE +.PP \fBuser innetgr netgroup\fR -(user,host) is in given netgroup. -.TP 3n +.RS 4 +(user,host) is in given netgroup\. +.RE +.PP \fBuser notinnetgr group\fR -(user,host) is not in given netgroup. +.RS 4 +(user,host) is not in given netgroup\. +.RE .SH "MODULE SERVICES PROVIDED" .PP -All services are supported. +All services are supported\. .SH "RETURN VALUES" -.TP 3n +.PP PAM_SUCCESS -The condition was true. -.TP 3n +.RS 4 +The condition was true\. +.RE +.PP PAM_AUTH_ERR -The condition was false. -.TP 3n +.RS 4 +The condition was false\. +.RE +.PP PAM_SERVICE_ERR -A service error occured or the arguments can't be parsed as numbers. +.RS 4 +A service error occured or the arguments can\'t be parsed as numbers\. +.RE .SH "EXAMPLES" .PP To emulate the behaviour of \fIpam_wheel\fR, except there is no fallback to group 0: .sp -.RS 3n +.RS 4 .nf -auth required pam_succeed_if.so quiet user ingroup wheel +auth required pam_succeed_if\.so quiet user ingroup wheel .fi .RE .PP -Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules. +Given that the type matches, only loads the othermodule rule if the UID is over 500\. Adjust the number after default to skip several rules\. .sp -.RS 3n +.RS 4 .nf -type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 -type required othermodule.so arguments... +type [default=1 success=ignore] pam_succeed_if\.so quiet uid > 500 +type required othermodule\.so arguments\.\.\. .fi .RE @@ -140,4 +188,4 @@ type required othermodule.so arguments... \fBpam\fR(8) .SH "AUTHOR" .PP -Nalin Dahyabhai +Nalin Dahyabhai diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml index b7ad29e6..d064e03b 100644 
--- a/modules/pam_succeed_if/pam_succeed_if.8.xml +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -120,7 +120,7 @@ - Field has a value numerically less equal to number. + Field has a value numerically equal to number. -- cgit v1.2.3 From d48c90b14254794fcad9ccc37873a8c663cce02d Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 8 Jan 2008 12:44:15 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- Remove autogenerated documentation from CVS --- doc/man/.cvsignore | 43 +++++ doc/man/PAM.8 | 103 ----------- doc/man/misc_conv.3 | 97 ---------- doc/man/pam.3 | 282 ---------------------------- doc/man/pam.8 | 1 - doc/man/pam.conf.5 | 317 -------------------------------- doc/man/pam.d.5 | 1 - doc/man/pam_acct_mgmt.3 | 68 ------- doc/man/pam_authenticate.3 | 76 -------- doc/man/pam_chauthtok.3 | 73 -------- doc/man/pam_close_session.3 | 55 ------ doc/man/pam_conv.3 | 145 --------------- doc/man/pam_end.3 | 69 ------- doc/man/pam_error.3 | 66 ------- doc/man/pam_fail_delay.3 | 130 ------------- doc/man/pam_get_data.3 | 60 ------ doc/man/pam_get_item.3 | 173 ----------------- doc/man/pam_get_user.3 | 79 -------- doc/man/pam_getenv.3 | 43 ----- doc/man/pam_getenvlist.3 | 50 ----- doc/man/pam_info.3 | 62 ------- doc/man/pam_misc_drop_env.3 | 46 ----- doc/man/pam_misc_paste_env.3 | 41 ----- doc/man/pam_misc_setenv.3 | 46 ----- doc/man/pam_open_session.3 | 55 ------ doc/man/pam_prompt.3 | 55 ------ doc/man/pam_putenv.3 | 96 ---------- doc/man/pam_set_data.3 | 103 ----------- doc/man/pam_set_item.3 | 170 ----------------- doc/man/pam_setcred.3 | 82 --------- doc/man/pam_sm_acct_mgmt.3 | 79 -------- doc/man/pam_sm_authenticate.3 | 80 -------- doc/man/pam_sm_chauthtok.3 | 97 ---------- doc/man/pam_sm_close_session.3 | 58 ------ doc/man/pam_sm_open_session.3 | 58 ------ doc/man/pam_sm_setcred.3 | 95 ---------- doc/man/pam_start.3 | 80 -------- doc/man/pam_strerror.3 | 36 ---- doc/man/pam_syslog.3 | 61 ------ doc/man/pam_verror.3 | 1 - doc/man/pam_vinfo.3 | 1 - doc/man/pam_vprompt.3 | 1 - doc/man/pam_vsyslog.3 | 1 - doc/man/pam_xauth_data.3 | 70 ------- modules/pam_access/.cvsignore | 3 + modules/pam_access/README | 120 ------------ modules/pam_access/access.conf.5 | 170 ----------------- modules/pam_access/pam_access.8 | 112 
----------- modules/pam_cracklib/.cvsignore | 2 + modules/pam_cracklib/README | 220 ---------------------- modules/pam_cracklib/pam_cracklib.8 | 309 ------------------------------- modules/pam_debug/.cvsignore | 2 + modules/pam_debug/README | 64 ------- modules/pam_debug/pam_debug.8 | 110 ----------- modules/pam_deny/.cvsignore | 2 + modules/pam_deny/README | 31 ---- modules/pam_deny/pam_deny.8 | 82 --------- modules/pam_echo/.cvsignore | 2 + modules/pam_echo/README | 50 ----- modules/pam_echo/pam_echo.8 | 88 --------- modules/pam_env/.cvsignore | 3 + modules/pam_env/README | 74 -------- modules/pam_env/pam_env.8 | 89 --------- modules/pam_env/pam_env.conf.5 | 87 --------- modules/pam_exec/.cvsignore | 2 + modules/pam_exec/README | 42 ----- modules/pam_exec/pam_exec.8 | 88 --------- modules/pam_faildelay/.cvsignore | 2 + modules/pam_faildelay/README | 33 ---- modules/pam_faildelay/pam_faildelay.8 | 65 ------- modules/pam_filter/.cvsignore | 2 + modules/pam_filter/README | 78 -------- modules/pam_filter/pam_filter.8 | 140 -------------- modules/pam_ftp/.cvsignore | 2 + modules/pam_ftp/README | 52 ------ modules/pam_ftp/pam_ftp.8 | 95 ---------- modules/pam_group/.cvsignore | 3 + modules/pam_group/README | 45 ----- modules/pam_group/group.conf.5 | 83 --------- modules/pam_group/pam_group.8 | 94 ---------- modules/pam_issue/.cvsignore | 2 + modules/pam_issue/README | 79 -------- modules/pam_issue/pam_issue.8 | 104 ----------- modules/pam_keyinit/.cvsignore | 2 + modules/pam_keyinit/README | 24 --- modules/pam_keyinit/pam_keyinit.8 | 133 -------------- modules/pam_lastlog/.cvsignore | 2 + modules/pam_lastlog/README | 57 ------ modules/pam_lastlog/pam_lastlog.8 | 91 --------- modules/pam_limits/.cvsignore | 3 + modules/pam_limits/README | 64 ------- modules/pam_limits/limits.conf.5 | 219 ---------------------- modules/pam_limits/pam_limits.8 | 132 ------------- modules/pam_listfile/.cvsignore | 2 + modules/pam_listfile/README | 101 ---------- 
modules/pam_listfile/pam_listfile.8 | 189 ------------------- modules/pam_localuser/.cvsignore | 2 + modules/pam_localuser/README | 38 ---- modules/pam_localuser/pam_localuser.8 | 88 --------- modules/pam_loginuid/.cvsignore | 2 + modules/pam_loginuid/README | 29 --- modules/pam_loginuid/pam_loginuid.8 | 59 ------ modules/pam_mail/.cvsignore | 2 + modules/pam_mail/README | 71 ------- modules/pam_mail/pam_mail.8 | 113 ------------ modules/pam_mkhomedir/.cvsignore | 2 + modules/pam_mkhomedir/README | 36 ---- modules/pam_mkhomedir/pam_mkhomedir.8 | 91 --------- modules/pam_motd/.cvsignore | 2 + modules/pam_motd/README | 27 --- modules/pam_motd/pam_motd.8 | 64 ------- modules/pam_namespace/.cvsignore | 3 + modules/pam_namespace/README | 168 ----------------- modules/pam_namespace/namespace.conf.5 | 101 ---------- modules/pam_namespace/pam_namespace.8 | 137 -------------- modules/pam_nologin/.cvsignore | 2 + modules/pam_nologin/README | 41 ----- modules/pam_nologin/pam_nologin.8 | 96 ---------- modules/pam_permit/.cvsignore | 2 + modules/pam_permit/README | 30 --- modules/pam_permit/pam_permit.8 | 64 ------- modules/pam_rhosts/.cvsignore | 2 + modules/pam_rhosts/README | 56 ------ modules/pam_rhosts/pam_rhosts.8 | 98 ---------- modules/pam_rootok/.cvsignore | 2 + modules/pam_rootok/README | 33 ---- modules/pam_rootok/pam_rootok.8 | 77 -------- modules/pam_securetty/.cvsignore | 2 + modules/pam_securetty/README | 33 ---- modules/pam_securetty/pam_securetty.8 | 85 --------- modules/pam_selinux/.cvsignore | 3 + modules/pam_selinux/README | 66 ------- modules/pam_selinux/pam_selinux.8 | 101 ---------- modules/pam_selinux/pam_selinux_check.8 | 35 ---- modules/pam_shells/.cvsignore | 2 + modules/pam_shells/README | 24 --- modules/pam_shells/pam_shells.8 | 73 -------- modules/pam_stress/.cvsignore | 1 + modules/pam_stress/README | 66 ------- modules/pam_succeed_if/.cvsignore | 2 + modules/pam_succeed_if/README | 124 ------------- modules/pam_succeed_if/pam_succeed_if.8 | 191 
------------------- modules/pam_tally/.cvsignore | 2 + modules/pam_tally/README | 132 ------------- modules/pam_tally/pam_tally.8 | 221 ---------------------- modules/pam_time/.cvsignore | 3 + modules/pam_time/README | 36 ---- modules/pam_time/pam_time.8 | 95 ---------- modules/pam_time/time.conf.5 | 92 --------- modules/pam_tty_audit/.cvsignore | 2 + modules/pam_umask/.cvsignore | 2 + modules/pam_umask/README | 58 ------ modules/pam_umask/pam_umask.8 | 96 ---------- modules/pam_unix/.cvsignore | 3 + modules/pam_unix/README | 142 -------------- modules/pam_unix/pam_unix.8 | 143 -------------- modules/pam_unix/unix_chkpwd.8 | 80 -------- modules/pam_userdb/.cvsignore | 2 + modules/pam_userdb/README | 74 -------- modules/pam_userdb/pam_userdb.8 | 104 ----------- modules/pam_warn/.cvsignore | 2 + modules/pam_warn/README | 36 ---- modules/pam_warn/pam_warn.8 | 69 ------- modules/pam_wheel/.cvsignore | 2 + modules/pam_wheel/README | 61 ------ modules/pam_wheel/pam_wheel.8 | 101 ---------- modules/pam_xauth/.cvsignore | 2 + modules/pam_xauth/README | 90 --------- modules/pam_xauth/pam_xauth.8 | 163 ---------------- 169 files changed, 130 insertions(+), 11084 deletions(-) delete mode 100644 doc/man/PAM.8 delete mode 100644 doc/man/misc_conv.3 delete mode 100644 doc/man/pam.3 delete mode 100644 doc/man/pam.8 delete mode 100644 doc/man/pam.conf.5 delete mode 100644 doc/man/pam.d.5 delete mode 100644 doc/man/pam_acct_mgmt.3 delete mode 100644 doc/man/pam_authenticate.3 delete mode 100644 doc/man/pam_chauthtok.3 delete mode 100644 doc/man/pam_close_session.3 delete mode 100644 doc/man/pam_conv.3 delete mode 100644 doc/man/pam_end.3 delete mode 100644 doc/man/pam_error.3 delete mode 100644 doc/man/pam_fail_delay.3 delete mode 100644 doc/man/pam_get_data.3 delete mode 100644 doc/man/pam_get_item.3 delete mode 100644 doc/man/pam_get_user.3 delete mode 100644 doc/man/pam_getenv.3 delete mode 100644 doc/man/pam_getenvlist.3 delete mode 100644 doc/man/pam_info.3 delete mode 100644 
doc/man/pam_misc_drop_env.3 delete mode 100644 doc/man/pam_misc_paste_env.3 delete mode 100644 doc/man/pam_misc_setenv.3 delete mode 100644 doc/man/pam_open_session.3 delete mode 100644 doc/man/pam_prompt.3 delete mode 100644 doc/man/pam_putenv.3 delete mode 100644 doc/man/pam_set_data.3 delete mode 100644 doc/man/pam_set_item.3 delete mode 100644 doc/man/pam_setcred.3 delete mode 100644 doc/man/pam_sm_acct_mgmt.3 delete mode 100644 doc/man/pam_sm_authenticate.3 delete mode 100644 doc/man/pam_sm_chauthtok.3 delete mode 100644 doc/man/pam_sm_close_session.3 delete mode 100644 doc/man/pam_sm_open_session.3 delete mode 100644 doc/man/pam_sm_setcred.3 delete mode 100644 doc/man/pam_start.3 delete mode 100644 doc/man/pam_strerror.3 delete mode 100644 doc/man/pam_syslog.3 delete mode 100644 doc/man/pam_verror.3 delete mode 100644 doc/man/pam_vinfo.3 delete mode 100644 doc/man/pam_vprompt.3 delete mode 100644 doc/man/pam_vsyslog.3 delete mode 100644 doc/man/pam_xauth_data.3 delete mode 100644 modules/pam_access/README delete mode 100644 modules/pam_access/access.conf.5 delete mode 100644 modules/pam_access/pam_access.8 delete mode 100644 modules/pam_cracklib/README delete mode 100644 modules/pam_cracklib/pam_cracklib.8 delete mode 100644 modules/pam_debug/README delete mode 100644 modules/pam_debug/pam_debug.8 delete mode 100644 modules/pam_deny/README delete mode 100644 modules/pam_deny/pam_deny.8 delete mode 100644 modules/pam_echo/README delete mode 100644 modules/pam_echo/pam_echo.8 delete mode 100644 modules/pam_env/README delete mode 100644 modules/pam_env/pam_env.8 delete mode 100644 modules/pam_env/pam_env.conf.5 delete mode 100644 modules/pam_exec/README delete mode 100644 modules/pam_exec/pam_exec.8 delete mode 100644 modules/pam_faildelay/README delete mode 100644 modules/pam_faildelay/pam_faildelay.8 delete mode 100644 modules/pam_filter/README delete mode 100644 modules/pam_filter/pam_filter.8 delete mode 100644 modules/pam_ftp/README delete mode 100644 
modules/pam_ftp/pam_ftp.8 delete mode 100644 modules/pam_group/README delete mode 100644 modules/pam_group/group.conf.5 delete mode 100644 modules/pam_group/pam_group.8 delete mode 100644 modules/pam_issue/README delete mode 100644 modules/pam_issue/pam_issue.8 delete mode 100644 modules/pam_keyinit/README delete mode 100644 modules/pam_keyinit/pam_keyinit.8 delete mode 100644 modules/pam_lastlog/README delete mode 100644 modules/pam_lastlog/pam_lastlog.8 delete mode 100644 modules/pam_limits/README delete mode 100644 modules/pam_limits/limits.conf.5 delete mode 100644 modules/pam_limits/pam_limits.8 delete mode 100644 modules/pam_listfile/README delete mode 100644 modules/pam_listfile/pam_listfile.8 delete mode 100644 modules/pam_localuser/README delete mode 100644 modules/pam_localuser/pam_localuser.8 delete mode 100644 modules/pam_loginuid/README delete mode 100644 modules/pam_loginuid/pam_loginuid.8 delete mode 100644 modules/pam_mail/README delete mode 100644 modules/pam_mail/pam_mail.8 delete mode 100644 modules/pam_mkhomedir/README delete mode 100644 modules/pam_mkhomedir/pam_mkhomedir.8 delete mode 100644 modules/pam_motd/README delete mode 100644 modules/pam_motd/pam_motd.8 delete mode 100644 modules/pam_namespace/README delete mode 100644 modules/pam_namespace/namespace.conf.5 delete mode 100644 modules/pam_namespace/pam_namespace.8 delete mode 100644 modules/pam_nologin/README delete mode 100644 modules/pam_nologin/pam_nologin.8 delete mode 100644 modules/pam_permit/README delete mode 100644 modules/pam_permit/pam_permit.8 delete mode 100644 modules/pam_rhosts/README delete mode 100644 modules/pam_rhosts/pam_rhosts.8 delete mode 100644 modules/pam_rootok/README delete mode 100644 modules/pam_rootok/pam_rootok.8 delete mode 100644 modules/pam_securetty/README delete mode 100644 modules/pam_securetty/pam_securetty.8 delete mode 100644 modules/pam_selinux/README delete mode 100644 modules/pam_selinux/pam_selinux.8 delete mode 100644 
modules/pam_selinux/pam_selinux_check.8 delete mode 100644 modules/pam_shells/README delete mode 100644 modules/pam_shells/pam_shells.8 delete mode 100644 modules/pam_stress/README delete mode 100644 modules/pam_succeed_if/README delete mode 100644 modules/pam_succeed_if/pam_succeed_if.8 delete mode 100644 modules/pam_tally/README delete mode 100644 modules/pam_tally/pam_tally.8 delete mode 100644 modules/pam_time/README delete mode 100644 modules/pam_time/pam_time.8 delete mode 100644 modules/pam_time/time.conf.5 delete mode 100644 modules/pam_umask/README delete mode 100644 modules/pam_umask/pam_umask.8 delete mode 100644 modules/pam_unix/README delete mode 100644 modules/pam_unix/pam_unix.8 delete mode 100644 modules/pam_unix/unix_chkpwd.8 delete mode 100644 modules/pam_userdb/README delete mode 100644 modules/pam_userdb/pam_userdb.8 delete mode 100644 modules/pam_warn/README delete mode 100644 modules/pam_warn/pam_warn.8 delete mode 100644 modules/pam_wheel/README delete mode 100644 modules/pam_wheel/pam_wheel.8 delete mode 100644 modules/pam_xauth/README delete mode 100644 modules/pam_xauth/pam_xauth.8
diff --git a/doc/man/.cvsignore b/doc/man/.cvsignore
index 23c1897f..d1987738 100644
--- a/doc/man/.cvsignore
+++ b/doc/man/.cvsignore
@@ -1,3 +1,46 @@
 Makefile
 Makefile.in
 *~
+misc_conv.3
+pam.3
+pam.8
+PAM.8
+pam_acct_mgmt.3
+pam_authenticate.3
+pam_chauthtok.3
+pam_close_session.3
+pam.conf.5
+pam_conv.3
+pam.d.5
+pam_end.3
+pam_error.3
+pam_fail_delay.3
+pam_get_data.3
+pam_getenv.3
+pam_getenvlist.3
+pam_get_item.3
+pam_get_user.3
+pam_info.3
+pam_misc_drop_env.3
+pam_misc_paste_env.3
+pam_misc_setenv.3
+pam_open_session.3
+pam_prompt.3
+pam_putenv.3
+pam_setcred.3
+pam_set_data.3
+pam_set_item.3
+pam_sm_acct_mgmt.3
+pam_sm_authenticate.3
+pam_sm_chauthtok.3
+pam_sm_close_session.3
+pam_sm_open_session.3
+pam_sm_setcred.3
+pam_start.3
+pam_strerror.3
+pam_syslog.3
+pam_verror.3
+pam_vinfo.3
+pam_vprompt.3
+pam_vsyslog.3
+pam_xauth_data.3
diff --git a/doc/man/PAM.8 b/doc/man/PAM.8 deleted file mode 100644 index 112ea7d7..00000000 --- a/doc/man/PAM.8 +++ /dev/null 
@@ -1,103 +0,0 @@ -.\" Title: pam -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -PAM, pam \- Pluggable Authentication Modules for Linux -.SH "DESCRIPTION" -.PP -This manual is intended to offer a quick introduction to -\fBLinux\-PAM\fR. For more information the reader is directed to the -\fBLinux\-PAM system administrators' guide\fR. -.PP - -\fBLinux\-PAM\fR -is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as -\fBlogin\fR(1) -and -\fBsu\fR(1)) defer to to perform standard authentication tasks. -.PP -The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users. This dynamic configuration is set by the contents of the single -\fBLinux\-PAM\fR -configuration file -\fI/etc/pam.conf\fR. Alternatively, the configuration can be set by individual configuration files located in the -\fI/etc/pam.d/\fR -directory. The presence of this directory will cause -\fBLinux\-PAM\fR -to -\fIignore\fR -\fI/etc/pam.conf\fR. -.PP -From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the -\fBLinux\-PAM\fR -library. The important point to recognize is that the configuration file(s) -\fIdefine\fR -the connection between applications -(\fBservices\fR) and the pluggable authentication modules -(\fBPAM\fRs) that perform the actual authentication tasks. 
-.PP -\fBLinux\-PAM\fR -separates the tasks of -\fIauthentication\fR -into four independent management groups: -\fBaccount\fR -management; -\fBauth\fRentication management; -\fBpassword\fR -management; and -\fBsession\fR -management. (We highlight the abbreviations used for these groups in the configuration file.) -.PP -Simply put, these groups take care of different aspects of a typical user's request for a restricted service: -.PP -\fBaccount\fR -\- provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service? -.PP -\fBauth\fRentication \- authenticate a user and set up user credentials. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of -\fBLinux\-PAM\fR. -.PP -\fBpassword\fR -\- this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the -\fBauth\fR -group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password\-based access is the obvious example: please enter a replacement password. -.PP -\fBsession\fR -\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The -\fBsession\fR -management group is important as it provides both an opening and closing hook for modules to affect the services available to a user. 
-.SH "FILES" -.TP 3n -\fI/etc/pam.conf\fR -the configuration file -.TP 3n -\fI/etc/pam.d\fR -the -\fBLinux\-PAM\fR -configuration directory. Generally, if this directory is present, the -\fI/etc/pam.conf\fR -file is ignored. -.SH "ERRORS" -.PP -Typically errors generated by the -\fBLinux\-PAM\fR -system of libraries, will be written to -\fBsyslog\fR(3). -.SH "CONFORMING TO" -.PP -DCE\-RFC 86.0, October 1995. Contains additional features, but remains backwardly compatible with this RFC. -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_authenticate\fR(3), -\fBpam_sm_setcred\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/misc_conv.3 b/doc/man/misc_conv.3 deleted file mode 100644 index bb8cbd87..00000000 --- a/doc/man/misc_conv.3 +++ /dev/null 
@@ -1,97 +0,0 @@ -.\" Title: misc_conv -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "MISC_CONV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -misc_conv \- text based conversation function -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 15 -.BI "void misc_conv(int\ " "num_msg" ", const\ struct\ pam_message\ **" "msgm" ", struct\ pam_response\ **" "response" ", void\ *" "appdata_ptr" ");" -.SH "DESCRIPTION" -.PP -The -\fBmisc_conv\fR -function is part of -\fBlibpam_misc\fR -and not of the standard -\fBlibpam\fR -library. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules. -.PP -In addition to simply slotting into the appropriate -\fBpam_conv\fR(3), this function provides some time\-out facilities. The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something. The five variabls are as follows: -.TP 3n -\fBtime_t\fR \fIpam_misc_conv_warn_time\fR; -This variable contains the -\fItime\fR -(as returned by -\fBtime\fR(2)) that the user should be first warned that the clock is ticking. By default it has the value -0, which indicates that no such warning will be given. The application may set its value to sometime in the future, but this should be done prior to passing control to the -\fILinux\-PAM\fR -library. -.TP 3n -\fBconst char *\fR\fIpam_misc_conv_warn_line\fR; -Used in conjuction with -\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching. 
Its default value is a translated version of -\(lq...Time is running out...\(rq, but this can be changed by the application prior to passing control to -\fILinux\-PAM\fR. -.TP 3n -\fBtime_t\fR \fIpam_misc_conv_die_time\fR; -This variable contains the -\fItime\fR -(as returned by -\fBtime\fR(2)) that the will time out. By default it has the value -0, which indicates that the conversation function will not timeout. The application may set its value to sometime in the future, but this should be done prior to passing control to the -\fILinux\-PAM\fR -library. -.TP 3n -\fBconst char *\fR\fIpam_misc_conv_die_line\fR; -Used in conjuction with -\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out. Its default value is a translated version of -\(lq...Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to -\fILinux\-PAM\fR. -.TP 3n -\fBint\fR \fIpam_misc_conv_died\fR; -Following a return from the -\fILinux\-PAM\fR -libraray, the value of this variable indicates whether the conversation has timed out. A value of -1 -indicates the time\-out occurred. -.PP -The following two function pointers are available for supporting binary prompts in the conversation function. They are optimized for the current incarnation of the -\fBlibpamc\fR -library and are subject to change. -.TP 3n -\fBint\fR \fI(*pam_binary_handler_fn)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIprompt_p\fR); -This function pointer is initialized to -NULL -but can be filled with a function that provides machine\-machine (hidden) message exchange. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges. (This is still under development.) 
-.TP 3n -\fBint\fR \fI(*pam_binary_handler_free)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIdelete_me\fR); -This function pointer is initialized to -\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application. -.SH "SEE ALSO" -.PP - -\fBpam_conv\fR(3), -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBmisc_conv\fR -function is part of the -\fBlibpam_misc\fR -Library and not defined in any standard. diff --git a/doc/man/pam.3 b/doc/man/pam.3 deleted file mode 100644 index a3582242..00000000 --- a/doc/man/pam.3 +++ /dev/null 
@@ -1,282 +0,0 @@ -.\" Title: pam -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.0 -.\" Date: 10/26/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM" "3" "10/26/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam \- Pluggable Authentication Modules Library -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.SH "DESCRIPTION" -.PP - -\fBPAM\fR -is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as -\fBlogin\fR(1) -and -\fBsu\fR(1)) defer to to perform standard authentication tasks. -.SS "Initialization and Cleanup" -.PP -The -\fBpam_start\fR(3) -function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context. -.PP -The -\fBpam_end\fR(3) -function terminates the PAM transaction and is the last function an application should call in the PAM context. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid. It can be called at any time to terminate a PAM transaction. -.SS "Authentication" -.PP -The -\fBpam_authenticate\fR(3) -function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print. 
-.PP -The -\fBpam_setcred\fR(3) -function manages the userscredentials. -.SS "Account Management" -.PP -The -\fBpam_acct_mgmt\fR(3) -function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated. -.SS "Password Management" -.PP -The -\fBpam_chauthtok\fR(3) -function is used to change the authentication token for a given user on request or because the token has expired. -.SS "Session Management" -.PP -The -\fBpam_open_session\fR(3) -function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to -\fBpam_close_session\fR(3). -.SS "Conversation" -.PP -The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the -\fIstruct pam_conv\fR -passed to -\fBpam_start\fR(3) -at the start of the transaction. See -\fBpam_conv\fR(3) -for details. -.SS "Data Objects" -.PP -The -\fBpam_set_item\fR(3) -and -\fBpam_get_item\fR(3) -functions allows applications and PAM service modules to set and retrieve PAM informations. -.PP -The -\fBpam_get_user\fR(3) -function is the preferred method to obtain the username. -.PP -The -\fBpam_set_data\fR(3) -and -\fBpam_get_data\fR(3) -functions allows PAM service modules to set and retrieve free\-form data from one invocation to another. -.SS "Environment and Error Management" -.PP -The -\fBpam_putenv\fR(3), -\fBpam_getenv\fR(3) -and -\fBpam_getenvlist\fR(3) -functions are for maintaining a set of private environment variables. -.PP -The -\fBpam_strerror\fR(3) -function returns a pointer to a string describing the given PAM error code. -.SH "RETURN VALUES" -.PP -The following return codes are known by PAM: -.PP -PAM_ABORT -.RS 3n -Critical error, immediate abort. -.RE -.PP -PAM_ACCT_EXPIRED -.RS 3n -User account has expired. 
-.RE -.PP -PAM_AUTHINFO_UNAVAIL -.RS 3n -Authentication service cannot retrieve authentication info. -.RE -.PP -PAM_AUTHTOK_DISABLE_AGING -.RS 3n -Authentication token aging disabled. -.RE -.PP -PAM_AUTHTOK_ERR -.RS 3n -Authentication token manipulation error. -.RE -.PP -PAM_AUTHTOK_EXPIRED -.RS 3n -Authentication token expired. -.RE -.PP -PAM_AUTHTOK_LOCK_BUSY -.RS 3n -Authentication token lock busy. -.RE -.PP -PAM_AUTHTOK_RECOVERY_ERR -.RS 3n -Authentication information cannot be recovered. -.RE -.PP -PAM_AUTH_ERR -.RS 3n -Authentication failure. -.RE -.PP -PAM_BUF_ERR -.RS 3n -Memory buffer error. -.RE -.PP -PAM_CONV_ERR -.RS 3n -Conversation failure. -.RE -.PP -PAM_CRED_ERR -.RS 3n -Failure setting user credentials. -.RE -.PP -PAM_CRED_EXPIRED -.RS 3n -User credentials expired. -.RE -.PP -PAM_CRED_INSUFFICIENT -.RS 3n -Insufficient credentials to access authentication data. -.RE -.PP -PAM_CRED_UNAVAIL -.RS 3n -Authentication service cannot retrieve user credentials. -.RE -.PP -PAM_IGNORE -.RS 3n -The return value should be ignored by PAM dispatch. -.RE -.PP -PAM_MAXTRIES -.RS 3n -Have exhausted maximum number of retries for service. -.RE -.PP -PAM_MODULE_UNKNOWN -.RS 3n -Module is unknown. -.RE -.PP -PAM_NEW_AUTHTOK_REQD -.RS 3n -Authentication token is no longer valid; new one required. -.RE -.PP -PAM_NO_MODULE_DATA -.RS 3n -No module specific data is present. -.RE -.PP -PAM_OPEN_ERR -.RS 3n -Failed to load module. -.RE -.PP -PAM_PERM_DENIED -.RS 3n -Permission denied. -.RE -.PP -PAM_SERVICE_ERR -.RS 3n -Error in service module. -.RE -.PP -PAM_SESSION_ERR -.RS 3n -Cannot make/remove an entry for the specified session. -.RE -.PP -PAM_SUCCESS -.RS 3n -Success. -.RE -.PP -PAM_SYMBOL_ERR -.RS 3n -Symbol not found. -.RE -.PP -PAM_SYSTEM_ERR -.RS 3n -System error. -.RE -.PP -PAM_TRY_AGAIN -.RS 3n -Failed preliminary check by password service. -.RE -.PP -PAM_USER_UNKNOWN -.RS 3n -User not known to the underlying authentication module. 
-.RE -.SH "SEE ALSO" -.PP - -\fBpam_acct_mgmt\fR(3), -\fBpam_authenticate\fR(3), -\fBpam_chauthtok\fR(3), -\fBpam_close_session\fR(3), -\fBpam_conv\fR(3), -\fBpam_end\fR(3), -\fBpam_get_data\fR(3), -\fBpam_getenv\fR(3), -\fBpam_getenvlist\fR(3), -\fBpam_get_item\fR(3), -\fBpam_get_user\fR(3), -\fBpam_open_session\fR(3), -\fBpam_putenv\fR(3), -\fBpam_set_data\fR(3), -\fBpam_set_item\fR(3), -\fBpam_setcred\fR(3), -\fBpam_start\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam.8 b/doc/man/pam.8 deleted file mode 100644 index da9773b9..00000000 --- a/doc/man/pam.8 +++ /dev/null @@ -1 +0,0 @@ -.so man8/PAM.8 diff --git a/doc/man/pam.conf.5 b/doc/man/pam.conf.5 deleted file mode 100644 index 11fd86e7..00000000 --- a/doc/man/pam.conf.5 +++ /dev/null 
@@ -1,317 +0,0 @@ -.\" Title: pam.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM\.CONF" "5" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam.conf, pam.d - PAM configuration files -.SH "DESCRIPTION" -.PP -When a -\fIPAM\fR -aware privilege granting application is started, it activates its attachment to the PAM\-API\. This activation performs a number of tasks, the most important being the reading of the configuration file(s): -\fI/etc/pam\.conf\fR\. Alternatively, this may be the contents of the -\fI/etc/pam\.d/\fR -directory\. The presence of this directory will cause Linux\-PAM to ignore -\fI/etc/pam\.conf\fR\. -.PP -These files list the -\fIPAM\fRs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM\-API in the event that individual -\fIPAM\fRs fail\. -.PP -The syntax of the -\fI/etc/pam\.conf\fR -configuration file is as follows\. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\e\'\. Comments are preceded with `#\' marks and extend to the next end of line\. -.PP -The format of each rule is a space separated collection of tokens, the first three being case\-insensitive: -.PP - -\fB service type control module\-path module\-arguments\fR -.PP -The syntax of files contained in the -\fI/etc/pam\.d/\fR -directory, are identical except for the absence of any -\fIservice\fR -field\. In this case, the -\fIservice\fR -is the name of the file in the -\fI/etc/pam\.d/\fR -directory\. This filename must be in lower case\. -.PP -An important feature of -\fIPAM\fR, is that a number of rules may be -\fIstacked\fR -to combine the services of a number of PAMs for a given authentication task\. 
-.PP -The -\fIservice\fR -is typically the familiar name of the corresponding application: -\fIlogin\fR -and -\fIsu\fR -are good examples\. The -\fIservice\fR\-name, -\fIother\fR, is reserved for giving -\fIdefault\fR -rules\. Only lines that mention the current service (or in the absence of such, the -\fIother\fR -entries) will be associated with the given service\-application\. -.PP -The -\fItype\fR -is the management group that the rule corresponds to\. It is used to specify which of the management groups the subsequent module is to be associated with\. Valid entries are: -.PP -account -.RS 4 -this module type performs non\-authentication based account management\. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- \'root\' login only on the console\. -.RE -.PP -auth -.RS 4 -this module type provides two aspects of authenticating the user\. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification\. Secondly, the module can grant group membership or other privileges through its credential granting properties\. -.RE -.PP -password -.RS 4 -this module type is required for updating the authentication token associated with the user\. Typically, there is one module for each \'challenge/response\' based authentication (auth) type\. -.RE -.PP -session -.RS 4 -this module type is associated with doing things that need to be done for the user before/after they can be given service\. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc\. -.RE -.PP -The third field, -\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task\. 
There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of -\fIvalue=action\fR -pairs\. -.PP -For the simple (historical) syntax valid -\fIcontrol\fR -values are: -.PP -required -.RS 4 -failure of such a PAM will ultimately lead to the PAM\-API returning failure but only after the remaining -\fIstacked\fR -modules (for this -\fIservice\fR -and -\fItype\fR) have been invoked\. -.RE -.PP -requisite -.RS 4 -like -\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application\. The return value is that associated with the first required or requisite module to fail\. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium\. It is conceivable that such behavior might inform an attacker of valid accounts on a system\. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment\. -.RE -.PP -sufficient -.RS 4 -success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior -\fIrequired\fR -module has failed the success of this one is -\fIignored\fR)\. A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded\. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules\. -.RE -.PP -optional -.RS 4 -the success or failure of this module is only important if it is the only module in the stack associated with this -\fIservice\fR+\fItype\fR\. -.RE -.PP -include -.RS 4 -include all lines of given type from the configuration file specified as an argument to this control\. -.RE -.PP -substack -.RS 4 -include all lines of given type from the configuration file specified as an argument to this control\. 
This differs from -\fIinclude\fR -in that evaluation of the -\fIdone\fR -and -\fIdie\fR -actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack\. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack\. The -\fIreset\fR -action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation\. -.RE -.PP -For the more complicated syntax valid -\fIcontrol\fR -values have the following form: -.sp -.RS 4 -.nf - [value1=action1 value2=action2 \.\.\.] - -.fi -.RE -.PP -Where -\fIvalueN\fR -corresponds to the return code from the function invoked in the module for which the line is defined\. It is selected from one of these: -\fIsuccess\fR, -\fIopen_err\fR, -\fIsymbol_err\fR, -\fIservice_err\fR, -\fIsystem_err\fR, -\fIbuf_err\fR, -\fIperm_denied\fR, -\fIauth_err\fR, -\fIcred_insufficient\fR, -\fIauthinfo_unavail\fR, -\fIuser_unknown\fR, -\fImaxtries\fR, -\fInew_authtok_reqd\fR, -\fIacct_expired\fR, -\fIsession_err\fR, -\fIcred_unavail\fR, -\fIcred_expired\fR, -\fIcred_err\fR, -\fIno_module_data\fR, -\fIconv_err\fR, -\fIauthtok_err\fR, -\fIauthtok_recover_err\fR, -\fIauthtok_lock_busy\fR, -\fIauthtok_disable_aging\fR, -\fItry_again\fR, -\fIignore\fR, -\fIabort\fR, -\fIauthtok_expired\fR, -\fImodule_unknown\fR, -\fIbad_item\fR, -\fIconv_again\fR, -\fIincomplete\fR, and -\fIdefault\fR\. -.PP -The last of these, -\fIdefault\fR, implies \'all -\fIvalueN\fR\'s not mentioned explicitly\. Note, the full list of PAM errors is available in -\fI/usr/include/security/_pam_types\.h\fR\. 
The -\fIactionN\fR -can be: an unsigned integer, -\fIn\fR, signifying an action of \'jump over the next -\fIn\fR -modules in the stack\'; or take one of the following forms: -.PP -ignore -.RS 4 -when used with a stack of modules, the module\'s return status will not contribute to the return code the application obtains\. -.RE -.PP -bad -.RS 4 -this action indicates that the return code should be thought of as indicative of the module failing\. If this module is the first in the stack to fail, its status value will be used for that of the whole stack\. -.RE -.PP -die -.RS 4 -equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application\. -.RE -.PP -ok -.RS 4 -this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules\. In other words, if the former state of the stack would lead to a return of -\fIPAM_SUCCESS\fR, the module\'s return code will override this value\. Note, if the former state of the stack holds some value that is indicative of a modules failure, this \'ok\' value will not be used to override that value\. -.RE -.PP -done -.RS 4 -equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application\. -.RE -.PP -reset -.RS 4 -clear all memory of the state of the module stack and start again with the next stacked module\. -.RE -.PP -Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [\.\.\.] syntax\. 
They are as follows: -.PP -required -.RS 4 -[success=ok new_authtok_reqd=ok ignore=ignore default=bad] -.RE -.PP -requisite -.RS 4 -[success=ok new_authtok_reqd=ok ignore=ignore default=die] -.RE -.PP -sufficient -.RS 4 -[success=done new_authtok_reqd=done default=ignore] -.RE -.PP -optional -.RS 4 -[success=ok new_authtok_reqd=ok default=ignore] -.RE -.PP - -\fImodule\-path\fR -is either the full filename of the PAM to be used by the application (it begins with a \'/\'), or a relative pathname from the default module location: -\fI/lib/security/\fR -or -\fI/lib64/security/\fR, depending on the architecture\. -.PP - -\fImodule\-arguments\fR -are a space separated list of tokens that can be used to modify the specific behavior of the given PAM\. Such arguments will be documented for each individual module\. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets\. -.sp -.RS 4 -.nf - squid auth required pam_mysql\.so user=passwd_query passwd=mada \e - db=eminence [query=select user_name from internet_service \e - where user_name=\'%u\' and password=PASSWORD(\'%p\') and \e - service=\'web_proxy\'] - -.fi -.RE -.PP -When using this convention, you can include `[\' characters inside the string, and if you wish to include a `]\' character inside the string that will survive the argument parsing, you should use `\e]\'\. In other words: -.sp -.RS 4 -.nf - [\.\.[\.\.\e]\.\.] \-\-> \.\.[\.\.]\.\. - -.fi -.RE -.PP -Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail\. A corresponding error is written to the system log files with a call to -\fBsyslog\fR(3)\. -.PP -More flexible than the single configuration file is it to configure libpam via the contents of the -\fI/etc/pam\.d/\fR -directory\. 
In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service\. -.PP -The syntax of each file in /etc/pam\.d/ is similar to that of the -\fI/etc/pam\.conf\fR -file and is made up of lines of the following form: -.sp -.RS 4 -.nf -type control module\-path module\-arguments - -.fi -.RE -.PP -The only difference being that the service\-name is not present\. The service\-name is of course the name of the given configuration file\. For example, -\fI/etc/pam\.d/login\fR -contains the configuration for the -\fBlogin\fR -service\. -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBPAM\fR(8), -\fBpam_start\fR(3) diff --git a/doc/man/pam.d.5 b/doc/man/pam.d.5 deleted file mode 100644 index e4606aed..00000000 --- a/doc/man/pam.d.5 +++ /dev/null @@ -1 +0,0 @@ -.so man5/pam.conf.5 diff --git a/doc/man/pam_acct_mgmt.3 b/doc/man/pam_acct_mgmt.3 deleted file mode 100644 index 352df7d1..00000000 --- a/doc/man/pam_acct_mgmt.3 +++ /dev/null 
@@ -1,68 +0,0 @@ -.\" Title: pam_acct_mgmt -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ACCT_MGMT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_acct_mgmt \- PAM account validation management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 18 -.BI "int pam_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_acct_mgmt\fR -function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated. -.PP -The -\fIpamh\fR -argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_DISALLOW_NULL_AUTHTOK -The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token. -.SH "RETURN VALUES" -.TP 3n -PAM_ACCT_EXPIRED -User account has expired. -.TP 3n -PAM_AUTH_ERR -Authentication failure. -.TP 3n -PAM_NEW_AUTHTOK_REQD -The user account is valid but their authentication token is -\fIexpired\fR. The correct response to this return\-value is to require that the user satisfies the -\fBpam_chauthtok()\fR -function before obtaining service. It may not be possible for some applications to do this. In such cases, the user should be denied access until such time as they can update their password. -.TP 3n -PAM_PERM_DENIED -Permission denied. -.TP 3n -PAM_SUCCESS -The authentication token was successfully updated. -.TP 3n -PAM_USER_UNKNOWN -User unknown to password service. 
-.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_authenticate\fR(3), -\fBpam_chauthtok\fR(3), -\fBpam_strerror\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_authenticate.3 b/doc/man/pam_authenticate.3 deleted file mode 100644 index 576a7a2c..00000000 --- a/doc/man/pam_authenticate.3 +++ /dev/null 
@@ -1,76 +0,0 @@ -.\" Title: pam_authenticate -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_AUTHENTICATE" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_authenticate \- account authentication -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 21 -.BI "int pam_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_authenticate\fR -function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print. -.PP -The PAM service module may request that the user enter their username vio the the conversation mechanism (see -\fBpam_start\fR(3) -and -\fBpam_conv\fR(3)). The name of the authenticated user will be present in the PAM item PAM_USER. This item may be recovered with a call to -\fBpam_get_item\fR(3). -.PP -The -\fIpamh\fR -argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_DISALLOW_NULL_AUTHTOK -The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token. -.SH "RETURN VALUES" -.TP 3n -PAM_ABORT -The application should exit immediately after calling -\fBpam_end\fR(3) -first. -.TP 3n -PAM_AUTH_ERR -The user was not authenticated. -.TP 3n -PAM_CRED_INSUFFICIENT -For some reason the application does not have sufficient credentials to authenticate the user. -.TP 3n -PAM_AUTHINFO_UNVAIL -The modules were not able to access the authentication information. This might be due to a network or hardware failure etc. 
-.TP 3n -PAM_MAXTRIES -One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again. -.TP 3n -PAM_SUCCESS -The user was successfully authenticated. -.TP 3n -PAM_USER_UNKNOWN -User unknown to authentication service. -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_setcred\fR(3), -\fBpam_chauthtok\fR(3), -\fBpam_strerror\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_chauthtok.3 b/doc/man/pam_chauthtok.3 deleted file mode 100644 index 16c673b5..00000000 --- a/doc/man/pam_chauthtok.3 +++ /dev/null 
@@ -1,73 +0,0 @@ -.\" Title: pam_chauthtok -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_CHAUTHTOK" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_chauthtok \- updating authentication tokens -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 18 -.BI "int pam_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_chauthtok\fR -function is used to change the authentication token for a given user (as indicated by the state associated with the handle -\fIpamh\fR). -.PP -The -\fIpamh\fR -argument is an authentication handle obtained by a prior call to pam_start(). The flags argument is the binary or of zero or more of the following values: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_CHANGE_EXPIRED_AUTHTOK -This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired. If this argument is not passed, the application requires that all authentication tokens are to be changed. -.SH "RETURN VALUES" -.TP 3n -PAM_AUTHTOK_ERR -A module was unable to obtain the new authentication token. -.TP 3n -PAM_AUTHTOK_RECOVERY_ERR -A module was unable to obtain the old authentication token. -.TP 3n -PAM_AUTHTOK_LOCK_BUSY -One or more of the modules was unable to change the authentication token since it is currently locked. -.TP 3n -PAM_AUTHTOK_DISABLE_AGING -Authentication token aging has been disabled for at least one of the modules. -.TP 3n -PAM_PERM_DENIED -Permission denied. -.TP 3n -PAM_SUCCESS -The authentication token was successfully updated. -.TP 3n -PAM_TRY_AGAIN -Not all of the modules were in a position to update the authentication token(s). In such a case none of the user's authentication tokens are updated. 
-.TP 3n -PAM_USER_UNKNOWN -User unknown to password service. -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_authenticate\fR(3), -\fBpam_setcred\fR(3), -\fBpam_get_item\fR(3), -\fBpam_strerror\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_close_session.3 b/doc/man/pam_close_session.3 deleted file mode 100644 index 622c10e9..00000000 --- a/doc/man/pam_close_session.3 +++ /dev/null @@ -1,55 +0,0 @@ -.\" Title: pam_close_session -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_CLOSE_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_close_session \- terminate PAM session management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 22 -.BI "int pam_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_close_session\fR -function is used to indicate that an authenticated session has ended. The session should have been created with a call to -\fBpam_open_session\fR(3). -.PP -It should be noted that the effective uid, -\fBgeteuid\fR(2). of the application should be of sufficient privilege to perform such tasks as unmounting the user's home directory for example. -.PP -The flags argument is the binary or of zero or more of the following values: -.TP 3n -PAM_SILENT -Do not emit any messages. -.SH "RETURN VALUES" -.TP 3n -PAM_ABORT -General failure. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_SESSION_ERR -Session failure. -.TP 3n -PAM_SUCCESS -Session was successful terminated. -.SH "SEE ALSO" -.PP - -\fBpam_open_session\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_conv.3 b/doc/man/pam_conv.3 deleted file mode 100644 index 4465adfc..00000000 --- a/doc/man/pam_conv.3 +++ /dev/null 
@@ -1,145 +0,0 @@ -.\" Title: pam_conv -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_CONV" "3" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_conv - PAM conversation function -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.sp -.RS 4 -.nf -struct pam_message { - int msg_style; - const char *msg; -}; - -struct pam_response { - char *resp; - int resp_retcode; -}; - -struct pam_conv { - int (*conv)(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr); - void *appdata_ptr; -}; - -.fi -.RE -.SH "DESCRIPTION" -.PP -The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\. This callback is specified by the -\fIstruct pam_conv\fR -passed to -\fBpam_start\fR(3) -at the start of the transaction\. -.PP -When a module calls the referenced conv() function, the argument -\fIappdata_ptr\fR -is set to the second element of this structure\. -.PP -The other arguments of a call to conv() concern the information exchanged by module and application\. That is to say, -\fInum_msg\fR -holds the length of the array of pointers, -\fImsg\fR\. After a successful return, the pointer -\fIresp\fR -points to an array of pam_response structures, holding the application supplied text\. The -\fIresp_retcode\fR -member of this struct is unused and should be set to zero\. It is the caller\'s responsibility to release both, this array and the responses themselves, using -\fBfree\fR(3)\. Note, -\fI*resp\fR -is a -\fIstruct pam_response\fR -array and not an array of pointers\. -.PP -The number of responses is always equal to the -\fInum_msg\fR -conversation function argument\. 
This does require that the response array is -\fBfree\fR(3)\'d after every call to the conversation function\. The index of the responses corresponds directly to the prompt index in the pam_message array\. -.PP -On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\. -.PP -Each message can have one of four types, specified by the -\fImsg_style\fR -member of -\fIstruct pam_message\fR: -.PP -PAM_PROMPT_ECHO_OFF -.RS 4 -Obtain a string without echoing any text\. -.RE -.PP -PAM_PROMPT_ECHO_ON -.RS 4 -Obtain a string whilst echoing text\. -.RE -.PP -PAM_ERROR_MSG -.RS 4 -Display an error message\. -.RE -.PP -PAM_TEXT_INFO -.RS 4 -Display some text\. -.RE -.PP -The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\. -.PP -In passing, it is worth noting that there is a descrepency between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument from the way that Solaris\' PAM (and derivitives, known to include HP/UX, are there others?) does\. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \'struct pam_message\' pointers\. Solaris\' PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\. 
Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\. -.PP -For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are: -.sp -.RS 4 -\h'-04'\(bu\h'+03'never call the conversation function with num_msg greater than one\. -.RE -.sp -.RS 4 -\h'-04'\(bu\h'+03'set up msg as doubly referenced so both types of conversation function can find the messages\. That is, make -.sp -.RS 4 -.nf - msg[n] = & (( *msg )[n]) - -.fi -.RE -.RE -.SH "RETURN VALUES" -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_CONV_ERR -.RS 4 -Conversation failure\. The application should not set -\fI*resp\fR\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Success\. -.RE -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_set_item\fR(3), -\fBpam_get_item\fR(3), -\fBpam_strerror\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_end.3 b/doc/man/pam_end.3 deleted file mode 100644 index 3b28a265..00000000 --- a/doc/man/pam_end.3 +++ /dev/null 
@@ -1,69 +0,0 @@ -.\" Title: pam_end -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_END" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_end \- termination of PAM transaction -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 12 -.BI "int pam_end(pam_handle_t\ *" "pamh" ", int\ " "pam_status" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_end\fR -function terminates the PAM transaction and is the last function an application should call in the PAM context. Upon return the handle -\fIpamh\fR -is no longer valid and all memory associated with it will be invalid. -.PP -The -\fIpam_status\fR -argument should be set to the value returned to the application by the last PAM library call. -.PP -The value taken by -\fIpam_status\fR -is used as an argument to the module specific callback function, -\fBcleanup()\fR -(See -\fBpam_set_data\fR(3) -and -\fBpam_get_data\fR(3)). In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked. This argument can be logically OR'd with -\fIPAM_DATA_SILENT\fR -to indicate to indicate that the module should not treat the call too seriously. It is generally used to indicate that the current closing of the library is in a -\fBfork\fR(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc.). -.PP -This function -\fIfree\fR's all memory for items associated with the -\fBpam_set_item\fR(3) -and -\fBpam_get_item\fR(3) -functions. Pointers associated with such objects are not valid anymore after -\fBpam_end\fR -was called. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -Transaction was successful terminated. 
-.TP 3n -PAM_SYSTEM_ERR -System error, for example a NULL pointer was submitted as PAM handle or the function was called by a module. -.SH "SEE ALSO" -.PP - -\fBpam_get_data\fR(3), -\fBpam_set_data\fR(3), -\fBpam_start\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_error.3 b/doc/man/pam_error.3 deleted file mode 100644 index f295f98b..00000000 --- a/doc/man/pam_error.3 +++ /dev/null @@ -1,66 +0,0 @@ -.\" Title: pam_error -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ERROR" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_error, pam_verror \- display error messages to the user -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 14 -.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "..." ");" -.HP 15 -.BI "int pam_verror(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_error\fR -function prints error messages through the conversation function to the user. -.PP -The -\fBpam_verror\fR -function performs the same task as -\fBpam_error()\fR -with the difference that it takes a set of arguments which have been obtained using the -\fBstdarg\fR(3) -variable argument list macros. -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_CONV_ERR -Conversation failure. -.TP 3n -PAM_SUCCESS -Error message was displayed. -.TP 3n -PAM_SYSTEM_ERR -System error. -.SH "SEE ALSO" -.PP - -\fBpam_info\fR(3), -\fBpam_vinfo\fR(3), -\fBpam_prompt\fR(3), -\fBpam_vprompt\fR(3), -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBpam_error\fR -and -\fBpam_verror\fR -functions are Linux\-PAM extensions. diff --git a/doc/man/pam_fail_delay.3 b/doc/man/pam_fail_delay.3 deleted file mode 100644 index 000276ed..00000000 
--- a/doc/man/pam_fail_delay.3
+++ /dev/null
@@ -1,130 +0,0 @@ -.\" Title: pam_fail_delay -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 08/01/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_FAIL_DELAY" "3" "08/01/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_fail_delay \- request a delay on failure -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 19 -.BI "int pam_fail_delay(pam_handle_t\ *" "pamh" ", unsigned\ int\ " "usec" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_fail_delay\fR -function provides a mechanism by which an application or module can suggest a minimum delay of -\fIusec\fR -micro\-seconds. The function keeps a record of the longest time requested with this function. Should -\fBpam_authenticate\fR(3) -fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 25%) about this longest value. -.PP -Independent of success, the delay time is reset to its zero default value when the PAM service module returns control to the application. The delay occurs -\fIafter\fR -all authentication modules have been called, but -\fIbefore\fR -control is returned to the service application. -.PP -When using this function the programmer should check if it is available with: -.sp -.RS 3n -.nf -#ifdef HAVE_PAM_FAIL_DELAY - .... -#endif /* HAVE_PAM_FAIL_DELAY */ - -.fi -.RE -.PP -For applications written with a single thread that are event driven in nature, generating this delay may be undesirable. Instead, the application may want to register the delay in some other way. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires. For this reason the delay function can be changed with the -\fIPAM_FAIL_DELAY\fR -item. 
It can be queried and set with -\fBpam_get_item\fR(3) -and -\fBpam_set_item \fR(3) -respectively. The value used to set it should be a function pointer of the following prototype: -.sp -.RS 3n -.nf -void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); - -.fi -.RE -.sp -The arguments being the -\fIretval\fR -return code of the module stack, the -\fIusec_delay\fR -micro\-second delay that libpam is requesting and the -\fIappdata_ptr\fR -that the application has associated with the current -\fIpamh\fR. This last value was set by the application when it called -\fBpam_start\fR(3) -or explicitly with -\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed. -.SH "RATIONALE" -.PP -It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of -\fIshort\fR -timeouts, it may prove possible to attempt a -\fIbrute force\fR -dictionary attack \-\- with an automated process, the attacker tries all possible passwords to gain access to the system. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process. These latter attacks make use of procedural delays that constitute a -\fIcovert channel\fR -of useful information. -.PP -To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferable this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditional. -.SH "EXAMPLE" -.PP -For example, a login application may require a failure delay of roughly 3 seconds. 
It will contain the following code: -.sp -.RS 3n -.nf - pam_fail_delay (pamh, 3000000 /* micro\-seconds */ ); - pam_authenticate (pamh, 0); - -.fi -.RE -.PP -if the modules do not request a delay, the failure delay will be between 2.25 and 3.75 seconds. -.PP -However, the modules, invoked in the authentication process, may also request delays: -.sp -.RS 3n -.nf -module #1: pam_fail_delay (pamh, 2000000); -module #2: pam_fail_delay (pamh, 4000000); - -.fi -.RE -.PP -in this case, it is the largest requested value that is used to compute the actual failed delay: here between 3 and 5 seconds. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -Delay was successful adjusted. -.TP 3n -PAM_SYSTEM_ERR -A NULL pointer was submitted as PAM handle. -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_get_item\fR(3), -\fBpam_strerror\fR(3) -.SH "STANDARDS" -.PP -The -\fBpam_fail_delay\fR -function is an Linux\-PAM extension. diff --git a/doc/man/pam_get_data.3 b/doc/man/pam_get_data.3 deleted file mode 100644 index cacec733..00000000 --- a/doc/man/pam_get_data.3 +++ /dev/null 
@@ -1,60 +0,0 @@ -.\" Title: pam_get_data -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_GET_DATA" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_get_data \- get module internal data -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 17 -.BI "int pam_get_data(const\ pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", const\ void\ **" "data" ");" -.SH "DESCRIPTION" -.PP -This function together with the -\fBpam_set_data\fR(3) -function is useful to manage module\-specific data meaningful only to the calling PAM module. -.PP -The -\fBpam_get_data\fR -function looks up the object associated with the (hopefully) unique string -\fImodule_data_name\fR -in the PAM context specified by the -\fIpamh\fR -argument. A successful call to -\fBpam_get_data\fR -will result in -\fIdata\fR -pointing to the object. Note, this data is -\fInot\fR -a copy and should be treated as -\fIconstant\fR -by the module. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -Data was successful retrieved. -.TP 3n -PAM_SYSTEM_ERR -A NULL pointer was submitted as PAM handle or the function was called by an application. -.TP 3n -PAM_NO_MODULE_DATA -Module data not found or there is an entry, but it has the value NULL. -.SH "SEE ALSO" -.PP - -\fBpam_end\fR(3), -\fBpam_set_data\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_get_item.3 b/doc/man/pam_get_item.3 deleted file mode 100644 index 27ea6cf3..00000000 --- a/doc/man/pam_get_item.3 +++ /dev/null 
@@ -1,173 +0,0 @@ -.\" Title: pam_get_item -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.2 -.\" Date: 12/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_GET_ITEM" "3" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_get_item - getting PAM informations -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 17 -.BI "int pam_get_item(const\ pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ **" "item" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_get_item\fR -function allows applications and PAM service modules to access and retrieve PAM informations of -\fIitem_type\fR\. Upon successful return, -\fIitem\fR -contains a pointer to the value of the corresponding item\. Note, this is a pointer to the -\fIactual\fR -data and should -\fBnot\fR -be -\fIfree()\fR\'ed or over\-written! The following values are supported for -\fIitem_type\fR: -.PP -PAM_SERVICE -.RS 4 -The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\. -.RE -.PP -PAM_USER -.RS 4 -The username of the entity under whose identity service will be given\. That is, following authentication, -\fIPAM_USER\fR -identifies the local entity that gets to use the service\. Note, this value can be mapped from something (eg\., "anonymous") to something else (eg\. "guest119") by any module in the PAM stack\. As such an application should consult the value of -\fIPAM_USER\fR -after each call to a PAM function\. -.RE -.PP -PAM_USER_PROMPT -.RS 4 -The string used when prompting for a user\'s name\. The default value for this string is a localized version of "login: "\. -.RE -.PP -PAM_TTY -.RS 4 -The terminal name: prefixed by -\fI/dev/\fR -if it is a device file; for graphical, X\-based, applications the value for this item should be the -\fI$DISPLAY\fR -variable\. 
-.RE -.PP -PAM_RUSER -.RS 4 -The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\. -.sp -Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\. -.sp - -\fIPAM_RUSER@PAM_RHOST\fR -should always identify the requesting user\. In some cases, -\fIPAM_RUSER\fR -may be NULL\. In such situations, it is unclear who the requesting entity is\. -.RE -.PP -PAM_RHOST -.RS 4 -The requesting hostname (the hostname of the machine from which the -\fIPAM_RUSER\fR -entity is requesting service)\. That is -\fIPAM_RUSER@PAM_RHOST\fR -does identify the requesting user\. In some applications, -\fIPAM_RHOST\fR -may be NULL\. In such situations, it is unclear where the authentication request is originating from\. -.RE -.PP -PAM_AUTHTOK -.RS 4 -The authentication token (often a password)\. This token should be ignored by all module functions besides -\fBpam_sm_authenticate\fR(3) -and -\fBpam_sm_chauthtok\fR(3)\. In the former function it is used to pass the most recent authentication token from one stacked module to another\. In the latter function the token is used for another purpose\. It contains the currently active authentication token\. -.RE -.PP -PAM_OLDAUTHTOK -.RS 4 -The old authentication token\. This token should be ignored by all module functions except -\fBpam_sm_chauthtok\fR(3)\. -.RE -.PP -PAM_CONV -.RS 4 -The pam_conv structure\. See -\fBpam_conv\fR(3)\. -.RE -.PP -The following additional items are specific to Linux\-PAM and should not be used in portable applications: -.PP -PAM_FAIL_DELAY -.RS 4 -A function pointer to redirect centrally managed failure delays\. See -\fBpam_fail_delay\fR(3)\. 
-.RE -.PP -PAM_XDISPLAY -.RS 4 -The name of the X display\. For graphical, X\-based applications the value for this item should be the -\fI$DISPLAY\fR -variable\. This value should be used instead of -\fIPAM_TTY\fR -for passing the name of the display where possible\. -.RE -.PP -PAM_XAUTHDATA -.RS 4 -A pointer to a structure containing the X authentication data required to make a connection to the display specified by -\fIPAM_XDISPLAY\fR, if such information is necessary\. See -\fBpam_xauth_data\fR(3)\. -.RE -.PP -If a service module wishes to obtain the name of the user, it should not use this function, but instead perform a call to -\fBpam_get_user\fR(3)\. -.PP -Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK\. -.SH "RETURN VALUES" -.PP -PAM_BAD_ITEM -.RS 4 -The application attempted to set an undefined or inaccessible item\. -.RE -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_PERM_DENIED -.RS 4 -The value of -\fIitem\fR -was NULL\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Data was successful updated\. -.RE -.PP -PAM_SYSTEM_ERR -.RS 4 -The -\fIpam_handle_t\fR -passed as first argument was invalid\. -.RE -.SH "SEE ALSO" -.PP - -\fBpam_set_item\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_get_user.3 b/doc/man/pam_get_user.3 deleted file mode 100644 index f4ab776b..00000000 --- a/doc/man/pam_get_user.3 +++ /dev/null 
@@ -1,79 +0,0 @@ -.\" Title: pam_get_user -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_GET_USER" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_get_user \- get user name -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 17 -.BI "int pam_get_user(const\ pam_handle_t\ *" "pamh" ", const\ char\ **" "user" ", const\ char\ *" "prompt" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_get_user\fR -function returns the name of the user specified by -\fBpam_start\fR(3). If no user was specified it what -\fBpam_get_item (pamh, PAM_USER, ... );\fR -would have returned. If this is NULL it obtains the username via the -\fBpam_conv\fR(3) -mechanism, it prompts the user with the first non\-NULL string in the following list: -.TP 3n -\(bu -The -\fIprompt\fR -argument passed to the function. -.TP 3n -\(bu -What is returned by pam_get_item (pamh, PAM_USER_PROMPT, ... ); -.TP 3n -\(bu -The default prompt: "login: " -.sp -.RE -.PP -By whatever means the username is obtained, a pointer to it is returned as the contents of -\fI*user\fR. Note, this memory should -\fBnot\fR -be -\fIfree()\fR'd or -\fImodified\fR -by the module. -.PP -This function sets the -\fIPAM_USER\fR -item associated with the -\fBpam_set_item\fR(3) -and -\fBpam_get_item\fR(3) -functions. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -User name was successful retrieved. -.TP 3n -PAM_SYSTEM_ERR -A NULL pointer was submitted. -.TP 3n -PAM_CONV_ERR -The conversation method supplied by the application failed to obtain the username. -.SH "SEE ALSO" -.PP - -\fBpam_end\fR(3), -\fBpam_get_item\fR(3), -\fBpam_set_item\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_getenv.3 b/doc/man/pam_getenv.3 deleted file mode 100644 index 3882d080..00000000 --- a/doc/man/pam_getenv.3 +++ /dev/null 
@@ -1,43 +0,0 @@ -.\" Title: pam_getenv -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_GETENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_getenv \- get a PAM environment variable -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 23 -.BI "const char *pam_getenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_getenv\fR -function searches the PAM environment list as associated with the handle -\fIpamh\fR -for a string that matches the string pointed to by -\fIname\fR. The return values are of the form: "\fIname=value\fR". -.SH "RETURN VALUES" -.PP -The -\fBpam_getenv\fR -function returns NULL on failure. -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_getenvlist\fR(3), -\fBpam_putenv\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_getenvlist.3 b/doc/man/pam_getenvlist.3 deleted file mode 100644 index 57c1d70e..00000000 --- a/doc/man/pam_getenvlist.3 +++ /dev/null 
@@ -1,50 +0,0 @@ -.\" Title: pam_getenvlist -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_GETENVLIST" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_getenvlist \- getting the PAM environment -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 22 -.BI "char **pam_getenvlist(pam_handle_t\ *" "pamh" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_getenvlist\fR -function returns a complete copy of the PAM environment as associated with the handle -\fIpamh\fR. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted. -.PP -The format of the memory is a malloc()'d array of char pointers, the last element of which is set to NULL. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()'d char string of the form: "\fIname=value\fR". -.PP -It should be noted that this memory will never be free()'d by libpam. Once obtained by a call to -\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory. -.PP -It is by design, and not a coincidence, that the format and contents of the returned array matches that required for the third argument of the -\fBexecle\fR(3) -function call. -.SH "RETURN VALUES" -.PP -The -\fBpam_getenvlist\fR -function returns NULL on failure. -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_getenv\fR(3), -\fBpam_putenv\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_info.3 b/doc/man/pam_info.3 deleted file mode 100644 index fabb5aa7..00000000 --- a/doc/man/pam_info.3 +++ /dev/null 
@@ -1,62 +0,0 @@ -.\" Title: pam_info -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_INFO" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_info, pam_vinfo \- display messages to the user -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 13 -.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "..." ");" -.HP 14 -.BI "int pam_vinfo(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_info\fR -function prints messages through the conversation function to the user. -.PP -The -\fBpam_vinfo\fR -function performs the same task as -\fBpam_info()\fR -with the difference that it takes a set of arguments which have been obtained using the -\fBstdarg\fR(3) -variable argument list macros. -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_CONV_ERR -Conversation failure. -.TP 3n -PAM_SUCCESS -Transaction was successful created. -.TP 3n -PAM_SYSTEM_ERR -System error. -.SH "SEE ALSO" -.PP - -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBpam_info\fR -and -\fBpam_vinfo\fR -functions are Linux\-PAM extensions. diff --git a/doc/man/pam_misc_drop_env.3 b/doc/man/pam_misc_drop_env.3 deleted file mode 100644 index 5708d5bc..00000000 --- a/doc/man/pam_misc_drop_env.3 +++ /dev/null 
@@ -1,46 +0,0 @@ -.\" Title: pam_misc_drop_env -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_MISC_DROP_ENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_misc_drop_env \- liberating a locally saved environment -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 22 -.BI "int pam_misc_drop_env(char\ **" "env" ");" -.SH "DESCRIPTION" -.PP -This function is defined to complement the -\fBpam_getenvlist\fR(3) -function. It liberates the memory associated with -\fIenv\fR, -\fIoverwriting\fR -with -\fI0\fR -all memory before -\fBfree()\fRing it. -.SH "SEE ALSO" -.PP - -\fBpam_getenvlist\fR(3), -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBpam_misc_drop_env\fR -function is part of the -\fBlibpam_misc\fR -Library and not defined in any standard. diff --git a/doc/man/pam_misc_paste_env.3 b/doc/man/pam_misc_paste_env.3 deleted file mode 100644 index 9ba1e8fe..00000000 --- a/doc/man/pam_misc_paste_env.3 +++ /dev/null 
@@ -1,41 +0,0 @@ -.\" Title: pam_misc_paste_env -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_MISC_PASTE_ENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_misc_paste_env \- transcribing an environment to that of PAM -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 23 -.BI "int pam_misc_paste_env(pam_handle_t\ *" "pamh" ", const\ char\ *\ const\ *" "user" ");" -.SH "DESCRIPTION" -.PP -This function takes the supplied list of environment pointers and -\fIuploads\fR -its contents to the PAM environment. Success is indicated by -PAM_SUCCESS. -.SH "SEE ALSO" -.PP - -\fBpam_putenv\fR(3), -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBpam_misc_paste_env\fR -function is part of the -\fBlibpam_misc\fR -Library and not defined in any standard. diff --git a/doc/man/pam_misc_setenv.3 b/doc/man/pam_misc_setenv.3 deleted file mode 100644 index 49e8138c..00000000 --- a/doc/man/pam_misc_setenv.3 +++ /dev/null 
@@ -1,46 +0,0 @@ -.\" Title: pam_misc_setenv -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_MISC_SETENV" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_misc_setenv \- BSD like PAM environment variable setting -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 20 -.BI "int pam_misc_setenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ", const\ char\ *" "value" ", int" "readonly" ");" -.SH "DESCRIPTION" -.PP -This function performs a task equivalent to -\fBpam_putenv\fR(3), its syntax is, however, more like the BSD style function; -\fBsetenv()\fR. The -\fIname\fR -and -\fIvalue\fR -are concatenated with an '=' to form a name=value and passed to -\fBpam_putenv()\fR. If, however, the PAM variable is already set, the replacement will only be applied if the last argument, -\fIreadonly\fR, is zero. -.SH "SEE ALSO" -.PP - -\fBpam_putenv\fR(3), -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBpam_misc_setenv\fR -function is part of the -\fBlibpam_misc\fR -Library and not defined in any standard. diff --git a/doc/man/pam_open_session.3 b/doc/man/pam_open_session.3 deleted file mode 100644 index e61b5ed8..00000000 --- a/doc/man/pam_open_session.3 +++ /dev/null 
@@ -1,55 +0,0 @@ -.\" Title: pam_open_session -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_OPEN_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_open_session \- start PAM session management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 21 -.BI "int pam_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_open_session\fR -function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to -\fBpam_close_session\fR(3). -.PP -It should be noted that the effective uid, -\fBgeteuid\fR(2). of the application should be of sufficient privilege to perform such tasks as creating or mounting the user's home directory for example. -.PP -The flags argument is the binary or of zero or more of the following values: -.TP 3n -PAM_SILENT -Do not emit any messages. -.SH "RETURN VALUES" -.TP 3n -PAM_ABORT -General failure. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_SESSION_ERR -Session failure. -.TP 3n -PAM_SUCCESS -Session was successful created. -.SH "SEE ALSO" -.PP - -\fBpam_close_session\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_prompt.3 b/doc/man/pam_prompt.3 deleted file mode 100644 index ce3b2a96..00000000 --- a/doc/man/pam_prompt.3 +++ /dev/null 
@@ -1,55 +0,0 @@ -.\" Title: pam_prompt -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_PROMPT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_prompt, pam_vprompt \- interface to conversation function -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 16 -.BI "void pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "..." ");" -.HP 17 -.BI "void pam_vprompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_prompt\fR -function constructs a message from the specified format string and arguments and passes it to -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_CONV_ERR -Conversation failure. -.TP 3n -PAM_SUCCESS -Transaction was successful created. -.TP 3n -PAM_SYSTEM_ERR -System error. -.SH "SEE ALSO" -.PP - -\fBpam\fR(8), -\fBpam_conv\fR(3) -.SH "STANDARDS" -.PP -The -\fBpam_prompt\fR -and -\fBpam_vprompt\fR -functions are Linux\-PAM extensions. diff --git a/doc/man/pam_putenv.3 b/doc/man/pam_putenv.3 deleted file mode 100644 index b0edc103..00000000 --- a/doc/man/pam_putenv.3 +++ /dev/null 
@@ -1,96 +0,0 @@ -.\" Title: pam_putenv -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 09/28/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_PUTENV" "3" "09/28/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_putenv - set or change PAM environment variable -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 15 -.BI "int pam_putenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name_value" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_putenv\fR -function is used to add or change the value of PAM environment variables as associated with the -\fIpamh\fR -handle\. -.PP -The -\fIpamh\fR -argument is an authentication handle obtained by a prior call to pam_start()\. The -\fIname_value\fR -argument is a single NUL terminated string of one of the following forms: -.PP -NAME=value of variable -.RS 4 -In this case the environment variable of the given NAME is set to the indicated value: -\fIvalue of variable\fR\. If this variable is already known, it is overwritten\. Otherwise it is added to the PAM environment\. -.RE -.PP -NAME= -.RS 4 -This function sets the variable to an empty value\. It is listed separately to indicate that this is the correct way to achieve such a setting\. -.RE -.PP -NAME -.RS 4 -Without an \'=\' the -\fBpam_putenv\fR() function will delete the corresponding variable from the PAM environment\. -.RE -.PP - -\fBpam_putenv\fR() operates on a copy of -\fIname_value\fR, which means in contrast to -\fBputenv\fR(3), the application is responsible to free the data\. -.SH "RETURN VALUES" -.PP -PAM_PERM_DENIED -.RS 4 -Argument -\fIname_value\fR -given is a NULL pointer\. -.RE -.PP -PAM_BAD_ITEM -.RS 4 -Variable requested (for deletion) is not currently set\. -.RE -.PP -PAM_ABORT -.RS 4 -The -\fIpamh\fR -handle is corrupt\. -.RE -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. 
-.RE -.PP -PAM_SUCCESS -.RS 4 -The environment variable was successfully updated\. -.RE -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_getenv\fR(3), -\fBpam_getenvlist\fR(3), -\fBpam_strerror\fR(3), -\fBpam\fR(8) diff --git a/doc/man/pam_set_data.3 b/doc/man/pam_set_data.3 deleted file mode 100644 index 1991b92a..00000000 --- a/doc/man/pam_set_data.3 +++ /dev/null 
@@ -1,103 +0,0 @@ -.\" Title: pam_set_data -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.2 -.\" Date: 12/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_SET_DATA" "3" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_set_data - set module internal data -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 17 -.BI "int pam_set_data(pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", void\ *" "data" ", void\ " "(*cleanup)(pam_handle_t\ *pamh,\ void\ *data,\ int\ error_status)" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_set_data\fR -function associates a pointer to an object with the (hopefully) unique string -\fImodule_data_name\fR -in the PAM context specified by the -\fIpamh\fR -argument\. -.PP -PAM modules may be dynamically loadable objects\. In general such files should not contain -\fIstatic\fR -variables\. This function and its counterpart -\fBpam_get_data\fR(3), provide a mechanism for a module to associate some data with the handle -\fIpamh\fR\. Typically a module will call the -\fBpam_set_data\fR -function to register some data under a (hopefully) unique -\fImodule_data_name\fR\. The data is available for use by other modules too but -\fInot\fR -by an application\. Since this functions stores only a pointer to the -\fIdata\fR, the module should not modify or free the content of it\. -.PP -The function -\fBcleanup()\fR -is associated with the -\fIdata\fR -and, if non\-NULL, it is called when this data is over\-written or following a call to -\fBpam_end\fR(3)\. -.PP -The -\fIerror_status\fR -argument is used to indicate to the module the sort of action it is to take in cleaning this data item\. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item\. 
When -\fBpam_end\fR(3) -is called by the module, the -\fIerror_status\fR -carries the return value of the -\fBpam_authenticate\fR(3) -or other -\fIlibpam\fR -function as appropriate\. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place\. -.PP -The -\fIerror_status\fR -may have been logically OR\'d with either of the following two values: -.PP -PAM_DATA_REPLACE -.RS 4 -When a data item is being replaced (through a second call to -\fBpam_set_data\fR) this mask is used\. Otherwise, the call is assumed to be from -\fBpam_end\fR(3)\. -.RE -.PP -PAM_DATA_SILENT -.RS 4 -Which indicates that the process would prefer to perform the -\fBcleanup()\fR -quietly\. That is, discourages logging/messages to the user\. -.RE -.SH "RETURN VALUES" -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Data was successful stored\. -.RE -.PP -PAM_SYSTEM_ERR -.RS 4 -A NULL pointer was submitted as PAM handle or the function was called by an application\. -.RE -.SH "SEE ALSO" -.PP - -\fBpam_end\fR(3), -\fBpam_get_data\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_set_item.3 b/doc/man/pam_set_item.3 deleted file mode 100644 index a152cbbf..00000000 --- a/doc/man/pam_set_item.3 +++ /dev/null 
@@ -1,170 +0,0 @@ -.\" Title: pam_set_item -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.2 -.\" Date: 12/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_SET_ITEM" "3" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_set_item - set and update PAM informations -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 17 -.BI "int pam_set_item(pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ *" "item" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_set_item\fR -function allows applications and PAM service modules to access and to update PAM informations of -\fIitem_type\fR\. For this a copy of the object pointed to by the -\fIitem\fR -argument is created\. The following -\fIitem_type\fRs are supported: -.PP -PAM_SERVICE -.RS 4 -The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\. -.RE -.PP -PAM_USER -.RS 4 -The username of the entity under whose identity service will be given\. That is, following authentication, -\fIPAM_USER\fR -identifies the local entity that gets to use the service\. Note, this value can be mapped from something (eg\., "anonymous") to something else (eg\. "guest119") by any module in the PAM stack\. As such an application should consult the value of -\fIPAM_USER\fR -after each call to a PAM function\. -.RE -.PP -PAM_USER_PROMPT -.RS 4 -The string used when prompting for a user\'s name\. The default value for this string is a localized version of "login: "\. -.RE -.PP -PAM_TTY -.RS 4 -The terminal name: prefixed by -\fI/dev/\fR -if it is a device file; for graphical, X\-based, applications the value for this item should be the -\fI$DISPLAY\fR -variable\. -.RE -.PP -PAM_RUSER -.RS 4 -The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\. 
-.sp -Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\. -.sp - -\fIPAM_RUSER@PAM_RHOST\fR -should always identify the requesting user\. In some cases, -\fIPAM_RUSER\fR -may be NULL\. In such situations, it is unclear who the requesting entity is\. -.RE -.PP -PAM_RHOST -.RS 4 -The requesting hostname (the hostname of the machine from which the -\fIPAM_RUSER\fR -entity is requesting service)\. That is -\fIPAM_RUSER@PAM_RHOST\fR -does identify the requesting user\. In some applications, -\fIPAM_RHOST\fR -may be NULL\. In such situations, it is unclear where the authentication request is originating from\. -.RE -.PP -PAM_AUTHTOK -.RS 4 -The authentication token (often a password)\. This token should be ignored by all module functions besides -\fBpam_sm_authenticate\fR(3) -and -\fBpam_sm_chauthtok\fR(3)\. In the former function it is used to pass the most recent authentication token from one stacked module to another\. In the latter function the token is used for another purpose\. It contains the currently active authentication token\. -.RE -.PP -PAM_OLDAUTHTOK -.RS 4 -The old authentication token\. This token should be ignored by all module functions except -\fBpam_sm_chauthtok\fR(3)\. -.RE -.PP -PAM_CONV -.RS 4 -The pam_conv structure\. See -\fBpam_conv\fR(3)\. -.RE -.PP -The following additional items are specific to Linux\-PAM and should not be used in portable applications: -.PP -PAM_FAIL_DELAY -.RS 4 -A function pointer to redirect centrally managed failure delays\. See -\fBpam_fail_delay\fR(3)\. -.RE -.PP -PAM_XDISPLAY -.RS 4 -The name of the X display\. For graphical, X\-based applications the value for this item should be the -\fI$DISPLAY\fR -variable\. 
This value should be used instead of -\fIPAM_TTY\fR -for passing the name of the display where possible\. -.RE -.PP -PAM_XAUTHDATA -.RS 4 -A pointer to a structure containing the X authentication data required to make a connection to the display specified by -\fIPAM_XDISPLAY\fR, if such information is necessary\. See -\fBpam_xauth_data\fR(3)\. -.RE -.PP -For all -\fIitem_type\fRs, other than PAM_CONV and PAM_FAIL_DELAY, -\fIitem\fR -is a pointer to a terminated character string\. In the case of PAM_CONV, -\fIitem\fR -points to an initialized -\fIpam_conv\fR -structure\. In the case of PAM_FAIL_DELAY, -\fIitem\fR -is a function pointer: -\fBvoid (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)\fR -.PP -Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before returning to the application\. Which means an application is not able to access the authentication tokens\. -.SH "RETURN VALUES" -.PP -PAM_BAD_ITEM -.RS 4 -The application attempted to set an undefined or inaccessible item\. -.RE -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Data was successful updated\. -.RE -.PP -PAM_SYSTEM_ERR -.RS 4 -The -\fIpam_handle_t\fR -passed as first argument was invalid\. -.RE -.SH "SEE ALSO" -.PP - -\fBpam_get_item\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_setcred.3 b/doc/man/pam_setcred.3 deleted file mode 100644 index 055ee56e..00000000 --- a/doc/man/pam_setcred.3 +++ /dev/null 
@@ -1,82 +0,0 @@ -.\" Title: pam_setcred -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SETCRED" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_setcred \- establish / delete user credentials -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 16 -.BI "int pam_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_setcred\fR -function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been authenticated and before a session is opened for the user (with -\fBpam_open_session\fR(3)). -.PP -A credential is something that the user possesses. It is some property, such as a -\fIKerberos\fR -ticket, or a supplementary group membership that make up the uniqueness of a given user. On a Linux system the user's -\fIUID\fR -and -\fIGID\fR's are credentials too. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM. Such credentials should be established, by the application, prior to a call to this function. For example, -\fBinitgroups\fR(2) -(or equivalent) should have been performed. -.PP -Valid -\fIflags\fR, any one of which, may be logically OR'd with -\fBPAM_SILENT\fR, are: -.TP 3n -PAM_ESTABLISH_CRED -Initialize the credentials for the user. -.TP 3n -PAM_DELETE_CRED -Delete the user's credentials. -.TP 3n -PAM_REINITIALIZE_CRED -Fully reinitialize the user's credentials. -.TP 3n -PAM_REFRESH_CRED -Extend the lifetime of the existing credentials. -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_CRED_ERR -Failed to set user credentials. 
-.TP 3n -PAM_CRED_EXPIRED -User credentials are expired. -.TP 3n -PAM_CRED_UNAVAIL -Failed to retrieve user credentials. -.TP 3n -PAM_SUCCESS -Data was successful stored. -.TP 3n -PAM_SYSTEM_ERR -A NULL pointer was submitted as PAM handle, the function was called by a module or another system error occured. -.TP 3n -PAM_USER_UNKNOWN -User is not known to an authentication module. -.SH "SEE ALSO" -.PP - -\fBpam_authenticate\fR(3), -\fBpam_open_session\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_sm_acct_mgmt.3 b/doc/man/pam_sm_acct_mgmt.3 deleted file mode 100644 index b720e3af..00000000 --- a/doc/man/pam_sm_acct_mgmt.3 +++ /dev/null 
@@ -1,79 +0,0 @@ -.\" Title: pam_sm_acct_mgmt -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SM_ACCT_MGMT" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_sm_acct_mgmt \- PAM service function for account management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#define PAM_SM_ACCOUNT -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 32 -.BI "PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_sm_acct_mgmt\fR -function is the service module's implementation of the -\fBpam_acct_mgmt\fR(3) -interface. -.PP -This function performs the task of establishing whether the user is permitted to gain access at this time. It should be understood that the user has previously been validated by an authentication module. This function checks for other things. Such things might be: the time of day or the date, the terminal line, remote hostname, etc. This function may also determine things like the expiration on passwords, and respond that the user change it before continuing. -.PP -Valid flags, which may be logically OR'd with -\fIPAM_SILENT\fR, are: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_DISALLOW_NULL_AUTHTOK -Return -\fBPAM_AUTH_ERR\fR -if the database of authentication tokens for this authentication mechanism has a -\fINULL\fR -entry for the user. -.SH "RETURN VALUES" -.TP 3n -PAM_ACCT_EXPIRED -User account has expired. -.TP 3n -PAM_AUTH_ERR -Authentication failure. -.TP 3n -PAM_NEW_AUTHTOK_REQD -The user's authentication token has expired. Before calling this function again the application will arrange for a new one to be given. This will likely result in a call to -\fBpam_sm_chauthtok()\fR. 
-.TP 3n -PAM_PERM_DENIED -Permission denied. -.TP 3n -PAM_SUCCESS -The authentication token was successfully updated. -.TP 3n -PAM_USER_UNKNOWN -User unknown to password service. -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_acct_mgmt\fR(3), -\fBpam_sm_chauthtok\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/pam_sm_authenticate.3 b/doc/man/pam_sm_authenticate.3 deleted file mode 100644 index 7487f6af..00000000 --- a/doc/man/pam_sm_authenticate.3 +++ /dev/null 
@@ -1,80 +0,0 @@ -.\" Title: pam_sm_authenticate -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SM_AUTHENTICATE" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_sm_authenticate \- PAM service function for user authentication -.SH "SYNOPSIS" -.sp -.ft B -.nf -#define PAM_SM_AUTH -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 35 -.BI "PAM_EXTERN int pam_sm_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_sm_authenticate\fR -function is the service module's implementation of the -\fBpam_authenticate\fR(3) -interface. -.PP -This function performs the task of authenticating the user. -.PP -Valid flags, which may be logically OR'd with -\fIPAM_SILENT\fR, are: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_DISALLOW_NULL_AUTHTOK -Return -\fBPAM_AUTH_ERR\fR -if the database of authentication tokens for this authentication mechanism has a -\fINULL\fR -entry for the user. Without this flag, such a -\fINULL\fR -token will lead to a success without the user being prompted. -.SH "RETURN VALUES" -.TP 3n -PAM_AUTH_ERR -Authentication failure. -.TP 3n -PAM_CRED_INSUFFICIENT -For some reason the application does not have sufficient credentials to authenticate the user. -.TP 3n -PAM_AUTHINFO_UNAVAIL -The modules were not able to access the authentication information. This might be due to a network or hardware failure etc. -.TP 3n -PAM_SUCCESS -The authentication token was successfully updated. -.TP 3n -PAM_USER_UNKNOWN -The supplied username is not known to the authentication service. -.TP 3n -PAM_MAXTRIES -One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again. 
-.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_authenticate\fR(3), -\fBpam_sm_setcred\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/pam_sm_chauthtok.3 b/doc/man/pam_sm_chauthtok.3 deleted file mode 100644 index c247f68f..00000000 --- a/doc/man/pam_sm_chauthtok.3 +++ /dev/null 
@@ -1,97 +0,0 @@ -.\" Title: pam_sm_chauthtok -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SM_CHAUTHTOK" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_sm_chauthtok \- PAM service function for authentication token management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#define PAM_SM_PASSWORD -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 32 -.BI "PAM_EXTERN int pam_sm_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_sm_chauthtok\fR -function is the service module's implementation of the -\fBpam_chauthtok\fR(3) -interface. -.PP -This function is used to (re\-)set the authentication token of the user. -.PP -Valid flags, which may be logically OR'd with -\fIPAM_SILENT\fR, are: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_CHANGE_EXPIRED_AUTHTOK -This argument indicates to the module that the users authentication token (password) should only be changed if it has expired. This flag is optional and -\fImust\fR -be combined with one of the following two flags. Note, however, the following two options are -\fImutually exclusive\fR. -.TP 3n -PAM_PRELIM_CHECK -This indicates that the modules are being probed as to their ready status for altering the user's authentication token. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag. If a module cannot establish it is ready to update the user's authentication token it should return -\fBPAM_TRY_AGAIN\fR, this information will be passed back to the application. -.TP 3n -PAM_UPDATE_AUTHTOK -This informs the module that this is the call it should change the authorization tokens. 
If the flag is logically OR'd with -\fBPAM_CHANGE_EXPIRED_AUTHTOK\fR, the token is only changed if it has actually expired. -.PP -The PAM library calls this function twice in succession. The first time with -\fBPAM_PRELIM_CHECK\fR -and then, if the module does not return -\fBPAM_TRY_AGAIN\fR, subsequently with -\fBPAM_UPDATE_AUTHTOK\fR. It is only on the second call that the authorization token is (possibly) changed. -.SH "RETURN VALUES" -.TP 3n -PAM_AUTHTOK_ERR -The module was unable to obtain the new authentication token. -.TP 3n -PAM_AUTHTOK_RECOVERY_ERR -The module was unable to obtain the old authentication token. -.TP 3n -PAM_AUTHTOK_LOCK_BUSY -Cannot change the authentication token since it is currently locked. -.TP 3n -PAM_AUTHTOK_DISABLE_AGING -Authentication token aging has been disabled. -.TP 3n -PAM_PERM_DENIED -Permission denied. -.TP 3n -PAM_TRY_AGAIN -Preliminary check was unsuccessful. Signals an immediate return to the application is desired. -.TP 3n -PAM_SUCCESS -The authentication token was successfully updated. -.TP 3n -PAM_USER_UNKNOWN -User unknown to password service. -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_chauthtok\fR(3), -\fBpam_sm_chauthtok\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/pam_sm_close_session.3 b/doc/man/pam_sm_close_session.3 deleted file mode 100644 index 4d0f081b..00000000 --- a/doc/man/pam_sm_close_session.3 +++ /dev/null 
@@ -1,58 +0,0 @@ -.\" Title: pam_sm_close_session -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SM_CLOSE_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_sm_close_session \- PAM service function to terminate session management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#define PAM_SM_SESSION -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 36 -.BI "PAM_EXTERN int pam_sm_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_sm_close_session\fR -function is the service module's implementation of the -\fBpam_close_session\fR(3) -interface. -.PP -This function is called to terminate a session. The only valid value for -\fIflags\fR -is zero or: -.TP 3n -PAM_SILENT -Do not emit any messages. -.SH "RETURN VALUES" -.TP 3n -PAM_SESSION_ERR -Cannot make/remove an entry for the specified session. -.TP 3n -PAM_SUCCESS -The session was successfully terminated. -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_close_session\fR(3), -\fBpam_sm_close_session\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/pam_sm_open_session.3 b/doc/man/pam_sm_open_session.3 deleted file mode 100644 index b97f6005..00000000 --- a/doc/man/pam_sm_open_session.3 +++ /dev/null 
@@ -1,58 +0,0 @@ -.\" Title: pam_sm_open_session -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SM_OPEN_SESSION" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_sm_open_session \- PAM service function to start session management -.SH "SYNOPSIS" -.sp -.ft B -.nf -#define PAM_SM_SESSION -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 35 -.BI "PAM_EXTERN int pam_sm_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_sm_open_session\fR -function is the service module's implementation of the -\fBpam_open_session\fR(3) -interface. -.PP -This function is called to commence a session. The only valid value for -\fIflags\fR -is zero or: -.TP 3n -PAM_SILENT -Do not emit any messages. -.SH "RETURN VALUES" -.TP 3n -PAM_SESSION_ERR -Cannot make/remove an entry for the specified session. -.TP 3n -PAM_SUCCESS -The session was successfully started. -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_open_session\fR(3), -\fBpam_sm_close_session\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/pam_sm_setcred.3 b/doc/man/pam_sm_setcred.3 deleted file mode 100644 index b4cb70e8..00000000 --- a/doc/man/pam_sm_setcred.3 +++ /dev/null 
@@ -1,95 +0,0 @@ -.\" Title: pam_sm_setcred -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SM_SETCRED" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_sm_setcred \- PAM service function to alter credentials -.SH "SYNOPSIS" -.sp -.ft B -.nf -#define PAM_SM_AUTH -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 30 -.BI "PAM_EXTERN int pam_sm_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_sm_setcred\fR -function is the service module's implementation of the -\fBpam_setcred\fR(3) -interface. -.PP -This function performs the task of altering the credentials of the user with respect to the corresponding authorization scheme. Generally, an authentication module may have access to more information about a user than their authentication token. This function is used to make such information available to the application. It should only be called -\fIafter\fR -the user has been authenticated but before a session has been established. -.PP -Valid flags, which may be logically OR'd with -\fIPAM_SILENT\fR, are: -.TP 3n -PAM_SILENT -Do not emit any messages. -.TP 3n -PAM_DELETE_CRED -Delete the credentials associated with the authentication service. -.TP 3n -PAM_REINITIALIZE_CRED -Reinitialize the user credentials. -.TP 3n -PAM_REFRESH_CRED -Extend the lifetime of the user credentials. -.PP -The way the -\fBauth\fR -stack is navigated in order to evaluate the -\fBpam_setcred\fR() function call, independent of the -\fBpam_sm_setcred\fR() return codes, is exactly the same way that it was navigated when evaluating the -\fBpam_authenticate\fR() library call. 
Typically, if a stack entry was ignored in evaluating -\fBpam_authenticate\fR(), it will be ignored when libpam evaluates the -\fBpam_setcred\fR() function call. Otherwise, the return codes from each module specific -\fBpam_sm_setcred\fR() call are treated as -\fBrequired\fR. -.SH "RETURN VALUES" -.TP 3n -PAM_CRED_UNAVAIL -This module cannot retrieve the user's credentials. -.TP 3n -PAM_CRED_EXPIRED -The user's credentials have expired. -.TP 3n -PAM_CRED_ERR -This module was unable to set the credentials of the user. -.TP 3n -PAM_SUCCESS -The user credential was successfully set. -.TP 3n -PAM_USER_UNKNOWN -The user is not known to this authentication module. -.PP -These, non\-\fIPAM_SUCCESS\fR, return values will typically lead to the credential stack -\fIfailing\fR. The first such error will dominate in the return value of -\fBpam_setcred\fR(). -.SH "SEE ALSO" -.PP - -\fBpam\fR(3), -\fBpam_authenticate\fR(3), -\fBpam_setcred\fR(3), -\fBpam_sm_authenticate\fR(3), -\fBpam_strerror\fR(3), -\fBPAM\fR(8) diff --git a/doc/man/pam_start.3 b/doc/man/pam_start.3 deleted file mode 100644 index 22521213..00000000 --- a/doc/man/pam_start.3 +++ /dev/null 
@@ -1,80 +0,0 @@ -.\" Title: pam_start -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_START" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_start \- initialization of PAM transaction -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 14 -.BI "int pam_start(const\ char\ *" "service_name" ", const\ char\ *" "user" ", const\ struct\ pam_conv\ *" "pam_conversation" ", pam_handle_t\ **" "pamh" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_start\fR -function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context. -.PP -The -\fIservice_name\fR -argument specifies the name of the service to apply and will be stored as PAM_SERVICE item in the new context. The policy for the service will be read from the file -\fI/etc/pam.d/service_name\fR -or, if that file does not exist, from -\fI/etc/pam.conf\fR. -.PP -The -\fIuser\fR -argument can specify the name of the target user and will be stored as PAM_USER item. If the argument is NULL, the module has to ask for this item if necessary. -.PP -The -\fIpam_conversation\fR -argument points to a -\fIstruct pam_conv\fR -describing the conversation function to use. An application must provide this for direct communication between a loaded module and the application. -.PP -Following a successful return (PAM_SUCCESS) the contents of -\fIpamh\fR -is a handle that contains the PAM context for successive calls to the PAM functions. 
In an error case is the content of -\fIpamh\fR -undefined. -.PP -The -\fIpam_handle_t\fR -is a blind structure and the application should not attempt to probe it directly for information. Instead the PAM library provides the functions -\fBpam_set_item\fR(3) -and -\fBpam_get_item\fR(3). The PAM handle cannot be used for mulitiple authentications at the same time as long as -\fBpam_end\fR -was not called on it before. -.SH "RETURN VALUES" -.TP 3n -PAM_ABORT -General failure. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_SUCCESS -Transaction was successful created. -.TP 3n -PAM_SYSTEM_ERR -System error, for example a NULL pointer was submitted instead of a pointer to data. -.SH "SEE ALSO" -.PP - -\fBpam_get_data\fR(3), -\fBpam_set_data\fR(3), -\fBpam_end\fR(3), -\fBpam_strerror\fR(3) diff --git a/doc/man/pam_strerror.3 b/doc/man/pam_strerror.3 deleted file mode 100644 index 2d1e8849..00000000 --- a/doc/man/pam_strerror.3 +++ /dev/null @@ -1,36 +0,0 @@ -.\" Title: pam_strerror -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_STRERROR" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_strerror \- return string describing PAM error code -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.HP 25 -.BI "const char *pam_strerror(pam_handle_t\ *" "pamh" ", int\ " "errnum" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_strerror\fR -function returns a pointer to a string describing the error code passed in the argument -\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language. This string must not be modified by the application. No library function will modify this string. -.SH "RETURN VALUES" -.PP -This function returns always a pointer to a string. -.SH "SEE ALSO" -.PP - -\fBpam\fR(8) 
diff --git a/doc/man/pam_syslog.3 b/doc/man/pam_syslog.3 deleted file mode 100644 index 112066d9..00000000 --- a/doc/man/pam_syslog.3 +++ /dev/null @@ -1,61 +0,0 @@ -.\" Title: pam_syslog -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SYSLOG" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_syslog, pam_vsyslog \- send messages to the system logger -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.sp -.ft B -.nf -#include -.fi -.ft -.HP 16 -.BI "void pam_syslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "..." ");" -.HP 17 -.BI "void pam_vsyslog(pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" -.SH "DESCRIPTION" -.PP -The -\fBpam_syslog\fR -function logs messages using -\fBsyslog\fR(3) -and is intended for internal use by Linux\-PAM and PAM service modules. The -\fIpriority\fR -argument is formed by ORing the facility and the level values as documented in the -\fBsyslog\fR(3) -manual page. -.PP -The -\fBpam_vsyslog\fR -function performs the same task as -\fBpam_syslog()\fR -with the difference that it takes a set of arguments which have been obtained using the -\fBstdarg\fR(3) -variable argument list macros. -.SH "SEE ALSO" -.PP - -\fBpam\fR(8) -.SH "STANDARDS" -.PP -The -\fBpam_syslog\fR -and -\fBpam_vsyslog\fR -functions are Linux\-PAM extensions. diff --git a/doc/man/pam_verror.3 b/doc/man/pam_verror.3 deleted file mode 100644 index 6e052ef6..00000000 --- a/doc/man/pam_verror.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/pam_error.3 diff --git a/doc/man/pam_vinfo.3 b/doc/man/pam_vinfo.3 deleted file mode 100644 index 79f3a153..00000000 --- a/doc/man/pam_vinfo.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/pam_info.3 
diff --git a/doc/man/pam_vprompt.3 b/doc/man/pam_vprompt.3 deleted file mode 100644 index bba0b1d3..00000000 --- a/doc/man/pam_vprompt.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/pam_prompt.3 diff --git a/doc/man/pam_vsyslog.3 b/doc/man/pam_vsyslog.3 deleted file mode 100644 index b987b067..00000000 --- a/doc/man/pam_vsyslog.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/pam_syslog.3 diff --git a/doc/man/pam_xauth_data.3 b/doc/man/pam_xauth_data.3 deleted file mode 100644 index 49f9c9ec..00000000 --- a/doc/man/pam_xauth_data.3 +++ /dev/null 
@@ -1,70 +0,0 @@ -.\" Title: pam_xauth_data -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 01/07/2008 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_XAUTH_DATA" "3" "01/07/2008" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_xauth_data - structure containing X authentication data -.SH "SYNOPSIS" -.sp -.ft B -.nf -#include -.fi -.ft -.sp -.RS 4 -.nf -struct pam_xauth_data { - int namelen; - char *name; - int datalen; - char *data; -}; - -.fi -.RE -.SH "DESCRIPTION" -.PP -The -\fBpam_xauth_data\fR -structure contains X authentication data used to make a connection to an X display\. Using this mechanism, an application can communicate X authentication data to PAM service modules\. This allows modules to make a connection to the user\'s X display in order to label the user\'s session on login, display visual feedback or for other purposes\. -.PP -The -\fIname\fR -field contains the name of the authentication method, such as "MIT\-MAGIC\-COOKIE\-1"\. The -\fInamelen\fR -field contains the length of this string, not including the trailing NUL character\. -.PP -The -\fIdata\fR -field contains the authentication method\-specific data corresponding to the specified name\. The -\fIdatalen\fR -field contains its length in bytes\. -.PP -The X authentication data can be changed with the -\fIPAM_XAUTH_DATA\fR -item\. It can be queried and set with -\fBpam_get_item\fR(3) -and -\fBpam_set_item \fR(3) -respectively\. The value used to set it should be a pointer to a pam_xauth_data structure\. An internal copy of both the structure itself and its fields is made by PAM when setting the item\. -.SH "SEE ALSO" -.PP - -\fBpam_start\fR(3), -\fBpam_get_item\fR(3), -.SH "STANDARDS" -.PP -The -\fBpam_xauth_data\fR -structure and -\fIPAM_XAUTH_DATA\fR -item are Linux\-PAM extensions\. 
diff --git a/modules/pam_access/.cvsignore b/modules/pam_access/.cvsignore
index 9fb98574..6e648372 100644
--- a/modules/pam_access/.cvsignore
+++ b/modules/pam_access/.cvsignore
@@ -4,3 +4,6 @@
 .libs
 Makefile
 Makefile.in
+README
+access.conf.5
+pam_access.8
diff --git a/modules/pam_access/README b/modules/pam_access/README
deleted file mode 100644
index ec0d67e0..00000000
--- a/modules/pam_access/README
+++ /dev/null
@@ -1,120 +0,0 @@ -pam_access — PAM module for logdaemon style login access control - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_access PAM module is mainly for access management. It provides -logdaemon style login access control based on login names, host or domain -names, internet addresses or network numbers, or on terminal line names in case -of non-networked logins. - -By default rules for access management are taken from config file /etc/security -/access.conf if you don't specify another file. - -If Linux PAM is compiled with audit support the module will report when it -denies access based on origin (host or tty). - -OPTIONS - -accessfile=/path/to/access.conf - - Indicate an alternative access.conf style configuration file to override - the default. This can be useful when different services need different - access lists. - -debug - - A lot of debug informations are printed with syslog(3). - -noaudit - - Do not report logins from disallowed hosts and ttys to the audit subsystem. - -fieldsep=separators - - This option modifies the field separator character that pam_access will - recognize when parsing the access configuration file. For example: fieldsep - =| will cause the default `:' character to be treated as part of a field - value and `|' becomes the field separator. Doing this may be useful in - conjuction with a system that wants to use pam_access with X based - applications, since the PAM_TTY item is likely to be of the form - "hostname:0" which includes a `:' character in its value. But you should - not need this. - -listsep=separators - - This option modifies the list separator character that pam_access will - recognize when parsing the access configuration file. For example: listsep - =, will cause the default ` ' (space) and `\t' (tab) characters to be - treated as part of a list element value and `,' becomes the only list - element separator. 
Doing this may be useful on a system with group - information obtained from a Windows domain, where the default built-in - groups "Domain Users", "Domain Admins" contain a space. - -nodefgroup - - The group database will not be used for tokens not identified as account - name. - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -access.conf. - -User root should be allowed to get access via cron, X11 terminal :0, tty1, ..., -tty5, tty6. - -+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 - -User root should be allowed to get access from hosts which own the IPv4 -addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 -connection from a host with one of this IPv4 addresses does work, too. - -+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 - -+ : root : 127.0.0.1 - -User root should get access from network 192.168.201. where the term will be -evaluated by string matching. But it might be better to use network/netmask -instead. The same meaning of 192.168.201. is 192.168.201.0/24 or 192.168.201.0/ -255.255.255.0. - -+ : root : 192.168.201. - -User root should be able to have access from hosts foo1.bar.org and -foo2.bar.org (uses string matching also). - -+ : root : foo1.bar.org foo2.bar.org - -User root should be able to have access from domain foo.bar.org (uses string -matching also). - -+ : root : .foo.bar.org - -User root should be denied to get access from all other sources. - -- : root : ALL - -User foo and members of netgroup admins should be allowed to get access from -all sources. This will only work if netgroup service is available. - -+ : @admins foo : ALL - -User john and foo should get access from IPv6 host address. - -+ : john foo : 2001:4ca0:0:101::1 - -User john should get access from IPv6 net/mask. - -+ : john : 2001:4ca0:0:101::/64 - -Disallow console logins to all but the shutdown, sync and all other accounts, -which are a member of the wheel group. 
- --:ALL EXCEPT (wheel) shutdown sync:LOCAL - -All other users should be denied to get access from all sources. - -- : ALL : ALL - diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5 deleted file mode 100644 index fcd33bb4..00000000 --- a/modules/pam_access/access.conf.5 +++ /dev/null 
@@ -1,170 +0,0 @@ -.\" Title: access.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 06/22/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "ACCESS.CONF" "5" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -access.conf \- the login access control table file -.SH "DESCRIPTION" -.PP -The -\fI/etc/security/access.conf\fR -file specifies (\fIuser/group\fR, -\fIhost\fR), (\fIuser/group\fR, -\fInetwork/netmask\fR) or (\fIuser/group\fR, -\fItty\fR) combinations for which a login will be either accepted or refused. -.PP -When someone logs in, the file -\fIaccess.conf\fR -is scanned for the first entry that matches the (\fIuser/group\fR, -\fIhost\fR) or (\fIuser/group\fR, -\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, -\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused. -.PP -Each line of the login access control table has three fields separated by a ":" character (colon): -.PP - -\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR -.PP -The first field, the -\fIpermission\fR -field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied. -.PP -The second field, the -\fIusers\fR/\fIgroup\fR -field, should be a list of one or more login names, group names, or -\fIALL\fR -(which always matches). To differentiate user entries from group entries, group entries should be written with brackets, e.g. -\fI(group)\fR. 
-.PP -The third field, the -\fIorigins\fR -field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), -\fIALL\fR -(which always matches) or -\fILOCAL\fR -(which matches any string that does not contain a "." character). If supported by the system you can use -\fI@netgroupname\fR -in host or user patterns. -.PP -The -\fIEXCEPT\fR -operator makes it possible to write very compact rules. -.PP -If the -\fBnodefgroup\fR -is not set, the group file is searched when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user. -.PP -The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/access.conf\fR. -.PP -User -\fIroot\fR -should be allowed to get access via -\fIcron\fR, X11 terminal -\fI:0\fR, -\fItty1\fR, ..., -\fItty5\fR, -\fItty6\fR. -.PP -+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 -.PP -User -\fIroot\fR -should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too. -.PP -+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 -.PP -+ : root : 127.0.0.1 -.PP -User -\fIroot\fR -should get access from network -192.168.201. -where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of -192.168.201. -is -\fI192.168.201.0/24\fR -or -\fI192.168.201.0/255.255.255.0\fR. -.PP -+ : root : 192.168.201. 
-.PP -User -\fIroot\fR -should be able to have access from hosts -\fIfoo1.bar.org\fR -and -\fIfoo2.bar.org\fR -(uses string matching also). -.PP -+ : root : foo1.bar.org foo2.bar.org -.PP -User -\fIroot\fR -should be able to have access from domain -\fIfoo.bar.org\fR -(uses string matching also). -.PP -+ : root : .foo.bar.org -.PP -User -\fIroot\fR -should be denied to get access from all other sources. -.PP -\- : root : ALL -.PP -User -\fIfoo\fR -and members of netgroup -\fIadmins\fR -should be allowed to get access from all sources. This will only work if netgroup service is available. -.PP -+ : @admins foo : ALL -.PP -User -\fIjohn\fR -and -\fIfoo\fR -should get access from IPv6 host address. -.PP -+ : john foo : 2001:4ca0:0:101::1 -.PP -User -\fIjohn\fR -should get access from IPv6 net/mask. -.PP -+ : john : 2001:4ca0:0:101::/64 -.PP -Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group. -.PP -\-:ALL EXCEPT (wheel) shutdown sync:LOCAL -.PP -All other users should be denied to get access from all sources. -.PP -\- : ALL : ALL -.SH "SEE ALSO" -.PP - -\fBpam_access\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHORS" -.PP -Original -\fBlogin.access\fR(5) -manual was provided by Guido van Rooij which was renamed to -\fBaccess.conf\fR(5) -to reflect relation to default config file. -.PP -Network address / netmask description and example text was introduced by Mike Becher . diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8 deleted file mode 100644 index f151859c..00000000 --- a/modules/pam_access/pam_access.8 +++ /dev/null 
@@ -1,112 +0,0 @@ -.\" Title: pam_access -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.2 -.\" Date: 11/30/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_ACCESS" "8" "11/30/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_access - PAM module for logdaemon style login access control -.SH "SYNOPSIS" -.HP 14 -\fBpam_access\.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] -.SH "DESCRIPTION" -.PP -The pam_access PAM module is mainly for access management\. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\. -.PP -By default rules for access management are taken from config file -\fI/etc/security/access\.conf\fR -if you don\'t specify another file\. -.PP -If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\. -.SH "OPTIONS" -.PP -\fBaccessfile=\fR\fB\fI/path/to/access\.conf\fR\fR -.RS 4 -Indicate an alternative -\fIaccess\.conf\fR -style configuration file to override the default\. This can be useful when different services need different access lists\. -.RE -.PP -\fBdebug\fR -.RS 4 -A lot of debug informations are printed with -\fBsyslog\fR(3)\. -.RE -.PP -\fBnoaudit\fR -.RS 4 -Do not report logins from disallowed hosts and ttys to the audit subsystem\. -.RE -.PP -\fBfieldsep=\fR\fB\fIseparators\fR\fR -.RS 4 -This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\. For example: -\fBfieldsep=|\fR -will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\. 
Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the -\fBPAM_TTY\fR -item is likely to be of the form "hostname:0" which includes a `:\' character in its value\. But you should not need this\. -.RE -.PP -\fBlistsep=\fR\fB\fIseparators\fR\fR -.RS 4 -This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\. For example: -\fBlistsep=,\fR -will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\. -.RE -.PP -\fBnodefgroup\fR -.RS 4 -The group database will not be used for tokens not identified as account name\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -All services are supported\. -.SH "RETURN VALUES" -.PP -PAM_SUCCESS -.RS 4 -Access was granted\. -.RE -.PP -PAM_PERM_DENIED -.RS 4 -Access was not granted\. -.RE -.PP -PAM_IGNORE -.RS 4 - -\fBpam_setcred\fR -was called which does nothing\. -.RE -.PP -PAM_ABORT -.RS 4 -Not all relevant data or options could be gotten\. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -The user is not known to the system\. -.RE -.SH "FILES" -.PP -\fI/etc/security/access\.conf\fR -.RS 4 -Default configuration file -.RE -.SH "SEE ALSO" -.PP - -\fBaccess.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8)\. -.SH "AUTHORS" -.PP -The logdaemon style login access control scheme was designed and implemented by Wietse Venema\. The pam_access PAM module was developed by Alexei Nogin \. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher \. diff --git a/modules/pam_cracklib/.cvsignore b/modules/pam_cracklib/.cvsignore index 9fb98574..db3b3295 100644 --- a/modules/pam_cracklib/.cvsignore 
+++ b/modules/pam_cracklib/.cvsignore
@@ -4,3 +4,5 @@
 .libs
 Makefile
 Makefile.in
+README
+pam_cracklib.8
diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README
deleted file mode 100644
index 25ec00b4..00000000
--- a/modules/pam_cracklib/README
+++ /dev/null
@@ -1,220 +0,0 @@ -pam_cracklib — PAM module to check the password against dictionary words - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This module can be plugged into the password stack of a given application to -provide some plug-in strength-checking for passwords. - -The action of this module is to prompt the user for a password and check its -strength against a system dictionary and a set of rules for identifying poor -choices. - -The first action is to prompt for a single password, check its strength and -then, if it is considered strong, prompt for the password a second time (to -verify that it was typed correctly on the first occasion). All being well, the -password is passed on to subsequent modules to be installed as the new -authentication token. - -The strength checks works in the following manner: at first the Cracklib -routine is called to check if the password is part of a dictionary; if this is -not the case an additional set of strength checks is done. These checks are: - -Palindrome - - Is the new password a palindrome of the old one? - -Case Change Only - - Is the new password the the old one with only a change of case? - -Similar - - Is the new password too much like the old one? This is primarily controlled - by one argument, difok which is a number of characters that if different - between the old and new are enough to accept the new password, this - defaults to 10 or 1/2 the size of the new password whichever is smaller. - - To avoid the lockup associated with trying to change a long and complicated - password, difignore is available. This argument can be used to specify the - minimum length a new password needs to be before the difok value is - ignored. The default value for difignore is 23. - -Simple - - Is the new password too small? This is controlled by 5 arguments minlen, - dcredit, ucredit, lcredit, and ocredit. 
See the section on the arguments - for the details of how these work and there defaults. - -Rotated - - Is the new password a rotated version of the old password? - -Already used - - Was the password used in the past? Previously used passwords are to be - found in /etc/security/opasswd. - -This module with no arguments will work well for standard unix password -encryption. With md5 encryption, passwords can be longer than 8 characters and -the default settings for this module can make it hard for the user to choose a -satisfactory new password. Notably, the requirement that the new password -contain no more than 1/2 of the characters in the old password becomes a -non-trivial constraint. For example, an old password of the form "the quick -brown fox jumped over the lazy dogs" would be difficult to change... In -addition, the default action is to allow passwords as small as 5 characters in -length. For a md5 systems it can be a good idea to increase the required -minimum size of a password. One can then allow more credit for different kinds -of characters but accept that the new password may share most of these -characters with the old password. - -OPTIONS - -debug - - This option makes the module write information to syslog(3) indicating the - behavior of the module (this option does not write password information to - the log file). - -type=XXX - - The default action is for the module to use the following prompts when - requesting passwords: "New UNIX password: " and "Retype UNIX password: ". - The default word UNIX can be replaced with this option. - -retry=N - - Prompt user at most N times before returning with error. The default is 1 - -difok=N - - This argument will change the default of 5 for the number of characters in - the new password that must not be present in the old password. In addition, - if 1/2 of the characters in the new password are different then the new - password will be accepted anyway. 
- -difignore=N - - How many characters should the password have before difok will be ignored. - The default is 23. - -minlen=N - - The minimum acceptable size for the new password (plus one if credits are - not disabled which is the default). In addition to the number of characters - in the new password, credit (of +1 in length) is given for each different - kind of character (other, upper, lower and digit). The default for this - parameter is 9 which is good for a old style UNIX password all of the same - type of character but may be too low to exploit the added security of a md5 - system. Note that there is a pair of length limits in Cracklib itself, a - "way too short" limit of 4 which is hard coded in and a defined limit (6) - that will be checked without reference to minlen. If you want to allow - passwords as short as 5 characters you should not use this module. - -dcredit=N - - (N >= 0) This is the maximum credit for having digits in the new password. - If you have less than or N digits, each digit will count +1 towards meeting - the current minlen value. The default for dcredit is 1 which is the - recommended value for minlen less than 10. - - (N < 0) This is the minimum number of digits that must be met for a new - password. - -ucredit=N - - (N >= 0) This is the maximum credit for having upper case letters in the - new password. If you have less than or N upper case letters each letter - will count +1 towards meeting the current minlen value. The default for - ucredit is 1 which is the recommended value for minlen less than 10. - - (N > 0) This is the minimum number of upper case letters that must be met - for a new password. - -lcredit=N - - (N >= 0) This is the maximum credit for having lower case letters in the - new password. If you have less than or N lower case letters, each letter - will count +1 towards meeting the current minlen value. The default for - lcredit is 1 which is the recommended value for minlen less than 10. 
- - (N < 0) This is the minimum number of lower case letters that must be met - for a new password. - -ocredit=N - - (N >= 0) This is the maximum credit for having other characters in the new - password. If you have less than or N other characters, each character will - count +1 towards meeting the current minlen value. The default for ocredit - is 1 which is the recommended value for minlen less than 10. - - (N < 0) This is the minimum number of other characters that must be met for - a new password. - -minclass=N - - The minimum number of required classes of characters for the new password. - The default number is zero. The four classes are digits, upper and lower - letters and other characters. The difference to the credit check is that a - specific class if of characters is not required. Instead N out of four of - the classes are required. - -use_authtok - - This argument is used to force the module to not prompt the user for a new - password but use the one provided by the previously stacked password - module. - -dictpath=/path/to/dict - - Path to the cracklib dictionaries. - -EXAMPLES - -For an example of the use of this module, we show how it may be stacked with -the password component of pam_unix(8) - -# -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib. 
-# -passwd password required pam_cracklib.so retry=3 -passwd password required pam_unix.so use_authtok - - -Another example (in the /etc/pam.d/passwd format) is for the case that you want -to use md5 password encryption: - -#%PAM-1.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib.so \ - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix.so use_authtok nullok md5 - - -And here is another example in case you don't want to use credits: - -#%PAM-1.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib.so \ - dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 - - -AUTHOR - -pam_cracklib was written by Cristian Gafton - diff --git a/modules/pam_cracklib/pam_cracklib.8 b/modules/pam_cracklib/pam_cracklib.8 deleted file mode 100644 index f9ccea46..00000000 --- a/modules/pam_cracklib/pam_cracklib.8 +++ /dev/null 
@@ -1,309 +0,0 @@ -.\" Title: pam_cracklib -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_CRACKLIB" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_cracklib - PAM module to check the password against dictionary words -.SH "SYNOPSIS" -.HP 16 -\fBpam_cracklib\.so\fR [\fI\.\.\.\fR] -.SH "DESCRIPTION" -.PP -This module can be plugged into the -\fIpassword\fR -stack of a given application to provide some plug\-in strength\-checking for passwords\. -.PP -The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices\. -.PP -The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion)\. All being well, the password is passed on to subsequent modules to be installed as the new authentication token\. -.PP -The strength checks works in the following manner: at first the -\fBCracklib\fR -routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done\. These checks are: -.PP -Palindrome -.RS 4 -Is the new password a palindrome of the old one? -.RE -.PP -Case Change Only -.RS 4 -Is the new password the the old one with only a change of case? -.RE -.PP -Similar -.RS 4 -Is the new password too much like the old one? This is primarily controlled by one argument, -\fBdifok\fR -which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller\. 
-.sp -To avoid the lockup associated with trying to change a long and complicated password, -\fBdifignore\fR -is available\. This argument can be used to specify the minimum length a new password needs to be before the -\fBdifok\fR -value is ignored\. The default value for -\fBdifignore\fR -is 23\. -.RE -.PP -Simple -.RS 4 -Is the new password too small? This is controlled by 5 arguments -\fBminlen\fR, -\fBdcredit\fR, -\fBucredit\fR, -\fBlcredit\fR, and -\fBocredit\fR\. See the section on the arguments for the details of how these work and there defaults\. -.RE -.PP -Rotated -.RS 4 -Is the new password a rotated version of the old password? -.RE -.PP -Already used -.RS 4 -Was the password used in the past? Previously used passwords are to be found in -\fI/etc/security/opasswd\fR\. -.RE -.PP -This module with no arguments will work well for standard unix password encryption\. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password\. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint\. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change\.\.\. In addition, the default action is to allow passwords as small as 5 characters in length\. For a md5 systems it can be a good idea to increase the required minimum size of a password\. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password\. -.SH "OPTIONS" -.PP -.PP -\fBdebug\fR -.RS 4 -This option makes the module write information to -\fBsyslog\fR(3) -indicating the behavior of the module (this option does not write password information to the log file)\. 
-.RE -.PP -\fBtype=\fR\fB\fIXXX\fR\fR -.RS 4 -The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\. The default word -\fIUNIX\fR -can be replaced with this option\. -.RE -.PP -\fBretry=\fR\fB\fIN\fR\fR -.RS 4 -Prompt user at most -\fIN\fR -times before returning with error\. The default is -\fI1\fR -.RE -.PP -\fBdifok=\fR\fB\fIN\fR\fR -.RS 4 -This argument will change the default of -\fI5\fR -for the number of characters in the new password that must not be present in the old password\. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway\. -.RE -.PP -\fBdifignore=\fR\fB\fIN\fR\fR -.RS 4 -How many characters should the password have before difok will be ignored\. The default is -\fI23\fR\. -.RE -.PP -\fBminlen=\fR\fB\fIN\fR\fR -.RS 4 -The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)\. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, -\fIupper\fR, -\fIlower\fR -and -\fIdigit\fR)\. The default for this parameter is -\fI9\fR -which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system\. Note that there is a pair of length limits in -\fICracklib\fR -itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to -\fBminlen\fR\. If you want to allow passwords as short as 5 characters you should not use this module\. -.RE -.PP -\fBdcredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having digits in the new password\. If you have less than or -\fIN\fR -digits, each digit will count +1 towards meeting the current -\fBminlen\fR -value\. 
The default for -\fBdcredit\fR -is 1 which is the recommended value for -\fBminlen\fR -less than 10\. -.sp -(N < 0) This is the minimum number of digits that must be met for a new password\. -.RE -.PP -\fBucredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having upper case letters in the new password\. If you have less than or -\fIN\fR -upper case letters each letter will count +1 towards meeting the current -\fBminlen\fR -value\. The default for -\fBucredit\fR -is -\fI1\fR -which is the recommended value for -\fBminlen\fR -less than 10\. -.sp -(N > 0) This is the minimum number of upper case letters that must be met for a new password\. -.RE -.PP -\fBlcredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having lower case letters in the new password\. If you have less than or -\fIN\fR -lower case letters, each letter will count +1 towards meeting the current -\fBminlen\fR -value\. The default for -\fBlcredit\fR -is 1 which is the recommended value for -\fBminlen\fR -less than 10\. -.sp -(N < 0) This is the minimum number of lower case letters that must be met for a new password\. -.RE -.PP -\fBocredit=\fR\fB\fIN\fR\fR -.RS 4 -(N >= 0) This is the maximum credit for having other characters in the new password\. If you have less than or -\fIN\fR -other characters, each character will count +1 towards meeting the current -\fBminlen\fR -value\. The default for -\fBocredit\fR -is 1 which is the recommended value for -\fBminlen\fR -less than 10\. -.sp -(N < 0) This is the minimum number of other characters that must be met for a new password\. -.RE -.PP -\fBminclass=\fR\fB\fIN\fR\fR -.RS 4 -The minimum number of required classes of characters for the new password\. The default number is zero\. The four classes are digits, upper and lower letters and other characters\. The difference to the -\fBcredit\fR -check is that a specific class if of characters is not required\. Instead -\fIN\fR -out of four of the classes are required\. 
-.RE -.PP -\fBuse_authtok\fR -.RS 4 -This argument is used to -\fIforce\fR -the module to not prompt the user for a new password but use the one provided by the previously stacked -\fIpassword\fR -module\. -.RE -.PP -\fBdictpath=\fR\fB\fI/path/to/dict\fR\fR -.RS 4 -Path to the cracklib dictionaries\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -Only he -\fBpassword\fR -service is supported\. -.SH "RETURN VALUES" -.PP -.PP -PAM_SUCCESS -.RS 4 -The new password passes all checks\. -.RE -.PP -PAM_AUTHTOK_ERR -.RS 4 -No new password was entered, the username could not be determined or the new password fails the strength checks\. -.RE -.PP -PAM_AUTHTOK_RECOVERY_ERR -.RS 4 -The old password was not supplied by a previous stacked module or got not requested from the user\. The first error can happen if -\fBuse_authtok\fR -is specified\. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -A internal error occured\. -.RE -.SH "EXAMPLES" -.PP -For an example of the use of this module, we show how it may be stacked with the password component of -\fBpam_unix\fR(8) -.sp -.RS 4 -.nf -# -# These lines stack two password type modules\. In this example the -# user is given 3 opportunities to enter a strong password\. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib\. 
-# -passwd password required pam_cracklib\.so retry=3 -passwd password required pam_unix\.so use_authtok - -.fi -.RE -.PP -Another example (in the -\fI/etc/pam\.d/passwd\fR -format) is for the case that you want to use md5 password encryption: -.sp -.RS 4 -.nf -#%PAM\-1\.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib\.so \e - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix\.so use_authtok nullok md5 - -.fi -.RE -.PP -And here is another example in case you don\'t want to use credits: -.sp -.RS 4 -.nf -#%PAM\-1\.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib\.so \e - dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8 -password required pam_unix\.so use_authtok nullok md5 - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_cracklib was written by Cristian Gafton diff --git a/modules/pam_debug/.cvsignore b/modules/pam_debug/.cvsignore index 9fb98574..af38ef08 100644 --- a/modules/pam_debug/.cvsignore +++ b/modules/pam_debug/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_debug.8 diff --git a/modules/pam_debug/README b/modules/pam_debug/README deleted file mode 100644 index 4afff114..00000000 --- a/modules/pam_debug/README +++ /dev/null 
@@ -1,64 +0,0 @@ -pam_debug — PAM module to debug the PAM stack - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_debug PAM module is intended as a debugging aide for determining how -the PAM stack is operating. This module returns what its module arguments tell -it to return. - -OPTIONS - -auth=value - - The pam_sm_authenticate(3) function will return value. - -cred=value - - The pam_sm_setcred(3) function will return value. - -acct=value - - The pam_sm_acct_mgmt(3) function will return value. - -prechauthtok=value - - The pam_sm_chauthtok(3) function will return value if the PAM_PRELIM_CHECK - flag is set. - -chauthtok=value - - The pam_sm_chauthtok(3) function will return value if the PAM_PRELIM_CHECK - flag is not set. - -open_session=value - - The pam_sm_open_session(3) function will return value. - -close_session=value - - The pam_sm_close_session(3) function will return value. - -Where value can be one of: success, open_err, symbol_err, service_err, -system_err, buf_err, perm_denied, auth_err, cred_insufficient, -authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, -session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, -authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, -try_again, ignore, abort, authtok_expired, module_unknown, bad_item, -conv_again, incomplete. - -EXAMPLES - -auth requisite pam_permit.so -auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success -auth [default=reset] pam_debug.so auth=success cred=perm_denied -auth [success=done default=die] pam_debug.so -auth optional pam_debug.so auth=perm_denied cred=perm_denied -auth sufficient pam_debug.so auth=success cred=success - - -AUTHOR - -pam_debug was written by Andrew G. Morgan . - diff --git a/modules/pam_debug/pam_debug.8 b/modules/pam_debug/pam_debug.8 deleted file mode 100644 index ae4a1407..00000000 --- a/modules/pam_debug/pam_debug.8 +++ /dev/null 
@@ -1,110 +0,0 @@ -.\" Title: pam_debug -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/23/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_DEBUG" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_debug \- PAM module to debug the PAM stack -.SH "SYNOPSIS" -.HP 13 -\fBpam_debug.so\fR [auth=\fIvalue\fR] [cred=\fIvalue\fR] [acct=\fIvalue\fR] [prechauthtok=\fIvalue\fR] [chauthtok=\fIvalue\fR] [auth=\fIvalue\fR] [open_session=\fIvalue\fR] [close_session=\fIvalue\fR] -.SH "DESCRIPTION" -.PP -The pam_debug PAM module is intended as a debugging aide for determining how the PAM stack is operating. This module returns what its module arguments tell it to return. -.SH "OPTIONS" -.TP 3n -\fBauth=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_authenticate\fR(3) -function will return -\fIvalue\fR. -.TP 3n -\fBcred=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_setcred\fR(3) -function will return -\fIvalue\fR. -.TP 3n -\fBacct=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_acct_mgmt\fR(3) -function will return -\fIvalue\fR. -.TP 3n -\fBprechauthtok=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_chauthtok\fR(3) -function will return -\fIvalue\fR -if the -\fIPAM_PRELIM_CHECK\fR -flag is set. -.TP 3n -\fBchauthtok=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_chauthtok\fR(3) -function will return -\fIvalue\fR -if the -\fIPAM_PRELIM_CHECK\fR -flag is -\fBnot\fR -set. -.TP 3n -\fBopen_session=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_open_session\fR(3) -function will return -\fIvalue\fR. -.TP 3n -\fBclose_session=\fR\fB\fIvalue\fR\fR -The -\fBpam_sm_close_session\fR(3) -function will return -\fIvalue\fR. 
-.PP -Where -\fIvalue\fR -can be one of: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -Default return code if no other value was specified, else specified return value. -.SH "EXAMPLES" -.sp -.RS 3n -.nf -auth requisite pam_permit.so -auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success -auth [default=reset] pam_debug.so auth=success cred=perm_denied -auth [success=done default=die] pam_debug.so -auth optional pam_debug.so auth=perm_denied cred=perm_denied -auth sufficient pam_debug.so auth=success cred=success - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_debug was written by Andrew G. Morgan . diff --git a/modules/pam_deny/.cvsignore b/modules/pam_deny/.cvsignore index 9fb98574..180c6155 100644 --- a/modules/pam_deny/.cvsignore +++ b/modules/pam_deny/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_deny.8 diff --git a/modules/pam_deny/README b/modules/pam_deny/README deleted file mode 100644 index 6b3a86f8..00000000 --- a/modules/pam_deny/README +++ /dev/null 
@@ -1,31 +0,0 @@ -pam_deny — The locking-out PAM module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This module can be used to deny access. It always indicates a failure to the -application through the PAM framework. It might be suitable for using for -default (the OTHER) entries. - -EXAMPLES - -#%PAM-1.0 -# -# If we don't have config entries for a service, the -# OTHER entries are used. To be secure, warn and deny -# access to everything. -other auth required pam_warn.so -other auth required pam_deny.so -other account required pam_warn.so -other account required pam_deny.so -other password required pam_warn.so -other password required pam_deny.so -other session required pam_warn.so -other session required pam_deny.so - - -AUTHOR - -pam_deny was written by Andrew G. Morgan - diff --git a/modules/pam_deny/pam_deny.8 b/modules/pam_deny/pam_deny.8 deleted file mode 100644 index e3d34414..00000000 --- a/modules/pam_deny/pam_deny.8 +++ /dev/null 
@@ -1,82 +0,0 @@ -.\" Title: pam_deny -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_DENY" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_deny - The locking-out PAM module -.SH "SYNOPSIS" -.HP 12 -\fBpam_deny\.so\fR -.SH "DESCRIPTION" -.PP -This module can be used to deny access\. It always indicates a failure to the application through the PAM framework\. It might be suitable for using for default (the -\fIOTHER\fR) entries\. -.SH "OPTIONS" -.PP -This module does not recognise any options\. -.SH "MODULE SERVICES PROVIDED" -.PP -All services (\fBaccount\fR, -\fBauth\fR, -\fBpassword\fR -and -\fBsession\fR) are supported\. -.SH "RETURN VALUES" -.PP -.PP -PAM_AUTH_ERR -.RS 4 -This is returned by the account and auth services\. -.RE -.PP -PAM_CRED_ERR -.RS 4 -This is returned by the setcred function\. -.RE -.PP -PAM_AUTHTOK_ERR -.RS 4 -This is returned by the password service\. -.RE -.PP -PAM_SESSION_ERR -.RS 4 -This is returned by the session service\. -.RE -.SH "EXAMPLES" -.sp -.RS 4 -.nf -#%PAM\-1\.0 -# -# If we don\'t have config entries for a service, the -# OTHER entries are used\. To be secure, warn and deny -# access to everything\. -other auth required pam_warn\.so -other auth required pam_deny\.so -other account required pam_warn\.so -other account required pam_deny\.so -other password required pam_warn\.so -other password required pam_deny\.so -other session required pam_warn\.so -other session required pam_deny\.so - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_deny was written by Andrew G\. Morgan diff --git a/modules/pam_echo/.cvsignore b/modules/pam_echo/.cvsignore index 9fb98574..2d5569ad 100644 --- a/modules/pam_echo/.cvsignore 
+++ b/modules/pam_echo/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_echo.8 diff --git a/modules/pam_echo/README b/modules/pam_echo/README deleted file mode 100644 index fca26b77..00000000 --- a/modules/pam_echo/README +++ /dev/null @@ -1,50 +0,0 @@ -pam_echo — PAM module for printing text messages - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_echo PAM module is for printing text messages to inform user about -special things. Sequences starting with the % character are interpreted in the -following way: - -%H - - The name of the remote host (PAM_RHOST). - -%h - - The name of the local host. - -%s - - The service name (PAM_SERVICE). - -%t - - The name of the controlling terminal (PAM_TTY). - -%U - - The remote user name (PAM_RUSER). - -%u - - The local user name (PAM_USER). - -All other sequences beginning with % expands to the characters following the % -character. - -EXAMPLES - -For an example of the use of this module, we show how it may be used to print -informations about good passwords: - -password optional pam_echo.so file=/usr/share/doc/good-password.txt -password required pam_unix.so - - -AUTHOR - -Thorsten Kukuk - diff --git a/modules/pam_echo/pam_echo.8 b/modules/pam_echo/pam_echo.8 deleted file mode 100644 index 423a8e1b..00000000 --- a/modules/pam_echo/pam_echo.8 +++ /dev/null 
@@ -1,88 +0,0 @@ -.\" Title: pam_echo -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ECHO" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_echo \- PAM module for printing text messages -.SH "SYNOPSIS" -.HP 12 -\fBpam_echo.so\fR [file=\fI/path/message\fR] -.SH "DESCRIPTION" -.PP -The -\fIpam_echo\fR -PAM module is for printing text messages to inform user about special things. Sequences starting with the -\fI%\fR -character are interpreted in the following way: -.TP 3n -\fI%H\fR -The name of the remote host (PAM_RHOST). -.TP 3n -\fB%h\fR -The name of the local host. -.TP 3n -\fI%s\fR -The service name (PAM_SERVICE). -.TP 3n -\fI%t\fR -The name of the controlling terminal (PAM_TTY). -.TP 3n -\fI%U\fR -The remote user name (PAM_RUSER). -.TP 3n -\fI%u\fR -The local user name (PAM_USER). -.PP -All other sequences beginning with -\fI%\fR -expands to the characters following the -\fI%\fR -character. -.SH "OPTIONS" -.TP 3n -\fBfile=\fR\fB\fI/path/message\fR\fR -The content of the file -\fI/path/message\fR -will be printed with the PAM conversion function as PAM_TEXT_INFO. -.SH "MODULE SERVICES PROVIDED" -.PP -All services are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_SUCCESS -Message was successful printed. -.TP 3n -PAM_IGNORE -PAM_SILENT flag was given or message file does not exist, no message printed. -.SH "EXAMPLES" -.PP -For an example of the use of this module, we show how it may be used to print informations about good passwords: -.sp -.RS 3n -.nf -password optional pam_echo.so file=/usr/share/doc/good\-password.txt -password required pam_unix.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(8), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -Thorsten Kukuk 
diff --git a/modules/pam_env/.cvsignore b/modules/pam_env/.cvsignore
index 9fb98574..e35f869e 100644
--- a/modules/pam_env/.cvsignore
+++ b/modules/pam_env/.cvsignore
@@ -4,3 +4,6 @@
 .libs
 Makefile
 Makefile.in
+README
+pam_env.8
+pam_env.conf.5
diff --git a/modules/pam_env/README b/modules/pam_env/README
deleted file mode 100644
index 81c63154..00000000
--- a/modules/pam_env/README
+++ /dev/null
@@ -1,74 +0,0 @@ -pam_env — PAM module to set/unset environment variables - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_env PAM module allows the (un)setting of environment variables. -Supported is the use of previously set environment variables as well as -PAM_ITEMs such as PAM_RHOST. - -By default rules for (un)setting of variables is taken from the config file / -etc/security/pam_env.conf if no other file is specified. - -This module can also parse a file with simple KEY=VAL pairs on seperate lines -(/etc/environment by default). You can change the default file to parse, with -the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 -respectively. - -OPTIONS - -conffile=/path/to/pam_env.conf - - Indicate an alternative pam_env.conf style configuration file to override - the default. This can be useful when different services need different - environments. - -debug - - A lot of debug informations are printed with syslog(3). - -envfile=/path/to/environment - - Indicate an alternative environment file to override the default. This can - be useful when different services need different environments. - -readenv=0|1 - - Turns on or off the reading of the file specified by envfile (0 is off, 1 - is on). By default this option is on. - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -pam_env.conf. 
- -Set the REMOTEHOST variable for any hosts that are remote, default to -"localhost" rather than not being set at all - - REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} - - -Set the DISPLAY variable if it seems reasonable - - DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} - - -Now some simple variables - - PAGER DEFAULT=less - MANPAGER DEFAULT=less - LESS DEFAULT="M q e h15 z23 b80" - NNTPSERVER DEFAULT=localhost - PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ - :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 - - -Silly examples of escaped variables, just to show how they work. - - DOLLAR DEFAULT=\$ - DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} - DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} - ATSIGN DEFAULT="" OVERRIDE=\@ - - diff --git a/modules/pam_env/pam_env.8 b/modules/pam_env/pam_env.8 deleted file mode 100644 index e7746de3..00000000 --- a/modules/pam_env/pam_env.8 +++ /dev/null 
@@ -1,89 +0,0 @@ -.\" Title: pam_env -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ENV" "8" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_env \- PAM module to set/unset environment variables -.SH "SYNOPSIS" -.HP 11 -\fBpam_env.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] -.SH "DESCRIPTION" -.PP -The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as -\fIPAM_ITEM\fRs such as -\fIPAM_RHOST\fR. -.PP -By default rules for (un)setting of variables is taken from the config file -\fI/etc/security/pam_env.conf\fR -if no other file is specified. -.PP -This module can also parse a file with simple -\fIKEY=VAL\fR -pairs on seperate lines (\fI/etc/environment\fR -by default). You can change the default file to parse, with the -\fIenvfile\fR -flag and turn it on or off by setting the -\fIreadenv\fR -flag to 1 or 0 respectively. -.SH "OPTIONS" -.TP 3n -\fBconffile=\fR\fB\fI/path/to/pam_env.conf\fR\fR -Indicate an alternative -\fIpam_env.conf\fR -style configuration file to override the default. This can be useful when different services need different environments. -.TP 3n -\fBdebug\fR -A lot of debug informations are printed with -\fBsyslog\fR(3). -.TP 3n -\fBenvfile=\fR\fB\fI/path/to/environment\fR\fR -Indicate an alternative -\fIenvironment\fR -file to override the default. This can be useful when different services need different environments. -.TP 3n -\fBreadenv=\fR\fB\fI0|1\fR\fR -Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on. -.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBauth\fR -and -\fBsession\fR -services are supported. 
-.SH "RETURN VALUES" -.TP 3n -PAM_ABORT -Not all relevant data or options could be gotten. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_IGNORE -No pam_env.conf and environment file was found. -.TP 3n -PAM_SUCCESS -Environment variables were set. -.SH "FILES" -.TP 3n -\fI/etc/security/pam_env.conf\fR -Default configuration file -.TP 3n -\fI/etc/environment\fR -Default environment file -.SH "SEE ALSO" -.PP - -\fBpam_env.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8). -.SH "AUTHOR" -.PP -pam_env was written by Dave Kinchlea . diff --git a/modules/pam_env/pam_env.conf.5 b/modules/pam_env/pam_env.conf.5 deleted file mode 100644 index 17c1a19d..00000000 --- a/modules/pam_env/pam_env.conf.5 +++ /dev/null 
@@ -1,87 +0,0 @@ -.\" Title: pam_env.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ENV.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_env.conf \- the environment variables config file -.SH "DESCRIPTION" -.PP -The -\fI/etc/security/pam_env.conf\fR -file specifies the environment variables to be set, unset or modified by -\fBpam_env\fR(8). When someone logs in, this file is read and the environment variables are set according. -.PP -Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use. OVERRIDE is not used, "" is assumed and no override will be done. -.PP - -\fIVARIABLE\fR -[\fIDEFAULT=[value]\fR] [\fIOVERRIDE=[value]\fR] -.PP -(Possibly non\-existent) environment variables may be used in values using the ${string} syntax and (possibly non\-existent) PAM_ITEMs may be used in values using the @{string} syntax. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. For example, HOME is used below several times, but many PAM applications don't make it available by the time you need it. -.PP -The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. 
-.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/pam_env.conf\fR. -.PP -Set the REMOTEHOST variable for any hosts that are remote, default to "localhost" rather than not being set at all -.sp -.RS 3n -.nf - REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} - -.fi -.RE -.PP -Set the DISPLAY variable if it seems reasonable -.sp -.RS 3n -.nf - DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} - -.fi -.RE -.PP -Now some simple variables -.sp -.RS 3n -.nf - PAGER DEFAULT=less - MANPAGER DEFAULT=less - LESS DEFAULT="M q e h15 z23 b80" - NNTPSERVER DEFAULT=localhost - PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\\ - :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 - -.fi -.RE -.PP -Silly examples of escaped variables, just to show how they work. -.sp -.RS 3n -.nf - DOLLAR DEFAULT=\\$ - DOLLARDOLLAR DEFAULT= OVERRIDE=\\$${DOLLAR} - DOLLARPLUS DEFAULT=\\${REMOTEHOST}${REMOTEHOST} - ATSIGN DEFAULT="" OVERRIDE=\\@ - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam_env\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_env was written by Dave Kinchlea . diff --git a/modules/pam_exec/.cvsignore b/modules/pam_exec/.cvsignore index 9fb98574..47c8610e 100644 --- a/modules/pam_exec/.cvsignore +++ b/modules/pam_exec/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_exec.8 diff --git a/modules/pam_exec/README b/modules/pam_exec/README deleted file mode 100644 index 8ff9a742..00000000 --- a/modules/pam_exec/README +++ /dev/null 
@@ -1,42 +0,0 @@ -pam_exec — PAM module which calls an external command - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_exec is a PAM module that can be used to run an external command. - -OPTIONS - -debug - - Print debug information. - -log=file - - The output of the command is appended to file - -seteuid - - Per default pam_exec.so will execute the external command with the real - user ID of the calling process. Specifying this option means the command is - run with the effective user ID. - -EXAMPLES - -Add the following line to /etc/pam.d/passwd to rebuild the NIS database after -each local password change: - - passwd optional pam_exec.so seteuid make -C /var/yp - - -This will execute the command - -make -C /var/yp - -with effective user ID. - -AUTHOR - -pam_exec was written by Thorsten Kukuk . - diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8 deleted file mode 100644 index ae8f8a46..00000000 --- a/modules/pam_exec/pam_exec.8 +++ /dev/null 
@@ -1,88 +0,0 @@ -.\" Title: pam_exec -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_EXEC" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_exec \- PAM module which calls an external command -.SH "SYNOPSIS" -.HP 12 -\fBpam_exec.so\fR [debug] [seteuid] [log=\fIfile\fR] \fIcommand\fR [\fI...\fR] -.SH "DESCRIPTION" -.PP -pam_exec is a PAM module that can be used to run an external command. -.SH "OPTIONS" -.PP -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBlog=\fR\fB\fIfile\fR\fR -The output of the command is appended to -\fIfile\fR -.TP 3n -\fBseteuid\fR -Per default pam_exec.so will execute the external command with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SUCCESS -The external command runs successfull. -.TP 3n -PAM_SERVICE_ERR -No argument or a wrong number of arguments were given. -.TP 3n -PAM_SYSTEM_ERR -A system error occured or the command to execute failed. -.TP 3n -PAM_IGNORE - -\fBpam_setcred\fR -was called, which does not execute the command. -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/passwd\fR -to rebuild the NIS database after each local password change: -.sp -.RS 3n -.nf - passwd optional pam_exec.so seteuid make \-C /var/yp - -.fi -.RE -.sp -This will execute the command -.sp -.RS 3n -.nf -make \-C /var/yp -.fi -.RE -.sp -with effective user ID. -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_exec was written by Thorsten Kukuk . 
diff --git a/modules/pam_faildelay/.cvsignore b/modules/pam_faildelay/.cvsignore index 9fb98574..cc931c87 100644 --- a/modules/pam_faildelay/.cvsignore +++ b/modules/pam_faildelay/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_faildelay.8 diff --git a/modules/pam_faildelay/README b/modules/pam_faildelay/README deleted file mode 100644 index a06d7e3f..00000000 --- a/modules/pam_faildelay/README +++ /dev/null @@ -1,33 +0,0 @@ -pam_faildelay — Change the delay on failure per-application - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_faildelay is a PAM module that can be used to set the delay on failure -per-application. - -If no delay is given, pam_faildelay will use the value of FAIL_DELAY from /etc/ -login.defs. - -OPTIONS - -debug - - Turns on debugging messages sent to syslog. - -delay=N - - Set the delay on failure to N microseconds. - -EXAMPLES - -The following example will set the delay on failure to 10 seconds: - -auth optional pam_faildelay.so delay=10000000 - - -AUTHOR - -pam_faildelay was written by Darren Tucker . - diff --git a/modules/pam_faildelay/pam_faildelay.8 b/modules/pam_faildelay/pam_faildelay.8 deleted file mode 100644 index 86eb031a..00000000 --- a/modules/pam_faildelay/pam_faildelay.8 +++ /dev/null 
@@ -1,65 +0,0 @@ -.\" Title: pam_faildelay -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 12/06/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_FAILDELAY" "8" "12/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_faildelay \- Change the delay on failure per\-application -.SH "SYNOPSIS" -.HP 17 -\fBpam_faildelay.so\fR [debug] [delay=\fImicroseconds\fR] -.SH "DESCRIPTION" -.PP -pam_faildelay is a PAM module that can be used to set the delay on failure per\-application. -.PP -If no -\fBdelay\fR -is given, pam_faildelay will use the value of FAIL_DELAY from -\fI/etc/login.defs\fR. -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Turns on debugging messages sent to syslog. -.TP 3n -\fBdelay=\fR\fB\fIN\fR\fR -Set the delay on failure to N microseconds. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported. -.SH "RETURN VALUES" -.TP 3n -PAM_IGNORE -Delay was successful adjusted. -.TP 3n -PAM_SYSTEM_ERR -The specified delay was not valid. -.SH "EXAMPLES" -.PP -The following example will set the delay on failure to 10 seconds: -.sp -.RS 3n -.nf -auth optional pam_faildelay.so delay=10000000 - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam_fail_delay\fR(3), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_faildelay was written by Darren Tucker . diff --git a/modules/pam_filter/.cvsignore b/modules/pam_filter/.cvsignore index 621f79ca..dc6908c2 100644 --- a/modules/pam_filter/.cvsignore +++ b/modules/pam_filter/.cvsignore @@ -5,3 +5,5 @@ Makefile Makefile.in security +README +pam_filter.8 diff --git a/modules/pam_filter/README b/modules/pam_filter/README deleted file mode 100644 index 4d4e2194..00000000 --- a/modules/pam_filter/README +++ /dev/null 
@@ -1,78 +0,0 @@ -pam_filter — PAM filter module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This module is intended to be a platform for providing access to all of the -input/output that passes between the user and the application. It is only -suitable for tty-based and (stdin/stdout) applications. - -To function this module requires filters to be installed on the system. The -single filter provided with the module simply transposes upper and lower case -letters in the input and output streams. (This can be very annoying and is not -kind to termcap based editors). - -Each component of the module has the potential to invoke the desired filter. -The filter is always execv(2) with the privilege of the calling application and -not that of the user. For this reason it cannot usually be killed by the user -without closing their session. - -OPTIONS - -debug - - Print debug information. - -new_term - - The default action of the filter is to set the PAM_TTY item to indicate the - terminal that the user is using to connect to the application. This - argument indicates that the filter should set PAM_TTY to the filtered - pseudo-terminal. - -non_term - - don't try to set the PAM_TTY item. - -runX - - In order that the module can invoke a filter it should know when to invoke - it. This argument is required to tell the filter when to do this. - - Permitted values for X are 1 and 2. These indicate the precise time that - the filter is to be run. To understand this concept it will be useful to - have read the pam(3) manual page. Basically, for each management group - there are up to two ways of calling the module's functions. In the case of - the authentication and session components there are actually two separate - functions. 
For the case of authentication, these functions are - pam_authenticate(3) and pam_setcred(3), here run1 means run the filter from - the pam_authenticate function and run2 means run the filter from - pam_setcred. In the case of the session modules, run1 implies that the - filter is invoked at the pam_open_session(3) stage, and run2 for - pam_close_session(3). - - For the case of the account component. Either run1 or run2 may be used. - - For the case of the password component, run1 is used to indicate that the - filter is run on the first occasion of pam_chauthtok(3) (the - PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run - on the second occasion (the PAM_UPDATE_AUTHTOK phase). - -filter - - The full pathname of the filter to be run and any command line arguments - that the filter might expect. - -EXAMPLES - -Add the following line to /etc/pam.d/login to see how to configure login to -transpose upper and lower case letters once the user has logged in: - - session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER - - -AUTHOR - -pam_filter was written by Andrew G. Morgan . - diff --git a/modules/pam_filter/pam_filter.8 b/modules/pam_filter/pam_filter.8 deleted file mode 100644 index 7def7fe9..00000000 --- a/modules/pam_filter/pam_filter.8 +++ /dev/null 
@@ -1,140 +0,0 @@ -.\" Title: pam_filter -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_FILTER" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_filter \- PAM filter module -.SH "SYNOPSIS" -.HP 14 -\fBpam_filter.so\fR [debug] [new_term] [non_term] run1|run2 \fIfilter\fR [\fI...\fR] -.SH "DESCRIPTION" -.PP -This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application. It is only suitable for tty\-based and (stdin/stdout) applications. -.PP -To function this module requires -\fIfilters\fR -to be installed on the system. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams. (This can be very annoying and is not kind to termcap based editors). -.PP -Each component of the module has the potential to invoke the desired filter. The filter is always -\fBexecv\fR(2) -with the privilege of the calling application and -\fInot\fR -that of the user. For this reason it cannot usually be killed by the user without closing their session. -.SH "OPTIONS" -.PP -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBnew_term\fR -The default action of the filter is to set the -\fIPAM_TTY\fR -item to indicate the terminal that the user is using to connect to the application. This argument indicates that the filter should set -\fIPAM_TTY\fR -to the filtered pseudo\-terminal. -.TP 3n -\fBnon_term\fR -don't try to set the -\fIPAM_TTY\fR -item. -.TP 3n -\fBrunX\fR -In order that the module can invoke a filter it should know when to invoke it. This argument is required to tell the filter when to do this. -.sp -Permitted values for -\fIX\fR -are -\fI1\fR -and -\fI2\fR. 
These indicate the precise time that the filter is to be run. To understand this concept it will be useful to have read the -\fBpam\fR(3) -manual page. Basically, for each management group there are up to two ways of calling the module's functions. In the case of the -\fIauthentication\fR -and -\fIsession\fR -components there are actually two separate functions. For the case of authentication, these functions are -\fBpam_authenticate\fR(3) -and -\fBpam_setcred\fR(3), here -\fBrun1\fR -means run the filter from the -\fBpam_authenticate\fR -function and -\fBrun2\fR -means run the filter from -\fBpam_setcred\fR. In the case of the session modules, -\fIrun1\fR -implies that the filter is invoked at the -\fBpam_open_session\fR(3) -stage, and -\fIrun2\fR -for -\fBpam_close_session\fR(3). -.sp -For the case of the account component. Either -\fIrun1\fR -or -\fIrun2\fR -may be used. -.sp -For the case of the password component, -\fIrun1\fR -is used to indicate that the filter is run on the first occasion of -\fBpam_chauthtok\fR(3) -(the -\fIPAM_PRELIM_CHECK\fR -phase) and -\fIrun2\fR -is used to indicate that the filter is run on the second occasion (the -\fIPAM_UPDATE_AUTHTOK\fR -phase). -.TP 3n -\fBfilter\fR -The full pathname of the filter to be run and any command line arguments that the filter might expect. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SUCCESS -The new filter was set successfull. -.TP 3n -PAM_ABORT -Critical error, immediate abort. 
-.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/login\fR -to see how to configure login to transpose upper and lower case letters once the user has logged in: -.sp -.RS 3n -.nf - session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_filter was written by Andrew G. Morgan . diff --git a/modules/pam_ftp/.cvsignore b/modules/pam_ftp/.cvsignore index 9fb98574..02e0ab6b 100644 --- a/modules/pam_ftp/.cvsignore +++ b/modules/pam_ftp/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_ftp.8 diff --git a/modules/pam_ftp/README b/modules/pam_ftp/README deleted file mode 100644 index 15f4130e..00000000 --- a/modules/pam_ftp/README +++ /dev/null 
@@ -1,52 +0,0 @@ -pam_ftp — PAM module for anonymous access module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of -access. - -This module intercepts the user's name and password. If the name is ftp or -anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER -and a PAM_RHOST part; these pam-items being set accordingly. The username ( -PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the -module sets the PAM_AUTHTOK item with the entered password and fails. - -This module is not safe and easily spoofable. - -OPTIONS - -debug - - Print debug information. - -ignore - - Pay no attention to the email address of the user (if supplied). - -ftp=XXX,YYY,... - - Instead of ftp or anonymous, provide anonymous login to the comma separated - list of users: XXX,YYY,.... Should the applicant enter one of these - usernames the returned username is set to the first in the list: XXX. - -EXAMPLES - -Add the following line to /etc/pam.d/ftpd to handle ftp style anonymous login: - -# -# ftpd; add ftp-specifics. These lines enable anonymous ftp over -# standard UN*X access (the listfile entry blocks access to -# users listed in /etc/ftpusers) -# -auth sufficient pam_ftp.so -auth required pam_unix.so use_first_pass -auth required pam_listfile.so \ - onerr=succeed item=user sense=deny file=/etc/ftpusers - - -AUTHOR - -pam_ftp was written by Andrew G. Morgan . - diff --git a/modules/pam_ftp/pam_ftp.8 b/modules/pam_ftp/pam_ftp.8 deleted file mode 100644 index 0c730267..00000000 --- a/modules/pam_ftp/pam_ftp.8 +++ /dev/null 
@@ -1,95 +0,0 @@ -.\" Title: pam_ftp -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_FTP" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_ftp \- PAM module for anonymous access module -.SH "SYNOPSIS" -.HP 11 -\fBpam_ftp.so\fR [debug] [ignore] [users=\fIXXX,YYY,\fR...] -.SH "DESCRIPTION" -.PP -pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of access. -.PP -This module intercepts the user's name and password. If the name is -\fIftp\fR -or -\fIanonymous\fR, the user's password is broken up at the -\fI@\fR -delimiter into a -\fIPAM_RUSER\fR -and a -\fIPAM_RHOST\fR -part; these pam\-items being set accordingly. The username (\fIPAM_USER\fR) is set to -\fIftp\fR. In this case the module succeeds. Alternatively, the module sets the -\fIPAM_AUTHTOK\fR -item with the entered password and fails. -.PP -This module is not safe and easily spoofable. -.SH "OPTIONS" -.PP -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBignore\fR -Pay no attention to the email address of the user (if supplied). -.TP 3n -\fBftp=\fR\fB\fIXXX,YYY,...\fR\fR -Instead of -\fIftp\fR -or -\fIanonymous\fR, provide anonymous login to the comma separated list of users: -\fB\fIXXX,YYY,...\fR\fR. Should the applicant enter one of these usernames the returned username is set to the first in the list: -\fIXXX\fR. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SUCCESS -The authentication was successfull. -.TP 3n -PAM_USER_UNKNOWN -User not known. -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/ftpd\fR -to handle ftp style anonymous login: -.sp -.RS 3n -.nf -# -# ftpd; add ftp\-specifics. 
These lines enable anonymous ftp over -# standard UN*X access (the listfile entry blocks access to -# users listed in /etc/ftpusers) -# -auth sufficient pam_ftp.so -auth required pam_unix.so use_first_pass -auth required pam_listfile.so \\ - onerr=succeed item=user sense=deny file=/etc/ftpusers - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_ftp was written by Andrew G. Morgan . diff --git a/modules/pam_group/.cvsignore b/modules/pam_group/.cvsignore index 9fb98574..49b88179 100644 --- a/modules/pam_group/.cvsignore +++ b/modules/pam_group/.cvsignore @@ -4,3 +4,6 @@ .libs Makefile Makefile.in +README +group.conf.5 +pam_group.8 diff --git a/modules/pam_group/README b/modules/pam_group/README deleted file mode 100644 index 2e1e37a5..00000000 --- a/modules/pam_group/README +++ /dev/null 
@@ -1,45 +0,0 @@ -pam_group — PAM module for group access - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_group PAM module does not authenticate the user, but instead it grants -group memberships (in the credential setting phase of the authentication -module) to the user. Such memberships are based on the service they are -applying for. - -By default rules for group memberships are taken from config file /etc/security -/group.conf. - -This module's usefulness relies on the file-systems accessible to the user. The -point being that once granted the membership of a group, the user may attempt -to create a setgid binary with a restricted group ownership. Later, when the -user is not given membership to this group, they can recover group membership -with the precompiled binary. The reason that the file-systems that the user has -access to are so significant, is the fact that when a system is mounted nosuid -the user is unable to create or execute such a binary file. For this module to -provide any level of security, all file-systems that the user has write access -to should be mounted nosuid. - -The pam_group module fuctions in parallel with the /etc/group file. If the user -is granted any groups based on the behavior of this module, they are granted in -addition to those entries /etc/group (or equivalent). - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -group.conf. - -Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the -floppy (through membership of the floppy group) - -xsh;tty*&!ttyp*;us;Al0000-2400;floppy - -Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to -games (through membership of the floppy group) after work hours. - -xsh; tty* ;sword;!Wk0900-1800;games, sound -xsh; tty* ;*;Al0900-1800;floppy - - 
diff --git a/modules/pam_group/group.conf.5 b/modules/pam_group/group.conf.5
deleted file mode 100644
index 0e36ebf4..00000000
--- a/modules/pam_group/group.conf.5
+++ /dev/null
@@ -1,83 +0,0 @@ -.\" Title: group.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "GROUP.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -group.conf \- configuration file for the pam_group module -.SH "DESCRIPTION" -.PP -The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. -.PP -For this module to function correctly there must be a correctly formatted -\fI/etc/security/group.conf\fR -file present. White spaces are ignored and lines maybe extended with '\\' (escaped newlines). Text following a '#' is ignored to the end of the line. -.PP -The syntax of the lines is as follows: -.PP - -\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR;\fIgroups\fR -.PP -The first field, the -\fIservices\fR -field, is a logic list of PAM service names that the rule applies to. -.PP -The second field, the -\fItty\fR -field, is a logic list of terminal names that this rule applies to. -.PP -The third field, the -\fIusers\fR -field, is a logic list of users or a netgroup of users to whom this rule applies. -.PP -For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed. -.PP -The -\fItimes\fR -field is used to indicate "when" these groups are to be given to the user. The format here is a logic list of day/time\-range entries. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday. 
The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively. As a final example, AlFr means all days except Friday. -.PP -Each day/time\-range can be prefixed with a '!' to indicate "anything but". The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day). -.PP -The -\fIgroups\fR -field is a comma or space separated list of groups that the user inherits membership of. These groups are added if the previous fields are satisfied by the user's request. -.PP -For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process. -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/group.conf\fR. -.PP -Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the floppy (through membership of the floppy group) -.sp -.RS 3n -.nf -xsh;tty*&!ttyp*;us;Al0000\-2400;floppy -.fi -.RE -.PP -Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to games (through membership of the floppy group) after work hours. -.sp -.RS 3n -.nf -xsh; tty* ;sword;!Wk0900\-1800;games, sound -xsh; tty* ;*;Al0900\-1800;floppy - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam_group\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_group was written by Andrew G. Morgan . diff --git a/modules/pam_group/pam_group.8 b/modules/pam_group/pam_group.8 deleted file mode 100644 index 249d5683..00000000 --- a/modules/pam_group/pam_group.8 +++ /dev/null 
@@ -1,94 +0,0 @@ -.\" Title: pam_group -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_GROUP" "8" "11/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_group - PAM module for group access -.SH "SYNOPSIS" -.HP 13 -\fBpam_group\.so\fR -.SH "DESCRIPTION" -.PP -The pam_group PAM module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user\. Such memberships are based on the service they are applying for\. -.PP -By default rules for group memberships are taken from config file -\fI/etc/security/group\.conf\fR\. -.PP -This module\'s usefulness relies on the file\-systems accessible to the user\. The point being that once granted the membership of a group, the user may attempt to create a -\fBsetgid\fR -binary with a restricted group ownership\. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary\. The reason that the file\-systems that the user has access to are so significant, is the fact that when a system is mounted -\fInosuid\fR -the user is unable to create or execute such a binary file\. For this module to provide any level of security, all file\-systems that the user has write access to should be mounted -\fInosuid\fR\. -.PP -The pam_group module fuctions in parallel with the -\fI/etc/group\fR -file\. If the user is granted any groups based on the behavior of this module, they are granted -\fIin addition\fR -to those entries -\fI/etc/group\fR -(or equivalent)\. -.SH "OPTIONS" -.PP -This module does not recognise any options\. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported\. -.SH "RETURN VALUES" -.PP -PAM_SUCCESS -.RS 4 -group membership was granted\. 
-.RE -.PP -PAM_ABORT -.RS 4 -Not all relevant data could be gotten\. -.RE -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_CRED_ERR -.RS 4 -Group membership was not granted\. -.RE -.PP -PAM_IGNORE -.RS 4 - -\fBpam_sm_authenticate\fR -was called which does nothing\. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -The user is not known to the system\. -.RE -.SH "FILES" -.PP -\fI/etc/security/group\.conf\fR -.RS 4 -Default configuration file -.RE -.SH "SEE ALSO" -.PP - -\fBgroup.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8)\. -.SH "AUTHORS" -.PP -pam_group was written by Andrew G\. Morgan \. diff --git a/modules/pam_issue/.cvsignore b/modules/pam_issue/.cvsignore index 9fb98574..8754cdf0 100644 --- a/modules/pam_issue/.cvsignore +++ b/modules/pam_issue/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_issue.8 diff --git a/modules/pam_issue/README b/modules/pam_issue/README deleted file mode 100644 index e3192beb..00000000 --- a/modules/pam_issue/README +++ /dev/null 
@@ -1,79 +0,0 @@ -pam_issue — PAM module to add issue file to user prompt - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_issue is a PAM module to prepend an issue file to the username prompt. It -also by default parses escape codes in the issue file similar to some common -getty's (using \x format). - -Recognized escapes: - -\d - - current day - -\l - - name of this tty - -\m - - machine architecture (uname -m) - -\n - - machine's network node hostname (uname -n) - -\o - - domain name of this system - -\r - - release number of operating system (uname -r) - -\t - - current time - -\s - - operating system name (uname -s) - -\u - - number of users currently logged in - -\U - - same as \u except it is suffixed with "user" or "users" (eg. "1 user" or - "10 users") - -\v - - operating system version and build date (uname -v) - -OPTIONS - -noesc - - Turns off escape code parsing. - -issue=issue-file-name - - The file to output if not using the default. - -EXAMPLES - -Add the following line to /etc/pam.d/login to set the user specific issue at -login: - - auth optional pam_issue.so issue=/etc/issue - - -AUTHOR - -pam_issue was written by Ben Collins . - diff --git a/modules/pam_issue/pam_issue.8 b/modules/pam_issue/pam_issue.8 deleted file mode 100644 index 011a5e91..00000000 --- a/modules/pam_issue/pam_issue.8 +++ /dev/null 
@@ -1,104 +0,0 @@ -.\" Title: pam_issue -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/17/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ISSUE" "8" "06/17/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_issue \- PAM module to add issue file to user prompt -.SH "SYNOPSIS" -.HP 13 -\fBpam_issue.so\fR [noesc] [issue=\fIissue\-file\-name\fR] -.SH "DESCRIPTION" -.PP -pam_issue is a PAM module to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file similar to some common getty's (using \\x format). -.PP -Recognized escapes: -.TP 3n -\fB\\d\fR -current day -.TP 3n -\fB\\l\fR -name of this tty -.TP 3n -\fB\\m\fR -machine architecture (uname \-m) -.TP 3n -\fB\\n\fR -machine's network node hostname (uname \-n) -.TP 3n -\fB\\o\fR -domain name of this system -.TP 3n -\fB\\r\fR -release number of operating system (uname \-r) -.TP 3n -\fB\\t\fR -current time -.TP 3n -\fB\\s\fR -operating system name (uname \-s) -.TP 3n -\fB\\u\fR -number of users currently logged in -.TP 3n -\fB\\U\fR -same as \\u except it is suffixed with "user" or "users" (eg. "1 user" or "10 users") -.TP 3n -\fB\\v\fR -operating system version and build date (uname \-v) -.SH "OPTIONS" -.PP -.TP 3n -\fBnoesc\fR -Turns off escape code parsing. -.TP 3n -\fBissue=\fR\fB\fIissue\-file\-name\fR\fR -The file to output if not using the default. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_IGNORE -The prompt was already changed. -.TP 3n -PAM_SERVICE_ERR -A service module error occured. -.TP 3n -PAM_SUCCESS -The new prompt was set successfull. 
-.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/login\fR -to set the user specific issue at login: -.sp -.RS 3n -.nf - auth optional pam_issue.so issue=/etc/issue - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_issue was written by Ben Collins . diff --git a/modules/pam_keyinit/.cvsignore b/modules/pam_keyinit/.cvsignore index 9fb98574..a2072fc9 100644 --- a/modules/pam_keyinit/.cvsignore +++ b/modules/pam_keyinit/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_keyinit.8 diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README deleted file mode 100644 index a27077b3..00000000 --- a/modules/pam_keyinit/README +++ /dev/null @@ -1,24 +0,0 @@ -# $Id$ -*- text -*- -# - -This module makes sure the calling process has its own session keyring rather -than using the default per-user session keyring. - -The following words may be supplied as arguments to the module through the PAM -configuration scripts: - - (*) "force" - - This will cause the process's current session keyring to be replaced with - a new one. If this isn't supplied, a session keyring will only be created - if the process doesn't already have its own. - - (*) "revoke" - - If the module actually created a keyring, this will cause that keyring to - be revoked on session closure. - - (*) "debug" - - This will cause the module to write some debugging information to the - syslog. diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8 deleted file mode 100644 index 40b1e125..00000000 --- a/modules/pam_keyinit/pam_keyinit.8 +++ /dev/null 
@@ -1,133 +0,0 @@ -.\"Generated by db2man.xsl. Don't modify this, modify the source. -.de Sh \" Subsection -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. -.TH "PAM_KEYINIT" 8 "" "" "" -.SH NAME -pam_keyinit \- Kernel session keyring initialiser module -.SH "SYNOPSIS" -.ad l -.hy 0 -.HP 15 -\fBpam_keyinit\&.so\fR [debug] [force] [revoke] -.ad -.hy - -.SH "DESCRIPTION" - -.PP -The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. - -.PP -The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. - -.PP -If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. - -.PP -The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. - -.PP -This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. - -.PP -This module should not, generally, be invoked by programs like \fIsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. - -.PP -This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. - -.PP -The keyutils package is used to manipulate keys more directly\&. 
This included in the Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and can also be obtained from: - -.PP - Keyutils : \fIhttp://people.redhat.com/~dhowells/keyutils/\fR - -.SH "OPTIONS" - -.TP -\fBdebug\fR -Log debug information with \fBsyslog\fR(3)\&. - -.TP -\fBforce\fR -Causes the session keyring of the invoking process to be replaced unconditionally\&. - -.TP -\fBrevoke\fR -Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. - -.SH "MODULE SERVICES PROVIDED" - -.PP -Only the \fIsession\fR service is supported\&. - -.SH "RETURN VALUES" - -.TP -PAM_SUCCESS -This module will usually return this value - -.TP -PAM_AUTH_ERR -Authentication failure\&. - -.TP -PAM_BUF_ERR -Memory buffer error\&. - -.TP -PAM_IGNORE -The return value should be ignored by PAM dispatch\&. - -.TP -PAM_SERVICE_ERR -Cannot determine the user name\&. - -.TP -PAM_SESSION_ERR -This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&. - -.TP -PAM_USER_UNKNOWN -User not known\&. - -.SH "EXAMPLES" - -.PP -Add this line to your login entries to start each login session with its own session keyring: - -.nf - -session required pam_keyinit\&.so - -.fi - - -.PP -This will prevent keys from one session leaking into another session for the same user\&. - -.SH "SEE ALSO" - -.PP - \fBpam\&.conf\fR(5), \fBpam\&.d\fR(8), \fBpam\fR(8) \fBkeyctl\fR(1) - -.SH "AUTHOR" - -.PP -pam_keyinit was written by David Howells, \&. - diff --git a/modules/pam_lastlog/.cvsignore b/modules/pam_lastlog/.cvsignore index 9fb98574..9b0768f7 100644 --- a/modules/pam_lastlog/.cvsignore +++ b/modules/pam_lastlog/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_lastlog.8 diff --git a/modules/pam_lastlog/README b/modules/pam_lastlog/README deleted file mode 100644 index 9f6c5505..00000000 --- a/modules/pam_lastlog/README +++ /dev/null 
@@ -1,57 +0,0 @@ -pam_lastlog — PAM module to display date of last login - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_lastlog is a PAM module to display a line of information about the last -login of the user. In addition, the module maintains the /var/log/lastlog file. - -Some applications may perform this function themselves. In such cases, this -module is not necessary. - -OPTIONS - -debug - - Print debug information. - -silent - - Don't inform the user about any previous login, just upate the /var/log/ - lastlog file. - -never - - If the /var/log/lastlog file does not contain any old entries for the user, - indicate that the user has never previously logged in with a welcome - message. - -nodate - - Don't display the date of the last login. - -noterm - - Don't display the terminal name on which the last login was attempted. - -nohost - - Don't indicate from which host the last login was attempted. - -nowtmp - - Don't update the wtmp entry. - -EXAMPLES - -Add the following line to /etc/pam.d/login to display the last login time of an -user: - - session required pam_lastlog.so nowtmp - - -AUTHOR - -pam_lastlog was written by Andrew G. Morgan . - diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8 deleted file mode 100644 index 81b04470..00000000 --- a/modules/pam_lastlog/pam_lastlog.8 +++ /dev/null 
@@ -1,91 +0,0 @@ -.\" Title: pam_lastlog -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_LASTLOG" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_lastlog \- PAM module to display date of last login -.SH "SYNOPSIS" -.HP 15 -\fBpam_lastlog.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] -.SH "DESCRIPTION" -.PP -pam_lastlog is a PAM module to display a line of information about the last login of the user. In addition, the module maintains the -\fI/var/log/lastlog\fR -file. -.PP -Some applications may perform this function themselves. In such cases, this module is not necessary. -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBsilent\fR -Don't inform the user about any previous login, just upate the -\fI/var/log/lastlog\fR -file. -.TP 3n -\fBnever\fR -If the -\fI/var/log/lastlog\fR -file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message. -.TP 3n -\fBnodate\fR -Don't display the date of the last login. -.TP 3n -\fBnoterm\fR -Don't display the terminal name on which the last login was attempted. -.TP 3n -\fBnohost\fR -Don't indicate from which host the last login was attempted. -.TP 3n -\fBnowtmp\fR -Don't update the wtmp entry. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SUCCESS -Everything was successfull. -.TP 3n -PAM_SERVICE_ERR -Internal service module error. -.TP 3n -PAM_USER_UNKNOWN -User not known. 
-.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/login\fR -to display the last login time of an user: -.sp -.RS 3n -.nf - session required pam_lastlog.so nowtmp - -.fi -.RE -.SH "FILES" -.TP 3n -\fI/var/log/lastlog\fR -Lastlog logging file -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_lastlog was written by Andrew G. Morgan . diff --git a/modules/pam_limits/.cvsignore b/modules/pam_limits/.cvsignore index 9fb98574..b2519a1c 100644 --- a/modules/pam_limits/.cvsignore +++ b/modules/pam_limits/.cvsignore @@ -4,3 +4,6 @@ .libs Makefile Makefile.in +README +limits.conf.5 +pam_limits.8 diff --git a/modules/pam_limits/README b/modules/pam_limits/README deleted file mode 100644 index 3c59052a..00000000 --- a/modules/pam_limits/README +++ /dev/null 
@@ -1,64 +0,0 @@ -pam_limits — PAM module to limit resources - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_limits PAM module sets limits on the system resources that can be -obtained in a user-session. Users of uid=0 are affected by this limits, too. - -By default limits are taken from the /etc/security/limits.conf config file. -Then individual files from the /etc/security/limits.d/ directory are read. The -files are parsed one after another in the order of "C" locale. The effect of -the individual files is the same as if all the files were concatenated together -in the order of parsing. If a config file is explicitely specified with a -module option then the files in the above directory are not parsed. - -The module must not be called by a multithreaded application. - -If Linux PAM is compiled with audit support the module will report when it -denies access based on limit of maximum number of concurrent login sessions. - -OPTIONS - -change_uid - - Change real uid to the user for who the limits are set up. Use this option - if you have problems like login not forking a shell for user who has no - processes. Be warned that something else may break when you do this. - -conf=/path/to/limits.conf - - Indicate an alternative limits.conf style configuration file to override - the default. - -debug - - Print debug information. - -utmp_early - - Some broken applications actually allocate a utmp entry for the user before - the user is admitted to the system. If some of the services you are - configuring PAM for do this, you can selectively use this module argument - to compensate for this behavior and at the same time maintain system-wide - consistency with a single limits.conf file. - -noaudit - - Do not report exceeded maximum logins count to the audit subsystem. - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -limits.conf. 
- -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 - - diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 deleted file mode 100644 index 7c5a3d5e..00000000 --- a/modules/pam_limits/limits.conf.5 +++ /dev/null 
@@ -1,219 +0,0 @@ -.\" Title: limits.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "LIMITS\.CONF" "5" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -limits.conf - configuration file for the pam_limits module -.SH "DESCRIPTION" -.PP -The syntax of the lines is as follows: -.PP - -\fI\fR -\fI\fR -\fI\fR -\fI\fR -.PP -The fields listed above should be filled as follows: -.PP -\fB\fR -.RS 4 -.sp -.RS 4 -\h'-04'\(bu\h'+03'a username -.RE -.sp -.RS 4 -\h'-04'\(bu\h'+03'a groupname, with -\fB@group\fR -syntax\. This should not be confused with netgroups\. -.RE -.sp -.RS 4 -\h'-04'\(bu\h'+03'the wildcard -\fB*\fR, for default entry\. -.RE -.sp -.RS 4 -\h'-04'\(bu\h'+03'the wildcard -\fB%\fR, for maxlogins limit only, can also be used with -\fI%group\fR -syntax\. -.RE -.RE -.PP -\fB\fR -.RS 4 -.PP -\fBhard\fR -.RS 4 -for enforcing -\fBhard\fR -resource limits\. These limits are set by the superuser and enforced by the Kernel\. The user cannot raise his requirement of system resources above such values\. -.RE -.PP -\fBsoft\fR -.RS 4 -for enforcing -\fBsoft\fR -resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-existing -\fBhard\fR -limits\. The values specified with this token can be thought of as -\fIdefault\fR -values, for normal system usage\. -.RE -.PP -\fB\-\fR -.RS 4 -for enforcing both -\fBsoft\fR -and -\fBhard\fR -resource limits together\. -.sp -Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \. 
-.RE -.RE -.PP -\fB\fR -.RS 4 -.PP -\fBcore\fR -.RS 4 -limits the core file size (KB) -.RE -.PP -\fBdata\fR -.RS 4 -maximum data size (KB) -.RE -.PP -\fBfsize\fR -.RS 4 -maximum filesize (KB) -.RE -.PP -\fBmemlock\fR -.RS 4 -maximum locked\-in\-memory address space (KB) -.RE -.PP -\fBnofile\fR -.RS 4 -maximum number of open files -.RE -.PP -\fBrss\fR -.RS 4 -maximum resident set size (KB) -.RE -.PP -\fBstack\fR -.RS 4 -maximum stack size (KB) -.RE -.PP -\fBcpu\fR -.RS 4 -maximum CPU time (minutes) -.RE -.PP -\fBnproc\fR -.RS 4 -maximum number of processes -.RE -.PP -\fBas\fR -.RS 4 -address space limit (KB) -.RE -.PP -\fBmaxlogins\fR -.RS 4 -maximum number of logins for this user except for this with -\fIuid=0\fR -.RE -.PP -\fBmaxsyslogins\fR -.RS 4 -maximum number of logins on system -.RE -.PP -\fBpriority\fR -.RS 4 -the priority to run user process with (negative values boost process priority) -.RE -.PP -\fBlocks\fR -.RS 4 -maximum locked files (Linux 2\.4 and higher) -.RE -.PP -\fBsigpending\fR -.RS 4 -maximum number of pending signals (Linux 2\.6 and higher) -.RE -.PP -\fBmsqqueue\fR -.RS 4 -maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher) -.RE -.PP -\fBnice\fR -.RS 4 -maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher) -.RE -.PP -\fBrtprio\fR -.RS 4 -maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher) -.RE -.RE -.PP -In general, individual limits have priority over group limits, so if you impose no limits for -\fIadmin\fR -group, but one of the members in this group have a limits line, the user will have its limits set according to this line\. -.PP -Also, please note that all limit settings are set -\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\. -.PP -In the -\fIlimits\fR -configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\. 
-.PP -The pam_limits module does its best to report configuration problems found in its configuration file via -\fBsyslog\fR(3)\. -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/limits\.conf\fR\. -.sp -.RS 4 -.nf -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student \- maxlogins 4 - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam_limits\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_limits was initially written by Cristian Gafton diff --git a/modules/pam_limits/pam_limits.8 b/modules/pam_limits/pam_limits.8 deleted file mode 100644 index fa183d3a..00000000 --- a/modules/pam_limits/pam_limits.8 +++ /dev/null 
@@ -1,132 +0,0 @@ -.\" Title: pam_limits -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.2 -.\" Date: 12/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_LIMITS" "8" "12/06/2007" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_limits - PAM module to limit resources -.SH "SYNOPSIS" -.HP 14 -\fBpam_limits\.so\fR [change_uid] [conf=\fI/path/to/limits\.conf\fR] [debug] [utmp_early] [noaudit] -.SH "DESCRIPTION" -.PP -The pam_limits PAM module sets limits on the system resources that can be obtained in a user\-session\. Users of -\fIuid=0\fR -are affected by this limits, too\. -.PP -By default limits are taken from the -\fI/etc/security/limits\.conf\fR -config file\. Then individual files from the -\fI/etc/security/limits\.d/\fR -directory are read\. The files are parsed one after another in the order of "C" locale\. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing\. If a config file is explicitely specified with a module option then the files in the above directory are not parsed\. -.PP -The module must not be called by a multithreaded application\. -.PP -If Linux PAM is compiled with audit support the module will report when it denies access based on limit of maximum number of concurrent login sessions\. -.SH "OPTIONS" -.PP -\fBchange_uid\fR -.RS 4 -Change real uid to the user for who the limits are set up\. Use this option if you have problems like login not forking a shell for user who has no processes\. Be warned that something else may break when you do this\. -.RE -.PP -\fBconf=\fR\fB\fI/path/to/limits\.conf\fR\fR -.RS 4 -Indicate an alternative limits\.conf style configuration file to override the default\. -.RE -.PP -\fBdebug\fR -.RS 4 -Print debug information\. 
-.RE -.PP -\fButmp_early\fR -.RS 4 -Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system\. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits\.conf file\. -.RE -.PP -\fBnoaudit\fR -.RS 4 -Do not report exceeded maximum logins count to the audit subsystem\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported\. -.SH "RETURN VALUES" -.PP -PAM_ABORT -.RS 4 -Cannot get current limits\. -.RE -.PP -PAM_IGNORE -.RS 4 -No limits found for this user\. -.RE -.PP -PAM_PERM_DENIED -.RS 4 -New limits could not be set\. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -Cannot read config file\. -.RE -.PP -PAM_SESSEION_ERR -.RS 4 -Error recovering account name\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Limits were changed\. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -The user is not known to the system\. -.RE -.SH "FILES" -.PP -\fI/etc/security/limits\.conf\fR -.RS 4 -Default configuration file -.RE -.SH "EXAMPLES" -.PP -For the services you need resources limits (login for example) put a the following line in -\fI/etc/pam\.d/login\fR -as the last line for that service (usually after the pam_unix session line): -.sp -.RS 4 -.nf -#%PAM\-1\.0 -# -# Resource limits imposed on login sessions via pam_limits -# -session required pam_limits\.so - -.fi -.RE -.PP -Replace "login" for each service you are using this module\. -.SH "SEE ALSO" -.PP - -\fBlimits.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8)\. -.SH "AUTHORS" -.PP -pam_limits was initially written by Cristian Gafton diff --git a/modules/pam_listfile/.cvsignore b/modules/pam_listfile/.cvsignore index 9fb98574..f54f6f27 100644 --- a/modules/pam_listfile/.cvsignore +++ b/modules/pam_listfile/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_listfile.8 
diff --git a/modules/pam_listfile/README b/modules/pam_listfile/README
deleted file mode 100644
index 7fe7051b..00000000
--- a/modules/pam_listfile/README
+++ /dev/null
@@ -1,101 +0,0 @@ -pam_listfile — deny or allow services based on an arbitrary file - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_listfile is a PAM module which provides a way to deny or allow services -based on an arbitrary file. - -The module gets the item of the type specified -- user specifies the username, -PAM_USER; tty specifies the name of the terminal over which the request has -been made, PAM_TTY; rhost specifies the name of the remote host (if any) from -which the request was made, PAM_RHOST; and ruser specifies the name of the -remote user (if available) who made the request, PAM_RUSER -- and looks for an -instance of that item in the file=filename. filename contains one line per item -listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, -causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR -is returned, causing the authorization request to fail. - -If an error is encountered (for instance, if filename does not exist, or a -poorly-constructed argument is encountered), then if onerr=succeed, PAM_SUCCESS -is returned, otherwise if onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as -appropriate) will be returned. - -An additional argument, apply=, can be used to restrict the application of the -above to a specific user (apply=username) or a given group (apply=@groupname). -This added restriction is only meaningful when used with the tty, rhost and -shell items. - -Besides this last one, all arguments should be specified; do not count on any -default behavior. - -No credentials are awarded by this module. - -OPTIONS - -item=[tty|user|rhost|ruser|group|shell] - - What is listed in the file and should be checked for. - -sense=[allow|deny] - - Action to take if found in file, if the item is NOT found in the file, then - the opposite action is requested. - -file=/path/filename - - File containing one item per line. 
The file needs to be a plain file and - not world writeable. - -onerr=[succeed|fail] - - What to do if something weird happens like being unable to open the file. - -apply=[user|@group] - - Restrict the user class for which the restriction apply. Note that with - item=[user|ruser|group] this does not make sense, but for item=[tty|rhost| - shell] it have a meaning. - -quiet - - Do not treat service refusals or missing list files as errors that need to - be logged. - -EXAMPLES - -Classic 'ftpusers' authentication can be implemented with this entry in /etc/ -pam.d/ftpd: - -# -# deny ftp-access to users listed in the /etc/ftpusers file -# -auth required pam_listfile.so \ - onerr=succeed item=user sense=deny file=/etc/ftpusers - - -Note, users listed in /etc/ftpusers file are (counterintuitively) not allowed -access to the ftp service. - -To allow login access only for certain users, you can use a /etc/pam.d/login -entry like this: - -# -# permit login to users listed in /etc/loginusers -# -auth required pam_listfile.so \ - onerr=fail item=user sense=allow file=/etc/loginusers - - -For this example to work, all users who are allowed to use the login service -should be listed in the file /etc/loginusers. Unless you are explicitly trying -to lock out root, make sure that when you do this, you leave a way for root to -log in, either by listing root in /etc/loginusers, or by listing a user who is -able to su to the root account. - -AUTHOR - -pam_listfile was written by Michael K. Johnson and Elliot -Lee . - diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8 deleted file mode 100644 index f7425653..00000000 --- a/modules/pam_listfile/pam_listfile.8 +++ /dev/null 
@@ -1,189 +0,0 @@ -.\" Title: pam_listfile -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_LISTFILE" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_listfile - deny or allow services based on an arbitrary file -.SH "SYNOPSIS" -.HP 16 -\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet] -.SH "DESCRIPTION" -.PP -pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\. -.PP -The module gets the -\fBitem\fR -of the type specified \-\- -\fIuser\fR -specifies the username, -\fIPAM_USER\fR; tty specifies the name of the terminal over which the request has been made, -\fIPAM_TTY\fR; rhost specifies the name of the remote host (if any) from which the request was made, -\fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request, -\fIPAM_RUSER\fR -\-\- and looks for an instance of that item in the -\fBfile=\fR\fB\fIfilename\fR\fR\. -\fIfilename\fR -contains one line per item listed\. If the item is found, then if -\fBsense=\fR\fB\fIallow\fR\fR, -\fIPAM_SUCCESS\fR -is returned, causing the authorization request to succeed; else if -\fBsense=\fR\fB\fIdeny\fR\fR, -\fIPAM_AUTH_ERR\fR -is returned, causing the authorization request to fail\. -.PP -If an error is encountered (for instance, if -\fIfilename\fR -does not exist, or a poorly\-constructed argument is encountered), then if -\fIonerr=succeed\fR, -\fIPAM_SUCCESS\fR -is returned, otherwise if -\fIonerr=fail\fR, -\fIPAM_AUTH_ERR\fR -or -\fIPAM_SERVICE_ERR\fR -(as appropriate) will be returned\. 
-.PP -An additional argument, -\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the -\fItty\fR, -\fIrhost\fR -and -\fIshell\fR -items\. -.PP -Besides this last one, all arguments should be specified; do not count on any default behavior\. -.PP -No credentials are awarded by this module\. -.SH "OPTIONS" -.PP -.PP -\fBitem=[tty|user|rhost|ruser|group|shell]\fR -.RS 4 -What is listed in the file and should be checked for\. -.RE -.PP -\fBsense=[allow|deny]\fR -.RS 4 -Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\. -.RE -.PP -\fBfile=\fR\fB\fI/path/filename\fR\fR -.RS 4 -File containing one item per line\. The file needs to be a plain file and not world writeable\. -.RE -.PP -\fBonerr=[succeed|fail]\fR -.RS 4 -What to do if something weird happens like being unable to open the file\. -.RE -.PP -\fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR -.RS 4 -Restrict the user class for which the restriction apply\. Note that with -\fBitem=[user|ruser|group]\fR -this does not make sense, but for -\fBitem=[tty|rhost|shell]\fR -it have a meaning\. -.RE -.PP -\fBquiet\fR -.RS 4 -Do not treat service refusals or missing list files as errors that need to be logged\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported\. -.SH "RETURN VALUES" -.PP -.PP -PAM_AUTH_ERR -.RS 4 -Authentication failure\. -.RE -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_IGNORE -.RS 4 -The rule does not apply to the -\fBapply\fR -option\. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -Error in service module\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Success\. 
-.RE -.SH "EXAMPLES" -.PP -Classic \'ftpusers\' authentication can be implemented with this entry in -\fI/etc/pam\.d/ftpd\fR: -.sp -.RS 4 -.nf -# -# deny ftp\-access to users listed in the /etc/ftpusers file -# -auth required pam_listfile\.so \e - onerr=succeed item=user sense=deny file=/etc/ftpusers - -.fi -.RE -.sp -Note, users listed in -\fI/etc/ftpusers\fR -file are (counterintuitively) -\fInot\fR -allowed access to the ftp service\. -.PP -To allow login access only for certain users, you can use a -\fI/etc/pam\.d/login\fR -entry like this: -.sp -.RS 4 -.nf -# -# permit login to users listed in /etc/loginusers -# -auth required pam_listfile\.so \e - onerr=fail item=user sense=allow file=/etc/loginusers - -.fi -.RE -.sp -For this example to work, all users who are allowed to use the login service should be listed in the file -\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in -\fI/etc/loginusers\fR, or by listing a user who is able to -\fIsu\fR -to the root account\. -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_listfile was written by Michael K\. Johnson and Elliot Lee \. diff --git a/modules/pam_localuser/.cvsignore b/modules/pam_localuser/.cvsignore index 621104aa..ae7dab97 100644 --- a/modules/pam_localuser/.cvsignore +++ b/modules/pam_localuser/.cvsignore @@ -6,3 +6,5 @@ .libs Makefile Makefile.in +README +pam_localuser.8 diff --git a/modules/pam_localuser/README b/modules/pam_localuser/README deleted file mode 100644 index 50663ead..00000000 --- a/modules/pam_localuser/README +++ /dev/null 
@@ -1,38 +0,0 @@ -pam_localuser — require users to be listed in /etc/passwd - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_localuser is a PAM module to help implementing site-wide login policies, -where they typically include a subset of the network's users and a few accounts -that are local to a particular workstation. Using pam_localuser and pam_wheel -or pam_listfile is an effective way to restrict access to either local users -and/or a subset of the network's users. - -This could also be implemented using pam_listfile.so and a very short awk -script invoked by cron, but it's common enough to have been separated out. - -OPTIONS - -debug - - Print debug information. - -file=/path/passwd - - Use a file other than /etc/passwd. - -EXAMPLES - -Add the following line to /etc/pam.d/su to allow only local users in group -wheel to use su. - -account sufficient pam_localuser.so -account required pam_wheel.so - - -AUTHOR - -pam_localuser was written by Nalin Dahyabhai . - diff --git a/modules/pam_localuser/pam_localuser.8 b/modules/pam_localuser/pam_localuser.8 deleted file mode 100644 index e88f0b57..00000000 --- a/modules/pam_localuser/pam_localuser.8 +++ /dev/null 
@@ -1,88 +0,0 @@ -.\" Title: pam_localuser -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.0 -.\" Date: 12/13/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_LOCALUSER" "8" "12/13/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_localuser \- require users to be listed in /etc/passwd -.SH "SYNOPSIS" -.HP 17 -\fBpam_localuser.so\fR [debug] [file=\fI/path/passwd\fR] -.SH "DESCRIPTION" -.PP -pam_localuser is a PAM module to help implementing site\-wide login policies, where they typically include a subset of the network's users and a few accounts that are local to a particular workstation. Using pam_localuser and pam_wheel or pam_listfile is an effective way to restrict access to either local users and/or a subset of the network's users. -.PP -This could also be implemented using pam_listfile.so and a very short awk script invoked by cron, but it's common enough to have been separated out. -.SH "OPTIONS" -.PP -.PP -\fBdebug\fR -.RS 3n -Print debug information. -.RE -.PP -\fBfile=\fR\fB\fI/path/passwd\fR\fR -.RS 3n -Use a file other than -\fI/etc/passwd\fR. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -All services (\fBaccount\fR, -\fBauth\fR, -\fBpassword\fR -and -\fBsession\fR) are supported. -.SH "RETURN VALUES" -.PP -.PP -PAM_SUCCESS -.RS 3n -The new localuser was set successfull. -.RE -.PP -PAM_SERVICE_ERR -.RS 3n -No username was given. -.RE -.PP -PAM_USER_UNKNOWN -.RS 3n -User not known. -.RE -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/su\fR -to allow only local users in group wheel to use su. -.sp -.RS 3n -.nf -account sufficient pam_localuser.so -account required pam_wheel.so - -.fi -.RE -.sp -.SH "FILES" -.PP -\fI/etc/passwd\fR -.RS 3n -Local user account information. 
-.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_localuser was written by Nalin Dahyabhai . diff --git a/modules/pam_loginuid/.cvsignore b/modules/pam_loginuid/.cvsignore index 2a3d8d21..cb4cb6de 100644 --- a/modules/pam_loginuid/.cvsignore +++ b/modules/pam_loginuid/.cvsignore @@ -5,3 +5,5 @@ Makefile Makefile.in pam_loginuid +README +pam_loginuid.8 diff --git a/modules/pam_loginuid/README b/modules/pam_loginuid/README deleted file mode 100644 index f07cffeb..00000000 --- a/modules/pam_loginuid/README +++ /dev/null @@ -1,29 +0,0 @@ -pam_loginuid — Record user's login uid to the process attribute - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_loginuid module sets the loginuid process attribute for the process -that was authenticated. This is necessary for applications to be correctly -audited. This PAM module should only be used for entry point applications like: -login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point -applications besides these. You should not use it for applications like sudo or -su as that defeats the purpose by changing the loginuid to the account they -just switched to. - -EXAMPLES - -#%PAM-1.0 -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_unix.so -session required pam_loginuid.so - - -AUTHOR - -pam_loginuid was written by Steve Grubb - diff --git a/modules/pam_loginuid/pam_loginuid.8 b/modules/pam_loginuid/pam_loginuid.8 deleted file mode 100644 index ef0f95f1..00000000 --- a/modules/pam_loginuid/pam_loginuid.8 +++ /dev/null 
@@ -1,59 +0,0 @@ -.\" Title: pam_loginuid -.\" Author: -.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 -.\" Date: 09/06/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_LOGINUID" "8" "09/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_loginuid \- Record user's login uid to the process attribute -.SH "SYNOPSIS" -.HP 16 -\fBpam_loginuid.so\fR [require_auditd] -.SH "DESCRIPTION" -.PP -The pam_loginuid module sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to be correctly audited. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to. -.SH "OPTIONS" -.TP 3n -\fBrequire_auditd\fR -This option, when given, will cause this module to query the audit daemon status and deny logins if it is not running. -.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SESSION_ERR -An error occured during session management. -.SH "EXAMPLES" -.sp -.RS 3n -.nf -#%PAM\-1.0 -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_unix.so -session required pam_loginuid.so - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8), -\fBauditctl\fR(8), -\fBauditd\fR(8) -.SH "AUTHOR" -.PP -pam_loginuid was written by Steve Grubb diff --git a/modules/pam_mail/.cvsignore b/modules/pam_mail/.cvsignore index 9fb98574..e34886b5 100644 --- a/modules/pam_mail/.cvsignore +++ b/modules/pam_mail/.cvsignore 
@@ -4,3 +4,5 @@
 .libs
 Makefile
 Makefile.in
+README
+pam_mail.8
diff --git a/modules/pam_mail/README b/modules/pam_mail/README
deleted file mode 100644
index a0a0b7d9..00000000
--- a/modules/pam_mail/README
+++ /dev/null
@@ -1,71 +0,0 @@ -pam_mail — Inform about available mail - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_mail PAM module provides the "you have new mail" service to the user. -It can be plugged into any application that has credential or session hooks. It -gives a single message indicating the newness of any mail it finds in the -user's mail folder. This module also sets the PAM environment variable, MAIL, -to the user's mail directory. - -If the mail spool file (be it /var/mail/$USER or a pathname given with the dir= -parameter) is a directory then pam_mail assumes it is in the Maildir format. - -OPTIONS - -close - - Indicate if the user has any mail also on logout. - -debug - - Print debug information. - -dir=maildir - - Look for the users' mail in an alternative location defined by maildir/ - . The default location for mail is /var/mail/. Note, if the - supplied maildir is prefixed by a '~', the directory is interpreted as - indicating a file in the user's home directory. - -empty - - Also print message if user has no mail. - -hash=count - - Mail directory hash depth. For example, a hashcount of 2 would make the - mail file be /var/spool/mail/u/s/user. - -noenv - - Do not set the MAIL environment variable. - -nopen - - Don't print any mail information on login. This flag is useful to get the - MAIL environment variable set, but to not display any information about it. - -quiet - - Only report when there is new mail. - -standard - - Old style "You have..." format which doesn't show the mail spool being - used. This also implies "empty". - -EXAMPLES - -Add the following line to /etc/pam.d/login to indicate that the user has new -mail when they login to the system. - -session optional pam_mail.so standard - - -AUTHOR - -pam_mail was written by Andrew G. Morgan . - diff --git a/modules/pam_mail/pam_mail.8 b/modules/pam_mail/pam_mail.8 deleted file mode 100644 index 6d8a69a8..00000000 
--- a/modules/pam_mail/pam_mail.8
+++ /dev/null
@@ -1,113 +0,0 @@ -.\" Title: pam_mail -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_MAIL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_mail \- Inform about available mail -.SH "SYNOPSIS" -.HP 12 -\fBpam_mail.so\fR [close] [debug] [dir=\fImaildir\fR] [empty] [hash=\fIcount\fR] [noenv] [nopen] [quit] [standard] -.SH "DESCRIPTION" -.PP -The pam_mail PAM module provides the "you have new mail" service to the user. It can be plugged into any application that has credential or session hooks. It gives a single message indicating the -\fInewness\fR -of any mail it finds in the user's mail folder. This module also sets the PAM environment variable, -\fBMAIL\fR, to the user's mail directory. -.PP -If the mail spool file (be it -\fI/var/mail/$USER\fR -or a pathname given with the -\fBdir=\fR -parameter) is a directory then pam_mail assumes it is in the -\fIMaildir\fR -format. -.SH "OPTIONS" -.PP -.TP 3n -\fBclose\fR -Indicate if the user has any mail also on logout. -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBdir=\fR\fB\fImaildir\fR\fR -Look for the users' mail in an alternative location defined by -\fImaildir/\fR. The default location for mail is -\fI/var/mail/\fR. Note, if the supplied -\fImaildir\fR -is prefixed by a '~', the directory is interpreted as indicating a file in the user's home directory. -.TP 3n -\fBempty\fR -Also print message if user has no mail. -.TP 3n -\fBhash=\fR\fB\fIcount\fR\fR -Mail directory hash depth. For example, a -\fIhashcount\fR -of 2 would make the mail file be -\fI/var/spool/mail/u/s/user\fR. -.TP 3n -\fBnoenv\fR -Do not set the -\fBMAIL\fR -environment variable. -.TP 3n -\fBnopen\fR -Don't print any mail information on login. 
This flag is useful to get the -\fBMAIL\fR -environment variable set, but to not display any information about it. -.TP 3n -\fBquiet\fR -Only report when there is new mail. -.TP 3n -\fBstandard\fR -Old style "You have..." format which doesn't show the mail spool being used. This also implies "empty". -.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBauth\fR -and -\fBaccount\fR -services are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_SERVICE_ERR -Badly formed arguments. -.TP 3n -PAM_SUCCESS -Success. -.TP 3n -PAM_USER_UNKNOWN -User not known. -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/login\fR -to indicate that the user has new mail when they login to the system. -.sp -.RS 3n -.nf -session optional pam_mail.so standard - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_mail was written by Andrew G. Morgan . diff --git a/modules/pam_mkhomedir/.cvsignore b/modules/pam_mkhomedir/.cvsignore index 9fb98574..bd6faa7e 100644 --- a/modules/pam_mkhomedir/.cvsignore +++ b/modules/pam_mkhomedir/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_mkhomedir.8 diff --git a/modules/pam_mkhomedir/README b/modules/pam_mkhomedir/README deleted file mode 100644 index 64810060..00000000 --- a/modules/pam_mkhomedir/README +++ /dev/null 
@@ -1,36 +0,0 @@ -pam_mkhomedir — PAM module to create users home directory - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_mkhomedir PAM module will create a users home directory if it does not -exist when the session begins. This allows users to be present in central -database (such as NIS, kerberos or LDAP) without using a distributed file -system or pre-creating a large number of directories. The skeleton directory -(usually /etc/skel/) is used to copy default files and also set's a umask for -the creation. - -The new users home directory will not be removed after logout of the user. - -EXAMPLES - -A sample /etc/pam.d/login file: - - auth requisite pam_securetty.so - auth sufficient pam_ldap.so - auth required pam_unix.so - auth required pam_nologin.so - account sufficient pam_ldap.so - account required pam_unix.so - password required pam_unix.so - session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 - session required pam_unix.so - session optional pam_lastlog.so - session optional pam_mail.so standard - - -AUTHOR - -pam_mkhomedir was written by Jason Gunthorpe . - diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8 b/modules/pam_mkhomedir/pam_mkhomedir.8 deleted file mode 100644 index 1364e01f..00000000 --- a/modules/pam_mkhomedir/pam_mkhomedir.8 +++ /dev/null 
@@ -1,91 +0,0 @@ -.\" Title: pam_mkhomedir -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/02/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_MKHOMEDIR" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_mkhomedir \- PAM module to create users home directory -.SH "SYNOPSIS" -.HP 17 -\fBpam_mkhomedir.so\fR [silent] [umask=\fImode\fR] [skel=\fIskeldir\fR] -.SH "DESCRIPTION" -.PP -The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre\-creating a large number of directories. The skeleton directory (usually -\fI/etc/skel/\fR) is used to copy default files and also set's a umask for the creation. -.PP -The new users home directory will not be removed after logout of the user. -.SH "OPTIONS" -.TP 3n -\fBsilent\fR -Don't print informative messages. -.TP 3n -\fBumask=\fR\fB\fImask\fR\fR -The user file\-creation mask is set to -\fImask\fR. The default value of mask is 0022. -.TP 3n -\fBskel=\fR\fB\fI/path/to/skel/directory\fR\fR -Indicate an alternative -\fIskel\fR -directory to override the default -\fI/etc/skel\fR. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_CRED_INSUFFICIENT -Insufficient credentials to access authentication data. -.TP 3n -PAM_PERM_DENIED -Not enough permissions to create the new directory or read the skel directory. -.TP 3n -PAM_USER_UNKNOWN -User not known to the underlying authentication module. -.TP 3n -PAM_SUCCESS -Environment variables were set. 
-.SH "FILES" -.TP 3n -\fI/etc/skel\fR -Default skel directory -.SH "EXAMPLES" -.PP -A sample /etc/pam.d/login file: -.sp -.RS 3n -.nf - auth requisite pam_securetty.so - auth sufficient pam_ldap.so - auth required pam_unix.so - auth required pam_nologin.so - account sufficient pam_ldap.so - account required pam_unix.so - password required pam_unix.so - session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 - session required pam_unix.so - session optional pam_lastlog.so - session optional pam_mail.so standard - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.d\fR(8), -\fBpam\fR(8). -.SH "AUTHOR" -.PP -pam_mkhomedir was written by Jason Gunthorpe . diff --git a/modules/pam_motd/.cvsignore b/modules/pam_motd/.cvsignore index 9fb98574..f36d06fa 100644 --- a/modules/pam_motd/.cvsignore +++ b/modules/pam_motd/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_motd.8 diff --git a/modules/pam_motd/README b/modules/pam_motd/README deleted file mode 100644 index 414ad6f6..00000000 --- a/modules/pam_motd/README +++ /dev/null @@ -1,27 +0,0 @@ -pam_motd — Display the motd file - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_motd is a PAM module that can be used to display arbitrary motd (message of -the day) files after a succesful login. By default the /etc/motd file is shown. -The message size is limited to 64KB. - -OPTIONS - -motd=/path/filename - - The /path/filename file is displayed as message of the day. - -EXAMPLES - -The suggested usage for /etc/pam.d/login is: - -session optional pam_motd.so motd=/etc/motd - - -AUTHOR - -pam_motd was written by Ben Collins . - diff --git a/modules/pam_motd/pam_motd.8 b/modules/pam_motd/pam_motd.8 deleted file mode 100644 index 74bfb586..00000000 --- a/modules/pam_motd/pam_motd.8 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" Title: pam_motd -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.0 -.\" Date: 10/26/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_MOTD" "8" "10/26/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_motd \- Display the motd file -.SH "SYNOPSIS" -.HP 12 -\fBpam_motd.so\fR [motd=\fI/path/filename\fR] -.SH "DESCRIPTION" -.PP -pam_motd is a PAM module that can be used to display arbitrary motd (message of the day) files after a succesful login. By default the -\fI/etc/motd\fR -file is shown. The message size is limited to 64KB. -.SH "OPTIONS" -.PP -\fBmotd=\fR\fB\fI/path/filename\fR\fR -.RS 3n -The -\fI/path/filename\fR -file is displayed as message of the day. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.PP -PAM_IGNORE -.RS 3n -This is the only return value of this module. -.RE -.SH "EXAMPLES" -.PP -The suggested usage for -\fI/etc/pam.d/login\fR -is: -.sp -.RS 3n -.nf -session optional pam_motd.so motd=/etc/motd - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBmotd\fR(5), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_motd was written by Ben Collins . diff --git a/modules/pam_namespace/.cvsignore b/modules/pam_namespace/.cvsignore index 9fb98574..59a9578c 100644 --- a/modules/pam_namespace/.cvsignore +++ b/modules/pam_namespace/.cvsignore @@ -4,3 +4,6 @@ .libs Makefile Makefile.in +README +namespace.conf.5 +pam_namespace.8 diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README deleted file mode 100644 index cf5814e3..00000000 --- a/modules/pam_namespace/README +++ /dev/null 
@@ -1,168 +0,0 @@ -pam_namespace — PAM module for configuring namespace for a session - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_namespace PAM module sets up a private namespace for a session with -polyinstantiated directories. A polyinstantiated directory provides a different -instance of itself based on user name, or when using SELinux, user name, -security context or both. If an executable script /etc/security/namespace.init -exists, it is used to initialize the namespace every time a new instance -directory is setup. The script receives the polyinstantiated directory path and -the instance directory path as its arguments. - -The pam_namespace module disassociates the session namespace from the parent -namespace. Any mounts/unmounts performed in the parent namespace, such as -mounting of devices, are not reflected in the session namespace. To propagate -selected mount/unmount events from the parent namespace into the disassociated -session namespace, an administrator may use the special shared-subtree feature. -For additional information on shared-subtree feature, please refer to the mount -(8) man page and the shared-subtree description at http://lwn.net/Articles/ -159077 and http://lwn.net/Articles/159092. - -OPTIONS - -debug - - A lot of debug information is logged using syslog - -unmnt_remnt - - For programs such as su and newrole, the login session has already setup a - polyinstantiated namespace. For these programs, polyinstantiation is - performed based on new user id or security context, however the command - first needs to undo the polyinstantiation performed by login. 
This argument - instructs the command to first undo previous polyinstantiation before - proceeding with new polyinstantiation based on new id/context - -unmnt_only - - For trusted programs that want to undo any existing bind mounts and process - instance directories on their own, this argument allows them to unmount - currently mounted instance directories - -require_selinux - - If selinux is not enabled, return failure - -gen_hash - - Instead of using the security context string for the instance name, - generate and use its md5 hash. - -ignore_config_error - - If a line in the configuration file corresponding to a polyinstantiated - directory contains format error, skip that line process the next line. - Without this option, pam will return an error to the calling program - resulting in termination of the session. - -ignore_instance_parent_mode - - Instance parent directories by default are expected to have the restrictive - mode of 000. Using this option, an administrator can choose to ignore the - mode of the instance parent. This option should be used with caution as it - will reduce security and isolation goals of the polyinstantiation - mechanism. - -no_unmount_on_close - - For certain trusted programs such as newrole, open session is called from a - child process while the parent perfoms close session and pam end functions. - For these commands use this option to instruct pam_close_session to not - unmount the bind mounted polyinstantiated directory in the parent. - -DESCRIPTION - -This module allows setup of private namespaces with polyinstantiated -directories. Directories can be polyinstantiated based on user name or, in the -case of SELinux, user name, sensitivity level or complete security context. If -an executable script /etc/security/namespace.init exists, it is used to -initialize the namespace every time a new instance directory is setup. The -script receives the polyinstantiated directory path and the instance directory -path as its arguments. 
- -The /etc/security/namespace.conf file specifies which directories are -polyinstantiated, how they are polyinstantiated, how instance directories would -be named, and any users for whom polyinstantiation would not be performed. - -When someone logs in, the file namespace.conf is scanned where each non comment -line represents one polyinstantiated directory with space separated fields as -follows: - -polydir instance_prefix method list_of_uids - -The first field, polydir, is the absolute pathname of the directory to -polyinstantiate. Special entry $HOME is supported to designate user's home -directory. This field cannot be blank. - -The second field, instance_prefix is the string prefix used to build the -pathname for the instantiation of . Depending on the polyinstantiation -method it is then appended with "instance differentiation string" to generate -the final instance directory path. This directory is created if it did not -exist already, and is then bind mounted on the to provide an instance -of based on the column. The special string $HOME is replaced -with the user's home directory, and $USER with the username. This field cannot -be blank. The directory where polyinstantiated instances are to be created, -must exist and must have, by default, the mode of 000. The requirement that the -instance parent be of mode 000 can be overridden with the command line option -ignore_instance_parent_mode - -The third field, method, is the method used for polyinstantiation. It can take -3 different values; "user" for polyinstantiation based on user name, "level" -for polyinstantiation based on process MLS level and user name, and "context" -for polyinstantiation based on process security context and user name Methods -"context" and "level" are only available with SELinux. This field cannot be -blank. - -The fourth field, list_of_uids, is a comma separated list of user names for -whom the polyinstantiation is not performed. 
If left blank, polyinstantiation -will be performed for all users. - -In case of context or level polyinstantiation the SELinux context which is used -for polyinstantiation is the context used for executing a new process as -obtained by getexeccon. This context must be set by the calling application or -pam_selinux.so module. If this context is not set the polyinstatiation will be -based just on user name. - -The "instance differentiation string" is for "user" method and -_ for "context" and "level" methods. If the -whole string is too long the end of it is replaced with md5sum of itself. Also -when command line option gen_hash is used the whole string is replaced with -md5sum of itself. - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -namespace.conf. - - -      # The following three lines will polyinstantiate /tmp, -      # /var/tmp and user's home directories. /tmp and /var/tmp -      # will be polyinstantiated based on the security level -      # as well as user name, whereas home directory will be -      # polyinstantiated based on the full security context and user name. -      # Polyinstantiation will not be performed for user root -      # and adm for directories /tmp and /var/tmp, whereas home -      # directories will be polyinstantiated for all users. -      # -      # Note that instance directories do not have to reside inside -      # the polyinstantiated directory. In the examples below, -      # instances of /tmp will be created in /tmp-inst directory, -      # where as instances of /var/tmp and users home directories -      # will reside within the directories that are being -      # polyinstantiated. 
-      # -      /tmp     /tmp-inst/               level      root,adm -      /var/tmp /var/tmp/tmp-inst/    level      root,adm -      $HOME    $HOME/$USER.inst/inst- context -     - -For the s you need polyinstantiation (login for example) put the -following line in /etc/pam.d/ as the last line for session group: - -session required pam_namespace.so [arguments] - -This module also depends on pam_selinux.so setting the context. - diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5 deleted file mode 100644 index 0a4d98e4..00000000 --- a/modules/pam_namespace/namespace.conf.5 +++ /dev/null 
@@ -1,101 +0,0 @@ -.\" Title: namespace.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 06/20/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "NAMESPACE.CONF" "5" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -namespace.conf \- the namespace configuration file -.SH "DESCRIPTION" -.PP -This module allows setup of private namespaces with polyinstantiated directories. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script -\fI/etc/security/namespace.init\fR -exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments. -.PP -The -\fI/etc/security/namespace.conf\fR -file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. -.PP -When someone logs in, the file -\fInamespace.conf\fR -is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows: -.PP - -\fIpolydir\fR -\fI instance_prefix\fR -\fI method\fR -\fI list_of_uids\fR -.PP -The first field, -\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate. Special entry $HOME is supported to designate user's home directory. This field cannot be blank. -.PP -The second field, -\fIinstance_prefix\fR -is the string prefix used to build the pathname for the instantiation of . Depending on the polyinstantiation -\fImethod\fR -it is then appended with "instance differentiation string" to generate the final instance directory path. 
This directory is created if it did not exist already, and is then bind mounted on the to provide an instance of based on the column. The special string $HOME is replaced with the user's home directory, and $USER with the username. This field cannot be blank. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000. The requirement that the instance parent be of mode 000 can be overridden with the command line option -\fIignore_instance_parent_mode\fR -.PP -The third field, -\fImethod\fR, is the method used for polyinstantiation. It can take 3 different values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, and "context" for polyinstantiation based on process security context and user name Methods "context" and "level" are only available with SELinux. This field cannot be blank. -.PP -The fourth field, -\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed. If left blank, polyinstantiation will be performed for all users. -.PP -In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon. This context must be set by the calling application or -\fIpam_selinux.so\fR -module. If this context is not set the polyinstatiation will be based just on user name. -.PP -The "instance differentiation string" is for "user" method and _ for "context" and "level" methods. If the whole string is too long the end of it is replaced with md5sum of itself. Also when command line option -\fIgen_hash\fR -is used the whole string is replaced with md5sum of itself. -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/namespace.conf\fR. 
-.sp -.RS 4 -.nf - # The following three lines will polyinstantiate /tmp, - # /var/tmp and user's home directories. /tmp and /var/tmp - # will be polyinstantiated based on the security level - # as well as user name, whereas home directory will be - # polyinstantiated based on the full security context and user name. - # Polyinstantiation will not be performed for user root - # and adm for directories /tmp and /var/tmp, whereas home - # directories will be polyinstantiated for all users. - # - # Note that instance directories do not have to reside inside - # the polyinstantiated directory. In the examples below, - # instances of /tmp will be created in /tmp\-inst directory, - # where as instances of /var/tmp and users home directories - # will reside within the directories that are being - # polyinstantiated. - # - /tmp /tmp\-inst/ level root,adm - /var/tmp /var/tmp/tmp\-inst/ level root,adm - $HOME $HOME/$USER.inst/inst\- context - -.fi -.RE -.PP -For the s you need polyinstantiation (login for example) put the following line in /etc/pam.d/ as the last line for session group: -.PP -session required pam_namespace.so [arguments] -.PP -This module also depends on pam_selinux.so setting the context. -.SH "SEE ALSO" -.PP - -\fBpam_namespace\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHORS" -.PP -The namespace.conf manual page was written by Janak Desai . diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8 deleted file mode 100644 index 8d136c99..00000000 --- a/modules/pam_namespace/pam_namespace.8 +++ /dev/null 
@@ -1,137 +0,0 @@ -.\" Title: pam_namespace -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 06/20/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_NAMESPACE" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_namespace \- PAM module for configuring namespace for a session -.SH "SYNOPSIS" -.HP 17 -\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] -.SH "DESCRIPTION" -.PP -The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. If an executable script -\fI/etc/security/namespace.init\fR -exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments. -.PP -The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092. 
-.SH "OPTIONS" -.PP -\fBdebug\fR -.RS 4 -A lot of debug information is logged using syslog -.RE -.PP -\fBunmnt_remnt\fR -.RS 4 -For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context -.RE -.PP -\fBunmnt_only\fR -.RS 4 -For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories -.RE -.PP -\fBrequire_selinux\fR -.RS 4 -If selinux is not enabled, return failure -.RE -.PP -\fBgen_hash\fR -.RS 4 -Instead of using the security context string for the instance name, generate and use its md5 hash. -.RE -.PP -\fBignore_config_error\fR -.RS 4 -If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session. -.RE -.PP -\fBignore_instance_parent_mode\fR -.RS 4 -Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism. -.RE -.PP -\fBno_unmount_on_close\fR -.RS 4 -For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent. 
-.RE -.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.PP -PAM_SUCCESS -.RS 4 -Namespace setup was successful. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -Unexpected system error occurred while setting up namespace. -.RE -.PP -PAM_SESSION_ERR -.RS 4 -Unexpected namespace configuration error occurred. -.RE -.SH "FILES" -.PP -\fI/etc/security/namespace.conf\fR -.RS 4 -Configuration file -.RE -.SH "EXAMPLES" -.PP -For the s you need polyinstantiation (login for example) put the following line in /etc/pam.d/ as the last line for session group: -.PP -session required pam_namespace.so [arguments] -.PP -To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default: -.PP -/usr/sbin/gdm\-safe\-restart -.PP -This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the initialization script -\fI/etc/security/namespace.init\fR -to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided in the comment section of the instance initialization script -\fI/etc/security/namespace.init\fR. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp: -.PP - -.sp -.RS 4 -.nf - 1. Disable the use of font server by commenting out "FontPath" - line in /etc/X11/xorg.conf. If you do want to use the font server - then you will have to augment the instance initialization - script to appropriately provide /tmp/.font\-unix from the - polyinstantiated /tmp. - 2. 
Ensure that the gdm service is setup to use pam_namespace, - as described above, by modifying /etc/pam.d/gdm. - 3. Ensure that the display manager is configured to restart X server - with each new session. This default setup can be verified by - making sure that /usr/share/gdm/defaults.conf contains - "AlwaysRestartServer=true", and it is not overridden by - /etc/gdm/custom.conf. - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBnamespace.conf\fR(5), -\fBpam.d\fR(8), -\fBmount\fR(8), -\fBpam\fR(8). -.SH "AUTHORS" -.PP -The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. The pam_namespace PAM module was developed by Janak Desai , Chad Sellers and Steve Grubb . diff --git a/modules/pam_nologin/.cvsignore b/modules/pam_nologin/.cvsignore index 9fb98574..f9fb15b5 100644 --- a/modules/pam_nologin/.cvsignore +++ b/modules/pam_nologin/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_nologin.8 diff --git a/modules/pam_nologin/README b/modules/pam_nologin/README deleted file mode 100644 index 3ffa591d..00000000 --- a/modules/pam_nologin/README +++ /dev/null 
@@ -1,41 +0,0 @@ -pam_nologin — Prevent non-root users from login - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_nologin is a PAM module that prevents users from logging into the system -when /etc/nologin exists. The contents of the /etc/nologin file are displayed -to the user. The pam_nologin module has no effect on the root user's ability to -log in. - -OPTIONS - -file=/path/nologin - - Use this file instead the default /etc/nologin. - -successok - - Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. - -EXAMPLES - -The suggested usage for /etc/pam.d/login is: - -auth required pam_nologin.so - - -NOTES - -In order to make this module effective, all login methods should be secured by -it. It should be used as a required method listed before any sufficient methods -in order to get standard Unix nologin semantics. Note, the use of successok -module argument causes the module to return PAM_SUCCESS and as such would break -such a configuration - failing sufficient modules would lead to a successful -login because the nologin module succeeded. - -AUTHOR - -pam_nologin was written by Michael K. Johnson . - diff --git a/modules/pam_nologin/pam_nologin.8 b/modules/pam_nologin/pam_nologin.8 deleted file mode 100644 index 5e502266..00000000 --- a/modules/pam_nologin/pam_nologin.8 +++ /dev/null 
@@ -1,96 +0,0 @@ -.\" Title: pam_nologin -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/04/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_NOLOGIN" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_nologin \- Prevent non\-root users from login -.SH "SYNOPSIS" -.HP 15 -\fBpam_nologin.so\fR [file=\fI/path/nologin\fR] [successok] -.SH "DESCRIPTION" -.PP -pam_nologin is a PAM module that prevents users from logging into the system when -\fI/etc/nologin\fR -exists. The contents of the -\fI/etc/nologin\fR -file are displayed to the user. The pam_nologin module has no effect on the root user's ability to log in. -.SH "OPTIONS" -.TP 3n -\fBfile=\fR\fB\fI/path/nologin\fR\fR -Use this file instead the default -\fI/etc/nologin\fR. -.TP 3n -\fBsuccessok\fR -Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. -.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBauth\fR -and -\fBacct\fR -services are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_AUTH_ERR -The user is not root and -\fI/etc/nologin\fR -exists, so the user is not permitted to log in. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_IGNORE -This is the default return value. -.TP 3n -PAM_SUCCESS -Success: either the user is root or the -\fI/etc/nologin\fR -file does not exist. -.TP 3n -PAM_USER_UNKNOWN -User not known to the underlying authentication module. -.SH "EXAMPLES" -.PP -The suggested usage for -\fI/etc/pam.d/login\fR -is: -.sp -.RS 3n -.nf -auth required pam_nologin.so - -.fi -.RE -.sp -.SH "NOTES" -.PP -In order to make this module effective, all login methods should be secured by it. It should be used as a -\fIrequired\fR -method listed before any -\fIsufficient\fR -methods in order to get standard Unix nologin semantics. 
Note, the use of -\fBsuccessok\fR -module argument causes the module to return -\fIPAM_SUCCESS\fR -and as such would break such a configuration \- failing -\fIsufficient\fR -modules would lead to a successful login because the nologin module -\fIsucceeded\fR. -.SH "SEE ALSO" -.PP - -\fBnologin\fR(5), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_nologin was written by Michael K. Johnson . diff --git a/modules/pam_permit/.cvsignore b/modules/pam_permit/.cvsignore index 9fb98574..5406ac33 100644 --- a/modules/pam_permit/.cvsignore +++ b/modules/pam_permit/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_permit.8 diff --git a/modules/pam_permit/README b/modules/pam_permit/README deleted file mode 100644 index d479dccd..00000000 --- a/modules/pam_permit/README +++ /dev/null @@ -1,30 +0,0 @@ -pam_permit — The promiscuous module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_permit is a PAM module that always permit access. It does nothing else. - -In the case of authentication, the user's name will be set to nobody if the -application didn't set one. Many applications and PAM modules become confused -if this name is unknown. - -This module is very dangerous. It should be used with extreme caution. - -OPTIONS - -This module does not recognise any options. - -EXAMPLES - -Add this line to your other login entries to disable account management, but -continue to permit users to log in. - -account required pam_permit.so - - -AUTHOR - -pam_permit was written by Andrew G. Morgan, . - diff --git a/modules/pam_permit/pam_permit.8 b/modules/pam_permit/pam_permit.8 deleted file mode 100644 index 135db335..00000000 --- a/modules/pam_permit/pam_permit.8 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" Title: pam_permit -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_PERMIT" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_permit - The promiscuous module -.SH "SYNOPSIS" -.HP 14 -\fBpam_permit\.so\fR -.SH "DESCRIPTION" -.PP -pam_permit is a PAM module that always permit access\. It does nothing else\. -.PP -In the case of authentication, the user\'s name will be set to -\fInobody\fR -if the application didn\'t set one\. Many applications and PAM modules become confused if this name is unknown\. -.PP -This module is very dangerous\. It should be used with extreme caution\. -.SH "OPTIONS" -.PP -This module does not recognise any options\. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported\. -.SH "RETURN VALUES" -.PP -PAM_SUCCESS -.RS 4 -This module always returns this value\. -.RE -.SH "EXAMPLES" -.PP -Add this line to your other login entries to disable account management, but continue to permit users to log in\. -.sp -.RS 4 -.nf -account required pam_permit\.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_permit was written by Andrew G\. Morgan, \. diff --git a/modules/pam_rhosts/.cvsignore b/modules/pam_rhosts/.cvsignore index 9fb98574..8f807d67 100644 --- a/modules/pam_rhosts/.cvsignore +++ b/modules/pam_rhosts/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_rhosts.8 diff --git a/modules/pam_rhosts/README b/modules/pam_rhosts/README deleted file mode 100644 index b1911785..00000000 --- a/modules/pam_rhosts/README +++ /dev/null 
@@ -1,56 +0,0 @@ -pam_rhosts — The rhosts PAM module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This module performs the standard network authentication for services, as used -by traditional implementations of rlogin and rsh etc. - -The authentication mechanism of this module is based on the contents of two -files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former -file are treated as equivalent to the localhost. Secondly, entries in the -user's own copy of the latter file is used to map "remote-host remote-user" -pairs to that user's account on the current host. Access is granted to the user -if their host is present in /etc/hosts.equiv and their remote account is -identical to their local one, or if their remote account has an entry in their -personal configuration file. - -The module authenticates a remote user (internally specified by the item -PAM_RUSER connecting from the remote host (internally specified by the item -PAM_RHOST). Accordingly, for applications to be compatible this authentication -module they must set these items prior to calling pam_authenticate(). The -module is not capable of independently probing the network connection for such -information. - -OPTIONS - -debug - - Print debug information. - -silent - - Don't print informative messages. - -superuser=account - - Handle account as root. - -EXAMPLES - -To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the -following lines to /etc/pam.d/rsh: - -#%PAM-1.0 -# -auth required pam_rhosts.so -auth required pam_nologin.so -auth required pam_env.so -auth required pam_unix.so - - -AUTHOR - -pam_rhosts was written by Thorsten Kukuk - diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8 deleted file mode 100644 index 0d7f4a16..00000000 --- a/modules/pam_rhosts/pam_rhosts.8 +++ /dev/null 
@@ -1,98 +0,0 @@ -.\" Title: pam_rhosts -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/28/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_RHOSTS" "8" "06/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_rhosts \- The rhosts PAM module -.SH "SYNOPSIS" -.HP 14 -\fBpam_rhosts.so\fR -.SH "DESCRIPTION" -.PP -This module performs the standard network authentication for services, as used by traditional implementations of -\fBrlogin\fR -and -\fBrsh\fR -etc. -.PP -The authentication mechanism of this module is based on the contents of two files; -\fI/etc/hosts.equiv\fR -(or and -\fI~/.rhosts\fR. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user's account on the current host. Access is granted to the user if their host is present in -\fI/etc/hosts.equiv\fR -and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file. -.PP -The module authenticates a remote user (internally specified by the item -\fIPAM_RUSER\fR -connecting from the remote host (internally specified by the item -\fBPAM_RHOST\fR). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling -\fBpam_authenticate()\fR. The module is not capable of independently probing the network connection for such information. -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBsilent\fR -Don't print informative messages. -.TP 3n -\fBsuperuser=\fR\fB\fIaccount\fR\fR -Handle -\fIaccount\fR -as root. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported. 
-.SH "RETURN VALUES" -.TP 3n -PAM_AUTH_ERR -The remote host, remote user name or the local user name couldn't be determined or access was denied by -\fI.rhosts\fR -file. -.TP 3n -PAM_USER_UNKNOWN -User is not known to system. -.SH "EXAMPLES" -.PP -To grant a remote user access by -\fI/etc/hosts.equiv\fR -or -\fI.rhosts\fR -for -\fBrsh\fR -add the following lines to -\fI/etc/pam.d/rsh\fR: -.sp -.RS 3n -.nf -#%PAM\-1.0 -# -auth required pam_rhosts.so -auth required pam_nologin.so -auth required pam_env.so -auth required pam_unix.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBrootok\fR(3), -\fBhosts.equiv\fR(5), -\fBrhosts\fR(5), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_rhosts was written by Thorsten Kukuk diff --git a/modules/pam_rootok/.cvsignore b/modules/pam_rootok/.cvsignore index 9fb98574..70776789 100644 --- a/modules/pam_rootok/.cvsignore +++ b/modules/pam_rootok/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_rootok.8 diff --git a/modules/pam_rootok/README b/modules/pam_rootok/README deleted file mode 100644 index 55a44756..00000000 --- a/modules/pam_rootok/README +++ /dev/null 
@@ -1,33 +0,0 @@
-pam_rootok — Gain only root access
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-DESCRIPTION
-
-pam_rootok is a PAM module that authenticates the user if their UID is 0.
-Applications that are created setuid-root generally retain the UID of the user
-but run with the authority of an enhanced effective-UID. It is the real UID
-that is checked.
-
-OPTIONS
-
-debug
-
- Print debug information.
-
-EXAMPLES
-
-In the case of the su(1) application the historical usage is to permit the
-superuser to adopt the identity of a lesser user without the use of a password.
-To obtain this behavior with PAM the following pair of lines are needed for the
-corresponding entry in the /etc/pam.d/su configuration file:
-
-# su authentication. Root is granted access by default.
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-
-
-AUTHOR
-
-pam_rootok was written by Andrew G. Morgan, .
-
diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8
deleted file mode 100644
index 79618050..00000000
--- a/modules/pam_rootok/pam_rootok.8
+++ /dev/null
@@ -1,77 +0,0 @@ -.\" Title: pam_rootok -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/23/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_ROOTOK" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_rootok \- Gain only root access -.SH "SYNOPSIS" -.HP 14 -\fBpam_rootok.so\fR [debug] -.SH "DESCRIPTION" -.PP -pam_rootok is a PAM module that authenticates the user if their -\fIUID\fR -is -\fI0\fR. Applications that are created setuid\-root generally retain the -\fIUID\fR -of the user but run with the authority of an enhanced effective\-UID. It is the real -\fIUID\fR -that is checked. -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Print debug information. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -The -\fIUID\fR -is -\fI0\fR. -.TP 3n -PAM_AUTH_ERR -The -\fIUID\fR -is -\fBnot\fR -\fI0\fR. -.SH "EXAMPLES" -.PP -In the case of the -\fBsu\fR(1) -application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior with PAM the following pair of lines are needed for the corresponding entry in the -\fI/etc/pam.d/su\fR -configuration file: -.sp -.RS 3n -.nf -# su authentication. Root is granted access by default. -auth sufficient pam_rootok.so -auth required pam_unix.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBsu\fR(1), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_rootok was written by Andrew G. Morgan, . diff --git a/modules/pam_securetty/.cvsignore b/modules/pam_securetty/.cvsignore index 9fb98574..1e9b0b2d 100644 --- a/modules/pam_securetty/.cvsignore +++ b/modules/pam_securetty/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_securetty.8 
diff --git a/modules/pam_securetty/README b/modules/pam_securetty/README
deleted file mode 100644
index d4ee5f97..00000000
--- a/modules/pam_securetty/README
+++ /dev/null
@@ -1,33 +0,0 @@
-pam_securetty — Limit root login to special devices
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-DESCRIPTION
-
-pam_securetty is a PAM module that allows root logins only if the user is
-logging in on a "secure" tty, as defined by the listing in /etc/securetty.
-pam_securetty also checks to make sure that /etc/securetty is a plain file and
-not world writable.
-
-This module has no effect on non-root users and requires that the application
-fills in the PAM_TTY item correctly.
-
-For canonical usage, should be listed as a required authentication method
-before any sufficient authentication methods.
-
-OPTIONS
-
-debug
-
- Print debug information.
-
-EXAMPLES
-
-auth required pam_securetty.so
-auth required pam_unix.so
-
-
-AUTHOR
-
-pam_securetty was written by Elliot Lee .
-
diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8
deleted file mode 100644
index f72e611f..00000000
--- a/modules/pam_securetty/pam_securetty.8
+++ /dev/null
@@ -1,85 +0,0 @@ -.\" Title: pam_securetty -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/04/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SECURETTY" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_securetty \- Limit root login to special devices -.SH "SYNOPSIS" -.HP 17 -\fBpam_securetty.so\fR [debug] -.SH "DESCRIPTION" -.PP -pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in -\fI/etc/securetty\fR. pam_securetty also checks to make sure that -\fI/etc/securetty\fR -is a plain file and not world writable. -.PP -This module has no effect on non\-root users and requires that the application fills in the -\fBPAM_TTY\fR -item correctly. -.PP -For canonical usage, should be listed as a -\fBrequired\fR -authentication method before any -\fBsufficient\fR -authentication methods. -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Print debug information. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBauth\fR -service is supported. -.SH "RETURN VALUES" -.TP 3n -PAM_SUCCESS -The user is allowed to continue authentication. Either the user is not root, or the root user is trying to log in on an acceptable device. -.TP 3n -PAM_AUTH_ERR -Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the -\fI/etc/securetty\fR -file is world writable or not a normal file. -.TP 3n -PAM_INCOMPLETE -An application error occurred. pam_securetty was not able to get information it required from the application that called it. -.TP 3n -PAM_SERVICE_ERR -An error occurred while the module was determining the user's name or tty, or the module could not open -\fI/etc/securetty\fR. 
-.TP 3n -PAM_IGNORE -The module could not find the user name in the -\fI/etc/passwd\fR -file to verify whether the user had a UID of 0. Therefore, the results of running this module are ignored. -.SH "EXAMPLES" -.PP - -.sp -.RS 3n -.nf -auth required pam_securetty.so -auth required pam_unix.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBsecuretty\fR(5), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_securetty was written by Elliot Lee . diff --git a/modules/pam_selinux/.cvsignore b/modules/pam_selinux/.cvsignore index 78054a1c..72174be1 100644 --- a/modules/pam_selinux/.cvsignore +++ b/modules/pam_selinux/.cvsignore @@ -7,3 +7,6 @@ Makefile Makefile.in pam_selinux_check +README +pam_selinux.8 +pam_selinux_check.8 diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README deleted file mode 100644 index 9e841f2e..00000000 --- a/modules/pam_selinux/README +++ /dev/null 
@@ -1,66 +0,0 @@ -pam_selinux — PAM module to set the default security context - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -In a nutshell, pam_selinux sets up the default security context for the next -execed shell. - -When an application opens a session using pam_selinux, the shell that gets -executed will be run in the default security context, or if the user chooses -and the pam file allows the selected security context. Also the controlling tty -will have it's security context modified to match the users. - -Adding pam_selinux into a pam file could cause other pam modules to change -their behavior if the exec another application. The close and open option help -mitigate this problem. close option will only cause the close portion of the -pam_selinux to execute, and open will only cause the open portion to run. You -can add pam_selinux to the config file twice. Add the pam_selinux close as the -executes the open pass through the modules, pam_selinux open_session will -happen last. When PAM executes the close pass through the modules pam_selinux -close_session will happen first. - -OPTIONS - -close - - Only execute the close_session portion of the module. - -debug - - Turns on debugging via syslog(3). - -open - - Only execute the open_session portion of the module. - -nottys - - Do not try to setup the ttys security context. - -verbose - - attempt to inform the user when security context is set. - -select_context - - Attempt to ask the user for a custom security context role. If MLS is on - ask also for sensitivity level. - -use_current_range - - Use the sensitivity range of the process for the user context. This option - and the select_context option are mutually exclusive. - -EXAMPLES - -auth required pam_unix.so -session required pam_permit.so -session optional pam_selinux.so - - -AUTHOR - -pam_selinux was written by Dan Walsh . - 
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
deleted file mode 100644
index 6709ac9c..00000000
--- a/modules/pam_selinux/pam_selinux.8
+++ /dev/null
@@ -1,101 +0,0 @@ -.\" Title: pam_selinux -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: 06/20/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_SELINUX" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_selinux \- PAM module to set the default security context -.SH "SYNOPSIS" -.HP 15 -\fBpam_selinux.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range] -.SH "DESCRIPTION" -.PP -In a nutshell, pam_selinux sets up the default security context for the next execed shell. -.PP -When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context. Also the controlling tty will have it's security context modified to match the users. -.PP -Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application. The close and open option help mitigate this problem. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run. You can add pam_selinux to the config file twice. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last. When PAM executes the close pass through the modules pam_selinux close_session will happen first. -.SH "OPTIONS" -.PP -\fBclose\fR -.RS 4 -Only execute the close_session portion of the module. -.RE -.PP -\fBdebug\fR -.RS 4 -Turns on debugging via -\fBsyslog\fR(3). -.RE -.PP -\fBopen\fR -.RS 4 -Only execute the open_session portion of the module. -.RE -.PP -\fBnottys\fR -.RS 4 -Do not try to setup the ttys security context. -.RE -.PP -\fBverbose\fR -.RS 4 -attempt to inform the user when security context is set. 
-.RE -.PP -\fBselect_context\fR -.RS 4 -Attempt to ask the user for a custom security context role. If MLS is on ask also for sensitivity level. -.RE -.PP -\fBuse_current_range\fR -.RS 4 -Use the sensitivity range of the process for the user context. This option and the select_context option are mutually exclusive. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.PP -PAM_AUTH_ERR -.RS 4 -Unable to get or set a valid context. -.RE -.PP -PAM_SUCCESS -.RS 4 -The security context was set successfull. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -The user is not known to the system. -.RE -.SH "EXAMPLES" -.sp -.RS 4 -.nf -auth required pam_unix.so -session required pam_permit.so -session optional pam_selinux.so - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_selinux was written by Dan Walsh . diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 deleted file mode 100644 index d6fcdff1..00000000 --- a/modules/pam_selinux/pam_selinux_check.8 +++ /dev/null @@ -1,35 +0,0 @@ -.TH pam_selinux_check 8 2002/05/23 "Red Hat Linux" "System Administrator's Manual" -.SH NAME -pam_selinux_check \- login program to test pam_selinux.so -.SH SYNOPSIS -.B pam_selinux_check [user] -.br - -.SH DESCRIPTION -With no arguments, -.B pam_selinux_check -will prompt for user - -.SH OPTIONS -.IP target_user -The user to login as. - -.SH DIAGNOSTICS -You must setup a /etc/pam.d/pam_selinux_check file, in order for the check to work. - -When checking if a selinux is valid, -.B pam_selinux_check -returns an exit code of 0 for success and > 0 on error: - -.nf -1: Authentication failure -.fi - -.SH SEE ALSO -pam_selinux(8) - -.SH BUGS -Let's hope not, but if you find any, please email the author. - -.SH AUTHOR -Dan Walsh diff --git a/modules/pam_shells/.cvsignore b/modules/pam_shells/.cvsignore index 9fb98574..f86c33b1 100644 
--- a/modules/pam_shells/.cvsignore
+++ b/modules/pam_shells/.cvsignore
@@ -4,3 +4,5 @@
 .libs
 Makefile
 Makefile.in
+README
+pam_shells.8
diff --git a/modules/pam_shells/README b/modules/pam_shells/README
deleted file mode 100644
index f4658be3..00000000
--- a/modules/pam_shells/README
+++ /dev/null
@@ -1,24 +0,0 @@
-pam_shells — PAM module to check for valid login shell
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-DESCRIPTION
-
-pam_shells is a PAM module that only allows access to the system if the users
-shell is listed in /etc/shells.
-
-It also checks if /etc/shells is a plain file and not world writable.
-
-OPTIONS
-
-This module does not recognise any options.
-
-EXAMPLES
-
-auth required pam_shells.so
-
-
-AUTHOR
-
-pam_shells was written by Erik Troan .
-
diff --git a/modules/pam_shells/pam_shells.8 b/modules/pam_shells/pam_shells.8
deleted file mode 100644
index 016af07b..00000000
--- a/modules/pam_shells/pam_shells.8
+++ /dev/null
@@ -1,73 +0,0 @@ -.\" Title: pam_shells -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_SHELLS" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_shells - PAM module to check for valid login shell -.SH "SYNOPSIS" -.HP 14 -\fBpam_shells\.so\fR -.SH "DESCRIPTION" -.PP -pam_shells is a PAM module that only allows access to the system if the users shell is listed in -\fI/etc/shells\fR\. -.PP -It also checks if -\fI/etc/shells\fR -is a plain file and not world writable\. -.SH "OPTIONS" -.PP -This module does not recognise any options\. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR -and -\fBaccount\fR -are supported\. -.SH "RETURN VALUES" -.PP -PAM_AUTH_ERR -.RS 4 -Access to the system was denied\. -.RE -.PP -PAM_SUCCESS -.RS 4 -The users login shell was listed as valid shell in -\fI/etc/shells\fR\. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -The module was not able to get the name of the user\. -.RE -.SH "EXAMPLES" -.PP - -.sp -.RS 4 -.nf -auth required pam_shells\.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBshells\fR(5), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_shells was written by Erik Troan \. diff --git a/modules/pam_stress/.cvsignore b/modules/pam_stress/.cvsignore index 9fb98574..acf3f3bc 100644 --- a/modules/pam_stress/.cvsignore +++ b/modules/pam_stress/.cvsignore @@ -4,3 +4,4 @@ .libs Makefile Makefile.in +README diff --git a/modules/pam_stress/README b/modules/pam_stress/README deleted file mode 100644 index 74a297b2..00000000 --- a/modules/pam_stress/README +++ /dev/null 
@@ -1,66 +0,0 @@ -# -# $Id$ -# -# This describes the behavior of this module with respect to the -# /etc/pam.conf file. -# -# writen by Andrew Morgan -# - -This module recognizes the following arguments. - -debug put lots of information in syslog. - *NOTE* this option writes passwords to syslog, so - don't use anything sensitive when testing. - -no_warn don't give warnings about things (otherwise warnings are issued - via the conversation function) - -use_first_pass don't prompt for a password, for pam_sm_authentication - function just use item PAM_AUTHTOK. - -try_first_pass don't prompt for a password unless there has been no - previous authentication token (item PAM_AUTHTOK is NULL) - -rootok This is intended for the pam_sm_chauthtok function and - it instructs this function to permit root to change - the user's password without entering the old password. - -The following arguments are acted on by the module. They are intended -to make the module give the impression of failing as a fully -functioning module might. - -expired an argument intended for the account and chauthtok module - parts. It instructs the module to act as if the user's - password has expired - -fail_1 this instructs the module to make its first function fail. - -fail_2 this instructs the module to make its second function (if there - is one) fail. - - The function break up is indicated in the Module - Developers' Guide. Listed here it is: - - service function 1 function 2 - ------- ---------- ---------- - auth pam_sm_authenticate pam_sm_setcred - password pam_sm_chauthtok - session pam_sm_open_session pam_sm_close_session - account pam_sm_acct_mgmt - -prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK. - -required for pam_sm_chauthtok, means fail if the user hasn't already - been authenticated by this module. (See stress_new_pwd data - item below.) 
- -# -# data strings that this module uses are the following: -# - -data name value(s) Comments ---------- -------- -------- -stress_new_pwd yes tells pam_sm_chauthtok that - pam_sm_acct_mgmt says we need a new - password diff --git a/modules/pam_succeed_if/.cvsignore b/modules/pam_succeed_if/.cvsignore index 621104aa..6218e822 100644 --- a/modules/pam_succeed_if/.cvsignore +++ b/modules/pam_succeed_if/.cvsignore @@ -6,3 +6,5 @@ .libs Makefile Makefile.in +README +pam_succeed_if.8 diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README deleted file mode 100644 index 6e4907c6..00000000 --- a/modules/pam_succeed_if/README +++ /dev/null 
@@ -1,124 +0,0 @@ -pam_succeed_if — test account characteristics - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_succeed_if.so is designed to succeed or fail authentication based on -characteristics of the account belonging to the user being authenticated. One -use is to select whether to load other modules based on this test. - -The module should be given one or more conditions as module arguments, and -authentication will succeed only if all of the conditions are met. - -OPTIONS - -The following flags are supported: - -debug - - Turns on debugging messages sent to syslog. - -use_uid - - Evaluate conditions using the account of the user whose UID the application - is running under instead of the user being authenticated. - -quiet - - Don't log failure or success to the system log. - -quiet_fail - - Don't log failure to the system log. - -quiet_success - - Don't log success to the system log. - -Conditions are three words: a field, a test, and a value to test for. - -Available fields are user, uid, gid, shell, home and service: - -field < number - - Field has a value numerically less than number. - -field <= number - - Field has a value numerically less than or equal to number. - -field eq number - - Field has a value numerically equal to number. - -field >= number - - Field has a value numerically greater than or equal to number. - -field > number - - Field has a value numerically greater than number. - -field ne number - - Field has a value numerically different from number. - -field = string - - Field exactly matches the given string. - -field != string - - Field does not match the given string. - -field =~ glob - - Field matches the given glob. - -field !~ glob - - Field does not match the given glob. - -field in item:item:... - - Field is contained in the list of items separated by colons. - -field notin item:item:... - - Field is not contained in the list of items separated by colons. 
- -user ingroup group - - User is in given group. - -user notingroup group - - User is not in given group. - -user innetgr netgroup - - (user,host) is in given netgroup. - -user notinnetgr group - - (user,host) is not in given netgroup. - -EXAMPLES - -To emulate the behaviour of pam_wheel, except there is no fallback to group 0: - -auth required pam_succeed_if.so quiet user ingroup wheel - - -Given that the type matches, only loads the othermodule rule if the UID is over -500. Adjust the number after default to skip several rules. - -type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 -type required othermodule.so arguments... - - -AUTHOR - -Nalin Dahyabhai - diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 deleted file mode 100644 index 45155850..00000000 --- a/modules/pam_succeed_if/pam_succeed_if.8 +++ /dev/null 
@@ -1,191 +0,0 @@ -.\" Title: pam_succeed_if -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 01/07/2008 -.\" Manual: Linux-PAM -.\" Source: Linux-PAM -.\" -.TH "PAM_SUCCEED_IF" "8" "01/07/2008" "Linux-PAM" "Linux\-PAM" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_succeed_if - test account characteristics -.SH "SYNOPSIS" -.HP 18 -\fBpam_succeed_if\.so\fR [\fIflag\fR...] [\fIcondition\fR...] -.SH "DESCRIPTION" -.PP -pam_succeed_if\.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated\. One use is to select whether to load other modules based on this test\. -.PP -The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\. -.SH "OPTIONS" -.PP -The following -\fIflag\fRs are supported: -.PP -\fBdebug\fR -.RS 4 -Turns on debugging messages sent to syslog\. -.RE -.PP -\fBuse_uid\fR -.RS 4 -Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\. -.RE -.PP -\fBquiet\fR -.RS 4 -Don\'t log failure or success to the system log\. -.RE -.PP -\fBquiet_fail\fR -.RS 4 -Don\'t log failure to the system log\. -.RE -.PP -\fBquiet_success\fR -.RS 4 -Don\'t log success to the system log\. -.RE -.PP - -\fICondition\fRs are three words: a field, a test, and a value to test for\. -.PP -Available fields are -\fIuser\fR, -\fIuid\fR, -\fIgid\fR, -\fIshell\fR, -\fIhome\fR -and -\fIservice\fR: -.PP -\fBfield < number\fR -.RS 4 -Field has a value numerically less than number\. -.RE -.PP -\fBfield <= number\fR -.RS 4 -Field has a value numerically less than or equal to number\. -.RE -.PP -\fBfield eq number\fR -.RS 4 -Field has a value numerically equal to number\. -.RE -.PP -\fBfield >= number\fR -.RS 4 -Field has a value numerically greater than or equal to number\. 
-.RE -.PP -\fBfield > number\fR -.RS 4 -Field has a value numerically greater than number\. -.RE -.PP -\fBfield ne number\fR -.RS 4 -Field has a value numerically different from number\. -.RE -.PP -\fBfield = string\fR -.RS 4 -Field exactly matches the given string\. -.RE -.PP -\fBfield != string\fR -.RS 4 -Field does not match the given string\. -.RE -.PP -\fBfield =~ glob\fR -.RS 4 -Field matches the given glob\. -.RE -.PP -\fBfield !~ glob\fR -.RS 4 -Field does not match the given glob\. -.RE -.PP -\fBfield in item:item:\.\.\.\fR -.RS 4 -Field is contained in the list of items separated by colons\. -.RE -.PP -\fBfield notin item:item:\.\.\.\fR -.RS 4 -Field is not contained in the list of items separated by colons\. -.RE -.PP -\fBuser ingroup group\fR -.RS 4 -User is in given group\. -.RE -.PP -\fBuser notingroup group\fR -.RS 4 -User is not in given group\. -.RE -.PP -\fBuser innetgr netgroup\fR -.RS 4 -(user,host) is in given netgroup\. -.RE -.PP -\fBuser notinnetgr group\fR -.RS 4 -(user,host) is not in given netgroup\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -All services are supported\. -.SH "RETURN VALUES" -.PP -PAM_SUCCESS -.RS 4 -The condition was true\. -.RE -.PP -PAM_AUTH_ERR -.RS 4 -The condition was false\. -.RE -.PP -PAM_SERVICE_ERR -.RS 4 -A service error occured or the arguments can\'t be parsed as numbers\. -.RE -.SH "EXAMPLES" -.PP -To emulate the behaviour of -\fIpam_wheel\fR, except there is no fallback to group 0: -.sp -.RS 4 -.nf -auth required pam_succeed_if\.so quiet user ingroup wheel - -.fi -.RE -.PP -Given that the type matches, only loads the othermodule rule if the UID is over 500\. Adjust the number after default to skip several rules\. -.sp -.RS 4 -.nf -type [default=1 success=ignore] pam_succeed_if\.so quiet uid > 500 -type required othermodule\.so arguments\.\.\. - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBglob\fR(7), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -Nalin Dahyabhai 
diff --git a/modules/pam_tally/.cvsignore b/modules/pam_tally/.cvsignore
index e5f2d30a..0286d635 100644
--- a/modules/pam_tally/.cvsignore
+++ b/modules/pam_tally/.cvsignore
@@ -5,3 +5,5 @@
 Makefile
 Makefile.in
 pam_tally
+README
+pam_tally.8
diff --git a/modules/pam_tally/README b/modules/pam_tally/README
deleted file mode 100644
index d3bf5354..00000000
--- a/modules/pam_tally/README
+++ /dev/null
@@ -1,132 +0,0 @@ -pam_tally — The login counter (tallying) module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This module maintains a count of attempted accesses, can reset count on -success, can deny access if too many attempts fail. - -pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM -module and the latter, a stand-alone program. pam_tally is an (optional) -application which can be used to interrogate and manipulate the counter file. -It can display users' counts, set individual counts, or clear all counts. -Setting artificially high counts may be useful for blocking users without -changing their passwords. For example, one might find it useful to clear all -counts every midnight from a cron job. The faillog(8) command can be used -instead of pam_tally to to maintain the counter file. - -Normally, failed attempts to access root will not cause the root account to -become blocked, to prevent denial-of-service: if your users aren't given shell -accounts and root may only login via su or at the machine console (not telnet/ -rsh, etc), this is safe. - -OPTIONS - -GLOBAL OPTIONS - - This can be used for auth and account services. - - onerr=[fail|succeed] - - If something weird happens (like unable to open the file), return with - PAM_SUCESS if onerr=succeed is given, else with the corresponding PAM - error code. - - file=/path/to/counter - - File where to keep counts. Default is /var/log/faillog. - - audit - - Will log the user name into the system log if the user is not found. - -AUTH OPTIONS - - Authentication phase first checks if user should be denied access and if - not it increments attempted login counter. Then on call to pam_setcred(3) - it resets the attempts counter. - - deny=n - - Deny access if tally for this user exceeds n. - - lock_time=n - - Always deny for n seconds after failed attempt. - - unlock_time=n - - Allow access after n seconds after failed attempt. 
If this option is - used the user will be locked out for the specified amount of time after - he exceeded his maximum allowed attempts. Otherwise the account is - locked until the lock is removed by a manual intervention of the system - administrator. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sys-admin should use this for user launched services, - like su, otherwise this argument should be omitted. - - no_lock_time - - Do not use the .fail_locktime field in /var/log/faillog for this user. - - no_reset - - Don't reset count on successful entry, only decrement. - - even_deny_root_account - - Root account can become unavailable. - - per_user - - If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field - for this user then use it instead of deny=n/ lock_time=n parameter. - - no_lock_time - - Don't use .fail_locktime filed in /var/log/faillog for this user. - -ACCOUNT OPTIONS - - Account phase resets attempts counter if the user is not magic root. This - phase can be used optionaly for services which don't call pam_setcred(3) - correctly or if the reset should be done regardless of the failure of the - account phase of other modules. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sys-admin should use this for user launched services, - like su, otherwise this argument should be omitted. - - no_reset - - Don't reset count on successful entry, only decrement. - -EXAMPLES - -Add the following line to /etc/pam.d/login to lock the account after too many -failed logins. The number of allowed fails is specified by /var/log/faillog and -needs to be set with pam_tally or faillog(8) before. 
- -auth required pam_securetty.so -auth required pam_tally.so per_user -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard - - -AUTHOR - -pam_tally was written by Tim Baverstock and Tomas Mraz. - diff --git a/modules/pam_tally/pam_tally.8 b/modules/pam_tally/pam_tally.8 deleted file mode 100644 index 69b95624..00000000 --- a/modules/pam_tally/pam_tally.8 +++ /dev/null 
@@ -1,221 +0,0 @@ -.\" Title: pam_tally -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 10/12/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_TALLY" "8" "10/12/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_tally - The login counter (tallying) module -.SH "SYNOPSIS" -.HP 13 -\fBpam_tally\.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] -.HP 10 -\fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] -.SH "DESCRIPTION" -.PP -This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\. -.PP -pam_tally comes in two parts: -\fBpam_tally\.so\fR -and -\fBpam_tally\fR\. The former is the PAM module and the latter, a stand\-alone program\. -\fBpam_tally\fR -is an (optional) application which can be used to interrogate and manipulate the counter file\. It can display users\' counts, set individual counts, or clear all counts\. Setting artificially high counts may be useful for blocking users without changing their passwords\. For example, one might find it useful to clear all counts every midnight from a cron job\. The -\fBfaillog\fR(8) -command can be used instead of pam_tally to to maintain the counter file\. -.PP -Normally, failed attempts to access -\fIroot\fR -will -\fBnot\fR -cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via -\fBsu\fR -or at the machine console (not telnet/rsh, etc), this is safe\. -.SH "OPTIONS" -.PP -GLOBAL OPTIONS -.RS 4 -This can be used for -\fIauth\fR -and -\fIaccount\fR -services\. 
-.PP -\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR -.RS 4 -If something weird happens (like unable to open the file), return with -\fBPAM_SUCESS\fR -if -\fBonerr=\fR\fB\fIsucceed\fR\fR -is given, else with the corresponding PAM error code\. -.RE -.PP -\fBfile=\fR\fB\fI/path/to/counter\fR\fR -.RS 4 -File where to keep counts\. Default is -\fI/var/log/faillog\fR\. -.RE -.PP -\fBaudit\fR -.RS 4 -Will log the user name into the system log if the user is not found\. -.RE -.RE -.PP -AUTH OPTIONS -.RS 4 -Authentication phase first checks if user should be denied access and if not it increments attempted login counter\. Then on call to -\fBpam_setcred\fR(3) -it resets the attempts counter\. -.PP -\fBdeny=\fR\fB\fIn\fR\fR -.RS 4 -Deny access if tally for this user exceeds -\fIn\fR\. -.RE -.PP -\fBlock_time=\fR\fB\fIn\fR\fR -.RS 4 -Always deny for -\fIn\fR -seconds after failed attempt\. -.RE -.PP -\fBunlock_time=\fR\fB\fIn\fR\fR -.RS 4 -Allow access after -\fIn\fR -seconds after failed attempt\. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\. -.RE -.PP -\fBmagic_root\fR -.RS 4 -If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted\. -.RE -.PP -\fBno_lock_time\fR -.RS 4 -Do not use the \.fail_locktime field in -\fI/var/log/faillog\fR -for this user\. -.RE -.PP -\fBno_reset\fR -.RS 4 -Don\'t reset count on successful entry, only decrement\. -.RE -.PP -\fBeven_deny_root_account\fR -.RS 4 -Root account can become unavailable\. 
-.RE -.PP -\fBper_user\fR -.RS 4 -If -\fI/var/log/faillog\fR -contains a non\-zero \.fail_max/\.fail_locktime field for this user then use it instead of -\fBdeny=\fR\fB\fIn\fR\fR/ -\fBlock_time=\fR\fB\fIn\fR\fR -parameter\. -.RE -.PP -\fBno_lock_time\fR -.RS 4 -Don\'t use \.fail_locktime filed in -\fI/var/log/faillog\fR -for this user\. -.RE -.RE -.PP -ACCOUNT OPTIONS -.RS 4 -Account phase resets attempts counter if the user is -\fBnot\fR -magic root\. This phase can be used optionaly for services which don\'t call -\fBpam_setcred\fR(3) -correctly or if the reset should be done regardless of the failure of the account phase of other modules\. -.PP -\fBmagic_root\fR -.RS 4 -If the module is invoked by a user with uid=0 the counter is not incremented\. The sys\-admin should use this for user launched services, like -\fBsu\fR, otherwise this argument should be omitted\. -.RE -.PP -\fBno_reset\fR -.RS 4 -Don\'t reset count on successful entry, only decrement\. -.RE -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBauth\fR -and -\fBaccount\fR -services are supported\. -.SH "RETURN VALUES" -.PP -PAM_AUTH_ERR -.RS 4 -A invalid option was given, the module was not able to retrive the user name, no valid counter file was found, or too many failed logins\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Everything was successfull\. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -User not known\. -.RE -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam\.d/login\fR -to lock the account after too many failed logins\. The number of allowed fails is specified by -\fI/var/log/faillog\fR -and needs to be set with pam_tally or -\fBfaillog\fR(8) -before\. 
-.sp -.RS 4 -.nf -auth required pam_securetty\.so -auth required pam_tally\.so per_user -auth required pam_env\.so -auth required pam_unix\.so -auth required pam_nologin\.so -account required pam_unix\.so -password required pam_unix\.so -session required pam_limits\.so -session required pam_unix\.so -session required pam_lastlog\.so nowtmp -session optional pam_mail\.so standard - -.fi -.RE -.SH "FILES" -.PP -\fI/var/log/faillog\fR -.RS 4 -failure logging file -.RE -.SH "SEE ALSO" -.PP - -\fBfaillog\fR(8), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_tally was written by Tim Baverstock and Tomas Mraz\. diff --git a/modules/pam_time/.cvsignore b/modules/pam_time/.cvsignore index 9fb98574..cac9cca3 100644 --- a/modules/pam_time/.cvsignore +++ b/modules/pam_time/.cvsignore @@ -4,3 +4,6 @@ .libs Makefile Makefile.in +README +pam_time.8 +time.conf.5 diff --git a/modules/pam_time/README b/modules/pam_time/README deleted file mode 100644 index 05eaec2c..00000000 --- a/modules/pam_time/README +++ /dev/null 
@@ -1,36 +0,0 @@ -pam_time — PAM module for time control access - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_time PAM module does not authenticate the user, but instead it -restricts access to a system and or specific applications at various times of -the day and on specific days or over various terminal lines. This module can be -configured to deny access to (individual) users based on their name, the time -of day, the day of week, the service they are applying for and their terminal -from which they are making their request. - -By default rules for time/port access are taken from config file /etc/security/ -time.conf. - -If Linux PAM is compiled with audit support the module will report when it -denies access. - -EXAMPLES - -These are some example lines which might be specified in /etc/security/ -time.conf. - -All users except for root are denied access to console-login at all times: - -login ; tty* & !ttyp* ; !root ; !Al0000-2400 - - -Games (configured to use PAM) are only to be accessed out of working hours. -This rule does not apply to the user waster: - - -games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 - - diff --git a/modules/pam_time/pam_time.8 b/modules/pam_time/pam_time.8 deleted file mode 100644 index 21fb83d5..00000000 --- a/modules/pam_time/pam_time.8 +++ /dev/null 
@@ -1,95 +0,0 @@ -.\" Title: pam_time -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 01/07/2008 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_TIME" "8" "01/07/2008" "Linux-PAM Manual" "Linux-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_time - PAM module for time control access -.SH "SYNOPSIS" -.HP 12 -\fBpam_time\.so\fR [debug] [noaudit] -.SH "DESCRIPTION" -.PP -The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines\. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request\. -.PP -By default rules for time/port access are taken from config file -\fI/etc/security/time\.conf\fR\. -.PP -If Linux PAM is compiled with audit support the module will report when it denies access\. -.SH "OPTIONS" -.PP -\fBdebug\fR -.RS 4 -Some debug informations are printed with -\fBsyslog\fR(3)\. -.RE -.PP -\fBnoaudit\fR -.RS 4 -Do not report logins at disallowed time to the audit subsystem\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBaccount\fR -service is supported\. -.SH "RETURN VALUES" -.PP -PAM_SUCCESS -.RS 4 -Access was granted\. -.RE -.PP -PAM_ABORT -.RS 4 -Not all relevant data could be gotten\. -.RE -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_PERM_DENIED -.RS 4 -Access was not granted\. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -The user is not known to the system\. 
-.RE -.SH "FILES" -.PP -\fI/etc/security/time\.conf\fR -.RS 4 -Default configuration file -.RE -.SH "EXAMPLES" -.sp -.RS 4 -.nf -#%PAM\-1\.0 -# -# apply pam_time accounting to login requests -# -login account required pam_time\.so - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBtime.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8)\. -.SH "AUTHOR" -.PP -pam_time was written by Andrew G\. Morgan \. diff --git a/modules/pam_time/time.conf.5 b/modules/pam_time/time.conf.5 deleted file mode 100644 index 400344a6..00000000 --- a/modules/pam_time/time.conf.5 +++ /dev/null 
@@ -1,92 +0,0 @@ -.\" Title: time.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/21/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "TIME.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -time.conf \- configuration file for the pam_time module -.SH "DESCRIPTION" -.PP -The pam_time PAM module does not authenticate the user, but instead it restricts access to a system and or specific applications at various times of the day and on specific days or over various terminal lines. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request. -.PP -For this module to function correctly there must be a correctly formatted -\fI/etc/security/time.conf\fR -file present. White spaces are ignored and lines maybe extended with '\\' (escaped newlines). Text following a '#' is ignored to the end of the line. -.PP -The syntax of the lines is as follows: -.PP - -\fIservices\fR;\fIttys\fR;\fIusers\fR;\fItimes\fR -.PP -In words, each rule occupies a line, terminated with a newline or the beginning of a comment; a '\fB#\fR'. It contains four fields separated with semicolons, '\fB;\fR'. -.PP -The first field, the -\fIservices\fR -field, is a logic list of PAM service names that the rule applies to. -.PP -The second field, the -\fItty\fR -field, is a logic list of terminal names that this rule applies to. -.PP -The third field, the -\fIusers\fR -field, is a logic list of users or a netgroup of users to whom this rule applies. -.PP -For these items the simple wildcard '*' may be used only once. With netgroups no wildcards or logic operators are allowed. -.PP -The -\fItimes\fR -field is used to indicate the times at which this rule applies. 
The format here is a logic list of day/time\-range entries. The days are specified by a sequence of two character entries, MoTuSa for example is Monday Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being week\-end days and all 7 days of the week respectively. As a final example, AlFr means all days except Friday. -.PP -Each day/time\-range can be prefixed with a '!' to indicate "anything but". The time\-range part is two 24\-hour times HHMM, separated by a hyphen, indicating the start and finish time (if the finish time is smaller than the start time it is deemed to apply on the following day). -.PP -For a rule to be active, ALL of service+ttys+users must be satisfied by the applying process. -.PP -Note, currently there is no daemon enforcing the end of a session. This needs to be remedied. -.PP -Poorly formatted rules are logged as errors using -\fBsyslog\fR(3). -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/time.conf\fR. -.PP -All users except for -\fIroot\fR -are denied access to console\-login at all times: -.sp -.RS 3n -.nf -login ; tty* & !ttyp* ; !root ; !Al0000\-2400 - -.fi -.RE -.sp -.PP -Games (configured to use PAM) are only to be accessed out of working hours. This rule does not apply to the user -\fIwaster\fR: -.sp -.RS 3n -.nf - -games ; * ; !waster ; Wd0000\-2400 | Wk1800\-0800 - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam_time\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_time was written by Andrew G. Morgan . diff --git a/modules/pam_tty_audit/.cvsignore b/modules/pam_tty_audit/.cvsignore index 9fb98574..aefb9d6f 100644 --- a/modules/pam_tty_audit/.cvsignore +++ b/modules/pam_tty_audit/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_tty_audit.8 
diff --git a/modules/pam_umask/.cvsignore b/modules/pam_umask/.cvsignore index 621104aa..d53ba152 100644 --- a/modules/pam_umask/.cvsignore +++ b/modules/pam_umask/.cvsignore @@ -6,3 +6,5 @@ .libs Makefile Makefile.in +README +pam_umask.8 diff --git a/modules/pam_umask/README b/modules/pam_umask/README deleted file mode 100644 index 69003ec3..00000000 --- a/modules/pam_umask/README +++ /dev/null @@ -1,58 +0,0 @@ -pam_umask — PAM module to set the file mode creation mask - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_umask is a PAM module to set the file mode creation mask of the current -environment. The umask affects the default permissions assigned to newly -created files. - -The PAM module tries to get the umask value from the following places in the -following order: - - ● umask= argument - - ● umask= entry of the users GECOS field - - ● pri= entry of the users GECOS field - - ● ulimit= entry of the users GECOS field - - ● UMASK= entry from /etc/default/login - - ● UMASK entry from /etc/login.defs - -OPTIONS - -debug - - Print debug information. - -silent - - Don't print informative messages. - -usergroups - - If the user is not root, and the user ID is equal to the group ID, and the - username is the same as primary group name, the umask group bits are set to - be the same as owner bits (examples: 022 -> 002, 077 -> 007). - -umask=mask - - Sets the calling process's file mode creation mask (umask) to mask & 0777. - The value is interpreted as Octal. - -EXAMPLES - -Add the following line to /etc/pam.d/login to set the user specific umask at -login: - - session optional pam_umask.so umask=0022 - - -AUTHOR - -pam_umask was written by Thorsten Kukuk . - diff --git a/modules/pam_umask/pam_umask.8 b/modules/pam_umask/pam_umask.8 deleted file mode 100644 index 43160d63..00000000 --- a/modules/pam_umask/pam_umask.8 +++ /dev/null 
@@ -1,96 +0,0 @@ -.\" Title: pam_umask -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 08/06/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_UMASK" "8" "08/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_umask \- PAM module to set the file mode creation mask -.SH "SYNOPSIS" -.HP 13 -\fBpam_umask.so\fR [debug] [silent] [usergroups] [umask=\fImask\fR] -.SH "DESCRIPTION" -.PP -pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files. -.PP -The PAM module tries to get the umask value from the following places in the following order: -.TP 3n -\(bu -umask= argument -.TP 3n -\(bu -umask= entry of the users GECOS field -.TP 3n -\(bu -pri= entry of the users GECOS field -.TP 3n -\(bu -ulimit= entry of the users GECOS field -.TP 3n -\(bu -UMASK= entry from /etc/default/login -.TP 3n -\(bu -UMASK entry from /etc/login.defs -.sp -.RE -.SH "OPTIONS" -.PP -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBsilent\fR -Don't print informative messages. -.TP 3n -\fBusergroups\fR -If the user is not root, and the user ID is equal to the group ID, and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007). -.TP 3n -\fBumask=\fR\fB\fImask\fR\fR -Sets the calling process's file mode creation mask (umask) to -\fBmask\fR -& 0777. The value is interpreted as Octal. -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SUCCESS -The new umask was set successfull. -.TP 3n -PAM_SERVICE_ERR -No username was given. -.TP 3n -PAM_USER_UNKNOWN -User not known. 
-.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/login\fR -to set the user specific umask at login: -.sp -.RS 3n -.nf - session optional pam_umask.so umask=0022 - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_umask was written by Thorsten Kukuk . diff --git a/modules/pam_unix/.cvsignore b/modules/pam_unix/.cvsignore index 8de09aa5..454f7276 100644 --- a/modules/pam_unix/.cvsignore +++ b/modules/pam_unix/.cvsignore @@ -7,3 +7,6 @@ Makefile Makefile.in bigcrypt unix_chkpwd +README +pam_unix.8 +unix_chkpwd.8 diff --git a/modules/pam_unix/README b/modules/pam_unix/README deleted file mode 100644 index 3421eb31..00000000 --- a/modules/pam_unix/README +++ /dev/null 
@@ -1,142 +0,0 @@ -pam_unix — Module for traditional password authentication - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This is the standard Unix authentication module. It uses standard calls from -the system's libraries to retrieve and set account information as well as -authentication. Usually this is obtained from the /etc/passwd and the /etc/ -shadow file as well if shadow is enabled. - -The account component performs the task of establishing the status of the -user's account and password based on the following shadow elements: expire, -last_change, max_change, min_change, warn_change. In the case of the latter, it -may offer advice to the user on changing their password or, through the -PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have -established a new password. The entries listed above are documented in the -shadow(5) manual page. Should the user's record not contain one or more of -these entries, the corresponding shadow check is not performed. - -The authentication component performs the task of checking the users -credentials (password). The default action of this module is to not permit the -user access to a service if their official password is blank. - -A helper binary, unix_chkpwd(8), is provided to check the user's password when -it is stored in a read protected database. This binary is very simple and will -only check the password of the user invoking it. It is called transparently on -behalf of the user by the authenticating component of this module. In this way -it is possible for applications like xlock(1) to work without being -setuid-root. The module, by default, will temporarily turn off SIGCHLD handling -for the duration of execution of the helper binary. This is generally the right -thing to do, as many applications are not prepared to handle this signal from a -child they didn't know was fork()d. 
The noreap module argument can be used to -suppress this temporary shielding and may be needed for use with certain -applications. - -The password component of this module performs the task of updating the user's -password. - -The session component of this module logs when a user logins or leave the -system. - -Remaining arguments, supported by others functions of this module, are silently -ignored. Other arguments are logged as errors through syslog(3). - -OPTIONS - -debug - - Turns on debugging via syslog(3). - -audit - - A little more extreme than debug. - -nullok - - The default action of this module is to not permit the user access to a - service if their official password is blank. The nullok argument overrides - this default. - -try_first_pass - - Before prompting the user for their password, the module first tries the - previous stacked module's password in case that satisfies this module as - well. - -use_first_pass - - The argument use_first_pass forces the module to use a previous stacked - modules password and will never prompt the user - if no password is - available or the password is not appropriate, the user will be denied - access. - -nodelay - - This argument can be used to discourage the authentication component from - requesting a delay should the authentication as a whole fail. The default - action is for the module to request a delay-on-failure of the order of two - second. - -use_authtok - - When password changing enforce the module to set the new password to the - one provided by a previously stacked password module (this is used in the - example of the stacking of the pam_cracklib module documented above). - -not_set_pass - - This argument is used to inform the module that it is not to pay attention - to/make available the old or new passwords from/to other (stacked) password - modules. - -nis - - NIS RPC is used for setting new passwords. 
- -remember=n - - The last n passwords for each user are saved in /etc/security/opasswd in - order to force password change history and keep the user from alternating - between the same password too frequently. - -shadow - - Try to maintain a shadow based system. - -md5 - - When a user changes their password next, encrypt it with the MD5 algorithm. - -bigcrypt - - When a user changes their password next, encrypt it with the DEC C2 - algorithm. - -broken_shadow - - Ignore errors reading shadow inforation for users in the account management - module. - -Invalid arguments are logged with syslog(3). - -EXAMPLES - -An example usage for /etc/pam.d/login would be: - -# Authenticate the user -auth required pam_unix.so -# Ensure users account and password are still active -account required pam_unix.so -# Change the users password, but at first check the strength -# with pam_cracklib(8) -password required pam_cracklib.so retry=3 minlen=6 difok=3 -password required pam_unix.so use_authtok nullok md5 -session required pam_unix.so - - -AUTHOR - -pam_unix was written by various people. - diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 deleted file mode 100644 index e57de221..00000000 --- a/modules/pam_unix/pam_unix.8 +++ /dev/null 
@@ -1,143 +0,0 @@ -.\" Title: pam_unix -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 09/20/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_UNIX" "8" "09/20/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_unix \- Module for traditional password authentication -.SH "SYNOPSIS" -.HP 12 -\fBpam_unix.so\fR [...] -.SH "DESCRIPTION" -.PP -This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled. -.PP -The account component performs the task of establishing the status of the user's account and password based on the following -\fIshadow\fR -elements: expire, last_change, max_change, min_change, warn_change. In the case of the latter, it may offer advice to the user on changing their password or, through the -\fBPAM_AUTHTOKEN_REQD\fR -return, delay giving service to the user until they have established a new password. The entries listed above are documented in the -\fBshadow\fR(5) -manual page. Should the user's record not contain one or more of these entries, the corresponding -\fIshadow\fR -check is not performed. -.PP -The authentication component performs the task of checking the users credentials (password). The default action of this module is to not permit the user access to a service if their official password is blank. -.PP -A helper binary, -\fBunix_chkpwd\fR(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. 
In this way it is possible for applications like -\fBxlock\fR(1) -to work without being setuid\-root. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn't know was -\fBfork()\fRd. The -\fBnoreap\fR -module argument can be used to suppress this temporary shielding and may be needed for use with certain applications. -.PP -The password component of this module performs the task of updating the user's password. -.PP -The session component of this module logs when a user logins or leave the system. -.PP -Remaining arguments, supported by others functions of this module, are silently ignored. Other arguments are logged as errors through -\fBsyslog\fR(3). -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Turns on debugging via -\fBsyslog\fR(3). -.TP 3n -\fBaudit\fR -A little more extreme than debug. -.TP 3n -\fBnullok\fR -The default action of this module is to not permit the user access to a service if their official password is blank. The -\fBnullok\fR -argument overrides this default. -.TP 3n -\fBtry_first_pass\fR -Before prompting the user for their password, the module first tries the previous stacked module's password in case that satisfies this module as well. -.TP 3n -\fBuse_first_pass\fR -The argument -\fBuse_first_pass\fR -forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access. -.TP 3n -\fBnodelay\fR -This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The default action is for the module to request a delay\-on\-failure of the order of two second. 
-.TP 3n -\fBuse_authtok\fR -When password changing enforce the module to set the new password to the one provided by a previously stacked -\fBpassword\fR -module (this is used in the example of the stacking of the -\fBpam_cracklib\fR -module documented above). -.TP 3n -\fBnot_set_pass\fR -This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules. -.TP 3n -\fBnis\fR -NIS RPC is used for setting new passwords. -.TP 3n -\fBremember=\fR\fB\fIn\fR\fR -The last -\fIn\fR -passwords for each user are saved in -\fI/etc/security/opasswd\fR -in order to force password change history and keep the user from alternating between the same password too frequently. -.TP 3n -\fBshadow\fR -Try to maintain a shadow based system. -.TP 3n -\fBmd5\fR -When a user changes their password next, encrypt it with the MD5 algorithm. -.TP 3n -\fBbigcrypt\fR -When a user changes their password next, encrypt it with the DEC C2 algorithm. -.TP 3n -\fBbroken_shadow\fR -Ignore errors reading shadow inforation for users in the account management module. -.PP -Invalid arguments are logged with -\fBsyslog\fR(3). -.SH "MODULE SERVICES PROVIDED" -.PP -All service are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_IGNORE -Ignore this module. -.SH "EXAMPLES" -.PP -An example usage for -\fI/etc/pam.d/login\fR -would be: -.sp -.RS 3n -.nf -# Authenticate the user -auth required pam_unix.so -# Ensure users account and password are still active -account required pam_unix.so -# Change the users password, but at first check the strength -# with pam_cracklib(8) -password required pam_cracklib.so retry=3 minlen=6 difok=3 -password required pam_unix.so use_authtok nullok md5 -session required pam_unix.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_unix was written by various people. 
diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8
deleted file mode 100644
index 02ccfe4a..00000000
--- a/modules/pam_unix/unix_chkpwd.8
+++ /dev/null
@@ -1,80 +0,0 @@
-.\" Copyright (C) 2003 International Business Machines Corporation
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.\"
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "UNIX_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
-.SH NAME
-unix_chkpwd \- helper binary that verifies the password of the current user
-.SH "SYNOPSIS"
-.ad l
-.hy 0
-
-/sbin/unix_chkpwd [\fIusername\fR]
-.sp
-.ad
-.hy
-.SH "DESCRIPTION"
-.PP
-\fBunix_chkpwd\fR is a helper program for the pam_unix module that verifies
-the password of the current user. It is not intended to be run directly from
-the command line and logs a security violation if done so.
-
-It is typically installed setuid root or setgid shadow.
-
-.SH "OPTIONS"
-.PP
-unix_pwdchk optionally takes the following argument:
-.TP
-\fIusername\fR
-The username of the user whose password you want to check: this must match the current user id.
-
-.SH "INPUTS"
-.PP
-unix_pwdchk expects the following inputs via stdin:
-.TP
-\fIoption\fR
-Either nullok or nonull, depending on whether the user can have an empty password.
-.TP
-\fIpassword\fR
-The password to verify.
-
-.SH "RETURN CODES"
-.PP
-\fBunix_chkpwd\fR has the following return codes:
-.TP
-1
-unix_chkpwd was inappropriately called from the command line or the password is incorrect.
-
-.TP
-0
-The password is correct.
-
-.SH "HISTORY"
-Written by Andrew Morgan
-
-.SH "SEE ALSO"
-
-.PP
-\fBpam\fR(8)
-
-.SH AUTHOR
-Emily Ratliff.
-
diff --git a/modules/pam_userdb/.cvsignore b/modules/pam_userdb/.cvsignore
index 9fb98574..ca9670ba 100644
--- a/modules/pam_userdb/.cvsignore
+++ b/modules/pam_userdb/.cvsignore
@@ -4,3 +4,5 @@
 .libs
 Makefile
 Makefile.in
+README
+pam_userdb.8
diff --git a/modules/pam_userdb/README b/modules/pam_userdb/README
deleted file mode 100644
index 8e1a5ffd..00000000
--- a/modules/pam_userdb/README
+++ /dev/null
@@ -1,74 +0,0 @@ -pam_userdb — PAM module to authenticate against a db database - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_userdb module is used to verify a username/password pair against values -stored in a Berkeley DB database. The database is indexed by the username, and -the data fields corresponding to the username keys are the passwords. - -OPTIONS - -crypt=[crypt|none] - - Indicates whether encrypted or plaintext passwords are stored in the - database. If it is crypt, passwords should be stored in the database in - crypt(3) form. If none is selected, passwords should be stored in the - database as plaintext. - -db=/path/database - - Use the /path/database database for performing lookup. There is no default; - the module will return PAM_IGNORE if no database is provided. - -debug - - Print debug information. - -dump - - Dump all the entries in the database to the log. Don't do this by default! - -icase - - Make the password verification to be case insensitive (ie when working with - registration numbers and such). Only works with plaintext password storage. - -try_first_pass - - Use the authentication token previously obtained by another module that did - the conversation with the application. If this token can not be obtained - then the module will try to converse. This option can be used for stacking - different modules that need to deal with the authentication tokens. - -use_first_pass - - Use the authentication token previously obtained by another module that did - the conversation with the application. If this token can not be obtained - then the module will fail. This option can be used for stacking different - modules that need to deal with the authentication tokens. - -unknown_ok - - Do not return error when checking for a user that is not in the database. - This can be used to stack more than one pam_userdb module that will check a - username/password pair in more than a database. 
- -key_only - - The username and password are concatenated together in the database hash as - 'username-password' with a random value. if the concatenation of the - username and password with a dash in the middle returns any result, the - user is valid. this is useful in cases where the username may not be unique - but the username and password pair are. - -EXAMPLES - -auth sufficient pam_userdb.so icase db=/etc/dbtest.db - - -AUTHOR - -pam_userdb was written by Cristian Gafton >gafton@redhat.com<. - diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8 deleted file mode 100644 index b1ad6677..00000000 --- a/modules/pam_userdb/pam_userdb.8 +++ /dev/null 
@@ -1,104 +0,0 @@ -.\" Title: pam_userdb -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/07/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_USERDB" "8" "06/07/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_userdb \- PAM module to authenticate against a db database -.SH "SYNOPSIS" -.HP 14 -\fBpam_userdb.so\fR db=\fI/path/database\fR [debug] [crypt=[crypt|none]] [icase] [dump] [try_first_pass] [use_first_pass] [unknown_ok] [key_only] -.SH "DESCRIPTION" -.PP -The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords. -.SH "OPTIONS" -.TP 3n -\fBcrypt=[crypt|none]\fR -Indicates whether encrypted or plaintext passwords are stored in the database. If it is -\fBcrypt\fR, passwords should be stored in the database in -\fBcrypt\fR(3) -form. If -\fBnone\fR -is selected, passwords should be stored in the database as plaintext. -.TP 3n -\fBdb=\fR\fB\fI/path/database\fR\fR -Use the -\fI/path/database\fR -database for performing lookup. There is no default; the module will return -\fBPAM_IGNORE\fR -if no database is provided. -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBdump\fR -Dump all the entries in the database to the log. Don't do this by default! -.TP 3n -\fBicase\fR -Make the password verification to be case insensitive (ie when working with registration numbers and such). Only works with plaintext password storage. -.TP 3n -\fBtry_first_pass\fR -Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will try to converse. 
This option can be used for stacking different modules that need to deal with the authentication tokens. -.TP 3n -\fBuse_first_pass\fR -Use the authentication token previously obtained by another module that did the conversation with the application. If this token can not be obtained then the module will fail. This option can be used for stacking different modules that need to deal with the authentication tokens. -.TP 3n -\fBunknown_ok\fR -Do not return error when checking for a user that is not in the database. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database. -.TP 3n -\fBkey_only\fR -The username and password are concatenated together in the database hash as 'username\-password' with a random value. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid. this is useful in cases where the username may not be unique but the username and password pair are. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR -and -\fBaccount\fR -are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_AUTH_ERR -Authentication failure. -.TP 3n -PAM_AUTHTOK_RECOVERY_ERR -Authentication information cannot be recovered. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_CONV_ERR -Conversation failure. -.TP 3n -PAM_SERVICE_ERR -Error in service module. -.TP 3n -PAM_SUCCESS -Success. -.TP 3n -PAM_USER_UNKNOWN -User not known to the underlying authentication module. -.SH "EXAMPLES" -.sp -.RS 3n -.nf -auth sufficient pam_userdb.so icase db=/etc/dbtest.db - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBcrypt\fR(3), -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_userdb was written by Cristian Gafton >gafton@redhat.com<. diff --git a/modules/pam_warn/.cvsignore b/modules/pam_warn/.cvsignore index 9fb98574..7737bcc0 100644 --- a/modules/pam_warn/.cvsignore +++ b/modules/pam_warn/.cvsignore 
@@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_warn.8 diff --git a/modules/pam_warn/README b/modules/pam_warn/README deleted file mode 100644 index a0713173..00000000 --- a/modules/pam_warn/README +++ /dev/null @@ -1,36 +0,0 @@ -pam_warn — PAM module which logs all PAM items if called - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_warn is a PAM module that logs the service, terminal, user, remote user and -remote host to syslog(3). The items are not probed for, but instead obtained -from the standard PAM items. The module always returns PAM_IGNORE, indicating -that it does not want to affect the authentication process. - -OPTIONS - -This module does not recognise any options. - -EXAMPLES - -#%PAM-1.0 -# -# If we don't have config entries for a service, the -# OTHER entries are used. To be secure, warn and deny -# access to everything. -other auth required pam_warn.so -other auth required pam_deny.so -other account required pam_warn.so -other account required pam_deny.so -other password required pam_warn.so -other password required pam_deny.so -other session required pam_warn.so -other session required pam_deny.so - - -AUTHOR - -pam_warn was written by Andrew G. Morgan . - diff --git a/modules/pam_warn/pam_warn.8 b/modules/pam_warn/pam_warn.8 deleted file mode 100644 index 4bc3f203..00000000 --- a/modules/pam_warn/pam_warn.8 +++ /dev/null 
@@ -1,69 +0,0 @@ -.\" Title: pam_warn -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_WARN" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_warn - PAM module which logs all PAM items if called -.SH "SYNOPSIS" -.HP 12 -\fBpam_warn\.so\fR -.SH "DESCRIPTION" -.PP -pam_warn is a PAM module that logs the service, terminal, user, remote user and remote host to -\fBsyslog\fR(3)\. The items are not probed for, but instead obtained from the standard PAM items\. The module always returns -\fBPAM_IGNORE\fR, indicating that it does not want to affect the authentication process\. -.SH "OPTIONS" -.PP -This module does not recognise any options\. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported\. -.SH "RETURN VALUES" -.PP -PAM_IGNORE -.RS 4 -This module always returns PAM_IGNORE\. -.RE -.SH "EXAMPLES" -.sp -.RS 4 -.nf -#%PAM\-1\.0 -# -# If we don\'t have config entries for a service, the -# OTHER entries are used\. To be secure, warn and deny -# access to everything\. -other auth required pam_warn\.so -other auth required pam_deny\.so -other account required pam_warn\.so -other account required pam_deny\.so -other password required pam_warn\.so -other password required pam_deny\.so -other session required pam_warn\.so -other session required pam_deny\.so - -.fi -.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_warn was written by Andrew G\. Morgan \. diff --git a/modules/pam_wheel/.cvsignore b/modules/pam_wheel/.cvsignore index 9fb98574..e63f2a9c 100644 --- a/modules/pam_wheel/.cvsignore +++ b/modules/pam_wheel/.cvsignore @@ -4,3 +4,5 @@ .libs Makefile Makefile.in +README +pam_wheel.8 
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README deleted file mode 100644 index 6a2b21c5..00000000 --- a/modules/pam_wheel/README +++ /dev/null @@ -1,61 +0,0 @@ -pam_wheel — Only permit root access to members of group wheel - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_wheel PAM module is used to enforce the so-called wheel group. By -default it permits root access to the system if the applicant user is a member -of the wheel group. If no group with this name exist, the module is using the -group with the group-ID 0. - -OPTIONS - -debug - - Print debug information. - -deny - - Reverse the sense of the auth operation: if the user is trying to get UID 0 - access and is a member of the wheel group (or the group of the group - option), deny access. Conversely, if the user is not in the group, return - PAM_IGNORE (unless trust was also specified, in which case we return - PAM_SUCCESS). - -group=name - - Instead of checking the wheel or GID 0 groups, use the name group to - perform the authentication. - -root_only - - The check for wheel membership is done only. - -trust - - The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the - user is a member of the wheel group (thus with a little play stacking the - modules the wheel members may be able to su to root without being prompted - for a passwd). - -use_uid - - The check for wheel membership will be done against the current uid instead - of the original one (useful when jumping with su from one account to - another for example). - -EXAMPLES - -The root account gains access by default (rootok), only wheel members can -become root (wheel) but Unix authenticate non-root applicants. - -su auth sufficient pam_rootok.so -su auth required pam_wheel.so -su auth required pam_unix.so - - -AUTHOR - -pam_wheel was written by Cristian Gafton . - 
diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8
deleted file mode 100644
index ae29c37e..00000000
--- a/modules/pam_wheel/pam_wheel.8
+++ /dev/null
@@ -1,101 +0,0 @@ -.\" Title: pam_wheel -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_wheel \- Only permit root access to members of group wheel -.SH "SYNOPSIS" -.HP 13 -\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] -.SH "DESCRIPTION" -.PP -The pam_wheel PAM module is used to enforce the so\-called -\fIwheel\fR -group. By default it permits root access to the system if the applicant user is a member of the -\fIwheel\fR -group. If no group with this name exist, the module is using the group with the group\-ID -\fB0\fR. -.SH "OPTIONS" -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBdeny\fR -Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the -\fBgroup\fR -option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless -\fBtrust\fR -was also specified, in which case we return PAM_SUCCESS). -.TP 3n -\fBgroup=\fR\fB\fIname\fR\fR -Instead of checking the wheel or GID 0 groups, use the -\fB\fIname\fR\fR -group to perform the authentication. -.TP 3n -\fBroot_only\fR -The check for wheel membership is done only. -.TP 3n -\fBtrust\fR -The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). -.TP 3n -\fBuse_uid\fR -The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example). 
-.SH "MODULE SERVICES PROVIDED" -.PP -The -\fBauth\fR -and -\fBaccount\fR -services are supported. -.SH "RETURN VALUES" -.TP 3n -PAM_AUTH_ERR -Authentication failure. -.TP 3n -PAM_BUF_ERR -Memory buffer error. -.TP 3n -PAM_IGNORE -The return value should be ignored by PAM dispatch. -.TP 3n -PAM_PERM_DENY -Permission denied. -.TP 3n -PAM_SERVICE_ERR -Cannot determine the user name. -.TP 3n -PAM_SUCCESS -Success. -.TP 3n -PAM_USER_UNKNOWN -User not known. -.SH "EXAMPLES" -.PP -The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants. -.sp -.RS 3n -.nf -su auth sufficient pam_rootok.so -su auth required pam_wheel.so -su auth required pam_unix.so - -.fi -.RE -.sp -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_wheel was written by Cristian Gafton . diff --git a/modules/pam_xauth/.cvsignore b/modules/pam_xauth/.cvsignore index 621104aa..1611e414 100644 --- a/modules/pam_xauth/.cvsignore +++ b/modules/pam_xauth/.cvsignore @@ -6,3 +6,5 @@ .libs Makefile Makefile.in +README +pam_xauth.8 diff --git a/modules/pam_xauth/README b/modules/pam_xauth/README deleted file mode 100644 index 4e0e3ec4..00000000 --- a/modules/pam_xauth/README +++ /dev/null 
@@ -1,90 +0,0 @@ -pam_xauth — PAM module to forward xauth keys between users - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -The pam_xauth PAM module is designed to forward xauth keys (sometimes referred -to as "cookies") between users. - -Without pam_xauth, when xauth is enabled and a user uses the su(1) command to -assume another user's priviledges, that user is no longer able to access the -original user's X display because the new user does not have the key needed to -access the display. pam_xauth solves the problem by forwarding the key from the -user running su (the source user) to the user whose identity the source user is -assuming (the target user) when the session is created, and destroying the key -when the session is torn down. - -This means, for example, that when you run su(1) from an xterm sesssion, you -will be able to run X programs without explicitly dealing with the xauth(1) -xauth command or ~/.Xauthority files. - -pam_xauth will only forward keys if xauth can list a key connected to the -$DISPLAY environment variable. - -Primitive access control is provided by ~/.xauth/export in the invoking user's -home directory and ~/.xauth/import in the target user's home directory. - -If a user has a ~/.xauth/import file, the user will only receive cookies from -users listed in the file. If there is no ~/.xauth/import file, the user will -accept cookies from any other user. - -If a user has a .xauth/export file, the user will only forward cookies to users -listed in the file. If there is no ~/.xauth/export file, and the invoking user -is not root, the user will forward cookies to any other user. If there is no ~ -/.xauth/export file, and the invoking user is root, the user will not forward -cookies to other users. - -Both the import and export files support wildcards (such as *). Both the import -and export files can be empty, signifying that no users are allowed. 
- -OPTIONS - -debug - - Print debug information. - -xauthpath=/path/to/xauth - - Specify the path the xauth program (it is expected in /usr/X11R6/bin/xauth, - /usr/bin/xauth, or /usr/bin/X11/xauth by default). - -systemuser=UID - - Specify the highest UID which will be assumed to belong to a "system" user. - pam_xauth will refuse to forward credentials to users with UID less than or - equal to this number, except for root and the "targetuser", if specified. - -targetuser=UID - - Specify a single target UID which is exempt from the systemuser check. - -EXAMPLES - -Add the following line to /etc/pam.d/su to forward xauth keys between users -when calling su: - -session optional pam_xauth.so - - -IMPLEMENTATION DETAILS - -pam_xauth will work only if it is used from a setuid application in which the -getuid() call returns the id of the user running the application, and for which -PAM can supply the name of the account that the user is attempting to assume. -The typical application of this type is su(1). The application must call both -pam_open_session() and pam_close_session() with the ruid set to the uid of the -calling user and the euid set to root, and must have provided as the PAM_USER -item the name of the target user. - -pam_xauth calls xauth(1) as the source user to extract the key for $DISPLAY, -then calls xauth as the target user to merge the key into the a temporary -database and later remove the database. - -pam_xauth cannot be told to not remove the keys when the session is closed. - -AUTHOR - -pam_xauth was written by Nalin Dahyabhai , based on original -version by Michael K. Johnson . - diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8 deleted file mode 100644 index f316ad7b..00000000 --- a/modules/pam_xauth/pam_xauth.8 +++ /dev/null 
@@ -1,163 +0,0 @@ -.\" Title: pam_xauth -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 -.\" Date: 11/06/2007 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "PAM_XAUTH" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_xauth - PAM module to forward xauth keys between users -.SH "SYNOPSIS" -.HP 13 -\fBpam_xauth\.so\fR [debug] [xauthpath=\fI/path/to/xauth\fR] [systemuser=\fIUID\fR] [targetuser=\fIUID\fR] -.SH "DESCRIPTION" -.PP -The pam_xauth PAM module is designed to forward xauth keys (sometimes referred to as "cookies") between users\. -.PP -Without pam_xauth, when xauth is enabled and a user uses the -\fBsu\fR(1) -command to assume another user\'s priviledges, that user is no longer able to access the original user\'s X display because the new user does not have the key needed to access the display\. pam_xauth solves the problem by forwarding the key from the user running su (the source user) to the user whose identity the source user is assuming (the target user) when the session is created, and destroying the key when the session is torn down\. -.PP -This means, for example, that when you run -\fBsu\fR(1) -from an xterm sesssion, you will be able to run X programs without explicitly dealing with the -\fBxauth\fR(1) -xauth command or ~/\.Xauthority files\. -.PP -pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable\. -.PP -Primitive access control is provided by -\fI~/\.xauth/export\fR -in the invoking user\'s home directory and -\fI~/\.xauth/import\fR -in the target user\'s home directory\. -.PP -If a user has a -\fI~/\.xauth/import\fR -file, the user will only receive cookies from users listed in the file\. If there is no -\fI~/\.xauth/import\fR -file, the user will accept cookies from any other user\. 
-.PP -If a user has a -\fI\.xauth/export\fR -file, the user will only forward cookies to users listed in the file\. If there is no -\fI~/\.xauth/export\fR -file, and the invoking user is not -\fBroot\fR, the user will forward cookies to any other user\. If there is no -\fI~/\.xauth/export\fR -file, and the invoking user is -\fBroot\fR, the user will -\fInot\fR -forward cookies to other users\. -.PP -Both the import and export files support wildcards (such as -\fI*\fR)\. Both the import and export files can be empty, signifying that no users are allowed\. -.SH "OPTIONS" -.PP -\fBdebug\fR -.RS 4 -Print debug information\. -.RE -.PP -\fBxauthpath=\fR\fB\fI/path/to/xauth\fR\fR -.RS 4 -Specify the path the xauth program (it is expected in -\fI/usr/X11R6/bin/xauth\fR, -\fI/usr/bin/xauth\fR, or -\fI/usr/bin/X11/xauth\fR -by default)\. -.RE -.PP -\fBsystemuser=\fR\fB\fIUID\fR\fR -.RS 4 -Specify the highest UID which will be assumed to belong to a "system" user\. pam_xauth will refuse to forward credentials to users with UID less than or equal to this number, except for root and the "targetuser", if specified\. -.RE -.PP -\fBtargetuser=\fR\fB\fIUID\fR\fR -.RS 4 -Specify a single target UID which is exempt from the systemuser check\. -.RE -.SH "MODULE SERVICES PROVIDED" -.PP -Only the -\fBsession\fR -service is supported\. -.SH "RETURN VALUES" -.PP -PAM_BUF_ERR -.RS 4 -Memory buffer error\. -.RE -.PP -PAM_PERM_DENIED -.RS 4 -Permission denied by import/export file\. -.RE -.PP -PAM_SESSION_ERR -.RS 4 -Cannot determine user name, UID or access users home directory\. -.RE -.PP -PAM_SUCCESS -.RS 4 -Success\. -.RE -.PP -PAM_USER_UNKNOWN -.RS 4 -User not known\. 
-.RE -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam\.d/su\fR -to forward xauth keys between users when calling su: -.sp -.RS 4 -.nf -session optional pam_xauth\.so - -.fi -.RE -.sp -.SH "IMPLEMENTATION DETAILS" -.PP -pam_xauth will work -\fIonly\fR -if it is used from a setuid application in which the -\fBgetuid\fR() call returns the id of the user running the application, and for which PAM can supply the name of the account that the user is attempting to assume\. The typical application of this type is -\fBsu\fR(1)\. The application must call both -\fBpam_open_session\fR() and -\fBpam_close_session\fR() with the ruid set to the uid of the calling user and the euid set to root, and must have provided as the PAM_USER item the name of the target user\. -.PP -pam_xauth calls -\fBxauth\fR(1) -as the source user to extract the key for $DISPLAY, then calls xauth as the target user to merge the key into the a temporary database and later remove the database\. -.PP -pam_xauth cannot be told to not remove the keys when the session is closed\. -.SH "FILES" -.PP -\fI~/\.xauth/import\fR -.RS 4 -XXX -.RE -.PP -\fI~/\.xauth/export\fR -.RS 4 -XXX -.RE -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_xauth was written by Nalin Dahyabhai , based on original version by Michael K\. Johnson \. -- cgit v1.2.3 From ca2cb12dd3165ab006c674d673a2d596d642c875 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 8 Jan 2008 14:49:05 +0000 Subject: Relevant BUGIDs: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Purpose of commit: bigfix Commit summary: --------------- 2008-01-08 Thorsten Kukuk * doc/man/Makefile.am: Fix manual page dependencies, add hack for bug in xsl stylestheets. 2008-01-02 Petteri Räty * modules/pam_limits/limits.conf: document allowed values for nice. * modules/pam_limits/limits.conf.5.xml: Likewise. and readd files wrongly deleted before. --- ChangeLog | 24 +++++++--- doc/man/Makefile.am | 7 ++- modules/pam_limits/limits.conf | 2 +- modules/pam_limits/limits.conf.5.xml | 2 +- modules/pam_selinux/.cvsignore | 1 - modules/pam_selinux/Makefile.am | 3 +- modules/pam_selinux/pam_selinux_check.8 | 35 +++++++++++++++ modules/pam_stress/.cvsignore | 1 - modules/pam_stress/README | 64 ++++++++++++++++++++++++++ modules/pam_unix/.cvsignore | 1 - modules/pam_unix/unix_chkpwd.8 | 80 +++++++++++++++++++++++++++++++++ 11 files changed, 206 insertions(+), 14 deletions(-) create mode 100644 modules/pam_selinux/pam_selinux_check.8 create mode 100644 modules/pam_stress/README create mode 100644 modules/pam_unix/unix_chkpwd.8 diff --git a/ChangeLog b/ChangeLog index f75e6b40..4198a142 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,9 @@ -2008-01-07 Thorsten Kukuk +2008-01-08 Thorsten Kukuk + + * doc/man/Makefile.am: Fix manual page dependencies, + add hack for bug in xsl stylestheets. + +2008-01-07 Thorsten Kukuk * po/it.po: Fix typos. * po/de.po: Few new translations. 
@@ -10,17 +15,22 @@ * po/sv.po: Update swedish translation [#1857531]. * modules/pam_succeed_if/pam_succeed_if.8.xml: Fix cut & paste error [#1863490]. - -2007-12-18 Thorsten Kukuk + +2008-01-02 Petteri Räty + * modules/pam_limits/limits.conf: document allowed values for + nice. + * modules/pam_limits/limits.conf.5.xml: Likewise. + +2007-12-18 Thorsten Kukuk * README: Document how to run make check with static modules (SF#1822779). -2007-12-18 Peter Breitenlohner +2007-12-18 Peter Breitenlohner * README: Document that "make check" requires a file /etc/pam.d/other (SF#1822764). -2007-12-12 Eamon Walsh +2007-12-12 Eamon Walsh * doc/man/pam_item_types_ext.inc.xml: More appropriate wording for PAM_XDISPLAY doc. @@ -60,11 +70,11 @@ (check_account): Call _pam_parse(). Call pam_modutil_audit_write() and pam_syslog() on login denials. -2007-12-07 Luca Bruno +2007-12-07 Luca Bruno * po/it.po: Updated translations. -2007-12-06 Eamon Walsh +2007-12-06 Eamon Walsh * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n() macro. diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 926f1ae5..ca8be05e 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2006 Thorsten Kukuk +# Copyright (c) 2006, 2007 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) EXTRA_DIST = $(MANS) $(XMLS) @@ -44,6 +45,10 @@ XMLS = pam.3.xml pam.8.xml \ pam_misc_setenv.3.xml if ENABLE_REGENERATE_MAN +PAM.8: pam.8 +pam.d.5: pam.conf.5 + test -f pam\\.d.5 && mv pam\\.d.5 pam.d.5 + pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf index d3463638..5d5c3f70 100644 --- a/modules/pam_limits/limits.conf +++ b/modules/pam_limits/limits.conf 
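Review bot: The new `pam.d.5` recipe in the `ENABLE_REGENERATE_MAN` block fails whenever `pam\.d.5` is absent, because `test -f … && mv …` then returns non-zero and make treats that as a recipe error. That would presumably break regeneration with any stylesheet version that already writes `pam.d.5` under its correct name. Inverting the test keeps the workaround and succeeds in both cases: `test ! -f pam\\.d.5 || mv pam\\.d.5 pam.d.5`.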
@@ -33,7 +33,7 @@ # - locks - max number of file locks the user can hold # - sigpending - max number of pending signals # - msgqueue - max memory used by POSIX message queues (bytes) -# - nice - max nice priority allowed to raise to +# - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority # # diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index 8983bee3..fb1fad27 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -214,7 +214,7 @@ - maximum nice priority allowed to raise to (Linux 2.6.12 and higher) + maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19] diff --git a/modules/pam_selinux/.cvsignore b/modules/pam_selinux/.cvsignore index 72174be1..08754fd5 100644 --- a/modules/pam_selinux/.cvsignore +++ b/modules/pam_selinux/.cvsignore @@ -9,4 +9,3 @@ Makefile.in pam_selinux_check README pam_selinux.8 -pam_selinux_check.8 diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index d11b507c..baf782a8 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ tst-pam_selinux diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 new file mode 100644 index 00000000..d6fcdff1 --- /dev/null +++ b/modules/pam_selinux/pam_selinux_check.8 
@@ -0,0 +1,35 @@ +.TH pam_selinux_check 8 2002/05/23 "Red Hat Linux" "System Administrator's Manual" +.SH NAME +pam_selinux_check \- login program to test pam_selinux.so +.SH SYNOPSIS +.B pam_selinux_check [user] +.br + +.SH DESCRIPTION +With no arguments, +.B pam_selinux_check +will prompt for user + +.SH OPTIONS +.IP target_user +The user to login as. + +.SH DIAGNOSTICS +You must setup a /etc/pam.d/pam_selinux_check file, in order for the check to work. + +When checking if a selinux is valid, +.B pam_selinux_check +returns an exit code of 0 for success and > 0 on error: + +.nf +1: Authentication failure +.fi + +.SH SEE ALSO +pam_selinux(8) + +.SH BUGS +Let's hope not, but if you find any, please email the author. + +.SH AUTHOR +Dan Walsh diff --git a/modules/pam_stress/.cvsignore b/modules/pam_stress/.cvsignore index acf3f3bc..9fb98574 100644 --- a/modules/pam_stress/.cvsignore +++ b/modules/pam_stress/.cvsignore @@ -4,4 +4,3 @@ .libs Makefile Makefile.in -README diff --git a/modules/pam_stress/README b/modules/pam_stress/README new file mode 100644 index 00000000..e64bf2d3 --- /dev/null +++ b/modules/pam_stress/README 
@@ -0,0 +1,64 @@ +# +# This describes the behavior of this module with respect to the +# /etc/pam.conf file. +# +# writen by Andrew Morgan +# + +This module recognizes the following arguments. + +debug put lots of information in syslog. + *NOTE* this option writes passwords to syslog, so + don't use anything sensitive when testing. + +no_warn don't give warnings about things (otherwise warnings are issued + via the conversation function) + +use_first_pass don't prompt for a password, for pam_sm_authentication + function just use item PAM_AUTHTOK. + +try_first_pass don't prompt for a password unless there has been no + previous authentication token (item PAM_AUTHTOK is NULL) + +rootok This is intended for the pam_sm_chauthtok function and + it instructs this function to permit root to change + the user's password without entering the old password. + +The following arguments are acted on by the module. They are intended +to make the module give the impression of failing as a fully +functioning module might. + +expired an argument intended for the account and chauthtok module + parts. It instructs the module to act as if the user's + password has expired + +fail_1 this instructs the module to make its first function fail. + +fail_2 this instructs the module to make its second function (if there + is one) fail. + + The function break up is indicated in the Module + Developers' Guide. Listed here it is: + + service function 1 function 2 + ------- ---------- ---------- + auth pam_sm_authenticate pam_sm_setcred + password pam_sm_chauthtok + session pam_sm_open_session pam_sm_close_session + account pam_sm_acct_mgmt + +prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK. + +required for pam_sm_chauthtok, means fail if the user hasn't already + been authenticated by this module. (See stress_new_pwd data + item below.) 
+ +# +# data strings that this module uses are the following: +# + +data name value(s) Comments +--------- -------- -------- +stress_new_pwd yes tells pam_sm_chauthtok that + pam_sm_acct_mgmt says we need a new + password diff --git a/modules/pam_unix/.cvsignore b/modules/pam_unix/.cvsignore index 454f7276..905ba473 100644 --- a/modules/pam_unix/.cvsignore +++ b/modules/pam_unix/.cvsignore @@ -9,4 +9,3 @@ bigcrypt unix_chkpwd README pam_unix.8 -unix_chkpwd.8 diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8 new file mode 100644 index 00000000..02ccfe4a --- /dev/null +++ b/modules/pam_unix/unix_chkpwd.8 
@@ -0,0 +1,80 @@ +.\" Copyright (C) 2003 International Business Machines Corporation +.\" This file is distributed according to the GNU General Public License. +.\" See the file COPYING in the top level source directory for details. +.\" +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "UNIX_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual" +.SH NAME +unix_chkpwd \- helper binary that verifies the password of the current user +.SH "SYNOPSIS" +.ad l +.hy 0 + +/sbin/unix_chkpwd [\fIusername\fR] +.sp +.ad +.hy +.SH "DESCRIPTION" +.PP +\fBunix_chkpwd\fR is a helper program for the pam_unix module that verifies +the password of the current user. It is not intended to be run directly from +the command line and logs a security violation if done so. + +It is typically installed setuid root or setgid shadow. + +.SH "OPTIONS" +.PP +unix_pwdchk optionally takes the following argument: +.TP +\fIusername\fR +The username of the user whose password you want to check: this must match the current user id. + +.SH "INPUTS" +.PP +unix_pwdchk expects the following inputs via stdin: +.TP +\fIoption\fR +Either nullok or nonull, depending on whether the user can have an empty password. +.TP +\fIpassword\fR +The password to verify. + +.SH "RETURN CODES" +.PP +\fBunix_chkpwd\fR has the following return codes: +.TP +1 +unix_chkpwd was inappropriately called from the command line or the password is incorrect. + +.TP +0 +The password is correct. + +.SH "HISTORY" +Written by Andrew Morgan + +.SH "SEE ALSO" + +.PP +\fBpam\fR(8) + +.SH AUTHOR +Emily Ratliff. + -- cgit v1.2.3 From 459e97431e99fa2c32e30e957993f95794b98dd0 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Wed, 23 Jan 2008 15:35:12 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup, new feature Commit summary: --------------- Merging the the refactorization pam_unix_ref branch into the trunk. Added support for sha256 and sha512 password hashes to pam_unix when the libcrypt supports them. --- ChangeLog | 63 +++ NEWS | 4 + configure.in | 11 + modules/pam_unix/.cvsignore | 3 + modules/pam_unix/Makefile.am | 17 +- modules/pam_unix/pam_unix.8.xml | 37 ++ modules/pam_unix/pam_unix_acct.c | 221 +++------ modules/pam_unix/pam_unix_auth.c | 2 +- modules/pam_unix/pam_unix_passwd.c | 704 +++------------------------ modules/pam_unix/pam_unix_sess.c | 4 +- modules/pam_unix/passverify.c | 970 ++++++++++++++++++++++++++++++++++++- modules/pam_unix/passverify.h | 83 +++- modules/pam_unix/support.c | 216 +++------ modules/pam_unix/support.h | 16 +- modules/pam_unix/unix_chkpwd.8 | 80 --- modules/pam_unix/unix_chkpwd.8.xml | 67 +++ modules/pam_unix/unix_chkpwd.c | 395 ++------------- modules/pam_unix/unix_update.8.xml | 67 +++ modules/pam_unix/unix_update.c | 194 ++++++++ 19 files changed, 1779 insertions(+), 1375 deletions(-) delete mode 100644 modules/pam_unix/unix_chkpwd.8 create mode 100644 modules/pam_unix/unix_chkpwd.8.xml create mode 100644 modules/pam_unix/unix_update.8.xml create mode 100644 modules/pam_unix/unix_update.c diff --git a/ChangeLog b/ChangeLog index 4198a142..a1fee209 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,66 @@ +2008-01-23 Tomas Mraz + + * modules/pam_unix/Makefile.am: Add unix_update.8 manpage generated from + XML, generate also unix_chkpwd.8 from XML. + * modules/pam_unix/pam_unix_acct.c: Add rounds parameter to _set_ctrl(). + * modules/pam_unix/pam_unix_auth.c: Likewise. + * modules/pam_unix/pam_unix_sess.c: Likewise. + * modules/pam_unix/pam_unix_passwd.c: Likewise. + * modules/pam_unix/support.c(_set_ctrl): Likewise. + * modules/pam_unix/support.h: Likewise. Add UNIX_SHA256_PASS, + UNIX_SHA512_PASS, and UNIX_ALGO_ROUNDS ctrls. + (pam_sm_chauthtok): Refactor out new password encryption. + * modules/pam_unix/passverify.c(crypt_make_salt): New function. + (crypt_md5_wrapper): Call crypt_make_salt(). + (create_password_hash): New function refactored out of + pam_sm_chauthtok(). Support for new password hashes. + * modules/pam_unix/passverify.h: Drop ascii_to_bin() and bin_to_ascii() + macros. Add prototype for create_password_hash(). + * modules/pam_unix/unix_update.8.xml: New file. + * modules/pam_unix/unix_chkpwd.8.xml: Likewise. + + * modules/pam_unix/Makefile.am: Add unix_update helper. + * modules/pam_unix/pam_unix_passwd.c: Move functions i64c(), + crypt_md5_wrapper(), save_old_password(), _update_passwd() and + _update_shadow() to passverify.c file. Rename _unix_run_shadow_binary() + to _unix_run_update_binary(), which also verifies old password and + does all writing. + (_do_setpass, pam_sm_chauthtok): lckpwdf()->lock_pwdf(), the same for unlock. + Call _unix_run_update_binary() appropriately. + _update_passwd()->unix_update_passwd(), the same for shadow. + * modules/pam_unix/passverify.c: Add new functions moved from + pam_unix_passwd.c and unix_chkpwd.c. + * modules/pam_unix/passverify.h: Likewise. + * modules/pam_unix/unix_chkpwd.c: Remove SELinux checks. Move + su_sighandler(), setup_signals(), getuidname() to passverify.c. + (main): Remove 'shadow' option. Refactor out read_passwords() and + call it. 
More strict checking how the binary is called. + * modules/pam_unix/unix_update.c: New helper binary - non-setuid, + called from SELinux confined apps only. + + * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Return + status and daysleft instead of fake shadow entry. + (pam_sm_acct_mgmt): Call _unix_run_verify_binary() appropriately. + * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Call + get_account_info() and check_shadow_expiry(). + * modules/pam_unix/support.h: Adjust _unix_run_verify_binary() + prototype. + * modules/pam_unix/support.c (_unix_run_helper_binary): Remove check + on selinux enabled/disabled. + * modules/pam_unix/unix_chkpwd.c (_verify_account): Rename to + _check_expiry(), now checks shadow expiry info. + (main): Remove check on selinux enabled/disabled. Check shadow + expiry through _check_expiry(). + + * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Call + get_account_info() and check_shadow_expiry(). + * modules/pam_unix/passverify.c: Add get_account_info() to + obtain shadow and passwd entry. Add check_shadow_expiry() to + for shadow password expiry check. + (get_pwd_hash): Call get_account_info(). + * modules/pam_unix/passverify.h: Add prototypes for get_account_info() + and check_shadow_expiry(). + 2008-01-08 Thorsten Kukuk * doc/man/Makefile.am: Fix manual page dependencies, diff --git a/NEWS b/NEWS index e794525e..44e93d5a 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,10 @@ Linux-PAM NEWS -- history of user-visible changes. * New module pam_tty_audit.so for enabling and disabling tty auditing. * New PAM items PAM_XDISPLAY and PAM_XAUTHDATA. +* Auditing login denials based by origin (pam_access), time (pam_time), + and number of sessions (pam_limits) to the Linux audit subsystem. +* Support sha256 and sha512 algorithms in pam_unix when they are supported + by crypt(). Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want 
diff --git a/configure.in b/configure.in index 146e177a..cd92f80a 100644 --- a/configure.in +++ b/configure.in @@ -352,9 +352,20 @@ AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS], BACKUP_LIBS=$LIBS AC_SEARCH_LIBS([crypt],[xcrypt crypt], LIBCRYPT="-l$ac_lib", LIBCRYPT="") +AC_CHECK_FUNCS(crypt_r) LIBS=$BACKUP_LIBS AC_SUBST(LIBCRYPT) +AC_ARG_WITH([randomdev], AC_HELP_STRING([--with-randomdev=(|yes|no)], [use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval) +if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then + opt_randomdev="/dev/urandom" +elif test "$opt_randomdev" = no; then + opt_randomdev= +fi +if test -n "$opt_randomdev"; then + AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.]) +fi + dnl check for libdb or libndbm as fallback. Some libndbm compat dnl libraries are unuseable, so try libdb first. AC_ARG_ENABLE([db], diff --git a/modules/pam_unix/.cvsignore b/modules/pam_unix/.cvsignore index 905ba473..01819c28 100644 --- a/modules/pam_unix/.cvsignore +++ b/modules/pam_unix/.cvsignore @@ -7,5 +7,8 @@ Makefile Makefile.in bigcrypt unix_chkpwd +unix_update README pam_unix.8 +unix_chkpwd.8 +unix_update.8 diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index a74d9762..4d2c58b8 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -7,8 +7,8 @@ CLEANFILES = *~ EXTRA_DIST = README md5.c md5_crypt.c lckpwdf.-c $(MANS) CHANGELOG \ tst-pam_unix $(XMLS) -man_MANS = pam_unix.8 unix_chkpwd.8 -XMLS = README.xml pam_unix.8.xml +man_MANS = pam_unix.8 unix_chkpwd.8 unix_update.8 +XMLS = README.xml pam_unix.8.xml unix_chkpwd.8.xml unix_update.8.xml TESTS = tst-pam_unix 
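Review bot: `opt_randomdev` is assigned only when `--with-randomdev` is passed, so without the option the following `test` reads whatever value the variable has in the configure environment; a fourth `AC_ARG_WITH` argument of `opt_randomdev=` would pin the default. The `test "$opt_randomdev" = yes -o -z "$opt_randomdev"` form is described as non-portable in the Autoconf manual, and `test "$opt_randomdev" = yes || test -z "$opt_randomdev"` is the usual replacement. With `--with-randomdev=no` the macro `PAM_PATH_RANDOMDEV` stays undefined, and the code that consumes it (presumably the salt generation added in passverify.c) is not in this hunk. The help string should say which randomness source is used in that case.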
@@ -16,7 +16,8 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" + -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ + -DUPDATE_HELPER=\"$(sbindir)/unix_update\" if HAVE_LIBSELINUX AM_CFLAGS += -D"WITH_SELINUX" @@ -36,7 +37,7 @@ securelib_LTLIBRARIES = pam_unix.la noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h -sbin_PROGRAMS = unix_chkpwd +sbin_PROGRAMS = unix_chkpwd unix_update noinst_PROGRAMS = bigcrypt @@ -50,10 +51,16 @@ bigcrypt_LDADD = @LIBCRYPT@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c -unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ +unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ +unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c +unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" +unix_update_LDFLAGS = @PIE_LDFLAGS@ +unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ + if ENABLE_REGENERATE_MAN noinst_DATA = README README: pam_unix.8.xml diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index 41757977..290cb2b9 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -258,6 +258,43 @@ + + + + + + + When a user changes their password next, + encrypt it with the SHA256 algorithm. If the + SHA256 algorithm is not known to the libcrypt, + fall back to MD5. + + + + + + + + + + When a user changes their password next, + encrypt it with the SHA512 algorithm. If the + SHA512 algorithm is not known to the libcrypt, + fall back to MD5. + + + + + + + + + + Set the optional number of rounds of the SHA256 and SHA512 + password hashing algorithms to n. + + + 
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index aeecb132..c09bc175 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -47,10 +47,6 @@ #include /* for time() */ #include #include -#ifdef WITH_SELINUX -#include -#define SELINUX_ENABLED is_selinux_enabled()>0 -#endif #include @@ -65,11 +61,8 @@ #include "support.h" #include "passverify.h" -#ifdef WITH_SELINUX - -struct spwd spwd; - -struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user) +int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, + const char *user, int *daysleft) { int retval=0, child, fds[2]; void (*sighandler)(int) = NULL; @@ -79,7 +72,7 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons if (pipe(fds) != 0) { D(("could not make pipe")); pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m"); - return NULL; + return PAM_AUTH_ERR; } D(("called.")); @@ -118,7 +111,7 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons } } - if (SELINUX_ENABLED && geteuid() == 0) { + if (geteuid() == 0) { /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */ setuid(0); @@ -127,7 +120,7 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); - args[2] = x_strdup("verify"); + args[2] = x_strdup("chkexpiry"); execve(CHKPWD_HELPER, args, envp); @@ -135,11 +128,12 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons /* should not get here: exit with error */ close (fds[1]); D(("helper binary is not available")); + printf("-1\n"); exit(PAM_AUTHINFO_UNAVAIL); } else { close(fds[1]); if (child > 0) { - char buf[1024]; + char buf[32]; int rc=0; rc=waitpid(child, &retval, 0); /* wait for helper to complete */ if (rc<0) { 
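Review bot: The `setuid(0)` call in the child branch is still unchecked, and dropping the `SELINUX_ENABLED` condition means it now runs on every call made with euid 0. If it fails, the helper is exec'd with the caller's real uid, which the comment above it says makes the helper error out, so the cause surfaces only as an unexplained helper failure. Checking the result keeps it visible: `if (setuid(0) == -1) { pam_syslog(pamh, LOG_ERR, "setuid failed: %m"); _exit(PAM_AUTHINFO_UNAVAIL); }`. The enclosing function starts and ends outside this hunk.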
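Review bot: The added `printf("-1\n")` on the execve-failure path depends on `exit()` to flush stdio, and in a forked child `exit()` also flushes any output the host application had buffered before the fork and runs its atexit handlers. Anything flushed ahead of `-1` would land in the pipe (assuming stdout was redirected to `fds[1]` earlier in the function, outside this hunk), and the parent's `sscanf` would then reject it. Writing the marker unbuffered and leaving with `_exit` avoids both: `write(STDOUT_FILENO, "-1\n", 3); _exit(PAM_AUTHINFO_UNAVAIL);`.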
@@ -147,22 +141,16 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons retval = PAM_AUTH_ERR; } else { retval = WEXITSTATUS(retval); - if (retval != PAM_AUTHINFO_UNAVAIL) { - rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1); - if(rc > 0) { + rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1); + if(rc > 0) { buf[rc] = '\0'; - if (sscanf(buf,"%ld:%ld:%ld:%ld:%ld:%ld", - &spwd.sp_lstchg, /* last password change */ - &spwd.sp_min, /* days until change allowed. */ - &spwd.sp_max, /* days before change required */ - &spwd.sp_warn, /* days warning for expiration */ - &spwd.sp_inact, /* days before account inactive */ - &spwd.sp_expire) /* date when account expires */ != 6 ) retval = PAM_AUTH_ERR; + if (sscanf(buf,"%d", daysleft) != 1 ) + retval = PAM_AUTH_ERR; } - else { - pam_syslog(pamh, LOG_ERR, " ERROR %d: %m", rc); retval = PAM_AUTH_ERR; + else { + pam_syslog(pamh, LOG_ERR, "read unix_chkpwd output error %d: %m", rc); + retval = PAM_AUTH_ERR; } - } } } else { pam_syslog(pamh, LOG_ERR, "Fork failed: %m"); @@ -175,15 +163,9 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons (void) signal(SIGCHLD, sighandler); /* restore old signal handler */ } D(("Returning %d",retval)); - if (retval != PAM_SUCCESS) { - return NULL; - } - return &spwd; + return retval; } -#endif - - /* * PAM framework looks for this entry-point to pass control to the * account management module. @@ -196,14 +178,13 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, const void *void_uname; const char *uname; int retval, daysleft; - time_t curdays; struct spwd *spent; struct passwd *pwent; char buf[256]; D(("called.")); - ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); retval = pam_get_item(pamh, PAM_USER, &void_uname); uname = void_uname; 
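Review bot: `WEXITSTATUS(retval)` is used without first checking `WIFEXITED(retval)`, and its result is now returned directly as the PAM status. If the helper is terminated by a signal after it has written its line, the macro yields 0 on common implementations, which is `PAM_SUCCESS`, and the parsed `daysleft` is accepted. `retval = WIFEXITED(retval) ? WEXITSTATUS(retval) : PAM_AUTH_ERR;` makes that case fail closed, since a successful read never resets `retval`. Separately, the `else` branch logs `%m` even when `pam_modutil_read` returned 0 for end of file, where `errno` is not meaningful. The function body continues outside this hunk.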
@@ -215,134 +196,90 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, return PAM_USER_UNKNOWN; } - pwent = pam_modutil_getpwnam(pamh, uname); - if (!pwent) { + retval = get_account_info(pamh, uname, &pwent, &spent); + if (retval == PAM_USER_UNKNOWN) { pam_syslog(pamh, LOG_ALERT, "could not identify user (from getpwnam(%s))", uname); - return PAM_USER_UNKNOWN; + return retval; } - if (!strcmp( pwent->pw_passwd, "*NP*" )) { /* NIS+ */ - uid_t save_euid, save_uid; - - save_euid = geteuid(); - save_uid = getuid(); - if (save_uid == pwent->pw_uid) - setreuid( save_euid, save_uid ); - else { - setreuid( 0, -1 ); - if (setreuid( -1, pwent->pw_uid ) == -1) { - setreuid( -1, 0 ); - setreuid( 0, -1 ); - if(setreuid( -1, pwent->pw_uid ) == -1) - return PAM_CRED_INSUFFICIENT; - } - } - spent = pam_modutil_getspnam (pamh, uname); - if (save_uid == pwent->pw_uid) - setreuid( save_uid, save_euid ); - else { - if (setreuid( -1, 0 ) == -1) - setreuid( save_uid, -1 ); - setreuid( -1, save_euid ); - } - - } else if (_unix_shadowed (pwent)) - spent = pam_modutil_getspnam (pamh, uname); - else + if (retval == PAM_SUCCESS && spent == NULL) return PAM_SUCCESS; -#ifdef WITH_SELINUX - if (!spent && SELINUX_ENABLED ) - spent = _unix_run_verify_binary(pamh, ctrl, uname); -#endif - - if (!spent) + if (retval == PAM_UNIX_RUN_HELPER) { + retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft); + if (retval == PAM_AUTHINFO_UNAVAIL && + on(UNIX_BROKEN_SHADOW, ctrl)) + return PAM_SUCCESS; + } else if (retval != PAM_SUCCESS) { if (on(UNIX_BROKEN_SHADOW,ctrl)) return PAM_SUCCESS; + else + return retval; + } else + retval = check_shadow_expiry(pamh, spent, &daysleft); - if (!spent) - return PAM_AUTHINFO_UNAVAIL; /* Couldn't get username from shadow */ - - curdays = time(NULL) / (60 * 60 * 24); - D(("today is %d, last change %d", curdays, spent->sp_lstchg)); - if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { + switch (retval) { + case PAM_ACCT_EXPIRED: 
pam_syslog(pamh, LOG_NOTICE, - "account %s has expired (account expired)", - uname); + "account %s has expired (account expired)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("Your account has expired; please contact your system administrator")); - D(("account expired")); - return PAM_ACCT_EXPIRED; - } - if (spent->sp_lstchg == 0) { - pam_syslog(pamh, LOG_NOTICE, - "expired password for user %s (root enforced)", - uname); - _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("You are required to change your password immediately (root enforced)")); - D(("need a new password")); - return PAM_NEW_AUTHTOK_REQD; - } - if (curdays < spent->sp_lstchg) { - pam_syslog(pamh, LOG_DEBUG, - "account %s has password changed in future", - uname); - return PAM_SUCCESS; - } - if ((curdays - spent->sp_lstchg > spent->sp_max) - && (curdays - spent->sp_lstchg > spent->sp_inact) - && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) - && (spent->sp_max != -1) && (spent->sp_inact != -1)) { + _("Your account has expired; please contact your system administrator")); + break; + case PAM_NEW_AUTHTOK_REQD: + if (daysleft == 0) { + pam_syslog(pamh, LOG_NOTICE, + "expired password for user %s (root enforced)", + uname); + _make_remark(pamh, ctrl, PAM_ERROR_MSG, + _("You are required to change your password immediately (root enforced)")); + } else { + pam_syslog(pamh, LOG_DEBUG, + "expired password for user %s (password aged)", + uname); + _make_remark(pamh, ctrl, PAM_ERROR_MSG, + _("You are required to change your password immediately (password aged)")); + } + break; + case PAM_AUTHTOK_EXPIRED: pam_syslog(pamh, LOG_NOTICE, - "account %s has expired (failed to change password)", - uname); - _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("Your account has expired; please contact your system administrator")); - D(("account expired 2")); - return PAM_ACCT_EXPIRED; - } - if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { - pam_syslog(pamh, LOG_DEBUG, - "expired 
password for user %s (password aged)", - uname); + "account %s has expired (failed to change password)", + uname); _make_remark(pamh, ctrl, PAM_ERROR_MSG, - _("You are required to change your password immediately (password aged)")); - D(("need a new password 2")); - return PAM_NEW_AUTHTOK_REQD; - } - if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) - && (spent->sp_max != -1) && (spent->sp_warn != -1)) { - daysleft = (spent->sp_lstchg + spent->sp_max) - curdays; - pam_syslog(pamh, LOG_DEBUG, - "password for user %s will expire in %d days", - uname, daysleft); + _("Your account has expired; please contact your system administrator")); + break; + case PAM_SUCCESS: + if (daysleft >= 0) { + pam_syslog(pamh, LOG_DEBUG, + "password for user %s will expire in %d days", + uname, daysleft); #if defined HAVE_DNGETTEXT && defined ENABLE_NLS - snprintf (buf, sizeof (buf), - dngettext(PACKAGE, - "Warning: your password will expire in %d day", - "Warning: your password will expire in %d days", - daysleft), - daysleft); + snprintf (buf, sizeof (buf), + dngettext(PACKAGE, + "Warning: your password will expire in %d day", + "Warning: your password will expire in %d days", + daysleft), + daysleft); #else - if (daysleft == 1) - snprintf(buf, sizeof (buf), - _("Warning: your password will expire in %d day"), - daysleft); - else - snprintf(buf, sizeof (buf), - /* TRANSLATORS: only used if dngettext is not support -ed */ - _("Warning: your password will expire in %d days"), - daysleft); + if (daysleft == 1) + snprintf(buf, sizeof (buf), + _("Warning: your password will expire in %d day"), + daysleft); + else + snprintf(buf, sizeof (buf), + /* TRANSLATORS: only used if dngettext is not supported */ + _("Warning: your password will expire in %d days"), + daysleft); #endif - _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf); + _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf); + } } D(("all done")); - return PAM_SUCCESS; + return retval; } 
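Review bot: In pam_sm_acct_mgmt the `else if (retval != PAM_SUCCESS)` branch returns PAM_SUCCESS under `UNIX_BROKEN_SHADOW` for every error that get_account_info() reports, while the helper branch directly above limits the same override to `PAM_AUTHINFO_UNAVAIL`. Narrowing the direct branch in the same way, `if (retval == PAM_AUTHINFO_UNAVAIL && on(UNIX_BROKEN_SHADOW, ctrl)) return PAM_SUCCESS;`, keeps any other error code, present or added later, from being turned into a passed account check. The `switch (retval)` that follows has no `default:`; a one-line comment such as `/* other codes are returned unchanged, without a message to the user */` would make that intent explicit. The function begins before this hunk.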
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 3004bee8..dfedd608 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -111,7 +111,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags D(("called.")); - ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); /* Get a few bytes so we can pass our return value to pam_sm_setcred(). */ diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 3a61925e..432f687f 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -2,6 +2,7 @@ * Main coding by Elliot Lee , Red Hat Software. * Copyright (C) 1996. * Copyright (c) Jan Rkorajski, 1999. + * Copyright (c) Red Hat, Inc., 2007, 2008. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -63,7 +64,6 @@ #ifdef WITH_SELINUX static int selinux_enabled=-1; #include -static security_context_t prev_context=NULL; #define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) #endif @@ -92,15 +92,6 @@ extern int getrpcport(const char *host, unsigned long prognum, unsigned long versnum, unsigned int proto); #endif /* GNU libc 2.1 */ -/* - * PAM framework looks for these entry-points to pass control to the - * password changing module. - */ - -#if defined(USE_LCKPWDF) && !defined(HAVE_LCKPWDF) -# include "./lckpwdf.-c" -#endif - /* How it works: Gets in username (has to be done) from the calling program 
@@ -109,82 +100,15 @@ extern int getrpcport(const char *host, unsigned long prognum, Sets it. */ -/* passwd/salt conversion macros */ - -#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.') -#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.') - /* data tokens */ #define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS" #define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" #define MAX_PASSWD_TRIES 3 -#define PW_TMPFILE "/etc/npasswd" -#define SH_TMPFILE "/etc/nshadow" #ifndef CRACKLIB_DICTS #define CRACKLIB_DICTS NULL #endif -#define OPW_TMPFILE "/etc/security/nopasswd" -#define OLD_PASSWORDS_FILE "/etc/security/opasswd" - -/* - * i64c - convert an integer to a radix 64 character - */ -static int i64c(int i) -{ - if (i < 0) - return ('.'); - else if (i > 63) - return ('z'); - if (i == 0) - return ('.'); - if (i == 1) - return ('/'); - if (i >= 2 && i <= 11) - return ('0' - 2 + i); - if (i >= 12 && i <= 37) - return ('A' - 12 + i); - if (i >= 38 && i <= 63) - return ('a' - 38 + i); - return ('\0'); -} - -static char *crypt_md5_wrapper(const char *pass_new) -{ - /* - * Code lifted from Marek Michalkiewicz's shadow suite. (CG) - * removed use of static variables (AGM) - */ - - struct timeval tv; - MD5_CTX ctx; - unsigned char result[16]; - char *cp = (char *) result; - unsigned char tmp[16]; - int i; - char *x = NULL; - - GoodMD5Init(&ctx); - gettimeofday(&tv, (struct timezone *) 0); - GoodMD5Update(&ctx, (void *) &tv, sizeof tv); - i = getpid(); - GoodMD5Update(&ctx, (void *) &i, sizeof i); - i = clock(); - GoodMD5Update(&ctx, (void *) &i, sizeof i); - GoodMD5Update(&ctx, result, sizeof result); - GoodMD5Final(tmp, &ctx); - strcpy(cp, "$1$"); /* magic for the MD5 */ - cp += strlen(cp); - for (i = 0; i < 8; i++) - *cp++ = i64c(tmp[i] & 077); - *cp = '\0'; - - /* no longer need cleartext */ - x = Goodcrypt_md5(pass_new, (const char *) result); - - return x; -} static char *getNISserver(pam_handle_t *pamh) { 
@@ -218,7 +142,8 @@ static char *getNISserver(pam_handle_t *pamh) #ifdef WITH_SELINUX -static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, const char *fromwhat, const char *towhat) +static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, + const char *fromwhat, const char *towhat, int remember) { int retval, child, fds[2]; void (*sighandler)(int) = NULL; @@ -248,7 +173,8 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const size_t i=0; struct rlimit rlim; static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; + char buffer[16]; /* XXX - should really tidy up PAM here too */ @@ -271,11 +197,18 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const } /* exec binary helper */ - args[0] = x_strdup(CHKPWD_HELPER); + args[0] = x_strdup(UPDATE_HELPER); args[1] = x_strdup(user); - args[2] = x_strdup("shadow"); + args[2] = x_strdup("update"); + if (on(UNIX_SHADOW, ctrl)) + args[3] = x_strdup("1"); + else + args[3] = x_strdup("0"); - execve(CHKPWD_HELPER, args, envp); + snprintf(buffer, sizeof(buffer), "%d", remember); + args[4] = x_strdup(buffer); + + execve(UPDATE_HELPER, args, envp); /* should not get here: exit with error */ D(("helper binary is not available")); @@ -298,7 +231,7 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const close(fds[1]); rc=waitpid(child, &retval, 0); /* wait for helper to complete */ if (rc<0) { - pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); + pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m"); retval = PAM_AUTH_ERR; } else { retval = WEXITSTATUS(retval); 
@@ -355,393 +288,6 @@ static int check_old_password(const char *forwho, const char *newpass) return retval; } -static int save_old_password(pam_handle_t *pamh, - const char *forwho, const char *oldpass, - int howmany) -{ - static char buf[16384]; - static char nbuf[16384]; - char *s_luser, *s_uid, *s_npas, *s_pas, *pass; - int npas; - FILE *pwfile, *opwfile; - int err = 0; - int oldmask; - int found = 0; - struct passwd *pwd = NULL; - struct stat st; - - if (howmany < 0) { - return PAM_SUCCESS; - } - - if (oldpass == NULL) { - return PAM_SUCCESS; - } - - oldmask = umask(077); - -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - security_context_t passwd_context=NULL; - if (getfilecon("/etc/passwd",&passwd_context)<0) { - return PAM_AUTHTOK_ERR; - }; - if (getfscreatecon(&prev_context)<0) { - freecon(passwd_context); - return PAM_AUTHTOK_ERR; - } - if (setfscreatecon(passwd_context)) { - freecon(passwd_context); - freecon(prev_context); - return PAM_AUTHTOK_ERR; - } - freecon(passwd_context); - } -#endif - pwfile = fopen(OPW_TMPFILE, "w"); - umask(oldmask); - if (pwfile == NULL) { - err = 1; - goto done; - } - - opwfile = fopen(OLD_PASSWORDS_FILE, "r"); - if (opwfile == NULL) { - fclose(pwfile); - err = 1; - goto done; - } - - if (fstat(fileno(opwfile), &st) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - if (fchmod(fileno(pwfile), st.st_mode) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - while (fgets(buf, 16380, opwfile)) { - if (!strncmp(buf, forwho, strlen(forwho))) { - char *sptr; - buf[strlen(buf) - 1] = '\0'; - s_luser = strtok_r(buf, ":", &sptr); - s_uid = strtok_r(NULL, ":", &sptr); - s_npas = strtok_r(NULL, ":", &sptr); - s_pas = strtok_r(NULL, ":", &sptr); - npas = strtol(s_npas, NULL, 10) + 1; - while (npas > howmany) { - s_pas = strpbrk(s_pas, ","); - if (s_pas != NULL) - 
s_pas++; - npas--; - } - pass = crypt_md5_wrapper(oldpass); - if (s_pas == NULL) - snprintf(nbuf, sizeof(nbuf), "%s:%s:%d:%s\n", - s_luser, s_uid, npas, pass); - else - snprintf(nbuf, sizeof(nbuf),"%s:%s:%d:%s,%s\n", - s_luser, s_uid, npas, s_pas, pass); - _pam_delete(pass); - if (fputs(nbuf, pwfile) < 0) { - err = 1; - break; - } - found = 1; - } else if (fputs(buf, pwfile) < 0) { - err = 1; - break; - } - } - fclose(opwfile); - - if (!found) { - pwd = pam_modutil_getpwnam(pamh, forwho); - if (pwd == NULL) { - err = 1; - } else { - pass = crypt_md5_wrapper(oldpass); - snprintf(nbuf, sizeof(nbuf), "%s:%lu:1:%s\n", - forwho, (unsigned long)pwd->pw_uid, pass); - _pam_delete(pass); - if (fputs(nbuf, pwfile) < 0) { - err = 1; - } - } - } - - if (fclose(pwfile)) { - D(("error writing entries to old passwords file: %m")); - err = 1; - } - -done: - if (!err) { - if (rename(OPW_TMPFILE, OLD_PASSWORDS_FILE)) - err = 1; - } -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - if (setfscreatecon(prev_context)) { - err = 1; - } - if (prev_context) - freecon(prev_context); - prev_context=NULL; - } -#endif - if (!err) { - return PAM_SUCCESS; - } else { - unlink(OPW_TMPFILE); - return PAM_AUTHTOK_ERR; - } -} - -static int _update_passwd(pam_handle_t *pamh, - const char *forwho, const char *towhat) -{ - struct passwd *tmpent = NULL; - struct stat st; - FILE *pwfile, *opwfile; - int err = 1; - int oldmask; - - oldmask = umask(077); -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - security_context_t passwd_context=NULL; - if (getfilecon("/etc/passwd",&passwd_context)<0) { - return PAM_AUTHTOK_ERR; - }; - if (getfscreatecon(&prev_context)<0) { - freecon(passwd_context); - return PAM_AUTHTOK_ERR; - } - if (setfscreatecon(passwd_context)) { - freecon(passwd_context); - freecon(prev_context); - return PAM_AUTHTOK_ERR; - } - freecon(passwd_context); - } -#endif - pwfile = fopen(PW_TMPFILE, "w"); - umask(oldmask); - if (pwfile == NULL) { - err = 1; - goto done; - } - - opwfile = 
fopen("/etc/passwd", "r"); - if (opwfile == NULL) { - fclose(pwfile); - err = 1; - goto done; - } - - if (fstat(fileno(opwfile), &st) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - if (fchmod(fileno(pwfile), st.st_mode) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - tmpent = fgetpwent(opwfile); - while (tmpent) { - if (!strcmp(tmpent->pw_name, forwho)) { - /* To shut gcc up */ - union { - const char *const_charp; - char *charp; - } assigned_passwd; - assigned_passwd.const_charp = towhat; - - tmpent->pw_passwd = assigned_passwd.charp; - err = 0; - } - if (putpwent(tmpent, pwfile)) { - D(("error writing entry to password file: %m")); - err = 1; - break; - } - tmpent = fgetpwent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - D(("error writing entries to password file: %m")); - err = 1; - } - -done: - if (!err) { - if (!rename(PW_TMPFILE, "/etc/passwd")) - pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho); - else - err = 1; - } -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - if (setfscreatecon(prev_context)) { - err = 1; - } - if (prev_context) - freecon(prev_context); - prev_context=NULL; - } -#endif - if (!err) { - return PAM_SUCCESS; - } else { - unlink(PW_TMPFILE); - return PAM_AUTHTOK_ERR; - } -} - -static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) -{ - struct spwd *spwdent = NULL, *stmpent = NULL; - struct stat st; - FILE *pwfile, *opwfile; - int err = 1; - int oldmask; - - spwdent = getspnam(forwho); - if (spwdent == NULL) { - return PAM_USER_UNKNOWN; - } - oldmask = umask(077); - -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - security_context_t shadow_context=NULL; - if (getfilecon("/etc/shadow",&shadow_context)<0) { - return PAM_AUTHTOK_ERR; - }; - if (getfscreatecon(&prev_context)<0) { - freecon(shadow_context); - 
return PAM_AUTHTOK_ERR; - } - if (setfscreatecon(shadow_context)) { - freecon(shadow_context); - freecon(prev_context); - return PAM_AUTHTOK_ERR; - } - freecon(shadow_context); - } -#endif - pwfile = fopen(SH_TMPFILE, "w"); - umask(oldmask); - if (pwfile == NULL) { - err = 1; - goto done; - } - - opwfile = fopen("/etc/shadow", "r"); - if (opwfile == NULL) { - fclose(pwfile); - err = 1; - goto done; - } - - if (fstat(fileno(opwfile), &st) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - if (fchmod(fileno(pwfile), st.st_mode) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - stmpent = fgetspent(opwfile); - while (stmpent) { - - if (!strcmp(stmpent->sp_namp, forwho)) { - stmpent->sp_pwdp = towhat; - stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); - err = 0; - D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); - } - - if (putspent(stmpent, pwfile)) { - D(("error writing entry to shadow file: %m")); - err = 1; - break; - } - - stmpent = fgetspent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - D(("error writing entries to shadow file: %m")); - err = 1; - } - - done: - if (!err) { - if (!rename(SH_TMPFILE, "/etc/shadow")) - pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho); - else - err = 1; - } - -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - if (setfscreatecon(prev_context)) { - err = 1; - } - if (prev_context) - freecon(prev_context); - prev_context=NULL; - } -#endif - - if (!err) { - return PAM_SUCCESS; - } else { - unlink(SH_TMPFILE); - return PAM_AUTHTOK_ERR; - } -} - static int _do_setpass(pam_handle_t* pamh, const char *forwho, const char *fromwhat, char *towhat, unsigned int ctrl, int remember) 
@@ -769,9 +315,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, enum clnt_stat err; /* Unlock passwd file to avoid deadlock */ -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif + unlock_pwdf(); unlocked = 1; /* Initialize password information */ 
@@ -831,129 +375,63 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, } if (_unix_comesfromsource(pamh, forwho, 1, 0)) { -#ifdef USE_LCKPWDF if(unlocked) { - int i = 0; - /* These values for the number of attempts and the sleep time - are, of course, completely arbitrary. - My reading of the PAM docs is that, once pam_chauthtok() has been - called with PAM_UPDATE_AUTHTOK, we are obliged to take any - reasonable steps to make sure the token is updated; so retrying - for 1/10 sec. isn't overdoing it. */ - while((retval = lckpwdf()) != 0 && i < 100) { - usleep(1000); - i++; - } - if(retval != 0) { + if (lock_pwdf() != PAM_SUCCESS) { return PAM_AUTHTOK_LOCK_BUSY; } } +#ifdef WITH_SELINUX + if (unix_selinux_confined()) + return _unix_run_update_binary(pamh, ctrl, forwho, fromwhat, towhat, remember); #endif /* first, save old password */ - if (save_old_password(pamh, forwho, fromwhat, remember)) { + if (save_old_password(forwho, fromwhat, remember)) { retval = PAM_AUTHTOK_ERR; goto done; } - if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) { - retval = _update_shadow(pamh, forwho, towhat); -#ifdef WITH_SELINUX - if (retval != PAM_SUCCESS && SELINUX_ENABLED) - retval = _unix_run_shadow_binary(pamh, ctrl, forwho, fromwhat, towhat); -#endif + if (on(UNIX_SHADOW, ctrl) || is_pwd_shadowed(pwd)) { + retval = unix_update_shadow(pamh, forwho, towhat); if (retval == PAM_SUCCESS) - if (!_unix_shadowed(pwd)) - retval = _update_passwd(pamh, forwho, "x"); + if (!is_pwd_shadowed(pwd)) + retval = unix_update_passwd(pamh, forwho, "x"); } else { - retval = _update_passwd(pamh, forwho, towhat); + retval = unix_update_passwd(pamh, forwho, towhat); } } done: -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif + unlock_pwdf(); return retval; } static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned int ctrl) { - struct passwd *pwd = NULL; /* Password and shadow password */ - struct spwd *spwdent = NULL; /* file entries for the user */ - time_t curdays; - int 
retval = PAM_SUCCESS; + struct passwd *pwent = NULL; /* Password and shadow password */ + struct spwd *spent = NULL; /* file entries for the user */ + int daysleft; + int retval; - /* UNIX passwords area */ - pwd = getpwnam(user); /* Get password file entry... */ - if (pwd == NULL) - return PAM_AUTHINFO_UNAVAIL; /* We don't need to do the rest... */ + retval = get_account_info(pamh, user, &pwent, &spent); + if (retval == PAM_USER_UNKNOWN) { + return retval; + } - if (_unix_shadowed(pwd)) { - /* ...and shadow password file entry for this user, if shadowing - is enabled */ - setspent(); - spwdent = getspnam(user); - endspent(); + if (retval == PAM_SUCCESS && spent == NULL) + return PAM_SUCCESS; -#ifdef WITH_SELINUX - if (spwdent == NULL && SELINUX_ENABLED ) - spwdent = _unix_run_verify_binary(pamh, ctrl, user); -#endif - if (spwdent == NULL) - return PAM_AUTHINFO_UNAVAIL; - } else { - if (strcmp(pwd->pw_passwd,"*NP*") == 0) { /* NIS+ */ - uid_t save_uid; - - save_uid = geteuid(); - seteuid (pwd->pw_uid); - spwdent = getspnam( user ); - seteuid (save_uid); - - if (spwdent == NULL) - return PAM_AUTHINFO_UNAVAIL; - } else - spwdent = NULL; + if (retval == PAM_UNIX_RUN_HELPER) { + retval = _unix_run_verify_binary(pamh, ctrl, user, &daysleft); + if (retval == PAM_AUTH_ERR || retval == PAM_USER_UNKNOWN) + return retval; } + else if (retval == PAM_SUCCESS) + retval = check_shadow_expiry(pamh, spent, &daysleft); + + if (on(UNIX__IAMROOT, ctrl) || retval == PAM_NEW_AUTHTOK_REQD) + return PAM_SUCCESS; - if (spwdent != NULL) { - /* We have the user's information, now let's check if their account - has expired (60 * 60 * 24 = number of seconds in a day) */ - - if (off(UNIX__IAMROOT, ctrl)) { - /* Get the current number of days since 1970 */ - curdays = time(NULL) / (60 * 60 * 24); - if (curdays < spwdent->sp_lstchg) { - pam_syslog(pamh, LOG_DEBUG, - "account %s has password changed in future", - user); - curdays = spwdent->sp_lstchg; - } - if ((curdays - spwdent->sp_lstchg < 
spwdent->sp_min) - && (spwdent->sp_min != -1)) - /* - * The last password change was too recent. - */ - retval = PAM_AUTHTOK_ERR; - else if ((curdays - spwdent->sp_lstchg > spwdent->sp_max) - && (curdays - spwdent->sp_lstchg > spwdent->sp_inact) - && (curdays - spwdent->sp_lstchg > - spwdent->sp_max + spwdent->sp_inact) - && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1) - && (spwdent->sp_lstchg != 0)) - /* - * Their password change has been put off too long, - */ - retval = PAM_ACCT_EXPIRED; - else if ((curdays > spwdent->sp_expire) && (spwdent->sp_expire != -1) - && (spwdent->sp_lstchg != 0)) - /* - * OR their account has just plain expired - */ - retval = PAM_ACCT_EXPIRED; - } - } return retval; } @@ -1021,8 +499,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) { unsigned int ctrl, lctrl; - int retval, i; + int retval; int remember = -1; + int rounds = -1; /* */ const char *user; @@ -1031,7 +510,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, D(("called.")); - ctrl = _set_ctrl(pamh, flags, &remember, argc, argv); + ctrl = _set_ctrl(pamh, flags, &remember, &rounds, argc, argv); /* * First get the name of a user 
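Review bot: The rewritten `_unix_verify_shadow` no longer enforces the minimum password age. The removed branch returned `PAM_AUTHTOK_ERR` when `curdays - spwdent->sp_lstchg < spwdent->sp_min`, and the `check_shadow_expiry()` that this commit adds in passverify.c contains no `sp_min` test. A user could therefore change a password again before the configured minimum interval has passed, which weakens any policy that relies on that interval together with password history. Restoring the test, for example in `check_shadow_expiry()` as `if ((curdays - spent->sp_lstchg < spent->sp_min) && (spent->sp_min != -1)) return PAM_AUTHTOK_ERR;` with pam_sm_acct_mgmt ignoring that code, would keep the earlier behaviour; what the `chkexpiry` helper reports for this case is not visible here.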
@@ -1240,40 +719,23 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, pass_new = pass_old = NULL; /* tidy up */ return retval; } -#ifdef USE_LCKPWDF - /* These values for the number of attempts and the sleep time - are, of course, completely arbitrary. - My reading of the PAM docs is that, once pam_chauthtok() has been - called with PAM_UPDATE_AUTHTOK, we are obliged to take any - reasonable steps to make sure the token is updated; so retrying - for 1/10 sec. isn't overdoing it. */ - i=0; - while((retval = lckpwdf()) != 0 && i < 100) { - usleep(1000); - i++; - } - if(retval != 0) { + if (lock_pwdf() != PAM_SUCCESS) { return PAM_AUTHTOK_LOCK_BUSY; } -#endif if (pass_old) { retval = _unix_verify_password(pamh, user, pass_old, ctrl); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_NOTICE, "user password changed by another process"); -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif + unlock_pwdf(); return retval; } } retval = _unix_verify_shadow(pamh, user, ctrl); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2"); -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif + pam_syslog(pamh, LOG_NOTICE, "user shadow entry expired"); + unlock_pwdf(); return retval; } @@ -1282,9 +744,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, pam_syslog(pamh, LOG_NOTICE, "new password not acceptable 2"); pass_new = pass_old = NULL; /* tidy up */ -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif + unlock_pwdf(); return retval; } 
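Review bot: `pam_syslog(pamh, LOG_NOTICE, "user shadow entry expired");` is written for every non-success result of `_unix_verify_shadow()`, and after this commit that result can also be a lookup or helper failure such as `PAM_AUTHINFO_UNAVAIL` or `PAM_AUTH_ERR`, not only an expiry. Logging the user and the code, e.g. `pam_syslog(pamh, LOG_NOTICE, "shadow entry check failed for user %s: %d", user, retval);`, lets someone reading the log tell an expired entry from a broken helper. pam_sm_chauthtok starts and ends outside this hunk.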
@@ -1297,51 +757,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, * First we encrypt the new password. */ - if (on(UNIX_MD5_PASS, ctrl)) { - tpass = crypt_md5_wrapper(pass_new); - } else { - /* - * Salt manipulation is stolen from Rick Faith's passwd - * program. Sorry Rick :) -- alex - */ - - time_t tm; - char salt[3]; - - time(&tm); - salt[0] = bin_to_ascii(tm & 0x3f); - salt[1] = bin_to_ascii((tm >> 6) & 0x3f); - salt[2] = '\0'; - - if (off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8) { - /* - * to avoid using the _extensions_ of the bigcrypt() - * function we truncate the newly entered password - * [Problems that followed from this are fixed as per - * Bug 521314.] - */ - char *temp = malloc(9); - - if (temp == NULL) { - pam_syslog(pamh, LOG_CRIT, - "out of memory for password"); - pass_new = pass_old = NULL; /* tidy up */ -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif - return PAM_BUF_ERR; - } - /* copy first 8 bytes of password */ - strncpy(temp, pass_new, 8); - temp[8] = '\0'; - - /* no longer need cleartext */ - tpass = bigcrypt(temp, salt); - - _pam_delete(temp); /* tidy up */ - } else { - tpass = bigcrypt(pass_new, salt); - } + tpass = create_password_hash(pass_new, ctrl, rounds); + if (tpass == NULL) { + pam_syslog(pamh, LOG_CRIT, + "out of memory for password"); + pass_new = pass_old = NULL; /* tidy up */ + unlock_pwdf(); + return PAM_BUF_ERR; } D(("password processed")); @@ -1350,7 +772,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, remember); - /* _do_setpass has called ulckpwdf for us */ + /* _do_setpass has called unlock_pwdf for us */ _pam_delete(tpass); pass_old = pass_new = NULL; diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index d8d96687..e984578c 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c 
@@ -73,7 +73,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, D(("called.")); - ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { @@ -107,7 +107,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, D(("called.")); - ctrl = _set_ctrl(pamh, flags, NULL, argc, argv); + ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv); retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 6587bace..6fc4dcce 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -7,12 +7,43 @@ #include "support.h" #include #include +#include #include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include #include "md5.h" #include "bigcrypt.h" #include "passverify.h" +#ifdef WITH_SELINUX +#include +#define SELINUX_ENABLED is_selinux_enabled()>0 +#else +#define SELINUX_ENABLED 0 +#endif + +#ifdef HELPER_COMPILE +#define pam_modutil_getpwnam(h,n) getpwnam(n) +#define pam_modutil_getspnam(h,n) getspnam(n) +#define pam_syslog(h,a,b,c) helper_log_err(a,b,c) +#else +#include +#include +#endif + +#if defined(USE_LCKPWDF) && !defined(HAVE_LCKPWDF) +# include "./lckpwdf.-c" +#endif + int verify_pwd_hash(const char *p, const char *hash, unsigned int nullok) { @@ -70,7 +101,8 @@ verify_pwd_hash(const char *p, const char *hash, unsigned int nullok) return retval; } -int _unix_shadowed(const struct passwd *pwd) +int +is_pwd_shadowed(const struct passwd *pwd) { if (pwd != NULL) { if (strcmp(pwd->pw_passwd, "x") == 0) { 
@@ -85,12 +117,946 @@ int _unix_shadowed(const struct passwd *pwd) return 0; } +#ifdef HELPER_COMPILE +int +get_account_info(const char *name, + struct passwd **pwd, struct spwd **spwdent) +#else +int +get_account_info(pam_handle_t *pamh, const char *name, + struct passwd **pwd, struct spwd **spwdent) +#endif +{ + /* UNIX passwords area */ + *pwd = pam_modutil_getpwnam(pamh, name); /* Get password file entry... */ + *spwdent = NULL; + + if (*pwd != NULL) { + if (strcmp((*pwd)->pw_passwd, "*NP*") == 0) + { /* NIS+ */ +#ifdef HELPER_COMPILE + uid_t save_euid, save_uid; + + save_euid = geteuid(); + save_uid = getuid(); + if (save_uid == (*pwd)->pw_uid) + setreuid(save_euid, save_uid); + else { + setreuid(0, -1); + if (setreuid(-1, (*pwd)->pw_uid) == -1) { + setreuid(-1, 0); + setreuid(0, -1); + if(setreuid(-1, (*pwd)->pw_uid) == -1) + return PAM_CRED_INSUFFICIENT; + } + } + + *spwdent = pam_modutil_getspnam(pamh, name); + if (save_uid == (*pwd)->pw_uid) + setreuid(save_uid, save_euid); + else { + setreuid(-1, 0); + setreuid(save_uid, -1); + setreuid(-1, save_euid); + } + + if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; +#else + /* we must run helper for NIS+ passwords */ + return PAM_UNIX_RUN_HELPER; +#endif + } else if (is_pwd_shadowed(*pwd)) { + /* + * ...and shadow password file entry for this user, + * if shadowing is enabled + */ +#ifndef HELPER_COMPILE + if (geteuid() || SELINUX_ENABLED) + return PAM_UNIX_RUN_HELPER; +#endif + *spwdent = pam_modutil_getspnam(pamh, name); + if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; + } + } else { + return PAM_USER_UNKNOWN; + } + return PAM_SUCCESS; +} + +#ifdef HELPER_COMPILE +int +get_pwd_hash(const char *name, + struct passwd **pwd, char **hash) +#else +int +get_pwd_hash(pam_handle_t *pamh, const char *name, + struct passwd **pwd, char **hash) +#endif +{ + int retval; + struct spwd *spwdent = NULL; + +#ifdef HELPER_COMPILE + retval = 
get_account_info(name, pwd, &spwdent); +#else + retval = get_account_info(pamh, name, pwd, &spwdent); +#endif + if (retval != PAM_SUCCESS) { + return retval; + } + + if (spwdent) + *hash = x_strdup(spwdent->sp_pwdp); + else + *hash = x_strdup((*pwd)->pw_passwd); + if (*hash == NULL) + return PAM_BUF_ERR; + + return PAM_SUCCESS; +} + +#ifdef HELPER_COMPILE +int +check_shadow_expiry(struct spwd *spent, int *daysleft) +#else +int +check_shadow_expiry(pam_handle_t *pamh, struct spwd *spent, int *daysleft) +#endif +{ + long int curdays; + *daysleft = -1; + curdays = (long int)(time(NULL) / (60 * 60 * 24)); + D(("today is %d, last change %d", curdays, spent->sp_lstchg)); + if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { + D(("account expired")); + return PAM_ACCT_EXPIRED; + } + if (spent->sp_lstchg == 0) { + D(("need a new password")); + *daysleft = 0; + return PAM_NEW_AUTHTOK_REQD; + } + if (curdays < spent->sp_lstchg) { + pam_syslog(pamh, LOG_DEBUG, + "account %s has password changed in future", + spent->sp_namp); + return PAM_SUCCESS; + } + if ((curdays - spent->sp_lstchg > spent->sp_max) + && (curdays - spent->sp_lstchg > spent->sp_inact) + && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) + && (spent->sp_max != -1) && (spent->sp_inact != -1)) { + *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); + D(("authtok expired")); + return PAM_AUTHTOK_EXPIRED; + } + if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { + D(("need a new password 2")); + return PAM_NEW_AUTHTOK_REQD; + } + if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) + && (spent->sp_max != -1) && (spent->sp_warn != -1)) { + *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); + D(("warn before expiry")); + } + return PAM_SUCCESS; + +} + +/* passwd/salt conversion macros */ + +#define PW_TMPFILE "/etc/npasswd" +#define SH_TMPFILE "/etc/nshadow" +#define OPW_TMPFILE "/etc/security/nopasswd" + +/* + * i64c - 
convert an integer to a radix 64 character + */ +static int +i64c(int i) +{ + if (i < 0) + return ('.'); + else if (i > 63) + return ('z'); + if (i == 0) + return ('.'); + if (i == 1) + return ('/'); + if (i >= 2 && i <= 11) + return ('0' - 2 + i); + if (i >= 12 && i <= 37) + return ('A' - 12 + i); + if (i >= 38 && i <= 63) + return ('a' - 38 + i); + return ('\0'); +} + +/* must point to a buffer of at least +1 length */ +static void +crypt_make_salt(char *where, int length) +{ + struct timeval tv; + MD5_CTX ctx; + unsigned char tmp[16]; + unsigned char *src = (unsigned char *)where; + int i; +#ifdef PAM_PATH_RANDOMDEV + int fd; + int rv; + + if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY)) != -1) { + while ((rv = read(fd, where, length)) != length && errno == EINTR); + close (fd); + } + if (rv != length) { +#endif + /* + * Code lifted from Marek Michalkiewicz's shadow suite. (CG) + * removed use of static variables (AGM) + * + * will work correctly only for length <= 16 */ + src = tmp; + GoodMD5Init(&ctx); + gettimeofday(&tv, (struct timezone *) 0); + GoodMD5Update(&ctx, (void *) &tv, sizeof tv); + i = getpid(); + GoodMD5Update(&ctx, (void *) &i, sizeof i); + i = clock(); + GoodMD5Update(&ctx, (void *) &i, sizeof i); + GoodMD5Update(&ctx, src, length); + GoodMD5Final(tmp, &ctx); +#ifdef PAM_PATH_RANDOMDEV + } +#endif + for (i = 0; i < length; i++) + *where++ = i64c(src[i] & 077); + *where = '\0'; +} + +char * +crypt_md5_wrapper(const char *pass_new) +{ + unsigned char result[16]; + char *cp = (char *) result; + + cp = stpcpy(cp, "$1$"); /* magic for the MD5 */ + crypt_make_salt(cp, 8); + + /* no longer need cleartext */ + cp = Goodcrypt_md5(pass_new, (const char *) result); + pass_new = NULL; + + return cp; +} + +char * +create_password_hash(const char *password, unsigned int ctrl, int rounds) +{ + const char *algoid; + char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */ + char *sp; + + if (on(UNIX_MD5_PASS, ctrl)) { + return 
crypt_md5_wrapper(password); + } + if (on(UNIX_SHA256_PASS, ctrl)) { + algoid = "$5$"; + } else if (on(UNIX_SHA512_PASS, ctrl)) { + algoid = "$6$"; + } else { /* must be crypt/bigcrypt */ + char tmppass[9]; + char *crypted; + + crypt_make_salt(salt, 2); + if (off(UNIX_BIGCRYPT, ctrl) && strlen(password) > 8) { + strncpy(tmppass, password, sizeof(tmppass)-1); + tmppass[sizeof(tmppass)-1] = '\0'; + password = tmppass; + } + crypted = bigcrypt(password, salt); + memset(tmppass, '\0', sizeof(tmppass)); + password = NULL; + return crypted; + } + + sp = stpcpy(salt, algoid); + if (on(UNIX_ALGO_ROUNDS, ctrl)) { + sp += snprintf(sp, sizeof(salt) - 3, "rounds=%u$", rounds); + } + crypt_make_salt(sp, 8); + /* For now be conservative so the resulting hashes + * are not too long. 8 bytes of salt prevents dictionary + * attacks well enough. */ + sp = crypt(password, salt); + if (strncmp(algoid, sp, strlen(algoid)) != 0) { + /* libc doesn't know the algorithm, use MD5 */ + memset(sp, '\0', strlen(sp)); + return crypt_md5_wrapper(password); + } + + return x_strdup(sp); +} + +#ifdef WITH_SELINUX +int +unix_selinux_confined(void) +{ + static int confined = -1; + int fd; + char tempfile[]="/etc/.pwdXXXXXX"; + + if (confined != -1) + return confined; + + /* cannot be confined without SELinux enabled */ + if (!SELINUX_ENABLED){ + confined = 0; + return confined; + } + + /* let's try opening shadow read only */ + if ((fd=open("/etc/shadow", O_RDONLY)) != -1) { + close(fd); + confined = 0; + return confined; + } + + if (errno == EACCES) { + confined = 1; + return confined; + } + + /* shadow opening failed because of other reasons let's try + creating a file in /etc */ + if ((fd=mkstemp(tempfile)) != -1) { + unlink(tempfile); + close(fd); + confined = 0; + return confined; + } + + confined = 1; + return confined; +} + +#else +int +unix_selinux_confined(void) +{ + return 0; +} +#endif + +#ifdef USE_LCKPWDF +int +lock_pwdf(void) +{ + int i; + int retval; + +#ifndef HELPER_COMPILE + if 
(unix_selinux_confined()) { + return PAM_SUCCESS; + } +#endif + /* These values for the number of attempts and the sleep time + are, of course, completely arbitrary. + My reading of the PAM docs is that, once pam_chauthtok() has been + called with PAM_UPDATE_AUTHTOK, we are obliged to take any + reasonable steps to make sure the token is updated; so retrying + for 1/10 sec. isn't overdoing it. */ + i=0; + while((retval = lckpwdf()) != 0 && i < 100) { + usleep(1000); + i++; + } + if(retval != 0) { + return PAM_AUTHTOK_LOCK_BUSY; + } + return PAM_SUCCESS; +} + +void +unlock_pwdf(void) +{ +#ifndef HELPER_COMPILE + if (unix_selinux_confined()) { + return; + } +#endif + ulckpwdf(); +} +#else +int +lock_pwdf(void) +{ + return PAM_SUCCESS; +} + +void +unlock_pwdf(void) +{ + return; +} +#endif + +int +save_old_password(const char *forwho, const char *oldpass, + int howmany) +{ + static char buf[16384]; + static char nbuf[16384]; + char *s_luser, *s_uid, *s_npas, *s_pas, *pass; + int npas; + FILE *pwfile, *opwfile; + int err = 0; + int oldmask; + int found = 0; + struct passwd *pwd = NULL; + struct stat st; + security_context_t prev_context=NULL; + + if (howmany < 0) { + return PAM_SUCCESS; + } + + if (oldpass == NULL) { + return PAM_SUCCESS; + } + + oldmask = umask(077); + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t passwd_context=NULL; + if (getfilecon("/etc/passwd",&passwd_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(passwd_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(passwd_context)) { + freecon(passwd_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(passwd_context); + } +#endif + pwfile = fopen(OPW_TMPFILE, "w"); + umask(oldmask); + if (pwfile == NULL) { + err = 1; + goto done; + } + + opwfile = fopen(OLD_PASSWORDS_FILE, "r"); + if (opwfile == NULL) { + fclose(pwfile); + err = 1; + goto done; + } + + if (fstat(fileno(opwfile), &st) == -1) { + 
fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + while (fgets(buf, 16380, opwfile)) { + if (!strncmp(buf, forwho, strlen(forwho))) { + char *sptr = NULL; + found = 1; + if (howmany == 0) + continue; + buf[strlen(buf) - 1] = '\0'; + s_luser = strtok_r(buf, ":", &sptr); + s_uid = strtok_r(NULL, ":", &sptr); + s_npas = strtok_r(NULL, ":", &sptr); + s_pas = strtok_r(NULL, ":", &sptr); + npas = strtol(s_npas, NULL, 10) + 1; + while (npas > howmany) { + s_pas = strpbrk(s_pas, ","); + if (s_pas != NULL) + s_pas++; + npas--; + } + pass = crypt_md5_wrapper(oldpass); + if (s_pas == NULL) + snprintf(nbuf, sizeof(nbuf), "%s:%s:%d:%s\n", + s_luser, s_uid, npas, pass); + else + snprintf(nbuf, sizeof(nbuf),"%s:%s:%d:%s,%s\n", + s_luser, s_uid, npas, s_pas, pass); + _pam_delete(pass); + if (fputs(nbuf, pwfile) < 0) { + err = 1; + break; + } + } else if (fputs(buf, pwfile) < 0) { + err = 1; + break; + } + } + fclose(opwfile); + + if (!found) { + pwd = getpwnam(forwho); + if (pwd == NULL) { + err = 1; + } else { + pass = crypt_md5_wrapper(oldpass); + snprintf(nbuf, sizeof(nbuf), "%s:%lu:1:%s\n", + forwho, (unsigned long)pwd->pw_uid, pass); + _pam_delete(pass); + if (fputs(nbuf, pwfile) < 0) { + err = 1; + } + } + } + + if (fclose(pwfile)) { + D(("error writing entries to old passwords file: %m")); + err = 1; + } + +done: + if (!err) { + if (rename(OPW_TMPFILE, OLD_PASSWORDS_FILE)) + err = 1; + } +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; + } +#endif + if (!err) { + return PAM_SUCCESS; + } else { + unlink(OPW_TMPFILE); + return PAM_AUTHTOK_ERR; + } +} + +#ifdef HELPER_COMPILE +int +unix_update_passwd(const 
char *forwho, const char *towhat) +#else +int +unix_update_passwd(pam_handle_t *pamh, const char *forwho, const char *towhat) +#endif +{ + struct passwd *tmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; + int err = 1; + int oldmask; + security_context_t prev_context=NULL; + + oldmask = umask(077); +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t passwd_context=NULL; + if (getfilecon("/etc/passwd",&passwd_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(passwd_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(passwd_context)) { + freecon(passwd_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(passwd_context); + } +#endif + pwfile = fopen(PW_TMPFILE, "w"); + umask(oldmask); + if (pwfile == NULL) { + err = 1; + goto done; + } + + opwfile = fopen("/etc/passwd", "r"); + if (opwfile == NULL) { + fclose(pwfile); + err = 1; + goto done; + } + + if (fstat(fileno(opwfile), &st) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + tmpent = fgetpwent(opwfile); + while (tmpent) { + if (!strcmp(tmpent->pw_name, forwho)) { + /* To shut gcc up */ + union { + const char *const_charp; + char *charp; + } assigned_passwd; + assigned_passwd.const_charp = towhat; + + tmpent->pw_passwd = assigned_passwd.charp; + err = 0; + } + if (putpwent(tmpent, pwfile)) { + D(("error writing entry to password file: %m")); + err = 1; + break; + } + tmpent = fgetpwent(opwfile); + } + fclose(opwfile); + + if (fclose(pwfile)) { + D(("error writing entries to password file: %m")); + err = 1; + } + +done: + if (!err) { + if (!rename(PW_TMPFILE, "/etc/passwd")) +#ifdef HELPER_COMPILE + helper_log_err( +#else + pam_syslog(pamh, +#endif + 
LOG_NOTICE, "password changed for %s", forwho); + else + err = 1; + } +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; + } +#endif + if (!err) { + return PAM_SUCCESS; + } else { + unlink(PW_TMPFILE); + return PAM_AUTHTOK_ERR; + } +} + +#ifdef HELPER_COMPILE +int +unix_update_shadow(const char *forwho, char *towhat) +#else +int +unix_update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) +#endif +{ + struct spwd *spwdent = NULL, *stmpent = NULL; + struct stat st; + FILE *pwfile, *opwfile; + int err = 1; + int oldmask; + security_context_t prev_context=NULL; + + spwdent = getspnam(forwho); + if (spwdent == NULL) { + return PAM_USER_UNKNOWN; + } + oldmask = umask(077); + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + security_context_t shadow_context=NULL; + if (getfilecon("/etc/shadow",&shadow_context)<0) { + return PAM_AUTHTOK_ERR; + }; + if (getfscreatecon(&prev_context)<0) { + freecon(shadow_context); + return PAM_AUTHTOK_ERR; + } + if (setfscreatecon(shadow_context)) { + freecon(shadow_context); + freecon(prev_context); + return PAM_AUTHTOK_ERR; + } + freecon(shadow_context); + } +#endif + pwfile = fopen(SH_TMPFILE, "w"); + umask(oldmask); + if (pwfile == NULL) { + err = 1; + goto done; + } + + opwfile = fopen("/etc/shadow", "r"); + if (opwfile == NULL) { + fclose(pwfile); + err = 1; + goto done; + } + + if (fstat(fileno(opwfile), &st) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + if (fchmod(fileno(pwfile), st.st_mode) == -1) { + fclose(opwfile); + fclose(pwfile); + err = 1; + goto done; + } + + stmpent = fgetspent(opwfile); + while (stmpent) { + + if (!strcmp(stmpent->sp_namp, forwho)) { + stmpent->sp_pwdp = towhat; + stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); + err = 0; + 
D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); + } + + if (putspent(stmpent, pwfile)) { + D(("error writing entry to shadow file: %m")); + err = 1; + break; + } + + stmpent = fgetspent(opwfile); + } + fclose(opwfile); + + if (fclose(pwfile)) { + D(("error writing entries to shadow file: %m")); + err = 1; + } + + done: + if (!err) { + if (!rename(SH_TMPFILE, "/etc/shadow")) +#ifdef HELPER_COMPILE + helper_log_err( +#else + pam_syslog(pamh, +#endif + LOG_NOTICE, "password changed for %s", forwho); + else + err = 1; + } + +#ifdef WITH_SELINUX + if (SELINUX_ENABLED) { + if (setfscreatecon(prev_context)) { + err = 1; + } + if (prev_context) + freecon(prev_context); + prev_context=NULL; + } +#endif + + if (!err) { + return PAM_SUCCESS; + } else { + unlink(SH_TMPFILE); + return PAM_AUTHTOK_ERR; + } +} + +#ifdef HELPER_COMPILE + +int +helper_verify_password(const char *name, const char *p, int nullok) +{ + struct passwd *pwd = NULL; + char *salt = NULL; + int retval; + + retval = get_pwd_hash(name, &pwd, &salt); + + if (pwd == NULL || salt == NULL) { + helper_log_err(LOG_WARNING, "check pass; user unknown"); + retval = PAM_USER_UNKNOWN; + } else { + retval = verify_pwd_hash(p, salt, nullok); + } + + if (salt) { + _pam_overwrite(salt); + _pam_drop(salt); + } + + p = NULL; /* no longer needed here */ + + return retval; +} + +void +helper_log_err(int err, const char *format, ...) 
+{ + va_list args; + + va_start(args, format); + openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); + vsyslog(err, format, args); + va_end(args); + closelog(); +} + +static void +su_sighandler(int sig) +{ +#ifndef SA_RESETHAND + /* emulate the behaviour of the SA_RESETHAND flag */ + if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) + signal(sig, SIG_DFL); +#endif + if (sig > 0) { + _exit(sig); + } +} + +void +setup_signals(void) +{ + struct sigaction action; /* posix signal structure */ + + /* + * Setup signal handlers + */ + (void) memset((void *) &action, 0, sizeof(action)); + action.sa_handler = su_sighandler; +#ifdef SA_RESETHAND + action.sa_flags = SA_RESETHAND; +#endif + (void) sigaction(SIGILL, &action, NULL); + (void) sigaction(SIGTRAP, &action, NULL); + (void) sigaction(SIGBUS, &action, NULL); + (void) sigaction(SIGSEGV, &action, NULL); + action.sa_handler = SIG_IGN; + action.sa_flags = 0; + (void) sigaction(SIGTERM, &action, NULL); + (void) sigaction(SIGHUP, &action, NULL); + (void) sigaction(SIGINT, &action, NULL); + (void) sigaction(SIGQUIT, &action, NULL); +} + +char * +getuidname(uid_t uid) +{ + struct passwd *pw; + static char username[256]; + + pw = getpwuid(uid); + if (pw == NULL) + return NULL; + + strncpy(username, pw->pw_name, sizeof(username)); + username[sizeof(username) - 1] = '\0'; + + return username; +} + +int +read_passwords(int fd, int npass, char **passwords) +{ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { + rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; + break; + } + if (rbytes == 0) + break; + + while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes)) + != NULL) { + rbytes -= pptr - (passwords[i]+offset) + 1; + i++; + offset = 0; + npass--; + if (rbytes > 0) { + if (npass > 0) + memcpy(passwords[i], pptr+1, rbytes); + memset(pptr+1, '\0', rbytes); + } + } + offset += rbytes; + } + + /* 
clear up */ + if (offset > 0 && npass > 0) { + memset(passwords[i], '\0', offset); + } + + return i; +} + +#endif /* ****************************************************************** * * Copyright (c) Jan Rêkorajski 1999. * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. - * Copyright (c) Red Hat, Inc. 2007. + * Copyright (c) Red Hat, Inc. 1996, 2007, 2008. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h index a3ae9210..196e0e33 100644 --- a/modules/pam_unix/passverify.h +++ b/modules/pam_unix/passverify.h 
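Review bot: In create_password_hash() the result of `crypt(password, salt)` goes straight into `strncmp(algoid, sp, strlen(algoid))`, and crypt() may return NULL on failure, so the SHA-256/SHA-512 path can dereference a null pointer in the middle of a password change. The test should read `if (sp == NULL || strncmp(algoid, sp, strlen(algoid)) != 0)`, with the wipe guarded as `if (sp != NULL) memset(sp, '\0', strlen(sp));`. The same branch falls back to MD5 silently although the administrator asked for sha256 or sha512; a log line would make the weaker stored hash visible, but the function has no pamh to log with as written. Separately, save_old_password() in this hunk selects the user's line with `strncmp(buf, forwho, strlen(forwho))`, which also matches any longer account name that starts with forwho; also requiring `buf[strlen(forwho)] == ':'` would limit the match to the exact account.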
@@ -1,11 +1,92 @@ /* * Copyright information at end of file. */ + +#include +#include +#include + +#define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT + +#define MAXPASS 200 /* the maximum length of a password */ + +#define OLD_PASSWORDS_FILE "/etc/security/opasswd" + int verify_pwd_hash(const char *p, const char *hash, unsigned int nullok); int -_unix_shadowed(const struct passwd *pwd); +is_pwd_shadowed(const struct passwd *pwd); + +char * +crypt_md5_wrapper(const char *pass_new); + +char * +create_password_hash(const char *password, unsigned int ctrl, int rounds); + +int +unix_selinux_confined(void); + +int +lock_pwdf(void); + +void +unlock_pwdf(void); + +int +save_old_password(const char *forwho, const char *oldpass, + int howmany); + +#ifdef HELPER_COMPILE +void +helper_log_err(int err, const char *format,...); + +int +helper_verify_password(const char *name, const char *p, int nullok); + +void +setup_signals(void); + +char * +getuidname(uid_t uid); + +int +read_passwords(int fd, int npass, char **passwords); + +int +get_account_info(const char *name, + struct passwd **pwd, struct spwd **spwdent); + +int +get_pwd_hash(const char *name, + struct passwd **pwd, char **hash); + +int +check_shadow_expiry(struct spwd *spent, int *daysleft); + +int +unix_update_passwd(const char *forwho, const char *towhat); + +int +unix_update_shadow(const char *forwho, char *towhat); +#else +int +get_account_info(pam_handle_t *pamh, const char *name, + struct passwd **pwd, struct spwd **spwdent); + +int +get_pwd_hash(pam_handle_t *pamh, const char *name, + struct passwd **pwd, char **hash); + +int +check_shadow_expiry(pam_handle_t *pamh, struct spwd *spent, int *daysleft); + +int +unix_update_passwd(pam_handle_t *pamh, const char *forwho, const char *towhat); + +int +unix_update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat); +#endif /* ****************************************************************** * * Copyright (c) Red Hat, Inc. 2007. 
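Review bot: The new prototypes in passverify.h carry no contract comments, and two of those contracts matter for handling secrets. read_passwords() writes up to MAXPASS bytes into each `passwords[i]` (see `read(fd, passwords[i]+offset, MAXPASS-offset)` in passverify.c), so its declaration should say something like `/* each passwords[i] must point to at least MAXPASS bytes; returns the number of NUL-terminated passwords read */`. crypt_md5_wrapper() and create_password_hash() return a string that the callers in this commit release with `_pam_delete()`, so both declarations should carry a one-line comment that the caller must wipe and free the result.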
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 60acc958..b82cad26 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -52,8 +52,8 @@ int _make_remark(pam_handle_t * pamh, unsigned int ctrl, * set the control flags for the UNIX module. */ -int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, - const char **argv) +int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, + int argc, const char **argv) { unsigned int ctrl; @@ -109,6 +109,16 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc, *remember = 400; } } + if (rounds != NULL) { + if (j == UNIX_ALGO_ROUNDS) { + *rounds = strtol(*argv + 7, NULL, 10); + if ((*rounds < 1000) || (*rounds == INT_MAX)) + /* don't care about bogus values */ + unset(UNIX_ALGO_ROUNDS, ctrl); + if (*rounds >= 10000000) + *rounds = 9999999; + } + } } ++argv; /* step to next argument */ 
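Review bot: The `rounds=` parsing added to _set_ctrl() stores the `long` returned by strtol() directly in `*rounds`, an int, and passes NULL as the end pointer. Where long is wider than int, a large value is truncated before the `< 1000` and `>= 10000000` checks run, the `*rounds == INT_MAX` test no longer detects strtol overflow, and input such as `rounds=5000x` is accepted as 5000. Parsing into a long with an end pointer, and narrowing only after the range check, avoids all three, as sketched below. _set_ctrl() begins and ends outside this hunk.

```c
if (j == UNIX_ALGO_ROUNDS) {
	char *end;
	long val = strtol(*argv + 7, &end, 10);

	if (end == *argv + 7 || *end != '\0'
	    || val < 1000 || val == LONG_MAX) {
		/* don't care about bogus values */
		unset(UNIX_ALGO_ROUNDS, ctrl);
	} else {
		*rounds = (val >= 10000000) ? 9999999 : (int) val;
	}
}
```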
@@ -375,95 +385,6 @@ int _unix_comesfromsource(pam_handle_t *pamh, return _unix_getpwnam(pamh, name, files, nis, NULL); } -/* - * _unix_blankpasswd() is a quick check for a blank password - * - * returns TRUE if user does not have a password - * - to avoid prompting for one in such cases (CG) - */ - -int -_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) -{ - struct passwd *pwd = NULL; - struct spwd *spwdent = NULL; - char *salt = NULL; - int retval; - - D(("called")); - - /* - * This function does not have to be too smart if something goes - * wrong, return FALSE and let this case to be treated somewhere - * else (CG) - */ - - if (on(UNIX__NONULL, ctrl)) - return 0; /* will fail but don't let on yet */ - - /* UNIX passwords area */ - - /* Get password file entry... */ - pwd = pam_modutil_getpwnam (pamh, name); - - if (pwd != NULL) { - if (strcmp( pwd->pw_passwd, "*NP*" ) == 0) - { /* NIS+ */ - uid_t save_euid, save_uid; - - save_euid = geteuid(); - save_uid = getuid(); - if (save_uid == pwd->pw_uid) - setreuid( save_euid, save_uid ); - else { - setreuid( 0, -1 ); - if (setreuid( -1, pwd->pw_uid ) == -1) { - setreuid( -1, 0 ); - setreuid( 0, -1 ); - if(setreuid( -1, pwd->pw_uid ) == -1) - /* Will fail elsewhere. */ - return 0; - } - } - - spwdent = pam_modutil_getspnam (pamh, name); - if (save_uid == pwd->pw_uid) - setreuid( save_uid, save_euid ); - else { - if (setreuid( -1, 0 ) == -1) - setreuid( save_uid, -1 ); - setreuid( -1, save_euid ); - } - } else if (_unix_shadowed(pwd)) { - /* - * ...and shadow password file entry for this user, - * if shadowing is enabled - */ - spwdent = pam_modutil_getspnam(pamh, name); - } - if (spwdent) - salt = x_strdup(spwdent->sp_pwdp); - else - salt = x_strdup(pwd->pw_passwd); - } - /* Does this user have a password? 
*/ - if (salt == NULL) { - retval = 0; - } else { - if (strlen(salt) == 0) - retval = 1; - else - retval = 0; - } - - /* tidy up */ - - if (salt) - _pam_delete(salt); - - return retval; -} - /* * verify the password of a user */ @@ -518,7 +439,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, } } - if (SELINUX_ENABLED && geteuid() == 0) { + if (geteuid() == 0) { /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */ setuid(0); @@ -572,11 +493,65 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, return retval; } +/* + * _unix_blankpasswd() is a quick check for a blank password + * + * returns TRUE if user does not have a password + * - to avoid prompting for one in such cases (CG) + */ + +int +_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) +{ + struct passwd *pwd = NULL; + char *salt = NULL; + int retval; + + D(("called")); + + /* + * This function does not have to be too smart if something goes + * wrong, return FALSE and let this case to be treated somewhere + * else (CG) + */ + + if (on(UNIX__NONULL, ctrl)) + return 0; /* will fail but don't let on yet */ + + /* UNIX passwords area */ + + retval = get_pwd_hash(pamh, name, &pwd, &salt); + + if (retval == PAM_UNIX_RUN_HELPER) { + /* salt will not be set here so we can return immediately */ + if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) + return 1; + else + return 0; + } + + /* Does this user have a password? */ + if (salt == NULL) { + retval = 0; + } else { + if (strlen(salt) == 0) + retval = 1; + else + retval = 0; + } + + /* tidy up */ + + if (salt) + _pam_delete(salt); + + return retval; +} + int _unix_verify_password(pam_handle_t * pamh, const char *name ,const char *p, unsigned int ctrl) { struct passwd *pwd = NULL; - struct spwd *spwdent = NULL; char *salt = NULL; char *data_name; int retval; 
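Review bot: The return value of `setuid(0)` in _unix_run_helper_binary() is ignored, and with the `SELINUX_ENABLED &&` condition removed the call now runs whenever the effective uid is 0. If it fails, the helper starts with the caller's real uid and the only symptom is the helper's own error, so I would check it, e.g. `if (setuid(0) == -1) pam_syslog(pamh, LOG_ERR, "setuid failed: %m");`. Only part of the function is visible in this hunk, so whether this code runs in the forked child cannot be confirmed from here.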
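Review bot: The helper branch of the re-added _unix_blankpasswd() calls `_unix_run_helper_binary(pamh, NULL, ctrl, name)` with a NULL password, and nothing in this hunk documents NULL as an accepted value; the helper runner's body is outside the hunk, so its handling of NULL cannot be checked here. The function comment still calls this "a quick check", while get_account_info() now returns PAM_UNIX_RUN_HELPER for non-root or SELinux callers and this path then forks the setuid helper. I would add `/* NULL password: presumably the helper succeeds only for an empty stored hash; confirm */` at the call and mention the helper in the function comment.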
@@ -595,48 +570,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name D(("locating user's record")); - /* UNIX passwords area */ - pwd = pam_modutil_getpwnam (pamh, name); /* Get password file entry... */ - - if (pwd != NULL) { - if (strcmp( pwd->pw_passwd, "*NP*" ) == 0) - { /* NIS+ */ - uid_t save_euid, save_uid; - - save_euid = geteuid(); - save_uid = getuid(); - if (save_uid == pwd->pw_uid) - setreuid( save_euid, save_uid ); - else { - setreuid( 0, -1 ); - if (setreuid( -1, pwd->pw_uid ) == -1) { - setreuid( -1, 0 ); - setreuid( 0, -1 ); - if(setreuid( -1, pwd->pw_uid ) == -1) - return PAM_CRED_INSUFFICIENT; - } - } - - spwdent = pam_modutil_getspnam (pamh, name); - if (save_uid == pwd->pw_uid) - setreuid( save_uid, save_euid ); - else { - if (setreuid( -1, 0 ) == -1) - setreuid( save_uid, -1 ); - setreuid( -1, save_euid ); - } - } else if (_unix_shadowed(pwd)) { - /* - * ...and shadow password file entry for this user, - * if shadowing is enabled - */ - spwdent = pam_modutil_getspnam (pamh, name); - } - if (spwdent) - salt = x_strdup(spwdent->sp_pwdp); - else - salt = x_strdup(pwd->pw_passwd); - } + retval = get_pwd_hash(pamh, name, &pwd, &salt); data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name)); if (data_name == NULL) { 
@@ -646,20 +580,13 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name); } - retval = PAM_SUCCESS; - if (pwd == NULL || salt == NULL || !strcmp(salt, "x") || ((salt[0] == '#') && (salt[1] == '#') && !strcmp(salt + 2, name))) { - - if (pwd != NULL && (geteuid() || SELINUX_ENABLED)) { - /* we are not root perhaps this is the reason? Run helper */ + if (retval != PAM_SUCCESS) { + if (retval == PAM_UNIX_RUN_HELPER) { D(("running helper binary")); retval = _unix_run_helper_binary(pamh, p, ctrl, name); } else { D(("user's record unavailable")); p = NULL; - if (pwd == NULL) - retval = PAM_USER_UNKNOWN; - else - retval = PAM_AUTHINFO_UNAVAIL; if (on(UNIX_AUDIT, ctrl)) { /* this might be a typo and the user has given a password instead of a username. Careful with this. */ @@ -931,6 +858,7 @@ int _unix_read_password(pam_handle_t * pamh * Copyright (c) Andrew G. Morgan 1996-8. * Copyright (c) Alex O. Yuriev, 1996. * Copyright (c) Cristian Gafton 1996. + * Copyright (c) Red Hat, Inc. 2007. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 94a9b393..9d4f8b85 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -84,8 +84,12 @@ typedef struct { #define UNIX_NOREAP 21 /* don't reap child process */ #define UNIX_BROKEN_SHADOW 22 /* ignore errors reading password aging * information during acct management */ +#define UNIX_SHA256_PASS 23 /* new password hashes will use SHA256 */ +#define UNIX_SHA512_PASS 24 /* new password hashes will use SHA512 */ +#define UNIX_ALGO_ROUNDS 25 /* optional number of rounds for new + password hash algorithms */ /* -------------- */ -#define UNIX_CTRLS_ 23 /* number of ctrl arguments defined */ +#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = 
@@ -116,6 +120,9 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = /* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000}, /* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000}, /* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000}, +/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(040420000), 020000000}, +/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(020420000), 040000000}, +/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, }; #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) @@ -131,8 +138,8 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl ,int type, const char *text); -extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc, - const char **argv); +extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds, + int argc, const char **argv); extern int _unix_getpwnam (pam_handle_t *pamh, const char *name, int files, int nis, struct passwd **ret); @@ -150,5 +157,6 @@ extern int _unix_read_password(pam_handle_t * pamh ,const char *data_name ,const void **pass); -extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user); +extern int _unix_run_verify_binary(pam_handle_t *pamh, + unsigned int ctrl, const char *user, int *daysleft); #endif /* _PAM_UNIX_SUPPORT_H */ diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8 deleted file mode 100644 index 02ccfe4a..00000000 --- a/modules/pam_unix/unix_chkpwd.8 +++ /dev/null 
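Review bot: The `sha256` and `sha512` entries added to unix_args clear the other SHA bit plus bits 020000 and 0400000 through their masks, but the entries that own those two bits are outside this hunk and are not changed by it. If their masks were left as they were, a configuration that names both `sha512` and the older option (presumably `md5`) keeps both flags set whichever comes last. create_password_hash() in passverify.c tests UNIX_MD5_PASS first, so the stored hash would then be MD5. The older entries' masks should clear 020000000 and 040000000 as well, or the precedence should be stated in a comment next to the table.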
@@ -1,80 +0,0 @@ -.\" Copyright (C) 2003 International Business Machines Corporation -.\" This file is distributed according to the GNU General Public License. -.\" See the file COPYING in the top level source directory for details. -.\" -.de Sh \" Subsection -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. -.TH "UNIX_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual" -.SH NAME -unix_chkpwd \- helper binary that verifies the password of the current user -.SH "SYNOPSIS" -.ad l -.hy 0 - -/sbin/unix_chkpwd [\fIusername\fR] -.sp -.ad -.hy -.SH "DESCRIPTION" -.PP -\fBunix_chkpwd\fR is a helper program for the pam_unix module that verifies -the password of the current user. It is not intended to be run directly from -the command line and logs a security violation if done so. - -It is typically installed setuid root or setgid shadow. - -.SH "OPTIONS" -.PP -unix_pwdchk optionally takes the following argument: -.TP -\fIusername\fR -The username of the user whose password you want to check: this must match the current user id. - -.SH "INPUTS" -.PP -unix_pwdchk expects the following inputs via stdin: -.TP -\fIoption\fR -Either nullok or nonull, depending on whether the user can have an empty password. -.TP -\fIpassword\fR -The password to verify. - -.SH "RETURN CODES" -.PP -\fBunix_chkpwd\fR has the following return codes: -.TP -1 -unix_chkpwd was inappropriately called from the command line or the password is incorrect. - -.TP -0 -The password is correct. - -.SH "HISTORY" -Written by Andrew Morgan - -.SH "SEE ALSO" - -.PP -\fBpam\fR(8) - -.SH AUTHOR -Emily Ratliff. - diff --git a/modules/pam_unix/unix_chkpwd.8.xml b/modules/pam_unix/unix_chkpwd.8.xml new file mode 100644 index 00000000..a10dbe33 --- /dev/null +++ b/modules/pam_unix/unix_chkpwd.8.xml 
@@ -0,0 +1,67 @@ + + + + + + + unix_chkpwd + 8 + Linux-PAM Manual + + + + unix_chkpwd + Helper binary that verifies the password of the current user + + + + + unix_chkpwd + + ... + + + + + + + DESCRIPTION + + + unix_chkpwd is a helper program for the + pam_unix module that verifies the + password of the current user. It also checks password and account + expiration dates in shadow. It is not intended to + be run directly from the command line and logs a security violation if + done so. + + + + It is typically installed setuid root or setgid shadow. + + + + The interface of the helper - command line options, and input/output + data format are internal to the pam_unix + module and it should not be called directly from applications. + + + + + SEE ALSO + + + pam_unix8 + + + + + + AUTHOR + + Written by Andrew Morgan and other various people. + + + + diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 1e8944e9..11ac3aac 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -13,7 +13,6 @@ #include "config.h" -#include #include #include #include 
@@ -25,329 +24,34 @@ #include #include #include -#ifdef WITH_SELINUX -#include -#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) -static security_context_t prev_context=NULL; -static int selinux_enabled=-1; -#else -#define SELINUX_ENABLED 0 -#endif - -#define MAXPASS 200 /* the maximum length of a password */ #include #include #include "passverify.h" -/* syslogging function for errors and other information */ - -static void _log_err(int err, const char *format,...) -{ - va_list args; - - va_start(args, format); - openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTHPRIV); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static void su_sighandler(int sig) -{ -#ifndef SA_RESETHAND - /* emulate the behaviour of the SA_RESETHAND flag */ - if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) - signal(sig, SIG_DFL); -#endif - if (sig > 0) { - _log_err(LOG_NOTICE, "caught signal %d.", sig); - exit(sig); - } -} - -static void setup_signals(void) -{ - struct sigaction action; /* posix signal structure */ - - /* - * Setup signal handlers - */ - (void) memset((void *) &action, 0, sizeof(action)); - action.sa_handler = su_sighandler; -#ifdef SA_RESETHAND - action.sa_flags = SA_RESETHAND; -#endif - (void) sigaction(SIGILL, &action, NULL); - (void) sigaction(SIGTRAP, &action, NULL); - (void) sigaction(SIGBUS, &action, NULL); - (void) sigaction(SIGSEGV, &action, NULL); - action.sa_handler = SIG_IGN; - action.sa_flags = 0; - (void) sigaction(SIGTERM, &action, NULL); - (void) sigaction(SIGHUP, &action, NULL); - (void) sigaction(SIGINT, &action, NULL); - (void) sigaction(SIGQUIT, &action, NULL); -} - -static int _verify_account(const char * const uname) +static int _check_expiry(const char *uname) { struct spwd *spent; struct passwd *pwent; - - pwent = getpwnam(uname); - if (!pwent) { - _log_err(LOG_ALERT, "could not identify user (from getpwnam(%s))", uname); - return PAM_USER_UNKNOWN; - } 
- - spent = getspnam( uname ); - if (!spent) { - _log_err(LOG_ALERT, "could not get username from shadow (%s))", uname); - return PAM_AUTHINFO_UNAVAIL; /* Couldn't get username from shadow */ - } - printf("%ld:%ld:%ld:%ld:%ld:%ld", - spent->sp_lstchg, /* last password change */ - spent->sp_min, /* days until change allowed. */ - spent->sp_max, /* days before change required */ - spent->sp_warn, /* days warning for expiration */ - spent->sp_inact, /* days before account inactive */ - spent->sp_expire); /* date when account expires */ - - return PAM_SUCCESS; -} - -static int _unix_verify_password(const char *name, const char *p, int nullok) -{ - struct passwd *pwd = NULL; - struct spwd *spwdent = NULL; - char *salt = NULL; - int retval = PAM_AUTH_ERR; - - /* UNIX passwords area */ - setpwent(); - pwd = getpwnam(name); /* Get password file entry... */ - endpwent(); - if (pwd != NULL) { - if (_unix_shadowed(pwd)) { - /* - * ...and shadow password file entry for this user, - * if shadowing is enabled - */ - setspent(); - spwdent = getspnam(name); - endspent(); - if (spwdent != NULL) - salt = x_strdup(spwdent->sp_pwdp); - else - pwd = NULL; - } else { - if (strcmp(pwd->pw_passwd, "*NP*") == 0) { /* NIS+ */ - uid_t save_uid; - - save_uid = geteuid(); - seteuid(pwd->pw_uid); - spwdent = getspnam(name); - seteuid(save_uid); - - salt = x_strdup(spwdent->sp_pwdp); - } else { - salt = x_strdup(pwd->pw_passwd); - } - } + int retval; + int daysleft; + + retval = get_account_info(uname, &pwent, &spent); + if (retval != PAM_SUCCESS) { + helper_log_err(LOG_ALERT, "could not obtain user info (%s)", uname); + printf("-1\n"); + return retval; } - if (pwd == NULL || salt == NULL) { - _log_err(LOG_WARNING, "check pass; user unknown"); - retval = PAM_USER_UNKNOWN; - } else { - retval = verify_pwd_hash(p, salt, nullok); - } - - if (salt) { - _pam_overwrite(salt); - _pam_drop(salt); + + if (spent == NULL) { + printf("-1\n"); + return retval; } - p = NULL; /* no longer needed here */ - - 
return retval; -} - -static char *getuidname(uid_t uid) -{ - struct passwd *pw; - static char username[32]; - - pw = getpwuid(uid); - if (pw == NULL) - return NULL; - - strncpy(username, pw->pw_name, sizeof(username)); - username[sizeof(username) - 1] = '\0'; - - return username; -} - -#define SH_TMPFILE "/etc/nshadow" -static int _update_shadow(const char *forwho) -{ - struct spwd *spwdent = NULL, *stmpent = NULL; - FILE *pwfile, *opwfile; - int err = 1; - int oldmask; - struct stat st; - char pass[MAXPASS + 1]; - char towhat[MAXPASS + 1]; - int npass=0; - - /* read the password from stdin (a pipe from the pam_unix module) */ - - npass = read(STDIN_FILENO, pass, MAXPASS); - - if (npass < 0) { /* is it a valid password? */ - - _log_err(LOG_DEBUG, "no password supplied"); - return PAM_AUTHTOK_ERR; - - } else if (npass >= MAXPASS) { - - _log_err(LOG_DEBUG, "password too long"); - return PAM_AUTHTOK_ERR; - - } else { - /* does pass agree with the official one? */ - int retval=0; - pass[npass] = '\0'; /* NUL terminate */ - retval = _unix_verify_password(forwho, pass, 0); - if (retval != PAM_SUCCESS) { + retval = check_shadow_expiry(spent, &daysleft); + printf("%d\n", daysleft); return retval; - } - } - - /* read the password from stdin (a pipe from the pam_unix module) */ - - npass = read(STDIN_FILENO, towhat, MAXPASS); - - if (npass < 0) { /* is it a valid password? 
*/ - - _log_err(LOG_DEBUG, "no new password supplied"); - return PAM_AUTHTOK_ERR; - - } else if (npass >= MAXPASS) { - - _log_err(LOG_DEBUG, "new password too long"); - return PAM_AUTHTOK_ERR; - - } - - towhat[npass] = '\0'; /* NUL terminate */ - spwdent = getspnam(forwho); - if (spwdent == NULL) { - return PAM_USER_UNKNOWN; - } - oldmask = umask(077); - -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - security_context_t shadow_context=NULL; - if (getfilecon("/etc/shadow",&shadow_context)<0) { - return PAM_AUTHTOK_ERR; - }; - if (getfscreatecon(&prev_context)<0) { - freecon(shadow_context); - return PAM_AUTHTOK_ERR; - } - if (setfscreatecon(shadow_context)) { - freecon(shadow_context); - freecon(prev_context); - return PAM_AUTHTOK_ERR; - } - freecon(shadow_context); - } -#endif - pwfile = fopen(SH_TMPFILE, "w"); - umask(oldmask); - if (pwfile == NULL) { - err = 1; - goto done; - } - - opwfile = fopen("/etc/shadow", "r"); - if (opwfile == NULL) { - fclose(pwfile); - err = 1; - goto done; - } - - if (fstat(fileno(opwfile), &st) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - if (fchmod(fileno(pwfile), st.st_mode) == -1) { - fclose(opwfile); - fclose(pwfile); - err = 1; - goto done; - } - - stmpent = fgetspent(opwfile); - while (stmpent) { - - if (!strcmp(stmpent->sp_namp, forwho)) { - stmpent->sp_pwdp = towhat; - stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24); - err = 0; - D(("Set password %s for %s", stmpent->sp_pwdp, forwho)); - } - - if (putspent(stmpent, pwfile)) { - D(("error writing entry to shadow file: %m")); - err = 1; - break; - } - - stmpent = fgetspent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - D(("error writing entries to shadow file: %m")); - err = 1; - } - - done: - if (!err) { - if (rename(SH_TMPFILE, "/etc/shadow")) - err = 1; - } - -#ifdef WITH_SELINUX - if (SELINUX_ENABLED) { - 
if (setfscreatecon(prev_context)) { - err = 1; - } - if (prev_context) - freecon(prev_context); - prev_context=NULL; - } -#endif - - if (!err) { - return PAM_SUCCESS; - } else { - unlink(SH_TMPFILE); - return PAM_AUTHTOK_ERR; - } } int main(int argc, char *argv[]) @@ -355,9 +59,10 @@ int main(int argc, char *argv[]) char pass[MAXPASS + 1]; char *option; int npass, nullok; - int force_failure = 0; + int blankpass = 0; int retval = PAM_AUTH_ERR; char *user; + char *passwords[] = { pass }; /* * Catch or ignore as many signal as possible. @@ -374,7 +79,7 @@ int main(int argc, char *argv[]) */ if (isatty(STDIN_FILENO) || argc != 3 ) { - _log_err(LOG_NOTICE + helper_log_err(LOG_NOTICE ,"inappropriate use of Unix helper binary [UID=%d]" ,getuid()); fprintf(stderr @@ -386,11 +91,9 @@ int main(int argc, char *argv[]) /* * Determine what the current user's name is. - * On a SELinux enabled system with a strict policy leaving the - * existing check prevents shadow password authentication from working. * We must thus skip the check if the real uid is 0. */ - if (SELINUX_ENABLED && getuid() == 0) { + if (getuid() == 0) { user=argv[1]; } else { 
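Review bot: In `_check_expiry`, `daysleft` is declared without an initial value and then printed by `printf("%d\n", daysleft)` right after `check_shadow_expiry(spent, &daysleft)`. Whether check_shadow_expiry stores to it on every return path is not visible in this hunk; if any path skips the store, the helper prints an indeterminate value that the calling module presumably parses as the days left. Declaring it as `int daysleft = -1;` matches the `-1` the function already prints on its other exits and removes that dependency.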
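Review bot: With `SELINUX_ENABLED &&` dropped, `if (getuid() == 0)` now lets every caller whose real uid is 0 name the account in `argv[1]`, but the comment kept above it still reads "We must thus skip the check if the real uid is 0." The sentence that "thus" referred to has been removed, so the comment no longer explains the decision. I would state the rule directly, for example `* A caller with real uid 0 may name any account in argv[1]; the name check is skipped for it.` The else branch that handles other callers lies outside this hunk.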
@@ -404,63 +107,49 @@ int main(int argc, char *argv[]) option=argv[2]; - if (strncmp(argv[2], "verify", 8) == 0) { - /* Get the account information from the shadow file */ - return _verify_account(argv[1]); - } - - if (strncmp(option, "shadow", 8) == 0) { - /* Attempting to change the password */ - return _update_shadow(argv[1]); - } - + if (strcmp(option, "chkexpiry") == 0) + /* Check account information from the shadow file */ + return _check_expiry(argv[1]); /* read the nullok/nonull option */ - if (strncmp(option, "nullok", 8) == 0) + else if (strcmp(option, "nullok") == 0) nullok = 1; - else + else if (strcmp(option, "nonull") == 0) nullok = 0; + else + return PAM_SYSTEM_ERR; /* read the password from stdin (a pipe from the pam_unix module) */ - npass = read(STDIN_FILENO, pass, MAXPASS); + npass = read_passwords(STDIN_FILENO, 1, passwords); - if (npass < 0) { /* is it a valid password? */ - - _log_err(LOG_DEBUG, "no password supplied"); - - } else if (npass >= MAXPASS) { - - _log_err(LOG_DEBUG, "password too long"); - - } else { - if (npass == 0) { - /* the password is NULL */ - - retval = _unix_verify_password(user, NULL, nullok); - - } else { - /* does pass agree with the official one? */ - - pass[npass] = '\0'; /* NUL terminate */ - retval = _unix_verify_password(user, pass, nullok); + if (npass != 1) { /* is it a valid password? 
*/ + helper_log_err(LOG_DEBUG, "no password supplied"); + *pass = '\0'; + } - } + if (*pass == '\0') { + blankpass = 1; } + retval = helper_verify_password(user, pass, nullok); + memset(pass, '\0', MAXPASS); /* clear memory of the password */ /* return pass or fail */ - if ((retval != PAM_SUCCESS) || force_failure) { - _log_err(LOG_NOTICE, "password check failed for user (%s)", user); - return PAM_AUTH_ERR; + if (retval != PAM_SUCCESS) { + if (!nullok || !blankpass) + /* no need to log blank pass test */ + helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user); + return PAM_AUTH_ERR; } else { - return PAM_SUCCESS; + return PAM_SUCCESS; } } /* * Copyright (c) Andrew G. Morgan, 1996. All rights reserved + * Copyright (c) Red Hat, Inc., 2007,2008. All rights reserved * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/modules/pam_unix/unix_update.8.xml b/modules/pam_unix/unix_update.8.xml new file mode 100644 index 00000000..07695951 --- /dev/null +++ b/modules/pam_unix/unix_update.8.xml 
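Review bot: The wipe `memset(pass, '\0', MAXPASS);` on the new side is followed only by the return paths, and `pass` is a local array that is never read again. An optimising compiler is therefore allowed to drop the store and leave the password on the stack. A clearing routine that cannot be elided is needed here, e.g. `explicit_bzero(pass, sizeof(pass));` where the C library provides it, or a loop through a `volatile char *`. The same pattern appears in `set_password` in the new unix_update.c, where `pass` and `towhat` are cleared with memset just before the function returns.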
@@ -0,0 +1,67 @@ + + + + + + + unix_update + 8 + Linux-PAM Manual + + + + unix_update + Helper binary that updates the password of a given user + + + + + unix_update + + ... + + + + + + + DESCRIPTION + + + unix_update is a helper program for the + pam_unix module that updates the + password of a given user. It is not intended to be run directly + from the command line and logs a security violation if done so. + + + + The purpose of the helper is to enable tighter confinement of + login and password changing services. The helper is thus called only + when SELinux is enabled and in the enforcing mode on the system. + + + + The interface of the helper - command line options, and input/output + data format are internal to the pam_unix + module and it should not be called directly from applications. + + + + + SEE ALSO + + + pam_unix8 + + + + + + AUTHOR + + Written by Tomas Mraz and other various people. + + + + diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c new file mode 100644 index 00000000..6dc8ace4 --- /dev/null +++ b/modules/pam_unix/unix_update.c 
@@ -0,0 +1,194 @@ +/* + * This program is designed to run setuid(root) or with sufficient + * privilege to read all of the unix password databases. It is designed + * to provide a mechanism for the current user (defined by this + * process' uid) to verify their own password. + * + * The password is read from the standard input. The exit status of + * this program indicates whether the user is authenticated or not. + * + * Copyright information is located at the end of the file. + * + */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef WITH_SELINUX +#include +#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) +static int selinux_enabled=-1; +#else +#define SELINUX_ENABLED 0 +#endif + +#include +#include + +#include "passverify.h" + +static int +set_password(const char *forwho, const char *shadow, const char *remember) +{ + struct passwd *pwd = NULL; + int retval; + char pass[MAXPASS + 1]; + char towhat[MAXPASS + 1]; + int npass = 0; + /* we don't care about number format errors because the helper + should be called internally only */ + int doshadow = atoi(shadow); + int nremember = atoi(remember); + char *passwords[] = { pass, towhat }; + + /* read the password from stdin (a pipe from the pam_unix module) */ + + npass = read_passwords(STDIN_FILENO, 2, passwords); + + if (npass != 2) { /* is it a valid password? */ + if (npass == 1) { + helper_log_err(LOG_DEBUG, "no new password supplied"); + memset(pass, '\0', MAXPASS); + } else { + helper_log_err(LOG_DEBUG, "no valid passwords supplied"); + } + return PAM_AUTHTOK_ERR; + } + + if (lock_pwdf() != PAM_SUCCESS) + return PAM_AUTHTOK_LOCK_BUSY; + + pwd = getpwnam(forwho); + + if (pwd == NULL) { + retval = PAM_USER_UNKNOWN; + goto done; + } + + /* does pass agree with the official one? 
+ we always allow change from null pass */ + retval = helper_verify_password(forwho, pass, 1); + if (retval != PAM_SUCCESS) { + goto done; + } + + /* first, save old password */ + if (save_old_password(forwho, pass, nremember)) { + retval = PAM_AUTHTOK_ERR; + goto done; + } + + if (doshadow || is_pwd_shadowed(pwd)) { + retval = unix_update_shadow(forwho, towhat); + if (retval == PAM_SUCCESS) + if (!is_pwd_shadowed(pwd)) + retval = unix_update_passwd(forwho, "x"); + } else { + retval = unix_update_passwd(forwho, towhat); + } + +done: + memset(pass, '\0', MAXPASS); + memset(towhat, '\0', MAXPASS); + + unlock_pwdf(); + + if (retval == PAM_SUCCESS) { + return PAM_SUCCESS; + } else { + return PAM_AUTHTOK_ERR; + } +} + +int main(int argc, char *argv[]) +{ + char *option; + + /* + * Catch or ignore as many signal as possible. + */ + setup_signals(); + + /* + * we establish that this program is running with non-tty stdin. + * this is to discourage casual use. It does *NOT* prevent an + * intruder from repeatadly running this program to determine the + * password of the current user (brute force attack, but one for + * which the attacker must already have gained access to the user's + * account). + */ + + if (isatty(STDIN_FILENO) || argc != 5 ) { + helper_log_err(LOG_NOTICE + ,"inappropriate use of Unix helper binary [UID=%d]" + ,getuid()); + fprintf(stderr + ,"This binary is not designed for running in this way\n" + "-- the system administrator has been informed\n"); + sleep(10); /* this should discourage/annoy the user */ + return PAM_SYSTEM_ERR; + } + + /* We must be root to read/update shadow. + */ + if (geteuid() != 0) { + return PAM_CRED_INSUFFICIENT; + } + + option = argv[2]; + + if (strcmp(option, "update") == 0) { + /* Attempting to change the password */ + return set_password(argv[1], argv[3], argv[4]); + } + + return PAM_SYSTEM_ERR; +} + +/* + * Copyright (c) Andrew G. Morgan, 1996. All rights reserved + * Copyright (c) Red Hat, Inc., 2007, 2008. 
All rights reserved + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ -- cgit v1.2.3 From 18844525b681b18eec1f18bbfaeb5577c96b28c0 Mon Sep 17 00:00:00 2001 
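Review bot: The file header comment was carried over from the password-checking helper and describes the wrong program. It says the binary is "designed to run setuid(root)" so the current user can "verify their own password", while `main` here accepts only the `update` option and `set_password` rewrites the stored password of the account named in `argv[1]`. The brute-force remark inside `main` has the same origin. I would replace the header with a description of this binary, e.g. `* Helper for pam_unix: checks the old password read from stdin and stores the new one for the user given in argv[1].` It should also record that the only caller check is `geteuid() != 0`, with no comparison of `argv[1]` against the real uid, so the setuid wording should not be taken as an installation instruction.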
From: Tomas Mraz Date: Thu, 24 Jan 2008 16:42:58 +0000 Subject: Relevant BUGIDs: 1836981 Purpose of commit: bugfix Commit summary: --------------- 2008-01-24 Tomas Mraz * modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when available. * modules/pam_unix/passverify.c (strip_hpux_aging): New function to strip HP/UX aging info from password hash. (verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when available. --- ChangeLog | 12 ++++++++++++ modules/pam_unix/bigcrypt.c | 26 +++++++++++++++++++++++--- modules/pam_unix/passverify.c | 38 +++++++++++++++++++++++++++++++++++--- modules/pam_unix/passverify.h | 2 +- 4 files changed, 71 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index a1fee209..415c2ae8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,17 @@ +2008-01-24 Tomas Mraz + + * modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when + available. + * modules/pam_unix/passverify.c (strip_hpux_aging): New function + to strip HP/UX aging info from password hash. + (verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when + available. + 2008-01-23 Tomas Mraz + * configure.in: Add test for crypt_r(). Add setting/disabling random + device support. + * modules/pam_unix/Makefile.am: Add unix_update.8 manpage generated from XML, generate also unix_chkpwd.8 from XML. * modules/pam_unix/pam_unix_acct.c: Add rounds parameter to _set_ctrl(). diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c index d825bc71..9cd55384 100644 --- a/modules/pam_unix/bigcrypt.c +++ b/modules/pam_unix/bigcrypt.c @@ -51,7 +51,9 @@ char *bigcrypt(const char *key, const char *salt) { char *dec_c2_cryptbuf; - +#ifdef HAVE_CRYPT_R + struct crypt_data *cdata; +#endif unsigned long int keylen, n_seg, j; char *cipher_ptr, *plaintext_ptr, *tmp_ptr, *salt_ptr; char keybuf[KEYBUF_SIZE + 1]; 
@@ -63,6 +65,14 @@ char *bigcrypt(const char *key, const char *salt) if (!dec_c2_cryptbuf) { return NULL; } +#ifdef HAVE_CRYPT_R + cdata = malloc(sizeof(*cdata)); + if(!cdata) { + free(dec_c2_cryptbuf); + return NULL; + } + cdata->initialized = 0; +#endif memset(keybuf, 0, KEYBUF_SIZE + 1); memset(dec_c2_cryptbuf, 0, CBUF_SIZE); @@ -92,8 +102,11 @@ char *bigcrypt(const char *key, const char *salt) plaintext_ptr = keybuf; /* do the first block with supplied salt */ +#ifdef HAVE_CRYPT_R + tmp_ptr = crypt_r(plaintext_ptr, salt, cdata); /* libc crypt_r() */ +#else tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */ - +#endif /* and place in the static area */ strncpy(cipher_ptr, tmp_ptr, 13); cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; @@ -110,7 +123,11 @@ char *bigcrypt(const char *key, const char *salt) if (n_seg > 1) { for (j = 2; j <= n_seg; j++) { +#ifdef HAVE_CRYPT_R + tmp_ptr = crypt_r(plaintext_ptr, salt_ptr, cdata); +#else tmp_ptr = crypt(plaintext_ptr, salt_ptr); +#endif /* skip the salt for seg!=0 */ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); @@ -122,7 +139,10 @@ char *bigcrypt(const char *key, const char *salt) } D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf)); - /* this is the terminated encrypted password */ +#ifdef HAVE_CRYPT_R + free(cdata); +#endif + /* this is the terminated encrypted password */ return dec_c2_cryptbuf; } diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 6fc4dcce..9b9f0a42 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -19,6 +19,9 @@ #include #include #include +#ifdef HAVE_CRYPT_H +#include +#endif #include "md5.h" #include "bigcrypt.h" 
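Review bot: The result of `crypt_r(plaintext_ptr, salt, cdata)` goes straight into `strncpy(cipher_ptr, tmp_ptr, 13)` without a NULL test, and crypt_r, like crypt, returns NULL when it rejects the salt or otherwise fails. If the salt comes from a malformed stored hash, that is a null-pointer read inside the authentication path. A check after the call that frees `cdata` and `dec_c2_cryptbuf` and returns NULL would cover it, and the loop call in the `@@ -110,7 +123,11 @@` hunk needs the same check. bigcrypt's body starts and ends outside these hunks.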
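Review bot: `free(cdata)` at the end of bigcrypt releases the crypt_r working state without clearing it, whereas the verify_pwd_hash change in this same commit does `memset(cdata, '\0', sizeof(*cdata));` before its free. The structure has just been used to hash segments of the password, so I would clear it here as well, preferably with a routine the compiler cannot drop as a dead store. Any early return between the malloc and this point needs the same treatment; such returns are not visible in these hunks.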
@@ -44,14 +47,32 @@ # include "./lckpwdf.-c" #endif +static void +strip_hpux_aging(char *hash) +{ + static const char valid[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "0123456789./"; + if ((*hash != '$') && (strlen(hash) > 13)) { + for (hash += 13; *hash != '\0'; hash++) { + if (strchr(valid, *hash) == NULL) { + *hash = '\0'; + break; + } + } + } +} + int -verify_pwd_hash(const char *p, const char *hash, unsigned int nullok) +verify_pwd_hash(const char *p, char *hash, unsigned int nullok) { - size_t hash_len = strlen(hash); + size_t hash_len; char *pp = NULL; int retval; D(("called")); + strip_hpux_aging(hash); + hash_len = strlen(hash); if (!hash_len) { /* the stored password is NULL */ if (nullok) { /* this means we've succeeded */ @@ -78,9 +99,20 @@ verify_pwd_hash(const char *p, const char *hash, unsigned int nullok) } else { /* * Ok, we don't know the crypt algorithm, but maybe - * libcrypt nows about it? We should try it. + * libcrypt knows about it? We should try it. */ +#ifdef HAVE_CRYPT_R + struct crypt_data *cdata; + cdata = malloc(sizeof(*cdata)); + if (cdata != NULL) { + cdata->initialized = 0; + pp = x_strdup(crypt_r(p, hash, cdata)); + memset(cdata, '\0', sizeof(*cdata)); + free(cdata); + } +#else pp = x_strdup(crypt(p, hash)); +#endif } p = NULL; /* no longer needed here */ diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h index 196e0e33..e8e112d0 100644 --- a/modules/pam_unix/passverify.h +++ b/modules/pam_unix/passverify.h @@ -13,7 +13,7 @@ #define OLD_PASSWORDS_FILE "/etc/security/opasswd" int -verify_pwd_hash(const char *p, const char *hash, unsigned int nullok); +verify_pwd_hash(const char *p, char *hash, unsigned int nullok); int is_pwd_shadowed(const struct passwd *pwd); -- cgit v1.2.3 From 03b88d95ae88955dacf12c7c2ee3f03bd0f7403b Mon Sep 17 00:00:00 2001 
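Review bot: `strip_hpux_aging` has no comment and uses the literal 13 twice without a name, so a reader has to know it is the length of a traditional DES crypt hash to see why only the characters after it are checked. Because of this call, verify_pwd_hash now truncates the caller's `hash` buffer in place (the prototype loses its `const`), which callers should be told. I would add above the function `/* Cut a non-$ hash at the first character past position 13 that is not in the crypt alphabet (HP/UX aging info); modifies hash in place. */` and note the in-place change next to the prototype in passverify.h. verify_pwd_hash continues past the end of this hunk.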
From: Thorsten Kukuk Date: Mon, 28 Jan 2008 13:20:29 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-01-28 Thorsten Kukuk * modules/pam_unix/passverify.c: Fix compiling without SELinux support. --- ChangeLog | 7 ++++++- modules/pam_unix/passverify.c | 28 +++++++++++++++++----------- 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 415c2ae8..7b0e3bf9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2008-01-28 Thorsten Kukuk + + * modules/pam_unix/passverify.c: Fix compiling without SELinux + support. + 2008-01-24 Tomas Mraz * modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when @@ -30,7 +35,7 @@ macros. Add prototype for create_password_hash(). * modules/pam_unix/unix_update.8.xml: New file. * modules/pam_unix/unix_chkpwd.8.xml: Likewise. - + * modules/pam_unix/Makefile.am: Add unix_update helper. * modules/pam_unix/pam_unix_passwd.c: Move functions i64c(), crypt_md5_wrapper(), save_old_password(), _update_passwd() and diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 9b9f0a42..6d588e63 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -125,7 +125,7 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) retval = PAM_AUTH_ERR; } } - + if (pp) _pam_delete(pp); D(("done [%d].", retval)); @@ -234,7 +234,7 @@ get_pwd_hash(pam_handle_t *pamh, const char *name, retval = get_account_info(name, pwd, &spwdent); #else retval = get_account_info(pamh, name, pwd, &spwdent); -#endif +#endif if (retval != PAM_SUCCESS) { return retval; } @@ -329,7 +329,7 @@ i64c(int i) /* must point to a buffer of at least +1 length */ static void crypt_make_salt(char *where, int length) -{ +{ struct timeval tv; MD5_CTX ctx; unsigned char tmp[16]; 
@@ -428,7 +428,7 @@ create_password_hash(const char *password, unsigned int ctrl, int rounds) memset(sp, '\0', strlen(sp)); return crypt_md5_wrapper(password); } - + return x_strdup(sp); } @@ -448,7 +448,7 @@ unix_selinux_confined(void) confined = 0; return confined; } - + /* let's try opening shadow read only */ if ((fd=open("/etc/shadow", O_RDONLY)) != -1) { close(fd); @@ -460,8 +460,8 @@ unix_selinux_confined(void) confined = 1; return confined; } - - /* shadow opening failed because of other reasons let's try + + /* shadow opening failed because of other reasons let's try creating a file in /etc */ if ((fd=mkstemp(tempfile)) != -1) { unlink(tempfile); @@ -469,7 +469,7 @@ unix_selinux_confined(void) confined = 0; return confined; } - + confined = 1; return confined; } @@ -549,7 +549,9 @@ save_old_password(const char *forwho, const char *oldpass, int found = 0; struct passwd *pwd = NULL; struct stat st; +#ifdef WITH_SELINUX security_context_t prev_context=NULL; +#endif if (howmany < 0) { return PAM_SUCCESS; @@ -706,7 +708,9 @@ unix_update_passwd(pam_handle_t *pamh, const char *forwho, const char *towhat) FILE *pwfile, *opwfile; int err = 1; int oldmask; +#ifdef WITH_SELINUX security_context_t prev_context=NULL; +#endif oldmask = umask(077); #ifdef WITH_SELINUX @@ -794,7 +798,7 @@ done: #ifdef HELPER_COMPILE helper_log_err( #else - pam_syslog(pamh, + pam_syslog(pamh, #endif LOG_NOTICE, "password changed for %s", forwho); else @@ -831,7 +835,9 @@ unix_update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) FILE *pwfile, *opwfile; int err = 1; int oldmask; +#ifdef WITH_SELINUX security_context_t prev_context=NULL; +#endif spwdent = getspnam(forwho); if (spwdent == NULL) { @@ -922,7 +928,7 @@ unix_update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat) #ifdef HELPER_COMPILE helper_log_err( #else - pam_syslog(pamh, + pam_syslog(pamh, #endif LOG_NOTICE, "password changed for %s", forwho); else 
@@ -1072,7 +1078,7 @@ read_passwords(int fd, int npass, char **passwords) } } offset += rbytes; - } + } /* clear up */ if (offset > 0 && npass > 0) { -- cgit v1.2.3 From 93852756cbb7f5f003c8ef82d306255ba99200f1 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 28 Jan 2008 14:50:21 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2008-01-28 Thorsten Kukuk * libpam/pam_audit.c: Include pam_modutil_private.h. * libpam/pam_item.c (pam_set_item): Fix compiler warning. * libpam/pam_end.c (pam_end): Cast to correct pointer type. * libpam/include/security/_pam_macros.h (_pam_overwrite_n): Use unsigned int. --- ChangeLog | 10 +++++++++- libpam/include/security/_pam_macros.h | 6 +++--- libpam/pam_audit.c | 3 ++- libpam/pam_end.c | 4 ++-- libpam/pam_item.c | 3 ++- 5 files changed, 18 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7b0e3bf9..0358a2fe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,12 @@ -2008-01-28 Thorsten Kukuk +2008-01-28 Thorsten Kukuk + + * libpam/pam_audit.c: Include pam_modutil_private.h. + + * libpam/pam_item.c (pam_set_item): Fix compiler warning. + + * libpam/pam_end.c (pam_end): Cast to correct pointer type. + * libpam/include/security/_pam_macros.h (_pam_overwrite_n): Use + unsigned int. * modules/pam_unix/passverify.c: Fix compiling without SELinux support. diff --git a/libpam/include/security/_pam_macros.h b/libpam/include/security/_pam_macros.h index 72aaf468..bd107cfb 100644 --- a/libpam/include/security/_pam_macros.h +++ b/libpam/include/security/_pam_macros.h @@ -28,7 +28,7 @@ do { \ #define _pam_overwrite_n(x,n) \ do { \ register char *__xx__; \ - register int __i__ = 0; \ + register unsigned int __i__ = 0; \ if ((__xx__=(x))) \ for (;__i__ */ -#include "pam_private.h" #include #include +#include "pam_private.h" +#include "pam_modutil_private.h" #ifdef HAVE_LIBAUDIT #include diff --git a/libpam/pam_end.c b/libpam/pam_end.c index f400c325..c96dc384 100644 
--- a/libpam/pam_end.c +++ b/libpam/pam_end.c @@ -78,9 +78,9 @@ int pam_end(pam_handle_t *pamh, int pam_status) _pam_overwrite(pamh->xauth.name); _pam_drop(pamh->xauth.name); - _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen); + _pam_overwrite_n(pamh->xauth.data, (unsigned int)pamh->xauth.datalen); _pam_drop(pamh->xauth.data); - _pam_overwrite_n(&pamh->xauth, sizeof(pamh->xauth)); + _pam_overwrite_n((char *)&pamh->xauth, sizeof(pamh->xauth)); /* and finally liberate the memory for the pam_handle structure */ diff --git a/libpam/pam_item.c b/libpam/pam_item.c index 41d90087..f1bd9725 100644 --- a/libpam/pam_item.c +++ b/libpam/pam_item.c @@ -148,7 +148,8 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) free(pamh->xauth.name); } if (pamh->xauth.datalen) { - _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen); + _pam_overwrite_n(pamh->xauth.data, + (unsigned int) pamh->xauth.datalen); free(pamh->xauth.data); } pamh->xauth = *((const struct pam_xauth_data *) item); -- cgit v1.2.3 From 7ac2dea8a4726532f775479a44fc4c80404980e2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 29 Jan 2008 15:09:29 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-01-29 Miloslav Trmac * modules/pam_tty_audit/README.xml: Add notes section. * modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns support and open_only option. Add notes. * modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add support for pattern matching and the open_only option. --- ChangeLog | 8 ++++++ modules/pam_tty_audit/README.xml | 5 ++++ modules/pam_tty_audit/pam_tty_audit.8.xml | 47 +++++++++++++++++++++++-------- modules/pam_tty_audit/pam_tty_audit.c | 42 +++++++++++++-------------- 4 files changed, 69 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0358a2fe..ff4a228e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,11 @@ +2008-01-29 Miloslav Trmac + + * modules/pam_tty_audit/README.xml: Add notes section. + * modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns + support and open_only option. Add notes. + * modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add + support for pattern matching and the open_only option. + 2008-01-28 Thorsten Kukuk * libpam/pam_audit.c: Include pam_modutil_private.h. diff --git a/modules/pam_tty_audit/README.xml b/modules/pam_tty_audit/README.xml index 85b27733..4dad6bbe 100644 --- a/modules/pam_tty_audit/README.xml +++ b/modules/pam_tty_audit/README.xml @@ -23,6 +23,11 @@ href="pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-options"]/*)'/> +
+ +
+
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index f65762ad..f6f0602f 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -19,10 +19,10 @@ pam_tty_audit.so - disable=usernames + disable=patterns - enable=usernames + enable=patterns @@ -40,27 +40,40 @@ - + - For each user matching one of comma-separated - , disable + For each user matching one of comma-separated glob + , disable TTY auditing. This overrides any previous - option for the same user name on the command line. + option matchin the same user name on the command line. - + - For each user matching one of comma-separated - , enable + For each user matching one of comma-separated glob + , enable TTY auditing. This overrides any previous - option for the same user name on the command line. + option matching the same user name on the command line. + + + + + + + + + + Set the TTY audit flag when opening the session, but do not restore + it when closing the session. Using this option is necessary for + some services that don't fork() to run the + authenticated session, such as sudo. @@ -99,12 +112,24 @@ + + NOTES + + When TTY auditing is enabled, it is inherited by all processes started by + that user. In particular, daemons restarted by an user will still have + TTY auditing enabled, and audit TTY input even by other users unless + auditing for these users is explicitly disabled. Therefore, it is + recommended to use as the first option for + most daemons using PAM. + + + EXAMPLES Audit all administrative actions. -session required pam_tty_audit.so enable=root +session required pam_tty_audit.so disable=* enable=root diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 5e6211bc..d57dbbe3 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c 
@@ -1,4 +1,4 @@ -/* Copyright © 2007 Red Hat, Inc. All rights reserved. +/* Copyright © 2007, 2008 Red Hat, Inc. All rights reserved. Red Hat author: Miloslav Trmač Redistribution and use in source and binary forms of Linux-PAM, with @@ -37,7 +37,7 @@ DAMAGE. */ #include -#include +#include #include #include #include @@ -200,9 +200,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) enum command command; struct audit_tty_status *old_status, new_status; const char *user; - uid_t user_uid; - struct passwd *pwd; - int i, fd; + int i, fd, open_only; (void)flags; @@ -211,15 +209,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) pam_syslog (pamh, LOG_ERR, "error determining target user's name"); return PAM_SESSION_ERR; } - pwd = pam_modutil_getpwnam (pamh, user); - if (pwd == NULL) - { - pam_syslog (pamh, LOG_ERR, "error determining target user's UID: %m"); - return PAM_SESSION_ERR; - } - user_uid = pwd->pw_uid; command = CMD_NONE; + open_only = 0; for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -235,13 +227,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; tok = strtok_r (NULL, ",", &tok_data)) { - pwd = pam_modutil_getpwnam (pamh, tok); - if (pwd == NULL) - { - pam_syslog (pamh, LOG_WARNING, "unknown user %s", tok); - continue; - } - if (pwd->pw_uid == user_uid) + if (fnmatch (tok, user, 0) == 0) { command = this_command; break; @@ -249,6 +235,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } free (copy); } + else if (strcmp (argv[i], "open_only") == 0) + open_only = 1; + else + { + pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); + return PAM_SESSION_ERR; + } } if (command == CMD_NONE) return PAM_SUCCESS; 
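Review bot: The `fnmatch (tok, user, 0)` test in the token loop matches the PAM user name only, whereas the removed code compared `pwd->pw_uid == user_uid`. A second account name that shares a UID with a listed user was covered by `enable=` before and is no longer covered unless a pattern names it, which matters for an audit control. The man page hunk in this commit does not mention this, so I would add a comment above the loop such as `/* Patterns match the PAM user name, not the UID; aliases sharing a UID need their own pattern. */` and a matching sentence in the NOTES section. pam_sm_open_session continues outside these hunks.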
@@ -269,13 +262,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SESSION_ERR; } - if (old_status->enabled == (command == CMD_ENABLE ? 1 : 0)) + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + if (old_status->enabled == new_status.enabled) { free (old_status); goto ok_fd; } - if (pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) + if (open_only == 0 + && pam_set_data (pamh, DATANAME, old_status, cleanup_old_status) != PAM_SUCCESS) { pam_syslog (pamh, LOG_ERR, "error saving old audit status"); @@ -284,13 +279,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SESSION_ERR; } - new_status.enabled = (command == CMD_ENABLE ? 1 : 0); if (nl_send (fd, AUDIT_TTY_SET, NLM_F_ACK, &new_status, sizeof (new_status)) != 0 || nl_recv_ack (fd) != 0) { pam_syslog (pamh, LOG_ERR, "error setting current audit status: %m"); close (fd); + if (open_only != 0) + free (old_status); return PAM_SESSION_ERR; } /* Fall through */ @@ -298,6 +294,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) close (fd); pam_syslog (pamh, LOG_DEBUG, "changed status from %d to %d", old_status->enabled, new_status.enabled); + if (open_only != 0) + free (old_status); return PAM_SUCCESS; } -- cgit v1.2.3 From 538dad819245deb53f1d55109130dce2199c6730 Mon Sep 17 00:00:00 2001 
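Review bot: When the current status already equals the requested one and open_only is set, old_status is freed twice: the unchanged branch in the first hunk does `free (old_status); goto ok_fd;`, and the lines added in the last hunk free it again after the log call. That log call also reads `old_status->enabled` after the first free, whether or not open_only is set. This assumes the `ok_fd:` label sits just above the `close (fd);` context line, which the hunks do not show. Replacing the early free with `open_only = 1; /* old_status is released after the log line */` before `goto ok_fd;` leaves exactly one free on every path.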
From: Tomas Mraz Date: Tue, 29 Jan 2008 15:38:34 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-01-29 Tomas Mraz * configure.in: Test for setkeycreatecon needs libselinux. Add new module pam_sepermit. * modules/Makefile.am: Add new module pam_sepermit. * modules/pam_sepermit/.cvsignore: New file. * modules/pam_sepermit/Makefile.am: Likewise. * modules/pam_sepermit/README.xml: Likewise. * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_sepermit/sepermit.conf: Likewise. * modules/pam_sepermit/tst-pam_sepermit: Likewise. * doc/sag/pam_sepermit.xml: Likewise. * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG. --- ChangeLog | 16 ++ NEWS | 2 + configure.in | 8 +- doc/sag/pam_sepermit.xml | 38 +++ doc/sag/pam_tty_audit.xml | 38 +++ modules/pam_sepermit/.cvsignore | 10 + modules/pam_sepermit/Makefile.am | 43 ++++ modules/pam_sepermit/README.xml | 41 ++++ modules/pam_sepermit/pam_sepermit.8.xml | 189 +++++++++++++++ modules/pam_sepermit/pam_sepermit.c | 405 ++++++++++++++++++++++++++++++++ modules/pam_sepermit/sepermit.conf | 11 + modules/pam_sepermit/tst-pam_sepermit | 2 + 12 files changed, 802 insertions(+), 1 deletion(-) create mode 100644 doc/sag/pam_sepermit.xml create mode 100644 doc/sag/pam_tty_audit.xml create mode 100644 modules/pam_sepermit/.cvsignore create mode 100644 modules/pam_sepermit/Makefile.am create mode 100644 modules/pam_sepermit/README.xml create mode 100644 modules/pam_sepermit/pam_sepermit.8.xml create mode 100644 modules/pam_sepermit/pam_sepermit.c create mode 100644 modules/pam_sepermit/sepermit.conf create mode 100755 modules/pam_sepermit/tst-pam_sepermit diff --git a/ChangeLog b/ChangeLog index ff4a228e..86adc731 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,19 @@ +2008-01-29 Tomas Mraz + + * configure.in: Test for setkeycreatecon needs libselinux. + Add new module pam_sepermit. + * modules/Makefile.am: Add new module pam_sepermit. + * modules/pam_sepermit/.cvsignore: New file. + * modules/pam_sepermit/Makefile.am: Likewise. + * modules/pam_sepermit/README.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.8.xml: Likewise. + * modules/pam_sepermit/pam_sepermit.c: Likewise. + * modules/pam_sepermit/sepermit.conf: Likewise. + * modules/pam_sepermit/tst-pam_sepermit: Likewise. + * doc/sag/pam_sepermit.xml: Likewise. + + * doc/sag/pam_tty_audit.xml: Add pam_tty_audit to SAG. + 2008-01-29 Miloslav Trmac * modules/pam_tty_audit/README.xml: Add notes section. diff --git a/NEWS b/NEWS index 44e93d5a..edd84e38 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,8 @@ Linux-PAM NEWS -- history of user-visible changes. and number of sessions (pam_limits) to the Linux audit subsystem. * Support sha256 and sha512 algorithms in pam_unix when they are supported by crypt(). +* New pam_sepermit.so module for allowing/rejecting access based on + SELinux mode. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/configure.in b/configure.in index cd92f80a..90349a14 100644 --- a/configure.in +++ b/configure.in @@ -393,6 +393,7 @@ AC_SUBST(LIBDB) AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"]) AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="") +BACKUP_LIBS=$LIBS LIBS="$LIBS $LIBNSL" AC_CHECK_FUNCS(yp_get_default_domain) LIBS=$BACKUP_LIBS @@ -410,6 +411,10 @@ AC_SUBST(LIBSELINUX) AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"]) if test ! -z "$LIBSELINUX" ; then AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in]) + BACKUP_LIBS=$LIBS + LIBS="$LIBS $LIBSELINUX" + AC_CHECK_FUNCS(setkeycreatecon) + LIBS=$BACKUP_LIBS fi dnl Checks for header files. 
@@ -442,7 +447,7 @@ AC_CHECK_FUNCS(fseeko gethostname gettimeofday lckpwdf mkdir select) AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) AC_CHECK_FUNCS(getgrouplist getline getdelim) -AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon) +AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af) AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) @@ -531,6 +536,7 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \ modules/pam_rhosts/Makefile \ modules/pam_rootok/Makefile modules/pam_exec/Makefile \ modules/pam_securetty/Makefile modules/pam_selinux/Makefile \ + modules/pam_sepermit/Makefile \ modules/pam_shells/Makefile modules/pam_stress/Makefile \ modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \ modules/pam_time/Makefile modules/pam_tty_audit/Makefile \ diff --git a/doc/sag/pam_sepermit.xml b/doc/sag/pam_sepermit.xml new file mode 100644 index 00000000..6ef9e0f8 --- /dev/null +++ b/doc/sag/pam_sepermit.xml @@ -0,0 +1,38 @@ + + +
+ pam_sepermit - allow/reject access based on SELinux mode + + + +
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
diff --git a/doc/sag/pam_tty_audit.xml b/doc/sag/pam_tty_audit.xml new file mode 100644 index 00000000..55e73862 --- /dev/null +++ b/doc/sag/pam_tty_audit.xml @@ -0,0 +1,38 @@ + + +
+ pam_tty_audit - enable/disable tty auditing + + + +
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
diff --git a/modules/pam_sepermit/.cvsignore b/modules/pam_sepermit/.cvsignore new file mode 100644 index 00000000..258e7207 --- /dev/null +++ b/modules/pam_sepermit/.cvsignore @@ -0,0 +1,10 @@ +*.la +*.lo +*.so +*~ +.deps +.libs +Makefile +Makefile.in +README +pam_sepermit.8 diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am new file mode 100644 index 00000000..09a60a3a --- /dev/null +++ b/modules/pam_sepermit/Makefile.am @@ -0,0 +1,43 @@ +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk +# Copyright (c) 2008 Red Hat, Inc. +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit + +if HAVE_LIBSELINUX + TESTS = tst-pam_sepermit + man_MANS = pam_sepermit.8 +endif + +XMLS = README.xml pam_sepermit.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +sepermitlockdir = /var/run/sepermit + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include \ + -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ + -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" + +pam_sepermit_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module +if HAVE_VERSIONING + pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +secureconf_DATA = sepermit.conf +sepermitlock_DATA = + +if HAVE_LIBSELINUX + securelib_LTLIBRARIES = pam_sepermit.la +endif +if ENABLE_REGENERATE_MAN +noinst_DATA = README pam_sepermit.8 +README: pam_sepermit.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_sepermit/README.xml b/modules/pam_sepermit/README.xml new file mode 100644 index 00000000..bb65951c --- /dev/null +++ b/modules/pam_sepermit/README.xml @@ -0,0 +1,41 @@ + + +--> +]> + +
+ + + + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_sepermit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_sepermit-name"]/*)'/> + + + + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml new file mode 100644 index 00000000..c2546b62 --- /dev/null +++ b/modules/pam_sepermit/pam_sepermit.8.xml 
@@ -0,0 +1,189 @@ + + + + + + + pam_sepermit + 8 + Linux-PAM Manual + + + + pam_sepermit + PAM module to allow/deny login depending on SELinux enforcement state + + + + + pam_sepermit.so + + debug + + + conf=/path/to/config/file + + + + + + DESCRIPTION + + The pam_sepermit module allows or denies login depending on SELinux + enforcement state. + + + When the user which is logging in matches an entry in the config file + he is allowed access only when the SELinux is in enforcing mode. Otherwise + he is denied access. For users not matching any entry in the config file + the pam_sepermit module returns PAM_IGNORE return value. + + + The config file contains a simple list of user names one per line. If the + name is prefixed with @ character it means that all + users in the group name match. If it is prefixed + with a % character the SELinux user is used to match against the name + instead of the account name. Note that when SELinux is disabled the + SELinux user assigned to the account cannot be determined. This means that + such entries are never matched when SELinux is disabled and pam_sepermit + will return PAM_IGNORE. + + + Each user name in the configuration file can have optional arguments separated + by : character. The only currently recognized argument is exclusive. + The pam_sepermit module will allow only single concurrent user session for + the user with this argument specified and it will attempt to kill all processes + of the user after logout. + + + + + OPTIONS + + + + + + + + Turns on debugging via + + syslog3 + . + + + + + + + + + + Path to alternative config file overriding the default. + + + + + + + + MODULE SERVICES PROVIDED + + Only the and + services are supported. + + + + + RETURN VALUES + + + PAM_AUTH_ERR + + + SELinux is disabled or in the permissive mode and the user + matches. + + + + + PAM_SUCCESS + + + SELinux is in the enforcing mode and the user matches. + + + + + PAM_IGNORE + + + The user does not match any entry in the config file. 
+ + + + + PAM_USER_UNKNOWN + + + The module was unable to determine the user's name. + + + + + PAM_SERVICE_ERR + + + Error during reading or parsing the config file. + + + + + + + + FILES + + + /etc/security/sepermit.conf + + Default configuration file + + + + + + + EXAMPLES + +auth [success=done ignore=ignore default=bad] pam_sepermit.so +auth required pam_unix.so +account required pam_unix.so +session required pam_permit.so + + + + + SEE ALSO + + + pam.conf5 + , + + pam.d8 + , + + pam8 + + + + + + AUTHOR + + pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + + + + diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c new file mode 100644 index 00000000..377fc2c5 --- /dev/null +++ b/modules/pam_sepermit/pam_sepermit.c 
@@ -0,0 +1,405 @@ +/****************************************************************************** + * A module for Linux-PAM that allows/denies acces based on SELinux state. + * + * Copyright (c) 2007, 2008 Red Hat, Inc. + * Originally written by Tomas Mraz + * Contributions by Dan Walsh + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT + +#include +#include +#include +#include + +#include + +#define MODULE "pam_sepermit" +#define OPT_DELIM ":" + +struct lockfd { + uid_t uid; + int fd; + int debug; +}; + +#define PROC_BASE "/proc" +#define MAX_NAMES (int)(sizeof(unsigned long)*8) + +static int +match_process_uid(pid_t pid, uid_t uid) +{ + char buf[128]; + uid_t puid; + FILE *f; + int re = 0; + + snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid); + if (!(f = fopen (buf, "r"))) + return 0; + + while (fgets(buf, sizeof buf, f)) { + if (sscanf (buf, "Uid:\t%d", &puid)) { + re = uid == puid; + break; + } + } + fclose(f); + return re; +} + +static int +check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug) +{ + DIR *dir; + struct dirent *de; + pid_t *pid_table, pid, self; + int i; + int pids, max_pids; + int running = 0; + self = getpid(); + if (!(dir = opendir(PROC_BASE))) { + pam_syslog(pamh, LOG_ERR, "Failed to open proc directory file %s:", PROC_BASE); + return -1; + } + max_pids = 256; + pid_table = malloc(max_pids * sizeof (pid_t)); + if (!pid_table) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + pids = 0; + while ((de = readdir (dir)) != NULL) { + if (!(pid = (pid_t)atoi(de->d_name)) || pid == self) + continue; 
+ + if (pids == max_pids) { + if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) { + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + max_pids *= 2; + } + pid_table[pids++] = pid; + } + + (void)closedir(dir); + + for (i = 0; i < pids; i++) { + pid_t id; + + if (match_process_uid(pid_table[i], uid) == 0) + continue; + id = pid_table[i]; + + if (killall) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Attempting to kill %d", id); + kill(id, SIGKILL); + } + running++; + } + + free(pid_table); + return running; +} + +static void +sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED) +{ + struct lockfd *lockfd = plockfd; + struct flock fl; + + memset(&fl, 0, sizeof(fl)); + fl.l_type = F_UNLCK; + fl.l_whence = SEEK_SET; + + if (lockfd->debug) + pam_syslog(pamh, LOG_ERR, "Unlocking fd: %d uid: %d", lockfd->fd, lockfd->uid); + + /* Don't kill uid==0 */ + if (lockfd->uid) + /* This is a DOS but it prevents an app from forking to prevent killing */ + while(check_running(pamh, lockfd->uid, 1, lockfd->debug) > 0) + continue; + + fcntl(lockfd->fd, F_SETLK, &fl); + close(lockfd->fd); + free(lockfd); +} + +static int +sepermit_lock(pam_handle_t *pamh, const char *user, int debug) +{ + char buf[PATH_MAX]; + struct flock fl; + + memset(&fl, 0, sizeof(fl)); + fl.l_type = F_WRLCK; + fl.l_whence = SEEK_SET; + + struct passwd *pw = pam_modutil_getpwnam( pamh, user ); + if (!pw) { + pam_syslog(pamh, LOG_ERR, "Unable to find uid for user %s", user); + return -1; + } + if (check_running(pamh, pw->pw_uid, 0, debug) > 0) { + pam_syslog(pamh, LOG_ERR, "User %s processes are running. 
Exclusive login not allowed", user); + return -1; + } + + snprintf(buf, sizeof(buf), "%s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); + int fd = open(buf, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR); + if (fd < 0) { + pam_syslog(pamh, LOG_ERR, "Unable to open lock file %s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid); + return -1; + } + + if (fcntl(fd, F_SETLK, &fl) == -1) { + pam_syslog(pamh, LOG_ERR, "User %s with exclusive login already logged in", user); + close(fd); + return -1; + } + struct lockfd *lockfd=calloc(1, sizeof(struct lockfd)); + if (!lockfd) { + close(fd); + pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + lockfd->uid = pw->pw_uid; + lockfd->debug = debug; + lockfd->fd=fd; + pam_set_data(pamh, MODULE, lockfd, sepermit_unlock); + return 0; +} + +/* return 0 when matched, -1 when unmatched, pam error otherwise */ +static int +sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, + const char *seuser, int debug) +{ + FILE *f; + char *line = NULL; + char *start; + size_t len = 0; + int matched = 0; + int exclusive = 0; + + f = fopen(cfgfile, "r"); + + if (!f) { + pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile); + return PAM_SERVICE_ERR; + } + + while (!matched && getline(&line, &len, f) != -1) { + size_t n; + char *sptr; + char *opt; + + if (line[0] == '#') + continue; + + start = line; + while (isspace(*start)) + ++start; + n = strlen(start); + while (n > 0 && isspace(start[n-1])) { + --n; + } + if (n == 0) + continue; + + start[n] = '\0'; + start = strtok_r(start, OPT_DELIM, &sptr); + + switch (start[0]) { + case '@': + ++start; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start); + if (pam_modutil_user_in_group_nam_nam(pamh, user, start)) { + matched = 1; + } + break; + case '%': + ++start; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start); + if (strcmp(seuser, start) == 0) { + matched = 1; + } + break; + 
default: + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against user %s", user, start); + if (strcmp(user, start) == 0) { + matched = 1; + } + } + if (matched) + while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) { + if (strcmp(opt, "exclusive") == 0) + exclusive = 1; + else if (debug) { + pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt); + } + } + } + + free(line); + fclose(f); + if (matched) + return exclusive ? sepermit_lock(pamh, user, debug) : 0; + else + return -1; +} + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i; + int rv; + int debug = 0; + int sense = PAM_AUTH_ERR; + const char *user = NULL; + char *seuser = NULL; + char *level = NULL; + const char *cfgfile = SEPERMIT_CONF_FILE; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "conf=") == 0) { + cfgfile = argv[i] + 5; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); + + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + || *user == '\0') { + pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); + return PAM_USER_UNKNOWN; + } + + if (is_selinux_enabled() > 0) { + if (security_getenforce() == 1) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match"); + sense = PAM_SUCCESS; + } + + if (getseuserbyname(user, &seuser, &level) != 0) { + seuser = NULL; + level = NULL; + pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m"); + } + } + + if (debug && sense != PAM_SUCCESS) + pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match"); + + rv = sepermit_match(pamh, cfgfile, user, seuser, debug); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv); + + free(seuser); + free(level); + + switch (rv) { + case -1: + return PAM_IGNORE; + case 0: + return sense; + } + + return rv; +} + 
+PAM_EXTERN int +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_IGNORE; +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return pam_sm_authenticate(pamh, flags, argc, argv); +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_access_modstruct = { + "pam_sepermit", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + NULL, + NULL, + NULL +}; +#endif + diff --git a/modules/pam_sepermit/sepermit.conf b/modules/pam_sepermit/sepermit.conf new file mode 100644 index 00000000..951f3dfe --- /dev/null +++ b/modules/pam_sepermit/sepermit.conf @@ -0,0 +1,11 @@ +# /etc/security/sepermit.conf +# +# Each line contains either: +# - an user name +# - a group name, with @group syntax +# - a SELinux user name, with %seuser syntax +# Each line can contain optional arguments separated by : +# The possible arguments are: +# - exclusive - only single login session will +# be allowed for the user and the user's processes +# will be killed on logout diff --git a/modules/pam_sepermit/tst-pam_sepermit b/modules/pam_sepermit/tst-pam_sepermit new file mode 100755 index 00000000..6e6d2363 --- /dev/null +++ b/modules/pam_sepermit/tst-pam_sepermit @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_sepermit.so -- cgit v1.2.3 From 2535f925c1a6049e5ad9ee4f313bcaa79131932b Mon Sep 17 00:00:00 2001 
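Review bot: The `%` case in sepermit_match calls `strcmp(seuser, start)`, but pam_sm_authenticate leaves seuser NULL when SELinux is not enabled or getseuserbyname fails, so a `%name` entry in the config file leads to a NULL dereference instead of the "never matched" behaviour the man page describes. Guard it with `if (seuser != NULL && strcmp(seuser, start) == 0) {`. Separately, the option parser tests `strcmp(argv[i], "conf=") == 0`, which only matches a bare `conf=`, so `conf=/path` is ignored and the default file is used; `strncmp(argv[i], "conf=", 5) == 0` is what the `+ 5` offset implies. check_running also returns on both allocation-failure paths without `closedir(dir)`, and the realloc path overwrites pid_table, losing the original block.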
From: Tomas Mraz Date: Fri, 1 Feb 2008 16:22:23 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-02-01 Tomas Mraz * modules/pam_namespace/namespace.conf.5.xml: Add documentation for tmpfs and tmpdir polyinst and for ~ user list modifier. * modules/pam_namespace/namespace.init: Add documentation for the new init parameter. Add home directory initialization script. * modules/pam_namespace/pam_namespace.8.xml: Document the new init parameter of the namespace.init script. * modules/pam_namespace/pam_namespace.c(copy_ent): Copy exclusive flag. (cleanup_data): New function. (process_line): Set exclusive flag. Add tmpfs and tmpdir methods. (ns_override): Change behavior on the exclusive flag. (poly_name): Process tmpfs and tmpdir methods. (inst_init): Add flag for new directory initialization. (create_dirs): Process the tmpdir method, add the new directory flag. (ns_setup): Remove unused code. Process the tmpfs method. (cleanup_tmpdirs): New function. (setup_namespace): Set data for proper cleanup. Cleanup the tmpdirs on failures. (pam_sm_close_session): Instead of parsing the config file again use the previously set data for cleanup. * modules/pam_namespace/pam_namespace.h: Add TMPFS and TMPDIR methods and exclusive flag. --- ChangeLog | 25 ++++ NEWS | 1 + modules/pam_namespace/namespace.conf.5.xml | 12 +- modules/pam_namespace/namespace.init | 40 +++--- modules/pam_namespace/pam_namespace.8.xml | 4 +- modules/pam_namespace/pam_namespace.c | 211 ++++++++++++++++++++++------- modules/pam_namespace/pam_namespace.h | 4 + 7 files changed, 224 insertions(+), 73 deletions(-) diff --git a/ChangeLog b/ChangeLog index 86adc731..f42dd1d3 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,28 @@ +2008-02-01 Tomas Mraz + + * modules/pam_namespace/namespace.conf.5.xml: Add documentation for + tmpfs and tmpdir polyinst and for ~ user list modifier. + * modules/pam_namespace/namespace.init: Add documentation for the + new init parameter. Add home directory initialization script. + * modules/pam_namespace/pam_namespace.8.xml: Document the new + init parameter of the namespace.init script. + * modules/pam_namespace/pam_namespace.c(copy_ent): Copy exclusive flag. + (cleanup_data): New function. + (process_line): Set exclusive flag. Add tmpfs and tmpdir methods. + (ns_override): Change behavior on the exclusive flag. + (poly_name): Process tmpfs and tmpdir methods. + (inst_init): Add flag for new directory initialization. + (create_dirs): Process the tmpdir method, add the new directory + flag. + (ns_setup): Remove unused code. Process the tmpfs method. + (cleanup_tmpdirs): New function. + (setup_namespace): Set data for proper cleanup. Cleanup the tmpdirs + on failures. + (pam_sm_close_session): Instead of parsing the config file again use + the previously set data for cleanup. + * modules/pam_namespace/pam_namespace.h: Add TMPFS and TMPDIR methods + and exclusive flag. + 2008-01-29 Tomas Mraz * configure.in: Test for setkeycreatecon needs libselinux. diff --git a/NEWS b/NEWS index edd84e38..6ba96793 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,7 @@ Linux-PAM NEWS -- history of user-visible changes. by crypt(). * New pam_sepermit.so module for allowing/rejecting access based on SELinux mode. +* Improved functionality of pam_namespace.so module. Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index db48cdcb..9fbefc49 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml 
@@ -72,10 +72,13 @@ The third field, method, is the method - used for polyinstantiation. It can take 3 different values; "user" + used for polyinstantiation. It can take these values; "user" for polyinstantiation based on user name, "level" for - polyinstantiation based on process MLS level and user name, and "context" for - polyinstantiation based on process security context and user name + polyinstantiation based on process MLS level and user name, "context" for + polyinstantiation based on process security context and user name, + "tmpfs" for mounting tmpfs filesystem as an instance dir, and + "tmpdir" for creating temporary directory as an instance dir which is + removed when the user's session is closed. Methods "context" and "level" are only available with SELinux. This field cannot be blank. @@ -84,7 +87,8 @@ The fourth field, list_of_uids, is a comma separated list of user names for whom the polyinstantiation is not performed. If left blank, polyinstantiation will be performed - for all users. + for all users. If the list is preceded with a single "~" character, + polyinstantiation is performed only for users in the list. diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init index 0e9be68f..424c6d0c 100755 --- a/modules/pam_namespace/namespace.init +++ b/modules/pam_namespace/namespace.init 
@@ -1,24 +1,24 @@ #!/bin/sh -p -# This is only a boilerplate for the instance initialization script. -# It receives polydir path as $1 and the instance path as $2. +# It receives polydir path as $1, the instance path as $2, +# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, +# and user name in $4. # -# If you intend to polyinstantiate /tmp and you also want to use the X windows -# environment, you will have to use this script to bind mount the socket that -# is used by the X server to communicate with its clients. X server places -# this socket in /tmp/.X11-unix directory, which will get obscured by -# polyinstantiation. Uncommenting the following lines will bind mount -# the relevant directory at an alternative location (/.tmp/.X11-unix) such -# that the X server, window manager and X clients, can still find the -# socket X0 at the polyinstanted /tmp/.X11-unix. -# -#if [ $1 = /tmp ]; then -# if [ ! -f /.tmp/.X11-unix ]; then -# mkdir -p /.tmp/.X11-unix -# fi -# mount --bind /tmp/.X11-unix /.tmp/.X11-unix -# cp -fp -- /tmp/.X0-lock "$2/.X0-lock" -# mkdir -- "$2/.X11-unix" -# ln -fs -- /.tmp/.X11-unix/X0 "$2/.X11-unix/X0" -#fi +# The following section will copy the contents of /etc/skel if this is a +# newly created home directory. +if [ "$3" = 1 ]; then + # This line will fix the labeling on all newly created directories + [ -x /sbin/restorecon ] && /sbin/restorecon "$1" + user="$4" + passwd=$(getent passwd "$user") + homedir=$(echo "$passwd" | cut -f6 -d":") + if [ "$1" = "$homedir" ]; then + gid=$(echo "$passwd" | cut -f4 -d":") + cp -rT /etc/skel "$homedir" + chown -R "$user":"$gid" "$homedir" + mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs) + chmod ${mode:-700} "$homedir" + [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" + fi +fi exit 0 
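Review bot: The mode calculation inside the `if [ "$3" = 1 ]` branch depends on `and()`, `compl()` and `strtonum()`, which are gawk extensions, and its result reaches `chmod` unquoted. Under another awk the command substitution is presumably empty, so the script silently falls back to 700 and the UMASK from /etc/login.defs is ignored without any trace. I would add a comment such as `# needs gawk (and/compl/strtonum); any other awk falls back to mode 700` above the awk line and quote the expansion: `chmod "${mode:-700}" "$homedir"`. Since the script copies and recursively chowns files during session setup, the header comment should also state which privileges it is expected to run with.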
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index e1b307ae..f47bb81b 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -60,7 +60,9 @@ script /etc/security/namespace.init exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated - directory path and the instance directory path as its arguments. + directory path, the instance directory path, flag whether the instance + directory was newly created (0 for no, 1 for yes), and the user name + as its arguments. diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index d3612f59..a47b0698 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -43,6 +43,7 @@ static int copy_ent(const struct polydir_s *ent, struct polydir_s *pent) strcpy(pent->instance_prefix, ent->instance_prefix); pent->method = ent->method; pent->num_uids = ent->num_uids; + pent->exclusive = ent->exclusive; if (ent->num_uids) { uid_t *pptr, *eptr; @@ -120,6 +121,10 @@ static void del_polydir_list(struct polydir_s *polydirs_ptr) } } +static void cleanup_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) +{ + del_polydir_list(data); +} /* * Called from parse_config_file, this function processes a single line @@ -140,6 +145,7 @@ static int process_line(char *line, const char *home, poly.uid = NULL; poly.num_uids = 0; + poly.exclusive = 0; /* * skip the leading white space 
@@ -222,18 +228,6 @@ static int process_line(char *line, const char *home, instance_prefix = expanded; } - /* - * Ensure that all pathnames are absolute path names. - */ - if ((dir[0] != '/') || (instance_prefix[0] != '/')) { - pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must start with '/'"); - goto skipping; - } - if (strstr(dir, "..") || strstr(instance_prefix, "..")) { - pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must not contain '..'"); - goto skipping; - } - /* * Populate polyinstantiated directory structure with appropriate * pathnames and the method with which to polyinstantiate. @@ -241,6 +235,7 @@ static int process_line(char *line, const char *home, if (strlen(dir) >= sizeof(poly.dir) || strlen(instance_prefix) >= sizeof(poly.instance_prefix)) { pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; } strcpy(poly.dir, dir); strcpy(poly.instance_prefix, instance_prefix); @@ -248,6 +243,18 @@ static int process_line(char *line, const char *home, poly.method = NONE; if (strcmp(method, "user") == 0) poly.method = USER; + + if (strcmp(method, "tmpdir") == 0) { + poly.method = TMPDIR; + if (sizeof(poly.instance_prefix) - strlen(poly.instance_prefix) < 7) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; + } + strcat(poly.instance_prefix, "XXXXXX"); + } + + if (strcmp(method, "tmpfs") == 0) + poly.method = TMPFS; #ifdef WITH_SELINUX if (strcmp(method, "level") == 0) { 
@@ -266,11 +273,23 @@ static int process_line(char *line, const char *home, #endif - if ( poly.method == NONE) { + if (poly.method == NONE) { pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method"); goto skipping; } + /* + * Ensure that all pathnames are absolute path names. + */ + if ((dir[0] != '/') || (poly.method != TMPFS && instance_prefix[0] != '/')) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must start with '/'"); + goto skipping; + } + if (strstr(dir, "..") || strstr(instance_prefix, "..")) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must not contain '..'"); + goto skipping; + } + /* * If the line in namespace.conf for a directory to polyinstantiate * contains a list of override users (users for whom polyinstantiation @@ -281,7 +300,11 @@ static int process_line(char *line, const char *home, uid_t *uidptr; const char *ustr, *sstr; int count, i; - + + if (*uids == '~') { + poly.exclusive = 1; + uids++; + } for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) sstr = strchr(ustr, ','); @@ -419,6 +442,7 @@ static int parse_config_file(struct instance_data *idata) * directory's list of override uids. If the uid is one of the override * uids for the polyinstantiated directory, polyinstantiation is not * performed for that user for that directory. + * If exclusive is set the returned values are opposite. */ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, uid_t uid) @@ -432,11 +456,11 @@ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, for (i = 0; i < polyptr->num_uids; i++) { if (uid == polyptr->uid[i]) { - return 1; + return !polyptr->exclusive; } } - return 0; + return polyptr->exclusive; } /* 
@@ -623,6 +647,12 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, #endif /* WITH_SELINUX */ + case TMPDIR: + case TMPFS: + if ((*i_name=strdup("")) == NULL) + goto fail; + return PAM_SUCCESS; + default: if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); @@ -643,7 +673,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, hash = NULL; } else { char *newname; - if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash), + if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash), *i_name, hash) < 0) { goto fail; } @@ -726,8 +756,8 @@ static int check_inst_parent(char *ipath, struct instance_data *idata) * execute it and pass directory to polyinstantiate and instance * directory as arguments. */ -static int inst_init(const struct polydir_s *polyptr, char *ipath, - struct instance_data *idata) +static int inst_init(const struct polydir_s *polyptr, const char *ipath, + struct instance_data *idata, int newdir) { pid_t rc, pid; sighandler_t osighand = NULL; @@ -757,7 +787,7 @@ static int inst_init(const struct polydir_s *polyptr, char *ipath, } #endif if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT, - polyptr->dir, ipath, (char *)NULL) < 0) + polyptr->dir, ipath, newdir?"1":"0", idata->user, (char *)NULL) < 0) exit(1); } else if (pid > 0) { while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && 
@@ -792,16 +822,17 @@ out: * Create polyinstantiated instance directory (ipath). */ #ifdef WITH_SELINUX -static int create_dirs(const struct polydir_s *polyptr, char *ipath, +static int create_dirs(struct polydir_s *polyptr, char *ipath, security_context_t icontext, security_context_t ocontext, struct instance_data *idata) #else -static int create_dirs(const struct polydir_s *polyptr, char *ipath, +static int create_dirs(struct polydir_s *polyptr, char *ipath, struct instance_data *idata) #endif { struct stat statbuf, newstatbuf; int rc, fd; + int newdir = 0; /* * stat the directory to polyinstantiate, so its owner-group-mode @@ -835,7 +866,17 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath, * attributes to match that of the original directory that is being * polyinstantiated. */ - if (mkdir(ipath, S_IRUSR) < 0) { + + if (polyptr->method == TMPDIR) { + if (mkdtemp(polyptr->instance_prefix) == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m", + polyptr->instance_prefix); + polyptr->method = NONE; /* do not clean up! */ + return PAM_SESSION_ERR; + } + /* copy the actual directory name to ipath */ + strcpy(ipath, polyptr->instance_prefix); + } else if (mkdir(ipath, S_IRUSR) < 0) { if (errno == EEXIST) goto inst_init; else { @@ -845,6 +886,7 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath, } } + newdir = 1; /* Open a descriptor to it to prevent races */ fd = open(ipath, O_DIRECTORY | O_RDONLY); if (fd < 0) { @@ -909,7 +951,7 @@ static int create_dirs(const struct polydir_s *polyptr, char *ipath, */ inst_init: - rc = inst_init(polyptr, ipath, idata); + rc = inst_init(polyptr, ipath, idata, newdir); return rc; } 
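Review bot: In the TMPDIR branch of the second hunk, `strcpy(ipath, polyptr->instance_prefix)` writes into a caller-owned buffer whose size is not visible here; it is only safe if ipath was formatted from the same template, so that the expanded name has exactly the same length. create_dirs starts and ends outside these hunks and ipath is allocated by the caller, so this cannot be confirmed from the diff. Please state the invariant next to the copy, e.g. `/* ipath was built from instance_prefix plus an empty instance name, so both strings have the same length */`, or pass the buffer length in and check it before copying. The function comment should also say that create_dirs now modifies *polyptr (mkdtemp() rewrites instance_prefix in place and method is reset to NONE on failure), which is why the const qualifier was dropped.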
@@ -921,13 +963,12 @@ inst_init: * security attributes, and performs bind mount to setup the process * namespace. */ -static int ns_setup(const struct polydir_s *polyptr, +static int ns_setup(struct polydir_s *polyptr, struct instance_data *idata) { int retval = 0; char *inst_dir = NULL; char *instname = NULL; - char *dir; #ifdef WITH_SELINUX security_context_t instcontext = NULL, origcontext = NULL; #endif @@ -936,9 +977,15 @@ static int ns_setup(const struct polydir_s *polyptr, pam_syslog(idata->pamh, LOG_DEBUG, "Set namespace for directory %s", polyptr->dir); - dir = strrchr(polyptr->dir, '/'); - if (dir && strlen(dir) > 1) - dir++; + if (polyptr->method == TMPFS) { + if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", + polyptr->dir); + return PAM_SESSION_ERR; + } + /* we must call inst_init after the mount in this case */ + return inst_init(polyptr, "tmpfs", idata, 1); + } /* * Obtain the name of instance pathname based on the 
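Review bot: The new TMPFS branch in the second hunk calls `mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL)` with no mount flags and no data options, so the per-session filesystem gets the kernel defaults: setuid bits and device nodes are honoured, and the size limit is the tmpfs default rather than a value the administrator chose. For a user-writable polyinstantiated directory I would pass at least `MS_NOSUID | MS_NODEV` as the flags argument and consider taking a size option from the configuration. The branch also returns before the rest of ns_setup, so whatever checks the function applies to polyptr->dir further down (outside this hunk) are skipped for tmpfs; if that is intended, a comment should say so. The literal `"tmpfs"` handed to inst_init ends up as `$2` of the init script and deserves a line in that script's header comment.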
@@ -1044,6 +1091,58 @@ static int cwd_in(char *dir, struct instance_data *idata) return retval; } +static int cleanup_tmpdirs(struct instance_data *idata) +{ + struct polydir_s *pptr; + pid_t rc, pid; + sighandler_t osighand = NULL; + int status; + + osighand = signal(SIGCHLD, SIG_DFL); + if (osighand == SIG_ERR) { + pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value"); + rc = PAM_SESSION_ERR; + goto out; + } + + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { + if (pptr->method == TMPDIR && access(pptr->instance_prefix, F_OK) == 0) { + pid = fork(); + if (pid == 0) { +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + if (setexeccon(NULL) < 0) + exit(1); + } +#endif + if (execl("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, (char *)NULL) < 0) + exit(1); + } else if (pid > 0) { + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && + (errno == EINTR)); + if (rc == (pid_t)-1) { + pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m"); + rc = PAM_SESSION_ERR; + goto out; + } + if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error removing %s", pptr->instance_prefix); + } + } else if (pid < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Cannot fork to run namespace init script, %m"); + rc = PAM_SESSION_ERR; + goto out; + } + } + } + + rc = PAM_SUCCESS; +out: + signal(SIGCHLD, osighand); + return rc; +} /* * This function checks to see if polyinstantiation is needed for any 
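Review bot: cleanup_tmpdirs only logs a failed removal when the child did not exit normally: `!WIFEXITED(status) || WIFSIGNALED(status) > 0` never looks at the exit code, so `/bin/rm` exiting non-zero leaves the temporary instance directory behind without a log entry. The test should be `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)`. The fork-failure message still reads "Cannot fork to run namespace init script", which looks copied from inst_init; `"Cannot fork to remove %s, %m"` with pptr->instance_prefix would describe what actually failed. Entries for which mkdtemp() never ran (presumably users skipped by ns_override, or a setup that failed on an earlier entry) still hold the literal `XXXXXX` template in instance_prefix, so the `access()` test would let `rm -rf` run on a directory of that literal name if one exists; a per-entry "created" flag set after mkdtemp() succeeds would avoid that.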
@@ -1112,13 +1211,22 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) * disassociate from the parent namespace. */ if (need_poly) { + if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, + cleanup_data) != PAM_SUCCESS) { + pam_syslog(idata->pamh, LOG_ERR, + "Unable to set namespace data"); + return PAM_SYSTEM_ERR; + } if (unshare(CLONE_NEWNS) < 0) { - pam_syslog(idata->pamh, LOG_ERR, + pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); + pam_syslog(idata->pamh, LOG_ERR, "Unable to unshare from parent namespace, %m"); return PAM_SESSION_ERR; } - } else + } else { + del_polydir_list(idata->polydirs_ptr); return PAM_SUCCESS; + } /* * Again cycle through all polyinstantiated directories, this time, @@ -1145,7 +1253,8 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) * umount */ if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) { - return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; + goto out; } else if (changing_dir) { if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd"); @@ -1173,8 +1282,10 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) int saved_errno = errno; pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", pptr->dir); - if (saved_errno != EINVAL) - return PAM_SESSION_ERR; + if (saved_errno != EINVAL) { + retval = PAM_SESSION_ERR; + goto out; + } } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", pptr->dir); @@ -1186,7 +1297,9 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) break; } } - +out: + if (retval != PAM_SUCCESS) + cleanup_tmpdirs(idata); return retval; } @@ -1225,8 +1338,10 @@ static int orig_namespace(struct instance_data *idata) } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded", pptr->dir); - } + } } + + cleanup_tmpdirs(idata); return 0; } 
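Review bot: After `pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, cleanup_data)` the PAM handle owns the polydir list, but the failure paths here and in pam_sm_open_session still treat it as owned by the caller. On the unshare() failure, `pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL)` replaces the entry, which invokes cleanup_data and frees the list, and the pam_sm_open_session hunk (`if (retval != PAM_SUCCESS) del_polydir_list(idata.polydirs_ptr);`) then frees it a second time, assuming retval there is the result of setup_namespace. On the `out:` path the data entry stays registered while open_session frees the list, so a later pam_sm_close_session or pam_end would operate on a dangling pointer. Registering the data only once the namespace has been set up successfully, just before the final `return retval;`, keeps a single owner on every path. setup_namespace starts outside these hunks.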
@@ -1351,7 +1466,8 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, } else if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate"); - del_polydir_list(idata.polydirs_ptr); + if (retval != PAM_SUCCESS) + del_polydir_list(idata.polydirs_ptr); return retval; } @@ -1366,6 +1482,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, struct instance_data idata; char *user_name; struct passwd *pwd; + void *polyptr; /* init instance data */ idata.flags = 0; @@ -1429,16 +1546,12 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, strncat(idata.user, user_name, sizeof(idata.user) - 1); idata.uid = pwd->pw_uid; - /* - * Parse namespace configuration file which lists directories that - * are polyinstantiated, directories where instance directories are - * created and the method used for polyinstantiation. - */ - retval = parse_config_file(&idata); - if ((retval != PAM_SUCCESS) || !idata.polydirs_ptr) { - del_polydir_list(idata.polydirs_ptr); - return PAM_SESSION_ERR; - } + retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr); + if (retval != PAM_SUCCESS || polyptr == NULL) + /* nothing to reset */ + return PAM_SUCCESS; + + idata.polydirs_ptr = polyptr; if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d", @@ -1453,7 +1566,9 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, pam_syslog(idata.pamh, LOG_DEBUG, "resetting namespace ok for pid %d", getpid()); } - del_polydir_list(idata.polydirs_ptr); + + pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); + return PAM_SUCCESS; } diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 0847ec08..4b438899 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h 
@@ -90,6 +90,7 @@ #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ #define NAMESPACE_MAX_DIR_LEN 80 +#define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data" /* * Polyinstantiation method options, based on user, security context @@ -100,6 +101,8 @@ enum polymethod { USER, CONTEXT, LEVEL, + TMPDIR, + TMPFS }; /* @@ -128,6 +131,7 @@ struct polydir_s { enum polymethod method; /* method used to polyinstantiate */ unsigned int num_uids; /* number of override uids */ uid_t *uid; /* list of override uids */ + int exclusive; /* polyinstatiate exclusively for override uids */ struct polydir_s *next; /* pointer to the next polydir entry */ }; -- cgit v1.2.3 From 50b42a659b9e1aeb46deebe56dfb652088d27a99 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 4 Feb 2008 13:37:35 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfixes Commit summary: --------------- 2008-02-04 Thorsten Kukuk * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct. * modules/pam_sepermit/pam_sepermit.c: Fix typo. * README: Add --disable-pie to configure options for static library. * doc/man/Makefile.am: Fix building outside of src directory. --- ChangeLog | 9 +++++++++ README | 2 +- doc/man/Makefile.am | 2 +- libpam/Makefile.am | 2 +- libpam/pam_static_modules.h | 2 ++ modules/pam_sepermit/pam_sepermit.c | 2 +- 6 files changed, 15 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index f42dd1d3..5905e1f7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2008-02-04 Thorsten Kukuk + + * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct. + * modules/pam_sepermit/pam_sepermit.c: Fix typo. + + * README: Add --disable-pie to configure options for static library. + + * doc/man/Makefile.am: Fix building outside of src directory. + 2008-02-01 Tomas Mraz * modules/pam_namespace/namespace.conf.5.xml: Add documentation for diff --git a/README b/README index 86cf1838..81159140 100644 --- a/README +++ b/README 
@@ -50,7 +50,7 @@ Backup all important data before! If you do not wish to make the modules dynamically loadable, but build a static libpam including all PAM modules, you have to call: - ./configure --enable-static-modules + ./configure --enable-static-modules --disable-pie In this case you cannot use pam_unix in the PAM config files instead you have to use pam_unix_acct, pam_unix_auth, pam_unix_passwd and diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index ca8be05e..52e5caab 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -47,7 +47,7 @@ XMLS = pam.3.xml pam.8.xml \ if ENABLE_REGENERATE_MAN PAM.8: pam.8 pam.d.5: pam.conf.5 - test -f pam\\.d.5 && mv pam\\.d.5 pam.d.5 + test -f $(srcdir)/pam\\.d.5 && mv $(srcdir)/pam\\.d.5 $(srcdir)/pam.d.5 ||: pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 0c188fdc..0daca423 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -20,7 +20,7 @@ include_HEADERS = include/security/_pam_compat.h \ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ pam_modutil_private.h pam_static_modules.h -libpam_la_LDFLAGS = -no-undefined -version-info 81:9:81 +libpam_la_LDFLAGS = -no-undefined -version-info 81:10:81 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ if STATIC_MODULES diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h index 42dcf8f0..a66b486d 100644 --- a/libpam/pam_static_modules.h +++ b/libpam/pam_static_modules.h @@ -67,6 +67,7 @@ extern struct pam_module _pam_rootok_modstruct; extern struct pam_module _pam_securetty_modstruct; #ifdef WITH_SELINUX extern struct pam_module _pam_selinux_modstruct; +extern struct pam_module _pam_sepermit_modstruct; #endif extern struct pam_module _pam_shells_modstruct; extern struct pam_module _pam_stress_modstruct; 
@@ -124,6 +125,7 @@ static struct pam_module *static_modules[] = { &_pam_securetty_modstruct, #ifdef WITH_SELINUX &_pam_selinux_modstruct, + &_pam_sepermit_modstruct, #endif &_pam_shells_modstruct, &_pam_stress_modstruct, diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 377fc2c5..47f95030 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -392,7 +392,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, /* static module data */ -struct pam_module _pam_access_modstruct = { +struct pam_module _pam_sepermit_modstruct = { "pam_sepermit", pam_sm_authenticate, pam_sm_setcred, -- cgit v1.2.3 From edb845c1fe5ab4db17abd44ce60f53a37d5b9968 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 4 Feb 2008 14:00:20 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-02-04 Thorsten Kukuk * modules/Makefile.am: Add pam_sepermit. --- ChangeLog | 4 ++++ modules/Makefile.am | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5905e1f7..8fa5b600 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ * doc/man/Makefile.am: Fix building outside of src directory. + * libpam/Makefile.am: Bump version number of libpam. + + * modules/Makefile.am: Add pam_sepermit. + 2008-02-01 Tomas Mraz * modules/pam_namespace/namespace.conf.5.xml: Add documentation for diff --git a/modules/Makefile.am b/modules/Makefile.am index 88d7fe4e..c79f5957 100644 --- a/modules/Makefile.am +++ b/modules/Makefile.am 
@@ -6,10 +6,10 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ pam_env pam_filter pam_ftp pam_group pam_issue pam_keyinit \ pam_lastlog pam_limits pam_listfile pam_localuser pam_mail \ pam_mkhomedir pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \ - pam_securetty pam_selinux pam_shells pam_stress pam_succeed_if \ - pam_tally pam_time pam_tty_audit pam_umask pam_unix pam_userdb \ - pam_warn pam_wheel pam_xauth pam_exec pam_namespace pam_loginuid \ - pam_faildelay + pam_securetty pam_selinux pam_sepermit pam_shells pam_stress \ + pam_succeed_if pam_tally pam_time pam_tty_audit pam_umask \ + pam_unix pam_userdb pam_warn pam_wheel pam_xauth pam_exec \ + pam_namespace pam_loginuid pam_faildelay CLEANFILES = *~ -- cgit v1.2.3 From 5a6300b673e53fa3a63ed2cd00951f794e3b981f Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 4 Feb 2008 15:05:51 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfixes Commit summary: --------------- 2008-02-04 Thorsten Kukuk * modules/pam_sepermit/Makefile.am: Install config file only if we build the module. * doc/Makefile.am: Fix build out of source directory. * po/POTFILES.in: Add pam_sepermit.c. --- ChangeLog | 6 ++++++ doc/Makefile.am | 2 +- modules/pam_sepermit/Makefile.am | 8 ++++---- po/POTFILES.in | 1 + 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8fa5b600..2ae0d805 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct. * modules/pam_sepermit/pam_sepermit.c: Fix typo. + * modules/pam_sepermit/Makefile.am: Install config file only + if we build the module. * README: Add --disable-pie to configure options for static library. @@ -11,6 +13,10 @@ * modules/Makefile.am: Add pam_sepermit. + * doc/Makefile.am: Fix build out of source directory. + + * po/POTFILES.in: Add pam_sepermit.c. + 2008-02-01 Tomas Mraz * modules/pam_namespace/namespace.conf.5.xml: Add documentation for 
diff --git a/doc/Makefile.am b/doc/Makefile.am index 3b893899..4a300e15 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -14,7 +14,7 @@ releasedocs: all $(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs cp -av specs/draft-morgan-pam-current.txt \ $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/ - cp -av specs/rfc86.0.txt \ + cp -av $(srcdir)/specs/rfc86.0.txt \ $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/ make -C sag releasedocs make -C adg releasedocs diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index 09a60a3a..579e142f 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -17,7 +17,7 @@ XMLS = README.xml pam_sepermit.8.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) -sepermitlockdir = /var/run/sepermit +sepermitlockdir = ${localstatedir}/run/sepermit AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include \ @@ -30,10 +30,10 @@ if HAVE_VERSIONING pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -secureconf_DATA = sepermit.conf -sepermitlock_DATA = - if HAVE_LIBSELINUX + secureconf_DATA = sepermit.conf + sepermitlock_DATA = + securelib_LTLIBRARIES = pam_sepermit.la endif if ENABLE_REGENERATE_MAN diff --git a/po/POTFILES.in b/po/POTFILES.in index 8a668f56..12a2d75c 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -64,6 +64,7 @@ ./modules/pam_securetty/pam_securetty.c ./modules/pam_selinux/pam_selinux.c ./modules/pam_selinux/pam_selinux_check.c +./modules/pam_sepermit/pam_sepermit.c ./modules/pam_shells/pam_shells.c ./modules/pam_stress/pam_stress.c ./modules/pam_succeed_if/pam_succeed_if.c -- cgit v1.2.3 From 6962e7e541546253d6d8d4d8e4bc5ca5290b8e5a Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Mon, 4 Feb 2008 15:27:31 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-02-04 Thorsten Kukuk * modules/pam_exec/pam_exec.c: Set PAM environment variables and add 'quiet' option. * modules/pam_exec/pam_exec.8.xml: Document new behavior. Patch from Julien Lecomte . --- ChangeLog | 5 ++++ modules/pam_exec/pam_exec.8.xml | 28 ++++++++++++++++++ modules/pam_exec/pam_exec.c | 63 +++++++++++++++++++++++++++++++++++++++-- 3 files changed, 93 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2ae0d805..fbe3a36b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,11 @@ * po/POTFILES.in: Add pam_sepermit.c. + * modules/pam_exec/pam_exec.c: Set PAM environment variables and + add 'quiet' option. + * modules/pam_exec/pam_exec.8.xml: Document new behavior. + Patch from Julien Lecomte . + 2008-02-01 Tomas Mraz * modules/pam_namespace/namespace.conf.5.xml: Add documentation for diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 1e8bb0ba..f4dc1e15 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -24,6 +24,9 @@ seteuid + + quiet + log=file @@ -45,6 +48,18 @@ an external command. + + The child's environment is set to the current PAM environment list, as + returned by + + pam_getenvlist3 + + In addition, the following PAM items are + exported as environment variables: PAM_RHOST, + PAM_RUSER, PAM_SERVICE, + PAM_TTY, and PAM_USER. + + @@ -76,6 +91,19 @@ + + + + + + + Per default pam_exec.so will echo the exit status of the + external command if it fails. + Specifying this option will suppress the message. + + + + diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 49790d80..766c0a06 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c 
@@ -59,11 +59,24 @@ #include #include +#define ENV_ITEM(n) { (n), #n } +static struct { + int item; + const char *name; +} env_items[] = { + ENV_ITEM(PAM_SERVICE), + ENV_ITEM(PAM_USER), + ENV_ITEM(PAM_TTY), + ENV_ITEM(PAM_RHOST), + ENV_ITEM(PAM_RUSER), +}; + static int call_exec (pam_handle_t *pamh, int argc, const char **argv) { int debug = 0; int call_setuid = 0; + int quiet = 0; int optargc; const char *logfile = NULL; pid_t pid; @@ -85,6 +98,8 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) logfile = &argv[optargc][4]; else if (strcasecmp (argv[optargc], "seteuid") == 0) call_setuid = 1; + else if (strcasecmp (argv[optargc], "quiet") == 0) + quiet = 1; else break; /* Unknown option, assume program to execute. */ } @@ -115,6 +130,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) { pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d", argv[optargc], WEXITSTATUS(status)); + if (!quiet) pam_error (pamh, _("%s failed: exit code %d"), argv[optargc], WEXITSTATUS(status)); } @@ -123,6 +139,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s", argv[optargc], WTERMSIG(status), WCOREDUMP(status) ? " (core dumped)" : ""); + if (!quiet) pam_error (pamh, _("%s failed: caught signal %d%s"), argv[optargc], WTERMSIG(status), WCOREDUMP(status) ? " (core dumped)" : ""); @@ -131,6 +148,7 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) { pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x", argv[optargc], status); + if (!quiet) pam_error (pamh, _("%s failed: unknown status 0x%x"), argv[optargc], status); } 
@@ -211,19 +229,58 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) arggv[i] = strdup(argv[i+optargc]); arggv[i] = NULL; + char **envlist, **tmp; + int envlen, nitems; + + /* + * Set up the child's environment list. It consists of the PAM + * environment, plus a few hand-picked PAM items. + */ + envlist = pam_getenvlist(pamh); + for (envlen = 0; envlist[envlen] != NULL; ++envlen) + /* nothing */ ; + nitems = sizeof(env_items) / sizeof(*env_items); + tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist)); + if (tmp == NULL) + { + free(envlist); + pam_syslog (pamh, LOG_ERR, "realloc environment failed : %m"); + exit (ENOMEM); + } + envlist = tmp; + for (i = 0; i < nitems; ++i) + { + const void *item; + char *envstr; + + if (pam_get_item(pamh, env_items[i].item, &item) != PAM_SUCCESS || item == NULL) + continue; + asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item); + if (envstr == NULL) + { + free(envlist); + pam_syslog (pamh, LOG_ERR, "prepare environment failed : %m"); + exit (ENOMEM); + } + envlist[envlen++] = envstr; + envlist[envlen] = NULL; + } + if (debug) pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]); - if (execv (arggv[0], arggv) == -1) + if (execve (arggv[0], arggv, envlist) == -1) { int err = errno; - pam_syslog (pamh, LOG_ERR, "execv(%s,...) failed: %m", + pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m", arggv[0]); + free(envlist); exit (err); } + free(envlist); exit (1); /* should never be reached. */ } - return PAM_SYSTEM_ERR; + return PAM_SYSTEM_ERR; /* will never be reached. */ } PAM_EXTERN int -- cgit v1.2.3 From 5607d7250357a548f04fe5e31cc960a2e54cf908 Mon Sep 17 00:00:00 2001 
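Review bot: In the child branch of call_exec, the result of `pam_getenvlist(pamh)` is walked and handed to realloc() without a NULL check, and the asprintf() failure is tested through `envstr`, whose contents are not defined when asprintf() fails. I would add `if (envlist == NULL) exit (ENOMEM);` (with a pam_syslog like the other error paths) right after the call and change the second test to `if (asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item) < 0)`. The PAM items are appended after the PAM environment, so a `PAM_USER=` or `PAM_RHOST=` entry already present in that environment is not replaced, and which copy the executed program sees depends on its runtime; dropping existing entries with those names before appending would make the exported values authoritative. The manual page should also say that PAM_RHOST and PAM_RUSER originate from the remote side and must be treated as untrusted input by the command. call_exec starts before this hunk.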
From: Tomas Mraz Date: Wed, 13 Feb 2008 12:49:43 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix, new feature Commit summary: --------------- 2008-02-13 Tomas Mraz * modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d dir. * modules/pam_namespace/argv_parse.c: New file. * modules/pam_namespace/argv_parse.h: New file. * modules/pam_namespace/namespace.conf.5.xml: Document new features. * modules/pam_namespace/pam_namespace.8.xml: Likewise. * modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define. Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags and polydir flags. (polydir_s): Add rdir, replace exclusive with flags, add init_script, owner, group, and mode. (instance_data): Add ruser, gid, and ruid. * modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent(). (add_polydir_entry): Add the entry directly, no copy. (del_polydir): New function. (del_polydir_list): Call del_polydir(). (expand_variables, parse_create_params, parse_iscript_params, parse_method): New functions. (process_line): Call expand_variables() on polydir and instance prefix. Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap. (parse_config_file): Parse .conf files from namespace.d dir after namespace.conf. (form_context): Call getcon() or get_default_context_with_level() when appropriate flags are set. (poly_name): Handle shared polydir flag. (inst_init): Execute non-default init script when specified. (create_polydir): New function. (create_dirs): Remove the code which checks the polydir. Do not call inst_init() when noinit flag is set. (ns_setup): Check the polydir and eventually create it if the create flag is set. (setup_namespace): Use ruser uid from idata. Set the namespace polydir pam data only when namespace was set up correctly. Unmount polydir based on ruser. (get_user_data): New function. (pam_sm_open_session): Check for use_current_context and use_default_context options. Call get_user_data(). 
(pam_sm_close_session): Call get_user_data(). --- ChangeLog | 41 ++ NEWS | 3 +- modules/pam_namespace/Makefile.am | 9 +- modules/pam_namespace/argv_parse.c | 165 ++++++ modules/pam_namespace/argv_parse.h | 43 ++ modules/pam_namespace/namespace.conf.5.xml | 68 ++- modules/pam_namespace/pam_namespace.8.xml | 58 +- modules/pam_namespace/pam_namespace.c | 917 +++++++++++++++++++---------- modules/pam_namespace/pam_namespace.h | 38 +- 9 files changed, 1013 insertions(+), 329 deletions(-) create mode 100644 modules/pam_namespace/argv_parse.c create mode 100644 modules/pam_namespace/argv_parse.h diff --git a/ChangeLog b/ChangeLog index fbe3a36b..31a1fd02 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,44 @@ +2008-02-13 Tomas Mraz + + * modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d + dir. + * modules/pam_namespace/argv_parse.c: New file. + * modules/pam_namespace/argv_parse.h: New file. + * modules/pam_namespace/namespace.conf.5.xml: Document new features. + * modules/pam_namespace/pam_namespace.8.xml: Likewise. + * modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define. + Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags + and polydir flags. + (polydir_s): Add rdir, replace exclusive with flags, add init_script, + owner, group, and mode. + (instance_data): Add ruser, gid, and ruid. + * modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent(). + (add_polydir_entry): Add the entry directly, no copy. + (del_polydir): New function. + (del_polydir_list): Call del_polydir(). + (expand_variables, parse_create_params, parse_iscript_params, + parse_method): New functions. + (process_line): Call expand_variables() on polydir and instance prefix. + Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap. + (parse_config_file): Parse .conf files from namespace.d dir after + namespace.conf. + (form_context): Call getcon() or get_default_context_with_level() when + appropriate flags are set. + (poly_name): Handle shared polydir flag. + (inst_init): Execute non-default init script when specified. + (create_polydir): New function. + (create_dirs): Remove the code which checks the polydir. Do not call + inst_init() when noinit flag is set. + (ns_setup): Check the polydir and eventually create it if the create flag + is set. + (setup_namespace): Use ruser uid from idata. Set the namespace polydir + pam data only when namespace was set up correctly. Unmount polydir + based on ruser. + (get_user_data): New function. + (pam_sm_open_session): Check for use_current_context and + use_default_context options. Call get_user_data(). + (pam_sm_close_session): Call get_user_data(). 
+ 2008-02-04 Thorsten Kukuk * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct. diff --git a/NEWS b/NEWS index 6ba96793..ea835334 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,8 @@ Linux-PAM NEWS -- history of user-visible changes. by crypt(). * New pam_sepermit.so module for allowing/rejecting access based on SELinux mode. -* Improved functionality of pam_namespace.so module. +* Improved functionality of pam_namespace.so module (method flags, + namespace.d configuration directory, new options). Release 0.99.9.0 * misc_conv no longer blocks SIGINT; applications that don't want diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 002678ba..e8598e8f 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -15,13 +15,14 @@ endif EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace -noinst_HEADERS = md5.h +noinst_HEADERS = md5.h argv_parse.h securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) +namespaceddir = $(SCONFIGDIR)/namespace.d AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DPAM_NAMESPACE_CONFIG=\"$(SCONFIGDIR)/namespace.conf\" + -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map @@ -29,11 +30,13 @@ endif if HAVE_UNSHARE securelib_LTLIBRARIES = pam_namespace.la -pam_namespace_la_SOURCES = pam_namespace.c pam_namespace.h md5.c md5.h +pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c pam_namespace_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ secureconf_DATA = namespace.conf secureconf_SCRIPTS = namespace.init +namespaced_DATA = + TESTS = tst-pam_namespace man_MANS = $(MAN5) $(MAN8) endif diff --git a/modules/pam_namespace/argv_parse.c b/modules/pam_namespace/argv_parse.c new file mode 100644 index 00000000..acc76d74 --- /dev/null +++ b/modules/pam_namespace/argv_parse.c 
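Review bot: pam_namespace.h is no longer listed in any distributed variable after this change. The second Makefile.am hunk drops it (together with md5.h) from `pam_namespace_la_SOURCES`, while the first hunk's `noinst_HEADERS` names only md5.h and argv_parse.h. Unless the header is picked up somewhere outside these hunks, `make dist` would produce a tarball in which pam_namespace.c cannot be compiled. Suggested line: `noinst_HEADERS = md5.h pam_namespace.h argv_parse.h`.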
@@ -0,0 +1,165 @@ +/* + * argv_parse.c --- utility function for parsing a string into a + * argc, argv array. + * + * This file defines a function argv_parse() which parsing a + * passed-in string, handling double quotes and backslashes, and + * creates an allocated argv vector which can be freed using the + * argv_free() function. + * + * See argv_parse.h for the formal definition of the functions. + * + * Copyright 1999 by Theodore Ts'o. + * + * Permission to use, copy, modify, and distribute this software for + * any purpose with or without fee is hereby granted, provided that + * the above copyright notice and this permission notice appear in all + * copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE + * AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't + * it sick that the U.S. culture of lawsuit-happy lawyers requires + * this kind of disclaimer?) + * + * Version 1.1, modified 2/27/1999 + */ + +#include +#include +#include +#include "argv_parse.h" + +#define STATE_WHITESPACE 1 +#define STATE_TOKEN 2 +#define STATE_QUOTED 3 + +/* + * Returns 0 on success, -1 on failure. 
+ */ +int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv) +{ + int argc = 0, max_argc = 0; + char **argv, **new_argv, *buf, ch; + const char *cp = 0; + char *outcp = 0; + int state = STATE_WHITESPACE; + + buf = malloc(strlen(in_buf)+1); + if (!buf) + return -1; + + max_argc = 0; argc = 0; argv = 0; + outcp = buf; + for (cp = in_buf; (ch = *cp); cp++) { + if (state == STATE_WHITESPACE) { + if (isspace((int) ch)) + continue; + /* Not whitespace, so start a new token */ + state = STATE_TOKEN; + if (argc >= max_argc) { + max_argc += 3; + new_argv = realloc(argv, + (max_argc+1)*sizeof(char *)); + if (!new_argv) { + if (argv) free(argv); + free(buf); + return -1; + } + argv = new_argv; + } + argv[argc++] = outcp; + } + if (state == STATE_QUOTED) { + if (ch == '"') + state = STATE_TOKEN; + else + *outcp++ = ch; + continue; + } + /* Must be processing characters in a word */ + if (isspace((int) ch)) { + /* + * Terminate the current word and start + * looking for the beginning of the next word. 
+ */ + *outcp++ = 0; + state = STATE_WHITESPACE; + continue; + } + if (ch == '"') { + state = STATE_QUOTED; + continue; + } + if (ch == '\\') { + ch = *++cp; + switch (ch) { + case '\0': + ch = '\\'; cp--; break; + case 'n': + ch = '\n'; break; + case 't': + ch = '\t'; break; + case 'b': + ch = '\b'; break; + } + } + *outcp++ = ch; + } + if (state != STATE_WHITESPACE) + *outcp++ = '\0'; + if (argv == 0) { + argv = malloc(sizeof(char *)); + free(buf); + } + argv[argc] = 0; + if (ret_argc) + *ret_argc = argc; + if (ret_argv) + *ret_argv = argv; + return 0; +} + +void argv_free(char **argv) +{ + if (*argv) + free(*argv); + free(argv); +} + +#ifdef DEBUG_ARGV_PARSE +/* + * For debugging + */ + +#include + +int main(int argc, char **argv) +{ + int ac, ret; + char **av, **cpp; + char buf[256]; + + while (!feof(stdin)) { + if (fgets(buf, sizeof(buf), stdin) == NULL) + break; + ret = argv_parse(buf, &ac, &av); + if (ret != 0) { + printf("Argv_parse returned %d!\n", ret); + continue; + } + printf("Argv_parse returned %d arguments...\n", ac); + for (cpp = av; *cpp; cpp++) { + if (cpp != av) + printf(", "); + printf("'%s'", *cpp); + } + printf("\n"); + argv_free(av); + } + exit(0); +} +#endif diff --git a/modules/pam_namespace/argv_parse.h b/modules/pam_namespace/argv_parse.h new file mode 100644 index 00000000..c7878fc1 --- /dev/null +++ b/modules/pam_namespace/argv_parse.h 
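Review bot: The empty-input path in argv_parse() stores through an unchecked allocation: after `argv = malloc(sizeof(char *)); free(buf);` the next statement is `argv[argc] = 0;`, which dereferences NULL if that malloc fails. Add `if (!argv) return -1;` right after the `free(buf);`. The two `isspace((int) ch)` calls pass a plain `char`, which is undefined for bytes above 0x7f where char is signed; `isspace((unsigned char) ch)` avoids that for configuration lines containing non-ASCII text. argv_free() also dereferences its argument without a NULL check, so callers must never hand it a pointer that argv_parse() did not fill in.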
@@ -0,0 +1,43 @@ +/* + * argv_parse.h --- header file for the argv parser. + * + * This file defines the interface for the functions argv_parse() and + * argv_free(). + * + *********************************************************************** + * int argv_parse(char *in_buf, int *ret_argc, char ***ret_argv) + * + * This function takes as its first argument a string which it will + * parse into an argv argument vector, with each white-space separated + * word placed into its own slot in the argv. This function handles + * double quotes and backslashes so that the parsed words can contain + * special characters. The count of the number words found in the + * parsed string, as well as the argument vector, are returned into + * ret_argc and ret_argv, respectively. + *********************************************************************** + * extern void argv_free(char **argv); + * + * This function frees the argument vector created by argv_parse(). + *********************************************************************** + * + * Copyright 1999 by Theodore Ts'o. + * + * Permission to use, copy, modify, and distribute this software for + * any purpose with or without fee is hereby granted, provided that + * the above copyright notice and this permission notice appear in all + * copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE + * AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't + * it sick that the U.S. culture of lawsuit-happy lawyers requires + * this kind of disclaimer?) 
+ * + * Version 1.1, modified 2/27/1999 + */ + +extern int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv); +extern void argv_free(char **argv); diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index 9fbefc49..a1769600 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml @@ -20,8 +20,9 @@ DESCRIPTION - This module allows setup of private namespaces with polyinstantiated - directories. Directories can be polyinstantiated based on user name + The pam_namespace.so module allows setup of + private namespaces with polyinstantiated directories. + Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script /etc/security/namespace.init exists, it is used to initialize the namespace every time a new instance @@ -38,19 +39,23 @@ When someone logs in, the file namespace.conf is - scanned where each non comment line represents one polyinstantiated - directory with space separated fields as follows: + scanned. Comments are marked by # characters. + Each non comment line represents one polyinstantiated + directory. The fields are separated by spaces but can be quoted by + " characters also escape + sequences \b, \n, and + \t are recognized. The fields are as follows: - - polydir instance_prefix method list_of_uids + polydir instance_prefix method list_of_uids The first field, polydir, is the absolute - pathname of the directory to polyinstantiate. Special entry $HOME is - supported to designate user's home directory. This field cannot be - blank. + pathname of the directory to polyinstantiate. The special string + $HOME is replaced with the user's home directory, + and $USER with the username. This field cannot + be blank. 
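Review bot: The header comment documents `int argv_parse(char *in_buf, ...)` while the declaration below takes `const char *in_buf`, and it says nothing about the return value or ownership. I would correct the signature in the comment and add that the function returns 0 on success and -1 on allocation failure, that `*ret_argv` is written only on success, and that the vector must be released with argv_free() exactly once, because the words share one buffer and must not be freed individually. The file also has no include guard; wrapping it in `#ifndef ARGV_PARSE_H` / `#define ARGV_PARSE_H` / `#endif` is cheap.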
@@ -62,12 +67,9 @@ instance directory path. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column. - The special string $HOME is replaced with the user's home directory, - and $USER with the username. This field cannot be blank. - The directory where polyinstantiated instances are to be - created, must exist and must have, by default, the mode of 000. The - requirement that the instance parent be of mode 000 can be overridden - with the command line option ignore_instance_parent_mode + The special string $HOME is replaced with the + user's home directory, and $USER with the username. + This field cannot be blank. @@ -91,6 +93,39 @@ polyinstantiation is performed only for users in the list. + + The method field can contain also following + optional flags separated by : characters. + + + create=mode,owner,group + - create the polyinstantiated directory. The mode, owner and group parameters + are optional. The default for mode is determined by umask, the default + owner is the user whose session is opened, the default group is the + primary group of the user. + + + iscript=path + - path to the instance directory init script. The base directory for relative + paths is /etc/security/namespace.d. + + + noinit + - instance directory init script will not be executed. + + + shared + - the instance directories for "context" and "level" methods will not + contain the user name and will be shared among all users. + + + + The directory where polyinstantiated instances are to be + created, must exist and must have, by default, the mode of 0000. The + requirement that the instance parent be of mode 0000 can be overridden + with the command line option ignore_instance_parent_mode + + In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing 
@@ -105,7 +140,7 @@ method and <user name>_<raw directory context> for "context" and "level" methods. If the whole string is too long the end of it is replaced with md5sum of itself. Also when command line option - gen_hash is used the whole string is replaced + gen_hash is used the whole string is replaced with md5sum of itself. @@ -169,6 +204,7 @@ AUTHORS The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. + More features added by Tomas Mraz <tmraz@redhat.com>. diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index f47bb81b..32c5359d 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -46,6 +46,12 @@ no_unmount_on_close + + use_current_context + + + use_default_context + @@ -200,13 +206,42 @@ + + + + + + + Useful for services which do not change the SELinux context + with setexeccon call. The module will use the current SELinux + context of the calling process for the level and context + polyinstantiation. + + + + + + + + + + + Useful for services which do not use pam_selinux for changing + the SELinux context with setexeccon call. The module will use + the default SELinux context of the user for the level and context + polyinstantiation. + + + + MODULE SERVICES PROVIDED - The service is supported. + The service is supported. The module must not + be called from multithreaded processes. @@ -246,7 +281,21 @@ /etc/security/namespace.conf - Configuration file + Main configuration file + + + + + /etc/security/namespace.d + + Directory for additional configuration files + + + + + /etc/security/namespace.init + + Init script for instance directories 
@@ -332,7 +381,10 @@ The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. - The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>. + The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, + Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>. + Additional improvements by Xavier Toth <txtoth@gmail.com> and Tomas Mraz + <tmraz@redhat.com>. diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index a47b0698..d0741fd2 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -3,11 +3,13 @@ * establishing a session via PAM. * * (C) Copyright IBM Corporation 2005 - * (C) Copyright Red Hat 2006 + * (C) Copyright Red Hat, Inc. 2006, 2008 * All Rights Reserved. * * Written by: Janak Desai * With Revisions by: Steve Grubb + * Contributions by: Xavier Toth , + * Tomas Mraz * Derived from a namespace setup patch by Chad Sellers * * Permission is hereby granted, free of charge, to any person obtaining a 
@@ -31,80 +33,36 @@ */ #include "pam_namespace.h" - -/* - * Copies the contents of ent into pent - */ -static int copy_ent(const struct polydir_s *ent, struct polydir_s *pent) -{ - unsigned int i; - - strcpy(pent->dir, ent->dir); - strcpy(pent->instance_prefix, ent->instance_prefix); - pent->method = ent->method; - pent->num_uids = ent->num_uids; - pent->exclusive = ent->exclusive; - if (ent->num_uids) { - uid_t *pptr, *eptr; - - pent->uid = (uid_t *) malloc(ent->num_uids * sizeof(uid_t)); - if (!(pent->uid)) { - return -1; - } - for (i = 0, pptr = pent->uid, eptr = ent->uid; i < ent->num_uids; - i++, eptr++, pptr++) - *pptr = *eptr; - } else - pent->uid = NULL; - return 0; -} +#include "argv_parse.h" /* * Adds an entry for a polyinstantiated directory to the linked list of * polyinstantiated directories. It is called from process_line() while * parsing the namespace configuration file. */ -static int add_polydir_entry(struct instance_data *idata, - const struct polydir_s *ent) +static void add_polydir_entry(struct instance_data *idata, + struct polydir_s *ent) { - struct polydir_s *pent; - int rc = 0; - - /* - * Allocate an entry to hold information about a directory to - * polyinstantiate, populate it with information from 2nd argument - * and add the entry to the linked list of polyinstantiated - * directories. 
- */ - pent = (struct polydir_s *) malloc(sizeof(struct polydir_s)); - if (!pent) { - rc = -1; - goto out; - } - /* Make copy */ - rc = copy_ent(ent,pent); - if(rc < 0) - goto out_clean; - /* Now attach to linked list */ - pent->next = NULL; + ent->next = NULL; if (idata->polydirs_ptr == NULL) - idata->polydirs_ptr = pent; + idata->polydirs_ptr = ent; else { struct polydir_s *tail; tail = idata->polydirs_ptr; while (tail->next) tail = tail->next; - tail->next = pent; + tail->next = ent; } - goto out; -out_clean: - free(pent); -out: - return rc; } +static void del_polydir(struct polydir_s *poly) +{ + free(poly->uid); + free(poly->init_script); + free(poly); +} /* * Deletes all the entries in the linked list. @@ -116,8 +74,7 @@ static void del_polydir_list(struct polydir_s *polydirs_ptr) while (dptr) { struct polydir_s *tptr = dptr; dptr = dptr->next; - free(tptr->uid); - free(tptr); + del_polydir(tptr); } } 
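Review bot: add_polydir_entry() now links the caller's `ent` into the list instead of copying it, but the comment above it still only says that it adds an entry. Ownership is what a caller has to get right here: after the call the node belongs to `idata->polydirs_ptr` and is released through del_polydir_list(), so the caller must neither free it nor pass a stack object. I would add a comment such as `/* Takes ownership of ent, which must be heap-allocated; it is released via del_polydir(). */` and give del_polydir() a one-line comment saying it frees `uid`, `init_script` and the node itself.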
@@ -126,6 +83,176 @@ static void cleanup_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) del_polydir_list(data); } +static char *expand_variables(const char *orig, const char *var_names[], const char *var_values[]) +{ + const char *src = orig; + char *dst; + char *expanded; + char c; + size_t dstlen = 0; + while (*src) { + if (*src == '$') { + int i; + for (i = 0; var_names[i]; i++) { + int namelen = strlen(var_names[i]); + if (strncmp(var_names[i], src+1, namelen) == 0) { + dstlen += strlen(var_values[i]) - 1; /* $ */ + src += namelen; + break; + } + } + } + ++dstlen; + ++src; + } + if ((dst=expanded=malloc(dstlen + 1)) == NULL) + return NULL; + src = orig; + while ((c=*src) != '\0') { + if (c == '$') { + int i; + for (i = 0; var_names[i]; i++) { + int namelen = strlen(var_names[i]); + if (strncmp(var_names[i], src+1, namelen) == 0) { + dst = stpcpy(dst, var_values[i]); + --dst; + c = *dst; /* replace $ */ + src += namelen; + break; + } + } + } + *dst = c; + ++dst; + ++src; + } + *dst = '\0'; + return expanded; +} + +static int parse_create_params(char *params, struct polydir_s *poly) +{ + char *sptr; + struct passwd *pwd; + struct group *grp; + + poly->mode = (mode_t)ULONG_MAX; + poly->owner = (uid_t)ULONG_MAX; + poly->group = (gid_t)ULONG_MAX; + + if (*params != '=') + return 0; + params++; + + params = strtok_r(params, ",", &sptr); + if (params == NULL) + return 0; + + errno = 0; + poly->mode = (mode_t)strtoul(params, NULL, 0); + if (errno != 0) { + poly->mode = (mode_t)ULONG_MAX; + } + + params = strtok_r(NULL, ",", &sptr); + if (params == NULL) + return 0; + + pwd = getpwnam(params); /* session modules are not reentrant */ + if (pwd == NULL) + return -1; + poly->owner = pwd->pw_uid; + + params = strtok_r(NULL, ",", &sptr); + if (params == NULL) { + poly->group = pwd->pw_gid; + return 0; + } + grp = getgrnam(params); + if (grp == NULL) + return -1; + poly->group = grp->gr_gid; + + return 0; +} + +static int parse_iscript_params(char *params, 
struct polydir_s *poly) +{ + if (*params != '=') + return 0; + params++; + + if (*params != '\0') { + if (*params != '/') { /* path is relative to NAMESPACE_D_DIR */ + if (asprintf(&poly->init_script, "%s%s", NAMESPACE_D_DIR, params) == -1) + return -1; + } else { + poly->init_script = strdup(params); + } + if (poly->init_script == NULL) + return -1; + } + return 0; +} + +static int parse_method(char *method, struct polydir_s *poly, + struct instance_data *idata) +{ + enum polymethod pm; + char *sptr; + static const char *method_names[] = { "user", "context", "level", "tmpdir", + "tmpfs", NULL }; + static const char *flag_names[] = { "create", "noinit", "iscript", + "shared", NULL }; + static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT, + POLYDIR_ISCRIPT, POLYDIR_SHARED }; + int i; + char *flag; + + method = strtok_r(method, ":", &sptr); + pm = NONE; + + for (i = 0; method_names[i]; i++) { + if (strcmp(method, method_names[i]) == 0) { + pm = i + 1; /* 0 = NONE */ + } + } + + if (pm == NONE) { + pam_syslog(idata->pamh, LOG_NOTICE, "Unknown method"); + return -1; + } + + poly->method = pm; + + while ((flag=strtok_r(NULL, ":", &sptr)) != NULL) { + for (i = 0; flag_names[i]; i++) { + int namelen = strlen(flag_names[i]); + + if (strncmp(flag, flag_names[i], namelen) == 0) { + poly->flags |= flag_values[i]; + switch (flag_values[i]) { + case POLYDIR_CREATE: + if (parse_create_params(flag+namelen, poly) != 0) { + pam_syslog(idata->pamh, LOG_CRIT, "Invalid create parameters"); + return -1; + } + break; + + case POLYDIR_ISCRIPT: + if (parse_iscript_params(flag+namelen, poly) != 0) { + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + return -1; + }; + break; + } + } + } + } + + return 0; +} + /* * Called from parse_config_file, this function processes a single line * of the namespace configuration file. It skips over comments and incomplete 
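Review bot: parse_create_params() accepts almost any text as the directory mode: `strtoul(params, NULL, 0)` is called without an end pointer, so `create=rwx` silently becomes mode 0, and with base 0 a value written as `755` is read as decimal rather than octal. Since this mode is applied to a directory the module creates on the user's behalf, a typo should be rejected rather than turned into unexpected permission bits. I would check the end pointer and the range and return -1 (the caller already logs "Invalid create parameters"), and state in the man page that octal needs a leading 0. Separately, expand_variables() does `--dst; c = *dst;` after `stpcpy`, which steps before the start of the buffer when a variable at the very beginning of the string expands to an empty value.

```c
	/* … unchanged: defaults, '=' check, first strtok_r … */
	char *end;
	unsigned long mode;

	errno = 0;
	mode = strtoul(params, &end, 0);
	if (errno != 0 || end == params || *end != '\0' || mode > 07777)
		return -1;
	poly->mode = (mode_t)mode;
	/* … unchanged: owner and group lookup … */
```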
@@ -134,18 +261,23 @@ static void cleanup_data(pam_handle_t *pamh UNUSED , void *data, int err UNUSED) * polyinstatiated directory structure and then calling add_polydir_entry to * add that entry to the linked list of polyinstantiated directories. */ -static int process_line(char *line, const char *home, +static int process_line(char *line, const char *home, const char *rhome, struct instance_data *idata) { - const char *dir, *instance_prefix; - const char *method, *uids; + char *dir = NULL, *instance_prefix = NULL, *rdir = NULL; + char *method, *uids; char *tptr; - struct polydir_s poly; + struct polydir_s *poly; int retval = 0; + char **config_options = NULL; + static const char *var_names[] = {"HOME", "USER", NULL}; + const char *var_values[] = {home, idata->user}; + const char *rvar_values[] = {rhome, idata->ruser}; + int len; - poly.uid = NULL; - poly.num_uids = 0; - poly.exclusive = 0; + poly = calloc(1, sizeof(*poly)); + if (poly == NULL) + goto erralloc; /* * skip the leading white space @@ -177,19 +309,27 @@ static int process_line(char *line, const char *home, * Initialize and scan the five strings from the line from the * namespace configuration file. */ - dir = strtok_r(line, " \t", &tptr); + retval = argv_parse(line, NULL, &config_options); + if (retval != 0) { + goto erralloc; + } + + dir = config_options[0]; if (dir == NULL) { pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir"); goto skipping; } - instance_prefix = strtok_r(NULL, " \t", &tptr); + instance_prefix = config_options[1]; if (instance_prefix == NULL) { pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing instance_prefix"); + instance_prefix = NULL; goto skipping; } - method = strtok_r(NULL, " \t", &tptr); + method = config_options[2]; if (method == NULL) { pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing method"); + instance_prefix = NULL; + dir = NULL; goto skipping; } 
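Review bot: The missing-instance_prefix branch leaves `dir` pointing at `config_options[0]`, and the shared exit path later calls both `free(dir)` and `argv_free(config_options)`, which frees that same buffer a second time. The branch sets `instance_prefix = NULL;`, which is already NULL at that point; it should be `dir = NULL;`, as the missing-method branch below does for both pointers. As written, a configuration line with only one field ends in a double free inside the process that is opening the session. The cleanup code is in a later hunk of process_line(), whose body starts and ends outside this hunk.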
@@ -199,93 +339,82 @@ static int process_line(char *line, const char *home, * any of the other fields are blank, the line is incomplete so * skip it. */ - uids = strtok_r(NULL, " \t", &tptr); + uids = config_options[3]; /* - * If the directory being polyinstantiated is the home directory - * of the user who is establishing a session, we have to swap - * the "$HOME" string with the user's home directory that is - * passed in as an argument. + * Expand $HOME and $USER in poly dir and instance dir prefix */ - if (strcmp(dir, "$HOME") == 0) { - dir = home; + if ((rdir=expand_variables(dir, var_names, rvar_values)) == NULL) { + instance_prefix = NULL; + dir = NULL; + goto erralloc; + } + + if ((dir=expand_variables(dir, var_names, var_values)) == NULL) { + instance_prefix = NULL; + goto erralloc; + } + + if ((instance_prefix=expand_variables(instance_prefix, var_names, var_values)) + == NULL) { + goto erralloc; } - /* - * Expand $HOME and $USER in instance dir prefix - */ - if ((tptr = strstr(instance_prefix, "$USER")) != 0) { - /* FIXME: should only support this if method is USER or BOTH */ - char *expanded = alloca(strlen(idata->user) + strlen(instance_prefix)-5+1); - *tptr = 0; - sprintf(expanded, "%s%s%s", instance_prefix, idata->user, tptr+5); - instance_prefix = expanded; + if (idata->flags & PAMNS_DEBUG) { + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded polydir: '%s'", dir); + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded ruser polydir: '%s'", rdir); + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded instance prefix: '%s'", instance_prefix); } - if ((tptr = strstr(instance_prefix, "$HOME")) != 0) { - char *expanded = alloca(strlen(home)+strlen(instance_prefix)-5+1); - *tptr = 0; - sprintf(expanded, "%s%s%s", instance_prefix, home, tptr+5); - instance_prefix = expanded; + + len = strlen(dir); + if (len > 0 && dir[len-1] == '/') { + dir[len-1] = '\0'; } + len = strlen(rdir); + if (len > 0 && rdir[len-1] == '/') { + rdir[len-1] = '\0'; + } + + if (dir[0] == '\0' || 
rdir[0] == '\0') { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir"); + goto skipping; + } + /* * Populate polyinstantiated directory structure with appropriate * pathnames and the method with which to polyinstantiate. */ - if (strlen(dir) >= sizeof(poly.dir) - || strlen(instance_prefix) >= sizeof(poly.instance_prefix)) { + if (strlen(dir) >= sizeof(poly->dir) + || strlen(rdir) >= sizeof(poly->rdir) + || strlen(instance_prefix) >= sizeof(poly->instance_prefix)) { pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); goto skipping; } - strcpy(poly.dir, dir); - strcpy(poly.instance_prefix, instance_prefix); + strcpy(poly->dir, dir); + strcpy(poly->rdir, rdir); + strcpy(poly->instance_prefix, instance_prefix); - poly.method = NONE; - if (strcmp(method, "user") == 0) - poly.method = USER; - - if (strcmp(method, "tmpdir") == 0) { - poly.method = TMPDIR; - if (sizeof(poly.instance_prefix) - strlen(poly.instance_prefix) < 7) { - pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); - goto skipping; - } - strcat(poly.instance_prefix, "XXXXXX"); + if (parse_method(method, poly, idata) != 0) { + goto skipping; } - - if (strcmp(method, "tmpfs") == 0) - poly.method = TMPFS; -#ifdef WITH_SELINUX - if (strcmp(method, "level") == 0) { - if (idata->flags & PAMNS_CTXT_BASED_INST) - poly.method = LEVEL; - else - poly.method = USER; - } - - if (strcmp(method, "context") == 0) { - if (idata->flags & PAMNS_CTXT_BASED_INST) - poly.method = CONTEXT; - else - poly.method = USER; - } - -#endif - - if (poly.method == NONE) { - pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method"); - goto skipping; + if (poly->method == TMPDIR) { + if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; + } + strcat(poly->instance_prefix, "XXXXXX"); } /* * Ensure that all pathnames are absolute path names. 
*/ - if ((dir[0] != '/') || (poly.method != TMPFS && instance_prefix[0] != '/')) { + if ((poly->dir[0] != '/') || (poly->method != TMPFS && poly->instance_prefix[0] != '/')) { pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must start with '/'"); goto skipping; } - if (strstr(dir, "..") || strstr(instance_prefix, "..")) { + if (strstr(dir, "..") || strstr(poly->instance_prefix, "..")) { pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must not contain '..'"); goto skipping; } @@ -302,18 +431,17 @@ static int process_line(char *line, const char *home, int count, i; if (*uids == '~') { - poly.exclusive = 1; + poly->flags |= POLYDIR_EXCLUSIVE; uids++; } for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) sstr = strchr(ustr, ','); - poly.num_uids = count; - poly.uid = (uid_t *) malloc(count * sizeof (uid_t)); - uidptr = poly.uid; + poly->num_uids = count; + poly->uid = (uid_t *) malloc(count * sizeof (uid_t)); + uidptr = poly->uid; if (uidptr == NULL) { - pam_syslog(idata->pamh, LOG_NOTICE, "out of memory"); - goto skipping; + goto erralloc; } ustr = uids; @@ -327,7 +455,7 @@ static int process_line(char *line, const char *home, pwd = pam_modutil_getpwnam(idata->pamh, ustr); if (pwd == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr); - poly.num_uids--; + poly->num_uids--; } else { *uidptr = pwd->pw_uid; uidptr++; 
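Review bot: The path checks at the end of this hunk cover `poly->dir` and `poly->instance_prefix` but not the new `poly->rdir`: it is length-checked and copied, yet never tested for a leading '/' or for '..'. rdir is expanded from the ruser's home directory and name, and according to the commit message the polydir is later unmounted based on ruser, so it presumably deserves the same validation as dir. I would extend the two conditions with `|| poly->rdir[0] != '/'` and `|| strstr(poly->rdir, "..")`. process_line() continues outside this hunk.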
@@ -340,20 +468,24 @@ static int process_line(char *line, const char *home, * Add polyinstantiated directory structure to the linked list * of all polyinstantiated directory structures. */ - if (add_polydir_entry(idata, &poly) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Allocation Error"); - retval = PAM_SERVICE_ERR; - } - free(poly.uid); + add_polydir_entry(idata, poly); goto out; +erralloc: + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + skipping: if (idata->flags & PAMNS_IGN_CONFIG_ERR) retval = 0; else retval = PAM_SERVICE_ERR; + del_polydir(poly); out: + free(rdir); + free(dir); + free(instance_prefix); + argv_free(config_options); return retval; } @@ -367,15 +499,15 @@ out: static int parse_config_file(struct instance_data *idata) { FILE *fil; - char *home; + char *home, *rhome; + const char *confname; struct passwd *cpwd; - char *line = NULL; + char *line; int retval; size_t len = 0; - - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, "Parsing config file %s", - PAM_NAMESPACE_CONFIG); + glob_t globbuf; + const char *oldlocale; + size_t n; /* * Extract the user's home directory to resolve $HOME entries 
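Review bot: The new error path calls `del_polydir(poly)` and `argv_free(config_options)` unconditionally, but both pointers can be NULL there. If the `calloc` at the top of process_line() fails, control goes to `erralloc` and falls through to `del_polydir(poly)`, which reads `poly->uid`; if argv_parse() fails, or anything reaches `out` before it ran, `argv_free(config_options)` evaluates `*argv` on a NULL pointer. Guard both calls, e.g. `if (poly != NULL) del_polydir(poly);` and `if (config_options != NULL) argv_free(config_options);`. Note also that `free(dir)` and `free(instance_prefix)` at `out` are only correct once those pointers have been replaced by expand_variables() copies, so any early exit that still holds the argv_parse() pointers has to reset them to NULL first.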
@@ -387,35 +519,86 @@ static int parse_config_file(struct instance_data *idata) "Error getting home dir for '%s'", idata->user); return PAM_SESSION_ERR; } - home = strdupa(cpwd->pw_dir); + if ((home=strdup(cpwd->pw_dir)) == NULL) { + pam_syslog(idata->pamh, LOG_CRIT, + "Memory allocation error"); + return PAM_SESSION_ERR; + } + + cpwd = pam_modutil_getpwnam(idata->pamh, idata->ruser); + if (!cpwd) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting home dir for '%s'", idata->ruser); + free(home); + return PAM_SESSION_ERR; + } + + if ((rhome=strdup(cpwd->pw_dir)) == NULL) { + pam_syslog(idata->pamh, LOG_CRIT, + "Memory allocation error"); + free(home); + return PAM_SESSION_ERR; + } /* * Open configuration file, read one line at a time and call * process_line to process each line. */ - fil = fopen(PAM_NAMESPACE_CONFIG, "r"); - if (fil == NULL) { - pam_syslog(idata->pamh, LOG_ERR, "Error opening config file"); - return PAM_SERVICE_ERR; - } - /* Use unlocked IO */ - __fsetlocking(fil, FSETLOCKING_BYCALLER); + memset(&globbuf, '\0', sizeof(globbuf)); + oldlocale = setlocale(LC_COLLATE, "C"); + glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf); + if (oldlocale != NULL) + setlocale(LC_COLLATE, oldlocale); - /* loop reading the file */ - while (getline(&line, &len, fil) > 0) { - retval = process_line(line, home, idata); - if (retval) { - pam_syslog(idata->pamh, LOG_ERR, - "Error processing conf file line %s", line); - fclose(fil); - free(line); - return PAM_SERVICE_ERR; - } - } - fclose(fil); - free(line); + confname = PAM_NAMESPACE_CONFIG; + n = 0; + for (;;) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Parsing config file %s", + confname); + fil = fopen(confname, "r"); + if (fil == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s", + confname); + globfree(&globbuf); + free(rhome); + free(home); + return PAM_SERVICE_ERR; + } + + /* Use unlocked IO */ + __fsetlocking(fil, FSETLOCKING_BYCALLER); + + line = NULL; + /* loop 
reading the file */ + while (getline(&line, &len, fil) > 0) { + retval = process_line(line, home, rhome, idata); + if (retval) { + pam_syslog(idata->pamh, LOG_ERR, + "Error processing conf file %s line %s", confname, line); + fclose(fil); + free(line); + globfree(&globbuf); + free(rhome); + free(home); + return PAM_SERVICE_ERR; + } + } + fclose(fil); + free(line); + if (n >= globbuf.gl_pathc) + break; + + confname = globbuf.gl_pathv[n]; + n++; + } + + globfree(&globbuf); + free(rhome); + free(home); + /* All done...just some debug stuff */ if (idata->flags & PAMNS_DEBUG) { struct polydir_s *dptr = idata->polydirs_ptr; @@ -456,11 +639,11 @@ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, for (i = 0; i < polyptr->num_uids; i++) { if (uid == polyptr->uid[i]) { - return !polyptr->exclusive; + return !(polyptr->flags & POLYDIR_EXCLUSIVE); } } - return polyptr->exclusive; + return !!(polyptr->flags & POLYDIR_EXCLUSIVE); } /* @@ -514,7 +697,19 @@ static int form_context(const struct polydir_s *polyptr, if (polyptr->method == USER) return PAM_SUCCESS; - rc = getexeccon(&scon); + if (idata->flags & PAMNS_USE_CURRENT_CONTEXT) { + rc = getcon(&scon); + } else if (idata->flags & PAMNS_USE_DEFAULT_CONTEXT) { + char *seuser = NULL, *level = NULL; + + if ((rc=getseuserbyname(idata->user, &seuser, &level)) == 0) { + rc = get_default_context_with_level(seuser, level, NULL, &scon); + free(seuser); + free(level); + } + } else { + rc = getexeccon(&scon); + } if (rc < 0 || scon == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Error getting exec context, %m"); 
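Review bot: `oldlocale = setlocale(LC_COLLATE, "C")` does not save the previous locale: with a non-NULL locale argument setlocale() returns the string for the locale it has just installed, so the later `setlocale(LC_COLLATE, oldlocale)` sets "C" again and the host application keeps a changed collation order. Query first with `setlocale(LC_COLLATE, NULL)`, copy the result with strdup() because the returned buffer may be overwritten by the next call, switch to "C", then restore from the copy and free it. The return value of `glob(NAMESPACE_D_GLOB, 0, NULL, &globbuf)` is also ignored, so GLOB_NOSPACE or GLOB_ABORTED is treated like "no files" and namespace.d entries can be skipped without a log line; anything other than 0 or GLOB_NOMATCH should be logged and returned as PAM_SERVICE_ERR.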
@@ -589,7 +784,7 @@ static int form_context(const struct polydir_s *polyptr, /* * poly_name returns the name of the polyinstantiated instance directory - * based on the method used for polyinstantiation (user, context or both) + * based on the method used for polyinstantiation (user, context or level) * In addition, the function also returns the security contexts of the * original directory to polyinstantiate and the polyinstantiated instance * directory. @@ -605,6 +800,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, { int rc; char *hash = NULL; + enum polymethod pm; #ifdef WITH_SELINUX security_context_t rawcon = NULL; #endif @@ -624,7 +820,23 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, * Set the name of the polyinstantiated instance dir based on the * polyinstantiation method. */ - switch (polyptr->method) { + + pm = polyptr->method; + if (pm == LEVEL || pm == USER) { +#ifdef WITH_SELINUX + if (!(idata->flags & PAMNS_CTXT_BASED_INST)) +#else + pam_syslog(idata->pamh, LOG_NOTICE, + "Context and level methods not available, using user method"); +#endif + if (polyptr->flags & POLYDIR_SHARED) { + rc = PAM_IGNORE; + goto fail; + } + pm = USER; + } + + switch (pm) { case USER: if (asprintf(i_name, "%s", idata->user) < 0) { *i_name = NULL; @@ -638,10 +850,17 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); goto fail; - } - if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { - *i_name = NULL; - goto fail; + } + if (polyptr->flags & POLYDIR_SHARED) { + if (asprintf(i_name, "%s", rawcon) < 0) { + *i_name = NULL; + goto fail; + } + } else { + if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { + *i_name = NULL; + goto fail; + } } break; 
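Review bot: In the block added before `switch (pm)`, the unbraced `if (!(idata->flags & PAMNS_CTXT_BASED_INST))` governs only the POLYDIR_SHARED check, so `pm = USER;` runs unconditionally and, in a WITH_SELINUX build, a `level` polydir is always instantiated per user rather than per security level. The outer condition also tests `pm == USER` where the log text ("Context and level methods not available") suggests CONTEXT was meant; that reading is inferred from the message, not confirmed by the hunk. Bracing both preprocessor arms the same way, as below, makes the fallback apply only when context-based instantiation is unavailable. poly_name begins and ends outside this hunk.

```c
    pm = polyptr->method;
    if (pm == LEVEL || pm == CONTEXT) {
#ifdef WITH_SELINUX
        if (!(idata->flags & PAMNS_CTXT_BASED_INST)) {
#else
        {
            pam_syslog(idata->pamh, LOG_NOTICE,
                "Context and level methods not available, using user method");
#endif
            /* A shared instance cannot be expressed with the user method. */
            if (polyptr->flags & POLYDIR_SHARED) {
                rc = PAM_IGNORE;
                goto fail;
            }
            pm = USER;
        }
    }

    /* … unchanged: switch (pm) and its cases … */
```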
@@ -762,6 +981,7 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, pid_t rc, pid; sighandler_t osighand = NULL; int status; + const char *init_script = NAMESPACE_INIT_SCRIPT; osighand = signal(SIGCHLD, SIG_DFL); if (osighand == SIG_ERR) { @@ -770,8 +990,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, goto out; } - if (access(NAMESPACE_INIT_SCRIPT, F_OK) == 0) { - if (access(NAMESPACE_INIT_SCRIPT, X_OK) < 0) { + if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script) + init_script = polyptr->init_script; + + if (access(init_script, F_OK) == 0) { + if (access(init_script, X_OK) < 0) { if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Namespace init script not executable"); @@ -786,7 +1009,7 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, exit(1); } #endif - if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT, + if (execl(init_script, init_script, polyptr->dir, ipath, newdir?"1":"0", idata->user, (char *)NULL) < 0) exit(1); } else if (pid > 0) { 
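Review bot: With `init_script` now taken from `polyptr->init_script`, the only checks before `execl(init_script, init_script, ...)` are `access(init_script, F_OK)` and `access(init_script, X_OK)`; nothing in these hunks requires the path to be absolute or the file to be owned by root and not writable by group or others. The script is executed from the session-opening process, so a per-directory script deserves the same trust checks as the configuration file that names it. Where the option is parsed is outside the visible hunks, so such a check may already exist there. If it does not, a comment at the assignment such as `/* init_script comes from namespace.conf or namespace.d; must be an absolute, root-owned path */` together with an lstat()-based ownership and mode test before the fork would document and enforce it. inst_init starts and ends outside these hunks.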
@@ -818,47 +1041,116 @@ out: return rc; } +static int create_polydir(struct polydir_s *polyptr, + struct instance_data *idata) +{ + mode_t mode; + int rc; +#ifdef WITH_SELINUX + security_context_t dircon, oldcon = NULL; +#endif + const char *dir = polyptr->dir; + + if (polyptr->mode != (mode_t)ULONG_MAX) + mode = polyptr->mode; + else + mode = 0777; + +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + getfscreatecon(&oldcon); + rc = matchpathcon(dir, S_IFDIR, &dircon); + if (rc) { + pam_syslog(idata->pamh, LOG_NOTICE, + "Unable to get default context for directory %s, check your policy: %m", dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir %s context: %s", dir, (char *)dircon); + if (setfscreatecon(dircon) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error setting context for directory %s: %m", dir); + freecon(dircon); + } + matchpathcon_fini(); + } +#endif + + rc = mkdir(dir, mode); + if (rc != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating directory %s: %m", dir); + return PAM_SESSION_ERR; + } + +#ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { + if (setfscreatecon(oldcon) != 0) + pam_syslog(idata->pamh, LOG_NOTICE, + "Error resetting fs create context: %m"); + freecon(oldcon); + } +#endif + + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Created polydir %s", dir); + + if (polyptr->mode != (mode_t)ULONG_MAX) { + /* explicit mode requested */ + if (chmod(dir, mode) != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error changing mode of directory %s: %m", dir); + rmdir(dir); + return PAM_SESSION_ERR; + } + } + + if (polyptr->owner != (uid_t)ULONG_MAX) { + if (chown(dir, polyptr->owner, polyptr->group) != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Unable to change owner on directory %s: %m", dir); + rmdir(dir); + return PAM_SESSION_ERR; + } + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir owner %u group %u from 
configuration", polyptr->owner, polyptr->group); + } else { + if (chown(dir, idata->uid, idata->gid) != 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Unable to change owner on directory %s: %m", dir); + rmdir(dir); + return PAM_SESSION_ERR; + } + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir owner %u group %u", idata->uid, idata->gid); + } + + return PAM_SUCCESS; +} + /* * Create polyinstantiated instance directory (ipath). */ #ifdef WITH_SELINUX -static int create_dirs(struct polydir_s *polyptr, char *ipath, +static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, security_context_t icontext, security_context_t ocontext, struct instance_data *idata) #else -static int create_dirs(struct polydir_s *polyptr, char *ipath, +static int create_dirs(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, struct instance_data *idata) #endif { - struct stat statbuf, newstatbuf; - int rc, fd; - int newdir = 0; - - /* - * stat the directory to polyinstantiate, so its owner-group-mode - * can be propagated to instance directory - */ - rc = PAM_SUCCESS; - if (stat(polyptr->dir, &statbuf) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", - polyptr->dir); - return PAM_SESSION_ERR; - } + struct stat newstatbuf; + int fd; + int newdir = 0; /* - * Make sure we are dealing with a directory + * Check to make sure instance parent is valid. */ - if (!S_ISDIR(statbuf.st_mode)) { - pam_syslog(idata->pamh, LOG_ERR, "poly dir %s is not a dir", - polyptr->dir); - return PAM_SESSION_ERR; - } - - /* - * Check to make sure instance parent is valid. - */ - if (check_inst_parent(ipath, idata)) - return PAM_SESSION_ERR; + if (check_inst_parent(ipath, idata)) + return PAM_SESSION_ERR; /* * Create instance directory and set its security context to the context 
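Review bot: create_polydir() applies `chmod(dir, mode)` and `chown(dir, ...)` by path after `mkdir(dir, mode)`, and both calls follow symlinks, so if any parent of the polydir is writable by someone other than root the object that receives the new owner may not be the directory that was just created. create_dirs() later in this file already works on a descriptor (`fchown(fd, ...)`, `fchmod(fd, ...)`); the same pattern fits here: open the new directory with O_DIRECTORY | O_NOFOLLOW and call fchmod()/fchown() on it, using a new `int fd` local. Separately, the default `mode = 0777` leaves the resulting permissions to the process umask, which is worth a comment next to the assignment. The excerpt below shows only the rewritten tail of the function.

```c
    rc = mkdir(dir, mode);
    /* … unchanged: mkdir error handling, fs create context reset, debug log … */

    /* Pin the directory that was just created; refuse a symlink in its place. */
    fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) {
        pam_syslog(idata->pamh, LOG_ERR,
                   "Error opening directory %s: %m", dir);
        rmdir(dir);
        return PAM_SESSION_ERR;
    }

    if (polyptr->mode != (mode_t)ULONG_MAX) {
        /* explicit mode requested */
        if (fchmod(fd, mode) != 0) {
            pam_syslog(idata->pamh, LOG_ERR,
                       "Error changing mode of directory %s: %m", dir);
            close(fd);
            rmdir(dir);
            return PAM_SESSION_ERR;
        }
    }

    if (polyptr->owner != (uid_t)ULONG_MAX) {
        if (fchown(fd, polyptr->owner, polyptr->group) != 0) {
            pam_syslog(idata->pamh, LOG_ERR,
                       "Unable to change owner on directory %s: %m", dir);
            close(fd);
            rmdir(dir);
            return PAM_SESSION_ERR;
        }
        /* … unchanged: debug log of configured owner and group … */
    } else {
        if (fchown(fd, idata->uid, idata->gid) != 0) {
            pam_syslog(idata->pamh, LOG_ERR,
                       "Unable to change owner on directory %s: %m", dir);
            close(fd);
            rmdir(dir);
            return PAM_SESSION_ERR;
        }
        /* … unchanged: debug log of session user owner and group … */
    }

    close(fd);
    return PAM_SUCCESS;
```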
@@ -923,9 +1215,9 @@ static int create_dirs(struct polydir_s *polyptr, char *ipath, rmdir(ipath); return PAM_SESSION_ERR; } - if (newstatbuf.st_uid != statbuf.st_uid || - newstatbuf.st_gid != statbuf.st_gid) { - if (fchown(fd, statbuf.st_uid, statbuf.st_gid) < 0) { + if (newstatbuf.st_uid != statbuf->st_uid || + newstatbuf.st_gid != statbuf->st_gid) { + if (fchown(fd, statbuf->st_uid, statbuf->st_gid) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error changing owner for %s, %m", ipath); @@ -934,7 +1226,7 @@ static int create_dirs(struct polydir_s *polyptr, char *ipath, return PAM_SESSION_ERR; } } - if (fchmod(fd, statbuf.st_mode & 07777) < 0) { + if (fchmod(fd, statbuf->st_mode & 07777) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error changing mode for %s, %m", ipath); close(fd); @@ -951,8 +1243,10 @@ static int create_dirs(struct polydir_s *polyptr, char *ipath, */ inst_init: - rc = inst_init(polyptr, ipath, idata, newdir); - return rc; + if (polyptr->flags & POLYDIR_NOINIT) + return PAM_SUCCESS; + + return inst_init(polyptr, ipath, idata, newdir); } @@ -969,6 +1263,7 @@ static int ns_setup(struct polydir_s *polyptr, int retval = 0; char *inst_dir = NULL; char *instname = NULL; + struct stat statbuf; #ifdef WITH_SELINUX security_context_t instcontext = NULL, origcontext = NULL; #endif 
@@ -977,6 +1272,27 @@ static int ns_setup(struct polydir_s *polyptr, pam_syslog(idata->pamh, LOG_DEBUG, "Set namespace for directory %s", polyptr->dir); + while (stat(polyptr->dir, &statbuf) < 0) { + if (retval || !(polyptr->flags & POLYDIR_CREATE)) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", + polyptr->dir); + return PAM_SESSION_ERR; + } else { + if (create_polydir(polyptr, idata) != PAM_SUCCESS) + return PAM_SESSION_ERR; + retval = PAM_SESSION_ERR; /* bail out on next failed stat */ + } + } + + /* + * Make sure we are dealing with a directory + */ + if (!S_ISDIR(statbuf.st_mode)) { + pam_syslog(idata->pamh, LOG_ERR, "Polydir %s is not a dir", + polyptr->dir); + return PAM_SESSION_ERR; + } + if (polyptr->method == TMPFS) { if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", @@ -999,9 +1315,10 @@ static int ns_setup(struct polydir_s *polyptr, retval = poly_name(polyptr, &instname, idata); #endif - if (retval) { - pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); - goto error_out; + if (retval != PAM_SUCCESS) { + if (retval != PAM_IGNORE) + pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); + goto cleanup; } else { #ifdef WITH_SELINUX if ((idata->flags & PAMNS_DEBUG) && @@ -1023,10 +1340,10 @@ static int ns_setup(struct polydir_s *polyptr, * contexts, owner, group and mode bits. */ #ifdef WITH_SELINUX - retval = create_dirs(polyptr, inst_dir, instcontext, + retval = create_dirs(polyptr, inst_dir, &statbuf, instcontext, origcontext, idata); #else - retval = create_dirs(polyptr, inst_dir, idata); + retval = create_dirs(polyptr, inst_dir, &statbuf, idata); #endif if (retval < 0) { 
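Review bot: The `while (stat(polyptr->dir, &statbuf) < 0)` loop calls create_polydir() on any stat() failure, not only when the directory is missing, and it reuses `retval` as the "already tried" flag. Restricting creation to the missing-directory case keeps an EACCES or ELOOP from being answered with a mkdir: `if (retval || errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE)) {`. A dedicated local such as `int created = 0;` instead of parking PAM_SESSION_ERR in `retval` would also make it obvious that no later path can return the stale value; whether one does is not visible, because ns_setup continues outside this hunk.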
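Review bot: The result of the updated `create_dirs(polyptr, inst_dir, &statbuf, ...)` call is still tested with `if (retval < 0)`, but create_dirs() returns PAM_SUCCESS or PAM_SESSION_ERR, and Linux-PAM return codes are non-negative, so a failed instance-directory creation does not take this error branch. The check should read `if (retval != PAM_SUCCESS) {` so that ns_setup stops before it goes on to use `inst_dir`. The test is an unchanged context line and the code after it lies outside the hunk, so what follows on the failure path should be confirmed in the full file.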
@@ -1155,34 +1472,18 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) int retval = 0, need_poly = 0, changing_dir = 0; char *cptr, *fptr, poly_parent[PATH_MAX]; struct polydir_s *pptr; - uid_t req_uid; - const void *ruser_name; - struct passwd *pwd; if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d", getpid()); - retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name); - if (ruser_name == NULL || retval != PAM_SUCCESS) { - retval = PAM_SUCCESS; - req_uid = getuid(); - } else { - pwd = pam_modutil_getpwnam(idata->pamh, ruser_name); - if (pwd != NULL) { - req_uid = pwd->pw_uid; - } else { - req_uid = getuid(); - } - } - /* * Cycle through all polyinstantiated directory entries to see if * polyinstantiation is needed at all. */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { if (ns_override(pptr, idata, idata->uid)) { - if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) { + if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Overriding poly for user %d for dir %s", @@ -1191,7 +1492,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Need unmount ns for user %d for dir %s", - idata->uid, pptr->dir); + idata->ruid, pptr->dir); need_poly = 1; break; } 
@@ -1207,18 +1508,11 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) } /* - * If polyinstnatiation is needed, call the unshare system call to + * If polyinstantiation is needed, call the unshare system call to * disassociate from the parent namespace. */ if (need_poly) { - if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, - cleanup_data) != PAM_SUCCESS) { - pam_syslog(idata->pamh, LOG_ERR, - "Unable to set namespace data"); - return PAM_SYSTEM_ERR; - } if (unshare(CLONE_NEWNS) < 0) { - pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); pam_syslog(idata->pamh, LOG_ERR, "Unable to unshare from parent namespace, %m"); return PAM_SESSION_ERR; @@ -1235,7 +1529,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { enum unmnt_op dir_unmnt = unmnt; if (ns_override(pptr, idata, idata->uid)) { - if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) { + if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { continue; } else { dir_unmnt = UNMNT_ONLY; @@ -1252,7 +1546,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) * bind mounted instance_parent directory that we are trying to * umount */ - if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) { + if ((changing_dir = cwd_in(pptr->rdir, idata)) < 0) { retval = PAM_SESSION_ERR; goto out; } else if (changing_dir) { @@ -1265,7 +1559,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) * directory where original contents of the polydir * are available from */ - strcpy(poly_parent, pptr->dir); + strcpy(poly_parent, pptr->rdir); fptr = strchr(poly_parent, '/'); cptr = strrchr(poly_parent, '/'); if (fptr && cptr && (fptr == cptr)) 
@@ -1278,21 +1572,23 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) } } - if (umount(pptr->dir) < 0) { + if (umount(pptr->rdir) < 0) { int saved_errno = errno; pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", - pptr->dir); + pptr->rdir); if (saved_errno != EINVAL) { retval = PAM_SESSION_ERR; goto out; } } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", - pptr->dir); + pptr->rdir); } if (dir_unmnt != UNMNT_ONLY) { retval = ns_setup(pptr, idata); + if (retval == PAM_IGNORE) + retval = PAM_SUCCESS; if (retval != PAM_SUCCESS) break; } @@ -1300,6 +1596,12 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) out: if (retval != PAM_SUCCESS) cleanup_tmpdirs(idata); + else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, + cleanup_data) != PAM_SUCCESS) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace data"); + cleanup_tmpdirs(idata); + return PAM_SYSTEM_ERR; + } return retval; } @@ -1354,7 +1656,7 @@ static int orig_namespace(struct instance_data *idata) * The return value from this function is used when selecting the * polyinstantiation method. If context change is not requested then * the polyinstantiation method is set to USER, even if the configuration - * file lists the method as "context" or "both". + * file lists the method as "context" or "level". */ static int ctxt_based_inst_needed(void) { 
@@ -1372,6 +1674,55 @@ static int ctxt_based_inst_needed(void) #endif +static int get_user_data(struct instance_data *idata) +{ + int retval; + char *user_name; + struct passwd *pwd; + /* + * Lookup user and fill struct items + */ + retval = pam_get_item(idata->pamh, PAM_USER, (void*) &user_name ); + if ( user_name == NULL || retval != PAM_SUCCESS ) { + pam_syslog(idata->pamh, LOG_ERR, "Error recovering pam user name"); + return PAM_SESSION_ERR; + } + + pwd = pam_modutil_getpwnam(idata->pamh, user_name); + if (!pwd) { + pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name); + return PAM_USER_UNKNOWN; + } + + /* + * Add the user info to the instance data so we can refer to them later. + */ + idata->user[0] = 0; + strncat(idata->user, user_name, sizeof(idata->user) - 1); + idata->uid = pwd->pw_uid; + idata->gid = pwd->pw_gid; + + /* Fill in RUSER too */ + retval = pam_get_item(idata->pamh, PAM_RUSER, (void*) &user_name ); + if ( user_name != NULL && retval == PAM_SUCCESS && user_name[0] != '\0' ) { + strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1); + pwd = pam_modutil_getpwnam(idata->pamh, user_name); + } else { + pwd = pam_modutil_getpwuid(idata->pamh, getuid()); + } + if (!pwd) { + pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name); + return PAM_USER_UNKNOWN; + } + user_name = pwd->pw_name; + + idata->ruser[0] = 0; + strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1); + idata->ruid = pwd->pw_uid; + + return PAM_SUCCESS; +} + /* * Entry point from pam_open_session call. */ @@ -1380,8 +1731,6 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, { int i, retval; struct instance_data idata; - char *user_name; - struct passwd *pwd; enum unmnt_op unmnt = NO_UNMNT; /* init instance data */ 
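Review bot: In get_user_data(), the PAM_RUSER branch calls `strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1)` before `idata->ruser[0] = 0;` has run, so it appends to whatever the buffer already holds; unless the caller zeroes `idata.ruser` first (its initialisation is outside this hunk), strncat() scans uninitialised memory for a terminator and can write past the array. The call is redundant, because `ruser` is rebuilt from `pwd->pw_name` a few lines later, and can simply be deleted. In the same block the `user unknown '%s'` message is reached with `user_name == NULL` when PAM_RUSER is unset and the getpwuid lookup fails; log `user_name ? user_name : "(null)"` or the numeric uid there instead.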
@@ -1405,6 +1754,14 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, idata.flags |= PAMNS_IGN_CONFIG_ERR; if (strcmp(argv[i], "ignore_instance_parent_mode") == 0) idata.flags |= PAMNS_IGN_INST_PARENT_MODE; + if (strcmp(argv[i], "use_current_context") == 0) { + idata.flags |= PAMNS_USE_CURRENT_CONTEXT; + idata.flags |= PAMNS_CTXT_BASED_INST; + } + if (strcmp(argv[i], "use_default_context") == 0) { + idata.flags |= PAMNS_USE_DEFAULT_CONTEXT; + idata.flags |= PAMNS_CTXT_BASED_INST; + } if (strcmp(argv[i], "unmnt_remnt") == 0) unmnt = UNMNT_REMNT; if (strcmp(argv[i], "unmnt_only") == 0) @@ -1420,27 +1777,9 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "open_session - start"); - /* - * Lookup user and fill struct items - */ - retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name"); - return PAM_SESSION_ERR; - } - - pwd = pam_modutil_getpwnam(idata.pamh, user_name); - if (!pwd) { - pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name); - return PAM_SESSION_ERR; - } - - /* - * Add the user info to the instance data so we can refer to them later. - */ - idata.user[0] = 0; - strncat(idata.user, user_name, sizeof(idata.user) - 1); - idata.uid = pwd->pw_uid; + retval = get_user_data(&idata); + if (retval != PAM_SUCCESS) + return retval; /* * Parse namespace configuration file which lists directories to @@ -1480,8 +1819,6 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, { int i, retval; struct instance_data idata; - char *user_name; - struct passwd *pwd; void *polyptr; /* init instance data */ 
@@ -1524,27 +1861,9 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, return PAM_SUCCESS; } - /* - * Lookup user and fill struct items - */ - retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - pam_syslog(idata.pamh, LOG_ERR, "Error recovering pam user name"); - return PAM_SESSION_ERR; - } - - pwd = pam_modutil_getpwnam(idata.pamh, user_name); - if (!pwd) { - pam_syslog(idata.pamh, LOG_ERR, "user unknown '%s'", user_name); - return PAM_SESSION_ERR; - } - - /* - * Add the user info to the instance data so we can refer to them later. - */ - idata.user[0] = 0; - strncat(idata.user, user_name, sizeof(idata.user) - 1); - idata.uid = pwd->pw_uid; + retval = get_user_data(&idata); + if (retval != PAM_SUCCESS) + return retval; retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr); if (retval != PAM_SUCCESS || polyptr == NULL) diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 4b438899..bfc0da17 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include @@ -56,6 +57,8 @@ #include #include #include +#include +#include #include "security/pam_modules.h" #include "security/pam_modutil.h" #include "security/pam_ext.h" @@ -63,6 +66,7 @@ #ifdef WITH_SELINUX #include +#include #include #endif 
@@ -73,14 +77,16 @@ /* * Module defines */ -#ifndef PAM_NAMESPACE_CONFIG -#define PAM_NAMESPACE_CONFIG "/etc/security/namespace.conf" +#ifndef SECURECONF_DIR +#define SECURECONF_DIR "/etc/security/" #endif -#ifndef NAMESPACE_INIT_SCRIPT -#define NAMESPACE_INIT_SCRIPT "/etc/security/namespace.init" -#endif +#define PAM_NAMESPACE_CONFIG (SECURECONF_DIR "namespace.conf") +#define NAMESPACE_INIT_SCRIPT (SECURECONF_DIR "namespace.init") +#define NAMESPACE_D_DIR (SECURECONF_DIR "namespace.d/") +#define NAMESPACE_D_GLOB (SECURECONF_DIR "namespace.d/*.conf") +/* module flags */ #define PAMNS_DEBUG 0x00000100 /* Running in debug mode */ #define PAMNS_SELINUX_ENABLED 0x00000400 /* SELinux is enabled */ #define PAMNS_CTXT_BASED_INST 0x00000800 /* Context based instance needed */ @@ -88,6 +94,16 @@ #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ +#define PAMNS_USE_CURRENT_CONTEXT 0x00020000 /* use getcon instead of getexeccon */ +#define PAMNS_USE_DEFAULT_CONTEXT 0x00040000 /* use get_default_context instead of getexeccon */ + +/* polydir flags */ +#define POLYDIR_EXCLUSIVE 0x00000001 /* polyinstatiate exclusively for override uids */ +#define POLYDIR_CREATE 0x00000002 /* create the polydir */ +#define POLYDIR_NOINIT 0x00000004 /* no init script */ +#define POLYDIR_SHARED 0x00000008 /* share context/level instances among users */ +#define POLYDIR_ISCRIPT 0x00000010 /* non default init script */ + #define NAMESPACE_MAX_DIR_LEN 80 #define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data" 
@@ -127,11 +143,16 @@ enum unmnt_op { */ struct polydir_s { char dir[PATH_MAX]; /* directory to polyinstantiate */ + char rdir[PATH_MAX]; /* directory to unmount (based on RUSER) */ char instance_prefix[PATH_MAX]; /* prefix for instance dir path name */ enum polymethod method; /* method used to polyinstantiate */ unsigned int num_uids; /* number of override uids */ uid_t *uid; /* list of override uids */ - int exclusive; /* polyinstatiate exclusively for override uids */ + unsigned int flags; /* polydir flags */ + char *init_script; /* path to init script */ + uid_t owner; /* user which should own the polydir */ + gid_t group; /* group which should own the polydir */ + mode_t mode; /* mode of the polydir */ struct polydir_s *next; /* pointer to the next polydir entry */ }; @@ -139,6 +160,9 @@ struct instance_data { pam_handle_t *pamh; /* The pam handle for this instance */ struct polydir_s *polydirs_ptr; /* The linked list pointer */ char user[LOGIN_NAME_MAX]; /* User name */ + char ruser[LOGIN_NAME_MAX]; /* Requesting user name */ uid_t uid; /* The uid of the user */ - unsigned long flags; /* Flags for debug, selinux etc */ + gid_t gid; /* The gid of the user's primary group */ + uid_t ruid; /* The uid of the requesting user */ + unsigned long flags; /* Flags for debug, selinux etc */ }; -- cgit v1.2.3 From 0f27b084fe6c0ddeec3293ef86730b6c8d9b5120 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Wed, 13 Feb 2008 14:39:41 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-02-13 Thorsten Kukuk * modules/pam_rhosts/Makefile.am: Remove pam_rhosts_auth. * modules/pam_rhosts/pam_rhosts_auth.c: Removed. * modules/pam_rhosts/tst-pam_rhosts_auth: Removed. * modules/pam_namespace/Makefile.am (noinst_HEADERS): Add pam_namespace.h. --- ChangeLog | 17 + NEWS | 8 + modules/pam_filter/upperLOWER/upperLOWER.c | 5 +- modules/pam_namespace/Makefile.am | 2 +- modules/pam_rhosts/Makefile.am | 9 +- modules/pam_rhosts/pam_rhosts_auth.c | 782 ----------------------------- modules/pam_rhosts/tst-pam_rhosts_auth | 2 - modules/pam_unix/unix_update.c | 13 +- po/Linux-PAM.pot | 43 +- po/POTFILES.in | 1 - po/ar.po | 43 +- po/ca.po | 43 +- po/cs.po | 43 +- po/da.po | 43 +- po/de.po | 49 +- po/es.po | 43 +- po/fi.po | 43 +- po/fr.po | 43 +- po/hu.po | 43 +- po/it.po | 43 +- po/ja.po | 43 +- po/km.po | 43 +- po/nb.po | 43 +- po/nl.po | 43 +- po/pa.po | 43 +- po/pl.po | 43 +- po/pt.po | 43 +- po/pt_BR.po | 43 +- po/ru.po | 43 +- po/sv.po | 43 +- po/tr.po | 43 +- po/uk.po | 43 +- po/zh_CN.po | 43 +- po/zh_TW.po | 43 +- po/zu.po | 43 +- 35 files changed, 583 insertions(+), 1380 deletions(-) delete mode 100644 modules/pam_rhosts/pam_rhosts_auth.c delete mode 100755 modules/pam_rhosts/tst-pam_rhosts_auth diff --git a/ChangeLog b/ChangeLog index 31a1fd02..3edeaf3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2008-02-13 Thorsten Kukuk + + * modules/pam_rhosts/Makefile.am: Remove pam_rhosts_auth. + * modules/pam_rhosts/pam_rhosts_auth.c: Removed. + * modules/pam_rhosts/tst-pam_rhosts_auth: Removed. + + * modules/pam_namespace/Makefile.am (noinst_HEADERS): Add + pam_namespace.h. + 2008-02-13 Tomas Mraz * modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d 
@@ -39,6 +48,14 @@ use_default_context options. Call get_user_data(). (pam_sm_close_session): Call get_user_data(). +2008-02-06 Thorsten Kukuk + + * po/de.po: Translate some more strings. + +2008-02-05 Thorsten Kukuk + + * modules/pam_unix/unix_update.c: Remove unused declarations. + 2008-02-04 Thorsten Kukuk * libpam/pam_static_modules.h: Add _pam_sepermit_modstruct. diff --git a/NEWS b/NEWS index ea835334..4cceb634 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,7 @@ Linux-PAM NEWS -- history of user-visible changes. +Release 0.99.10.0 + * New substack directive in config file syntax. * New module pam_tty_audit.so for enabling and disabling tty auditing. @@ -12,17 +14,23 @@ Linux-PAM NEWS -- history of user-visible changes. SELinux mode. * Improved functionality of pam_namespace.so module (method flags, namespace.d configuration directory, new options). +* Finaly removed deprecated pam_rhosts_auth module. + Release 0.99.9.0 + * misc_conv no longer blocks SIGINT; applications that don't want user-interruptable prompts should block SIGINT themselves * Merge fixes from Debian * Fix parser for pam_group and pam_time + Release 0.99.8.1 + * Fix a regression in audit code introduced with last release * Fix compiling with --disable-nls + Release 0.99.8.0 * Add translations for ar, ca, da, ru, sv and zu. diff --git a/modules/pam_filter/upperLOWER/upperLOWER.c b/modules/pam_filter/upperLOWER/upperLOWER.c index c0fc5b17..0ede4a0d 100644 --- a/modules/pam_filter/upperLOWER/upperLOWER.c +++ b/modules/pam_filter/upperLOWER/upperLOWER.c @@ -7,6 +7,7 @@ #include "config.h" +#include #include #include #include @@ -15,14 +16,10 @@ #include #include "pam_filter.h" -#include -#include #include /* ---------------------------------------------------------------- */ -#include - static void do_transpose(char *buffer,int len) { int i; diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index e8598e8f..05d47cf3 100644 --- a/modules/pam_namespace/Makefile.am 
+++ b/modules/pam_namespace/Makefile.am @@ -15,7 +15,7 @@ endif EXTRA_DIST = README namespace.conf namespace.init $(MAN5) $(MAN8) $(XMLS) tst-pam_namespace -noinst_HEADERS = md5.h argv_parse.h +noinst_HEADERS = md5.h pam_namespace.h argv_parse.h securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am index 26fdf9c6..547ad621 100644 --- a/modules/pam_rhosts/Makefile.am +++ b/modules/pam_rhosts/Makefile.am @@ -1,12 +1,12 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk # CLEANFILES = *~ -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts -TESTS = tst-pam_rhosts_auth tst-pam_rhosts +TESTS = tst-pam_rhosts man_MANS = pam_rhosts.8 @@ -21,8 +21,7 @@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la -pam_rhosts_auth_la_LIBADD = -L$(top_builddir)/libpam -lpam +securelib_LTLIBRARIES = pam_rhosts.la pam_rhosts_la_LIBADD = -L$(top_builddir)/libpam -lpam if ENABLE_REGENERATE_MAN diff --git a/modules/pam_rhosts/pam_rhosts_auth.c b/modules/pam_rhosts/pam_rhosts_auth.c deleted file mode 100644 index db28290a..00000000 --- a/modules/pam_rhosts/pam_rhosts_auth.c +++ /dev/null 
@@ -1,782 +0,0 @@ -/*---------------------------------------------------------------------- - * Modified for Linux-PAM by Al Longyear 96/5/5 - * Modifications, Cristian Gafton 97/2/8 - * Modifications, Peter Allgeyer 97/3 - * Modifications (netgroups and fixes), Nicolai Langfeldt 97/3/21 - * Security fix: 97/10/2 - gethostbyname called repeatedly without care - * Modification (added privategroup option) Andrew - *---------------------------------------------------------------------- - * Copyright (c) 1983, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "config.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_SYS_FSUID_H -#include -#endif /* HAVE_SYS_FSUID_H */ -#ifdef HAVE_NET_IF_H -#include -#endif -#include -#include -#include - -#ifndef MAXDNAME -#define MAXDNAME 256 -#endif - -#ifndef _PATH_HEQUIV -#define _PATH_HEQUIV "/etc/hosts.equiv" -#endif /* _PATH_HEQUIV */ - -#define USER_RHOSTS_FILE "/.rhosts" /* prefixed by user's home dir */ - -#define PAM_SM_AUTH /* only defines this management group */ - -#include -#include -#include -#include - -/* - * Options for this module - */ - -struct _options { - int opt_no_hosts_equiv; - int opt_hosts_equiv_rootok; - int opt_no_rhosts; - int opt_debug; - int opt_nowarn; - int opt_disallow_null_authtok; - int opt_silent; - int opt_promiscuous; - int opt_suppress; - int opt_private_group; - int opt_no_uid_check; - const char *superuser; - const char *last_error; -}; - -static void -set_option (const pam_handle_t *pamh, struct _options *opts, const char *arg) -{ - if (strcmp(arg, "no_hosts_equiv") == 0) { - opts->opt_no_hosts_equiv = 1; - return; - } - - if (strcmp(arg, "hosts_equiv_rootok") == 0) { - opts->opt_hosts_equiv_rootok = 1; - return; - } - - if (strcmp(arg, "no_rhosts") == 0) { - opts->opt_no_rhosts = 1; - return; - } - - if (strcmp(arg, "debug") == 0) { - 
D(("debugging enabled")); - opts->opt_debug = 1; - return; - } - - if (strcmp(arg, "no_warn") == 0) { - opts->opt_nowarn = 1; - return; - } - - if (strcmp(arg, "promiscuous") == 0) { - opts->opt_promiscuous = 1; /* used to permit '+' in ...hosts file */ - return; - } - - if (strcmp(arg, "suppress") == 0) { - opts->opt_suppress = 1; /* used to suppress failure warning message */ - return; - } - - if (strcmp(arg, "privategroup") == 0) { - opts->opt_private_group = 1; /* used to permit group write on .rhosts - file if group has same name as owner */ - return; - } - - if (strcmp(arg, "no_uid_check") == 0) { - opts->opt_no_uid_check = 1; /* NIS optimization */ - return; - } - - if (strncmp(arg, "superuser=", sizeof("superuser=")-1) == 0) { - opts->superuser = arg+sizeof("superuser=")-1; - return; - } - /* - * All other options are ignored at the present time. - */ - pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", arg); -} - -static void -set_parameters (const pam_handle_t *pamh, struct _options *opts, - int flags, int argc, const char **argv) -{ - opts->opt_silent = flags & PAM_SILENT; - opts->opt_disallow_null_authtok = flags & PAM_DISALLOW_NULL_AUTHTOK; - - while (argc-- > 0) { - set_option (pamh, opts, *argv); - ++argv; - } -} - -/* - * Obtain the name of the remote host. Currently, this is simply by - * requesting the contents of the PAM_RHOST item. - */ - -static int -pam_get_rhost (pam_handle_t *pamh, const char **rhost) -{ - int retval; - const void *current; - - retval = pam_get_item (pamh, PAM_RHOST, ¤t); - if (retval != PAM_SUCCESS) - return retval; - - if (current == NULL) { - return PAM_AUTH_ERR; - } - *rhost = current; - - return retval; /* pass on any error from conversation */ -} - -/* - * Obtain the name of the remote user. Currently, this is simply by - * requesting the contents of the PAM_RUSER item. 
- */ - -static int -pam_get_ruser(pam_handle_t *pamh, const char **ruser) -{ - int retval; - const void *current; - - retval = pam_get_item (pamh, PAM_RUSER, ¤t); - if (retval != PAM_SUCCESS) { - return retval; - } - - if (current == NULL) { - return PAM_AUTH_ERR; - } - *ruser = current; - - return retval; /* pass on any error from conversation */ -} - -/* - * Returns 1 if positive match, 0 if no match, -1 if negative match. - */ - -static int -__icheckhost (pam_handle_t *pamh, struct _options *opts, u_int32_t raddr - , register char *lhost, const char *rhost) -{ - struct hostent *hp; - u_int32_t laddr; - int negate=1; /* Multiply return with this to get -1 instead of 1 */ - char **pp; - const void *user; - - /* Check nis netgroup. We assume that pam has done all needed - paranoia checking before we are handed the rhost */ - if (strncmp("+@",lhost,2) == 0) - return(innetgr(&lhost[2],rhost,NULL,NULL)); - - if (strncmp("-@",lhost,2) == 0) - return(-innetgr(&lhost[2],rhost,NULL,NULL)); - - /* -host */ - if (strncmp("-",lhost,1) == 0) { - negate=-1; - lhost++; - } else if (strcmp("+",lhost) == 0) { - (void) pam_get_item(pamh, PAM_USER, &user); - D(("user %s has a `+' host entry", user)); - if (opts->opt_promiscuous) - return (1); /* asking for trouble, but ok.. */ - /* If not promiscuous: handle as negative */ - return (-1); - } else if (strncmp("+",lhost,1) == 0) { - /* '+hostname' is supposed to be equivalent to 'hostname' */ - lhost++; - } - - - /* Try for raw ip address first. */ - if (isdigit(*lhost) && (int32_t)(laddr = inet_addr(lhost)) != -1) - return (negate*(! (raddr ^ laddr))); - - /* Better be a hostname. */ - hp = gethostbyname(lhost); - if (hp == NULL) - return (0); - - /* Spin through ip addresses. */ - for (pp = hp->h_addr_list; *pp; ++pp) - if (!memcmp (&raddr, *pp, sizeof (u_int32_t))) - return (negate); - - /* No match. 
*/ - return (0); -} - -/* Returns 1 on positive match, 0 on no match, -1 on negative match */ - -static int -__icheckuser (pam_handle_t *pamh, struct _options *opts, - const char *luser, const char *ruser) -{ - /* - luser is user entry from .rhosts/hosts.equiv file - ruser is user id on remote host - */ - const void *user; - - /* [-+]@netgroup */ - if (strncmp("+@",luser,2) == 0) - return (innetgr(&luser[2],NULL,ruser,NULL)); - - if (strncmp("-@",luser,2) == 0) - return (-innetgr(&luser[2],NULL,ruser,NULL)); - - /* -user */ - if (strncmp("-",luser,1) == 0) - return(-(strcmp(&luser[1],ruser) == 0)); - - /* + */ - if (strcmp("+",luser) == 0) { - (void) pam_get_item(pamh, PAM_USER, &user); - pam_syslog(pamh, LOG_WARNING, "user %s has a `+' user entry", - (const char *) user); - if (opts->opt_promiscuous) - return(1); - /* If not promiscuous we handle it as a negative match */ - return(-1); - } - - /* simple string match */ - return (strcmp(ruser, luser) == 0); -} - -/* - * Returns 1 for blank lines (or only comment lines) and 0 otherwise - */ - -static int __isempty(char *p) -{ - while (*p && isspace(*p)) { - ++p; - } - - return (*p == '\0' || *p == '#') ? 1:0 ; -} - -/* - * Returns 0 if positive match, 1 if _not_ ok. - */ - -static int -__ivaliduser (pam_handle_t *pamh, struct _options *opts, - FILE *hostf, u_int32_t raddr, - const char *luser, const char *ruser, const char *rhost) -{ - register const char *user; - register char *p; - int hcheck, ucheck; - int retval = 1; -#ifdef HAVE_GETLINE - char *buf=NULL; - size_t buflen=0; - - while (getline(&buf,&buflen,hostf) > 0) { -#else - char buf[MAXHOSTNAMELEN + 128]; /* host + login */ - - while (fgets(buf, sizeof(buf), hostf) != NULL) { /* hostf file line */ -#endif - p = buf; /* from beginning of file.. */ - - /* Skip empty or comment lines */ - if (__isempty(p)) { - continue; - } - - /* Skip lines that are too long. 
*/ - if (strchr(p, '\n') == NULL) { - int ch = getc(hostf); - - while (ch != '\n' && ch != EOF) - ch = getc(hostf); - continue; - } - - /* - * If there is a hostname at the start of the line. Set it to - * lower case. A leading ' ' or '\t' indicates no hostname - */ - - for (;*p && !isspace(*p); ++p) { - *p = tolower(*p); - } - - /* - * next we want to find the permitted name for the remote user - */ - - if (*p == ' ' || *p == '\t') { - - /* terminate hostname and skip spaces */ - for (*p++='\0'; *p && isspace(*p); ++p); - - user = p; /* this is the user's name */ - while (*p && !isspace(*p)) - ++p; /* find end of user's name */ - } else - user = p; - - *p = '\0'; /* terminate username (+host?) */ - - /* buf -> host(?) ; user -> username(?) */ - - /* First check host part */ - hcheck=__icheckhost(pamh, opts, raddr, buf, rhost); - - if (hcheck<0) - break; - - if (hcheck) { - /* Then check user part */ - if (! (*user)) - user = luser; - - ucheck=__icheckuser(pamh, opts, user, ruser); - - /* Positive 'host user' match? */ - if (ucheck>0) { - retval = 0; - break; - } - - /* Negative 'host -user' match? */ - if (ucheck<0) - break; - - /* Neither, go on looking for match */ - } - } -#ifdef HAVE_GETLINE - if(buf)free(buf); -#endif - - return retval; -} - -/* - * New .rhosts strategy: We are passed an ip address. We spin through - * hosts.equiv and .rhosts looking for a match. When the .rhosts only - * has ip addresses, we don't have to trust a nameserver. When it - * contains hostnames, we spin through the list of addresses the nameserver - * gives us and look for a match. - * - * Returns 0 if ok, -1 if not ok. 
- */ - -static int -pam_iruserok(pam_handle_t *pamh, - struct _options *opts, u_int32_t raddr, int superuser, - const char *ruser, const char *luser, const char *rhost) -{ - const char *cp; - struct stat sbuf; - struct passwd *pwd; - FILE *hostf; - uid_t uid; - int answer; - char *fpath; - - if ((!superuser||opts->opt_hosts_equiv_rootok) && !opts->opt_no_hosts_equiv ) { - - /* try to open system hosts.equiv file */ - hostf = fopen (_PATH_HEQUIV, "r"); - if (hostf) { - answer = __ivaliduser(pamh, opts, hostf, raddr, luser - , ruser, rhost); - (void) fclose(hostf); - if (answer == 0) - return 0; /* remote host is equivalent to localhost */ - } /* else { - No hosts.equiv file on system. - } */ - } - - if ( opts->opt_no_rhosts ) - return 1; - - /* - * Identify user's local .rhosts file - */ - - pwd = pam_modutil_getpwnam(pamh, luser); - if (pwd == NULL) { - /* - * luser is assumed to be valid because of an earlier check for uid = 0 - * we don't log this error twice. However, this shouldn't happen ! - * --cristiang - */ - return(1); - } - - if (asprintf (&fpath, "%s%s", pwd->pw_dir, USER_RHOSTS_FILE) < 0) { - pam_syslog (pamh, LOG_ALERT, "Running out of memory"); - return 1; - } - - /* - * Change effective uid while _reading_ .rhosts. (not just - * opening). If root and reading an NFS mounted file system, - * can't read files that are 0600 as .rhosts files should be. - */ - - /* We are root, this will not fail */ -#ifdef __linux__ - /* If we are on linux the better way is setfsuid */ - uid = setfsuid(pwd->pw_uid); - hostf = fopen(fpath, "r"); -#else - uid = geteuid(); - (void) seteuid(pwd->pw_uid); - hostf = fopen(fpath, "r"); -#endif - - if (hostf == NULL) { - if (opts->opt_debug) - pam_syslog(pamh, LOG_DEBUG, "Could not open %s: %m", fpath); - answer = 1; - goto exit_function; - } - - /* - * If not a regular file, or is owned by someone other than - * user or root or if writeable by anyone but the owner, quit. 
- */ - - cp = NULL; - if (lstat(fpath, &sbuf) < 0 || !S_ISREG(sbuf.st_mode)) - cp = ".rhosts not regular file"; - else if (fstat(fileno(hostf), &sbuf) < 0) - cp = ".rhosts fstat failed"; - else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) - cp = "bad .rhosts owner"; - else if (sbuf.st_mode & S_IWOTH) - cp = ".rhosts writable by other!"; - else if (sbuf.st_mode & S_IWGRP) { - - /* private group caveat */ - if (opts->opt_private_group) { - struct group *grp = pam_modutil_getgrgid(pamh, sbuf.st_gid); - - if (NULL == grp || NULL == grp->gr_name - || strcmp(luser,grp->gr_name)) { - cp = ".rhosts writable by public group"; - } else if (grp->gr_mem) { - int gcount; - - /* require at most one member (luser) of this group */ - for (gcount=0; grp->gr_mem[gcount]; ++gcount) { - if (strcmp(grp->gr_mem[gcount], luser)) { - gcount = -1; - break; - } - } - if (gcount < 0) { - cp = ".rhosts writable by other members of group"; - } - } - } else { - cp = ".rhosts writable by group"; - } - - } /* It is _NOT_ safe to append an else here... Do so prior to - * S_IWGRP check */ - - /* If there were any problems, quit. */ - if (cp) { - opts->last_error = cp; - answer = 1; - goto exit_function; - } - - answer = __ivaliduser (pamh, opts, hostf, raddr, luser, ruser, rhost); - -exit_function: - /* - * Go here to exit after the fsuid/euid has been adjusted so that - * they are reset before we exit. 
- */ - -#ifdef __linux__ - setfsuid(uid); -#else - (void)seteuid(uid); -#endif - - free (fpath); - - if (hostf != NULL) - (void) fclose(hostf); - - return answer; -} - -static int -pam_ruserok (pam_handle_t *pamh, - struct _options *opts, const char *rhost, int superuser, - const char *ruser, const char *luser) -{ - struct hostent *hp; - int answer = 1; /* default to failure */ - u_int32_t *addrs; - int n, i; - - opts->last_error = (char *) 0; - hp = gethostbyname(rhost); /* identify host */ - - if (hp != NULL) { - /* First of all check the address length */ - if (hp->h_length != 4) { - pam_syslog(pamh, LOG_ALERT, - "pam_rhosts module can't work with non-IPv4 addresses"); - return 1; /* not allowed */ - } - - /* loop though address list */ - for (n = 0; hp->h_addr_list[n]; n++); - D(("rhosts: %d addresses", n)); - - if (n) { - addrs = calloc (n, hp->h_length); - for (i = 0; i < n; i++) - memcpy (addrs+i, hp->h_addr_list[i], hp->h_length); - - for (i = 0; i < n && answer; i++) { - D(("rhosts: address %d is %04x", i, addrs[i])); - answer = pam_iruserok(pamh, opts, addrs[i], superuser, - ruser, luser, rhost); - /* answer == 0 means success */ - } - - free (addrs); - } - } - - return answer; -} - -/* - * Internal function to do authentication - */ - -static int _pam_auth_rhosts (pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - int retval; - const char *luser = NULL; - const char *ruser = NULL, *rhost = NULL; - struct _options opts; - int as_root = 0; - - /* - * Look at the options and set the flags accordingly. 
- */ - memset (&opts, 0, sizeof (opts)); - set_parameters (pamh, &opts, flags, argc, argv); - /* - * Obtain the parameters for the various items - */ - for (;;) { /* abuse loop to avoid goto */ - - /* get the remotehost */ - D(("getting rhost")); - retval = pam_get_rhost(pamh, &rhost); - (void) pam_set_item(pamh, PAM_RHOST, rhost); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) { - pam_syslog(pamh, LOG_DEBUG, - "could not get the remote host name"); - } - break; - } - - /* get the remote user */ - D(("getting ruser")); - retval = pam_get_ruser(pamh, &ruser); - (void) pam_set_item(pamh, PAM_RUSER, ruser); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) - pam_syslog(pamh, LOG_DEBUG, - "could not get the remote username"); - break; - } - - /* get the local user */ - D(("getting user")); - retval = pam_get_user(pamh, &luser, NULL); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) - pam_syslog(pamh, LOG_DEBUG, - "could not determine name of local user"); - break; - } - - if (opts.superuser && !strcmp(opts.superuser, luser)) { - as_root = 1; - } - - /* check if the luser uid == 0... --cristiang */ - if (! opts.opt_no_uid_check) { - struct passwd *luser_pwd; - - luser_pwd = pam_modutil_getpwnam(pamh, luser); - if (luser_pwd == NULL) { - if (opts.opt_debug) - pam_syslog(pamh, LOG_DEBUG, - "user '%s' unknown to this system", luser); - retval = PAM_AUTH_ERR; - break; - } - if (luser_pwd->pw_uid == 0) - as_root = 1; - luser_pwd = NULL; /* forget */ - } -/* - * Validate the account information. - */ - if (pam_ruserok (pamh, &opts, rhost, as_root, ruser, luser) != 0) { - if ( !opts.opt_suppress ) { - pam_syslog(pamh, LOG_WARNING, "denied to %s@%s as %s: %s", - ruser, rhost, luser, (opts.last_error==NULL) ? 
- "access not allowed":opts.last_error); - } - retval = PAM_AUTH_ERR; - } else { - pam_syslog(pamh, LOG_NOTICE, "allowed to %s@%s as %s", - ruser, rhost, luser); - } - break; - } - - return retval; -} - -/* --- authentication management functions --- */ - -PAM_EXTERN -int pam_sm_authenticate (pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - int retval; - - if (sizeof(u_int32_t) != 4) { - pam_syslog (pamh, LOG_ALERT, - "pam_rhosts module can\'t work on this hardware (yet)"); - return PAM_AUTH_ERR; - } - sethostent(1); - retval = _pam_auth_rhosts (pamh, flags, argc, argv); - endhostent(); - return retval; -} - -PAM_EXTERN int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - return PAM_SUCCESS; -} - -/* end of module definition */ - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_rhosts_auth_modstruct = { - "pam_rhosts_auth", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif diff --git a/modules/pam_rhosts/tst-pam_rhosts_auth b/modules/pam_rhosts/tst-pam_rhosts_auth deleted file mode 100755 index 6b14ec51..00000000 --- a/modules/pam_rhosts/tst-pam_rhosts_auth +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -../../tests/tst-dlopen .libs/pam_rhosts_auth.so diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 6dc8ace4..595b7f8b 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -26,13 +26,6 @@ #include #include #include -#ifdef WITH_SELINUX -#include -#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) -static int selinux_enabled=-1; -#else -#define SELINUX_ENABLED 0 -#endif #include #include 
@@ -71,13 +64,13 @@ set_password(const char *forwho, const char *shadow, const char *remember) return PAM_AUTHTOK_LOCK_BUSY; pwd = getpwnam(forwho); - + if (pwd == NULL) { retval = PAM_USER_UNKNOWN; goto done; } - /* does pass agree with the official one? + /* does pass agree with the official one? we always allow change from null pass */ retval = helper_verify_password(forwho, pass, 1); if (retval != PAM_SUCCESS) { @@ -146,7 +139,7 @@ int main(int argc, char *argv[]) if (geteuid() != 0) { return PAM_CRED_INSUFFICIENT; } - + option = argv[2]; if (strcmp(option, "update") == 0) { diff --git a/po/Linux-PAM.pot b/po/Linux-PAM.pot index a5d0922b..14855268 100644 --- a/po/Linux-PAM.pot +++ b/po/Linux-PAM.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -30,7 +30,7 @@ msgstr "" msgid "erroneous conversation (%d)\n" msgstr "" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "" 
@@ -228,17 +228,17 @@ msgstr "" msgid "BAD PASSWORD: %s" msgstr "" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" @@ -459,28 +459,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "" msgstr[1] "" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, c-format msgid "Warning: your password will expire in %d days" msgstr "" 
@@ -489,35 +488,35 @@ msgstr "" msgid "Password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, c-format msgid "Changing password for %s." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "" diff --git a/po/POTFILES.in b/po/POTFILES.in index 12a2d75c..7887aad7 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -58,7 +58,6 @@ ./modules/pam_namespace/pam_namespace.c ./modules/pam_nologin/pam_nologin.c ./modules/pam_permit/pam_permit.c -./modules/pam_rhosts/pam_rhosts_auth.c ./modules/pam_rhosts/pam_rhosts.c ./modules/pam_rootok/pam_rootok.c ./modules/pam_securetty/pam_securetty.c diff --git a/po/ar.po b/po/ar.po index 2734bcbe..024da797 100644 --- a/po/ar.po +++ b/po/ar.po 
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2001-07-13 15:36+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -29,7 +29,7 @@ msgstr "...عذرًا، انتهى الوقت!\n" msgid "erroneous conversation (%d)\n" msgstr "محادثة خاطئة (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "تسجيل الدخول:" @@ -212,12 +212,12 @@ msgid "has been already used" msgstr "كلمة السر مستخدمة بالفعل" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "لم يتم إدخال كلمة السر" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "لم يتم تغيير كلمة السر" @@ -227,17 +227,17 @@ msgstr "لم يتم تغيير كلمة السر" msgid "BAD PASSWORD: %s" msgstr "كلمة سر سيئة: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -464,28 +464,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: لا يمكن إعادة تعيين كافة المستخدمين إلى رقم غير الصفر\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "انتهت مدة صلاحية الحساب الخاص بك؛ الرجاء الاتصال بمسؤول النظام" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "مطلوب منك تغيير كلمة السر على الفور (مفروض بواسطة المسؤول)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "مطلوب منك تغيير كلمة السر على الفور (كلمة السر قديمة جدًا)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "تحذير: سوف تنتهي مدة صلاحية كلمة السر الخاصة بك خلال %d يوم%.2s" msgstr[1] "تحذير: سوف تنتهي مدة صلاحية كلمة السر الخاصة بك خلال %d يوم%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "تحذير: سوف تنتهي مدة صلاحية كلمة السر الخاصة بك خلال %d يوم%.2s" 
@@ -494,36 +493,36 @@ msgstr "تحذير: سوف تنتهي مدة صلاحية كلمة السر ال msgid "Password: " msgstr "كلمة السر: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "تعذر تغيير كلمة السر الخاصة بـ NIS." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "يجب اختيار كلمة سر أطول" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "كلمة السر التي تم إدخالها مستخدمة بالفعل. اختر كلمة سر أخرى." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "تغيير كلمة سر STRESS لـ" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "كلمة سر UNIX (الحالية): " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "يجب الانتظار فترة أطول لتغيير كلمة السر" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "أدخل كلمة سر UNIX الجديدة: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "أعد كتابة كلمة سر UNIX الجديدة: " diff --git a/po/ca.po b/po/ca.po index a23ca548..ff631577 100644 --- a/po/ca.po +++ b/po/ca.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2007-02-22 20:57+0100\n" "Last-Translator: Anna \n" "Language-Team: Catalan\n" 
@@ -30,7 +30,7 @@ msgstr "...S'ha acabat el temps.\n" msgid "erroneous conversation (%d)\n" msgstr "conversa errònia (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "entrada:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "ja s'ha fet servir" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "No s'ha proporcionat cap contrasenya" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "No s'ha canviat la contrasenya" @@ -229,17 +229,17 @@ msgstr "No s'ha canviat la contrasenya" msgid "BAD PASSWORD: %s" msgstr "CONTRASENYA INCORRECTA: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -467,29 +467,28 @@ msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: no es poden restablir tots els usuaris a un valor diferent de zero\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "El vostre compte ha caducat. Contacteu amb l'administrador del sistema" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" "Heu de canviar la contrasenya immediatament (us hi obliga l'usuari primari)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Heu de canviar la contrasenya immediatament (la contrasenya és antiga)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Atenció: la contrasenya venç d'aquí a %d dia%.2s" msgstr[1] "Atenció: la contrasenya venç d'aquí a %d dia%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Atenció: la contrasenya venç d'aquí a %d dia%.2s" 
@@ -498,36 +497,36 @@ msgstr "Atenció: la contrasenya venç d'aquí a %d dia%.2s"
 msgid "Password: "
 msgstr "Contrasenya: "
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "No s'ha pogut canviar la contrasenya NIS."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Heu de triar una contrasenya més llarga"
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "Aquesta contrasenya ja s'ha fet servir. Trieu-ne una altra."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, fuzzy, c-format
 msgid "Changing password for %s."
 msgstr "S'està canviant la contrasenya d'STRESS per a "
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "contrasenya (actual) d'UNIX: "
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Heu d'esperar més temps abans de canviar la contrasenya"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Introduïu la nova contrasenya d'UNIX: "
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Torneu a escriure la nova contrasenya d'UNIX: "
diff --git a/po/cs.po b/po/cs.po
index 386883a5..efa1d68e 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Linux-PAM\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
 "PO-Revision-Date: 2007-10-01 15:54+0100\n"
 "Last-Translator: Tomas Mraz \n"
 "Language-Team: cs_CZ \n"
@@ -30,7 +30,7 @@ msgstr "...Čas vypršel!\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "nesprávná konverzace (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "login:"
@@ -213,12 +213,12 @@ msgid "has been already used"
 msgstr "již bylo použito"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "Nezadáno heslo"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "Heslo nebylo změněno"
@@ -228,17 +228,17 @@ msgstr "Heslo nebylo změněno"
 msgid "BAD PASSWORD: %s"
 msgstr "ŠPATNÉ HESLO: %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, c-format
 msgid "%s failed: exit code %d"
 msgstr "%s selhal: návratový kód %d"
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr "%s selhal: dostal signál %d%s"
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr "%s selhal: neznámý kód stavu 0x%x"
@@ -462,19 +462,19 @@ msgstr ""
 msgid "%s: Can't reset all users to non-zero\n"
 msgstr "%s: Nelze resetovat všechny uživatele nenulově\n"
-#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302
+#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251
 msgid "Your account has expired; please contact your system administrator"
 msgstr "Váš účet vypršel; kontaktujte prosím svého správce systému"
-#: modules/pam_unix/pam_unix_acct.c:284
+#: modules/pam_unix/pam_unix_acct.c:237
 msgid "You are required to change your password immediately (root enforced)"
 msgstr "Musíte okamžitě změnit své heslo (vynuceno rootem)"
-#: modules/pam_unix/pam_unix_acct.c:311
+#: modules/pam_unix/pam_unix_acct.c:243
 msgid "You are required to change your password immediately (password aged)"
 msgstr "Musíte okamžitě změnit své heslo (heslo vypršelo)"
-#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331
+#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268
 #, c-format
 msgid "Warning: your password will expire in %d day"
 msgid_plural "Warning: your password will expire in %d days"
@@ -482,9 +482,8 @@ msgstr[0] "Varování: Vaše heslo vyprší za %d den"
 msgstr[1] "Varování: Vaše heslo vyprší za %d dny"
 msgstr[2] "Varování: Vaše heslo vyprší za %d dní"
-#. TRANSLATORS: only used if dngettext is not support
-#. ed
-#: modules/pam_unix/pam_unix_acct.c:337
+#. TRANSLATORS: only used if dngettext is not supported
+#: modules/pam_unix/pam_unix_acct.c:273
 #, c-format
 msgid "Warning: your password will expire in %d days"
 msgstr "Varování: Počet dní do vypršení hesla: %d"
@@ -493,35 +492,35 @@ msgstr "Varování: Počet dní do vypršení hesla: %d"
 msgid "Password: "
 msgstr "Heslo: "
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "NIS heslo se nepodařilo změnit."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Musíte zvolit delší heslo"
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "Heslo již bylo použito. Zvolte jiné."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, c-format
 msgid "Changing password for %s."
 msgstr "Změna hesla pro %s."
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "(současné) UNIX heslo: "
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Na změnu svého hesla musíte počkat déle"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Zadejte nové UNIX heslo: "
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Opakujte nové UNIX heslo: "
diff --git a/po/da.po b/po/da.po
index 0662bcb1..58630763 100644
--- a/po/da.po
+++ b/po/da.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: @PACKAGE@\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
 "PO-Revision-Date: 2005-08-16 20:00+0200\n"
 "Last-Translator: Novell Language \n"
 "Language-Team: Novell Language \n"
@@ -31,7 +31,7 @@ msgstr "...Din tid er desværre gået!\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "konversationsfejl (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "login:"
@@ -217,12 +217,12 @@ msgid "has been already used"
 msgstr "er allerede blevet brugt"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "Der er ikke angivet nogen adgangskode"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "Adgangskoden er uændret"
@@ -232,17 +232,17 @@ msgstr "Adgangskoden er uændret"
 msgid "BAD PASSWORD: %s"
 msgstr "DÅRLIG ADGANGSKODE: %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, fuzzy, c-format
 msgid "%s failed: exit code %d"
 msgstr "'{0}' script mislykkedes med afslutningskode '{1}'"
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr ""
@@ -471,28 +471,27 @@ msgstr ""
 msgid "%s: Can't reset all users to non-zero\n"
 msgstr "%s: Alle brugere kunne ikke nulstilles til ikke-nul\n"
-#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302
+#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251
 msgid "Your account has expired; please contact your system administrator"
 msgstr "Din konto er udløbet. Kontakt din systemadministrator"
-#: modules/pam_unix/pam_unix_acct.c:284
+#: modules/pam_unix/pam_unix_acct.c:237
 msgid "You are required to change your password immediately (root enforced)"
 msgstr "Du skal omgående ændre din adgangskode (gennemtvunget af roden)"
-#: modules/pam_unix/pam_unix_acct.c:311
+#: modules/pam_unix/pam_unix_acct.c:243
 msgid "You are required to change your password immediately (password aged)"
 msgstr "Du skal omgående ændre din adgangskode (for gammel adgangskode)"
-#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331
+#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d day"
 msgid_plural "Warning: your password will expire in %d days"
 msgstr[0] "Advarsel: Din adgangskode udløber om %d dage%.2s"
 msgstr[1] "Advarsel: Din adgangskode udløber om %d dage%.2s"
-#. TRANSLATORS: only used if dngettext is not support
-#. ed
-#: modules/pam_unix/pam_unix_acct.c:337
+#. TRANSLATORS: only used if dngettext is not supported
+#: modules/pam_unix/pam_unix_acct.c:273
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d days"
 msgstr "Advarsel: Din adgangskode udløber om %d dage%.2s"
@@ -501,36 +500,36 @@ msgstr "Advarsel: Din adgangskode udløber om %d dage%.2s"
 msgid "Password: "
 msgstr "Adgangskode: "
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "NIS-adgangskoden kunne ikke ændres."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Du skal vælge en længere adgangskode"
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "Adgangskoden er allerede blevet brugt. Vælg en anden."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, fuzzy, c-format
 msgid "Changing password for %s."
 msgstr "Ændrer STRESS-adgangskode for"
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "(nuværende) UNIX-adgangskode: "
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Du skal vente lidt længere for at ændre din adgangskode"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Indtast ny UNIX-adgangskode: "
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Genindtast ny UNIX-adgangskode: "
diff --git a/po/de.po b/po/de.po
index 2126a361..9f81c254 100644
--- a/po/de.po
+++ b/po/de.po
@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Linux-PAM\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
-"PO-Revision-Date: 2008-01-07 14:59+01:00\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
+"PO-Revision-Date: 2008-02-06 15:19+01:00\n"
 "Last-Translator: Novell Language \n"
 "Language-Team: Novell Language \n"
 "MIME-Version: 1.0\n"
@@ -29,7 +29,7 @@ msgstr "...Ihre Zeit ist abgelaufen.\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "fehlerhafte Kommunikation (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "login:"
@@ -216,12 +216,12 @@ msgid "has been already used"
 msgstr "es wurde bereits verwendet"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "Kein Passwort angegeben"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "Passwort nicht geändert"
@@ -231,17 +231,17 @@ msgstr "Passwort nicht geändert"
 msgid "BAD PASSWORD: %s"
 msgstr "Schlechtes Passwort: %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, c-format
 msgid "%s failed: exit code %d"
 msgstr "%s schlug fehl: Fehlercode %d"
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr "%s schlug fehl: Signal %d%s erhalten"
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr "%s schlug fehl: Unbekannter Status 0x%x"
@@ -326,7 +326,7 @@ msgstr "Verzeichnis %s kann nicht erstellt werden: %m"
 #: modules/pam_selinux/pam_selinux.c:94
 msgid "Error connecting to audit system."
-msgstr ""
+msgstr "Fehler beim Zugriff auf das Audit-Subsystem."
 #: modules/pam_selinux/pam_selinux.c:98
 msgid "Error translating default context."
@@ -338,7 +338,7 @@ msgstr ""
 #: modules/pam_selinux/pam_selinux.c:113
 msgid "Error sending audit message."
-msgstr ""
+msgstr "Fehler beim Schreiben einer Audit-Meldung."
 #: modules/pam_selinux/pam_selinux.c:164
 msgid "Would you like to enter a security context? [N] "
@@ -464,28 +464,27 @@ msgid "%s: Can't reset all users to non-zero\n"
 msgstr ""
 "%s: Es können nicht alle Benutzer auf Nicht-null zurückgesetzt werden\n"
-#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302
+#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251
 msgid "Your account has expired; please contact your system administrator"
 msgstr "Ihr Konto ist abgelaufen. Wenden Sie sich an den Systemadministrator"
-#: modules/pam_unix/pam_unix_acct.c:284
+#: modules/pam_unix/pam_unix_acct.c:237
 msgid "You are required to change your password immediately (root enforced)"
 msgstr "Sie müssen Ihr Passwort sofort ändern (von Root erzwungen)."
-#: modules/pam_unix/pam_unix_acct.c:311
+#: modules/pam_unix/pam_unix_acct.c:243
 msgid "You are required to change your password immediately (password aged)"
 msgstr "Sie müssen Ihr Passwort sofort ändern (Passwortablauf)."
-#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331
+#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268
 #, c-format
 msgid "Warning: your password will expire in %d day"
 msgid_plural "Warning: your password will expire in %d days"
 msgstr[0] "Warnung: Ihr Passwort läuft in %d Tag ab."
 msgstr[1] "Warnung: Ihr Passwort läuft in %d Tagen ab."
-#. TRANSLATORS: only used if dngettext is not support
-#. ed
-#: modules/pam_unix/pam_unix_acct.c:337
+#. TRANSLATORS: only used if dngettext is not supported
+#: modules/pam_unix/pam_unix_acct.c:273
 #, c-format
 msgid "Warning: your password will expire in %d days"
 msgstr "Warnung: Ihr Passwort läuft in %d Tagen ab."
@@ -494,36 +493,36 @@ msgstr "Warnung: Ihr Passwort läuft in %d Tagen ab."
 msgid "Password: "
 msgstr "Passwort: "
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "Änderung des NIS-Passworts nicht möglich."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Sie müssen ein längeres Passwort auswählen."
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "Passwort wurde bereits verwendet. Wählen Sie ein anderes aus."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, c-format
 msgid "Changing password for %s."
 msgstr "Ändern des Passworts für %s."
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "(aktuelles) UNIX Passwort: "
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Sie können Ihr Passwort noch nicht ändern"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Geben Sie ein neues UNIX Passwort ein: "
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Geben Sie das neue UNIX Passwort erneut ein: "
diff --git a/po/es.po b/po/es.po
index 2fe8d372..857a8022 100644
--- a/po/es.po
+++ b/po/es.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Linux-PAM\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
 "PO-Revision-Date: 2006-05-04 08:32+0200\n"
 "Last-Translator: Novell Language \n"
 "Language-Team: Novell Language \n"
@@ -28,7 +28,7 @@ msgstr "...Lo sentimos, el tiempo se ha agotado.\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "conversación incorrecta (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "inicio de sesión:"
@@ -214,12 +214,12 @@ msgid "has been already used"
 msgstr "ya se ha utilizado"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "No se ha proporcionado ninguna contraseña"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "La contraseña no ha cambiado"
@@ -229,17 +229,17 @@ msgstr "La contraseña no ha cambiado"
 msgid "BAD PASSWORD: %s"
 msgstr "CONTRASEÑA INCORRECTA: %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, c-format
 msgid "%s failed: exit code %d"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr ""
@@ -469,30 +469,29 @@ msgstr ""
 "%s: No es posible restaurar a todos los usuarios a un número distinto de "
 "cero\n"
-#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302
+#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251
 msgid "Your account has expired; please contact your system administrator"
 msgstr ""
 "La cuenta ha caducado, póngase en contacto con el administrador del sistema"
-#: modules/pam_unix/pam_unix_acct.c:284
+#: modules/pam_unix/pam_unix_acct.c:237
 msgid "You are required to change your password immediately (root enforced)"
 msgstr ""
 "Debe cambiar la contraseña inmediatamente (aplicado por el usuario root)"
-#: modules/pam_unix/pam_unix_acct.c:311
+#: modules/pam_unix/pam_unix_acct.c:243
 msgid "You are required to change your password immediately (password aged)"
 msgstr "Debe cambiar la contraseña inmediatamente (la contraseña ha caducado)"
-#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331
+#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d day"
 msgid_plural "Warning: your password will expire in %d days"
 msgstr[0] "Advertencia: la contraseña caducará dentro de %d día%.2s"
 msgstr[1] "Advertencia: la contraseña caducará dentro de %d día%.2s"
-#. TRANSLATORS: only used if dngettext is not support
-#. ed
-#: modules/pam_unix/pam_unix_acct.c:337
+#. TRANSLATORS: only used if dngettext is not supported
+#: modules/pam_unix/pam_unix_acct.c:273
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d days"
 msgstr "Advertencia: la contraseña caducará dentro de %d día%.2s"
@@ -501,36 +500,36 @@ msgstr "Advertencia: la contraseña caducará dentro de %d día%.2s"
 msgid "Password: "
 msgstr "Contraseña:"
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "No es posible cambiar la contraseña NIS."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Debe elegir una contraseña más larga"
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "La contraseña ya se ha utilizado. Seleccione otra."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, fuzzy, c-format
 msgid "Changing password for %s."
 msgstr "Cambiando la contraseña STRESS para"
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "(actual) contraseña de UNIX:"
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Debe esperar más tiempo para cambiar la contraseña"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Introduzca la nueva contraseña de UNIX:"
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Vuelva a escribir la nueva contraseña de UNIX:"
diff --git a/po/fi.po b/po/fi.po
index 24916d5a..5b31d061 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Linux-PAM\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
 "PO-Revision-Date: 2006-05-04 08:30+0200\n"
 "Last-Translator: Jyri Palokangas \n"
 "Language-Team: \n"
@@ -32,7 +32,7 @@ msgstr "...Aikasi on loppunut!\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "virheellinen keskustelu (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "kirjautuminen:"
@@ -215,12 +215,12 @@ msgid "has been already used"
 msgstr "on jo käytetty"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "Et antanut salasanaa"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "Salasanaa ei vaihdettu"
@@ -230,17 +230,17 @@ msgstr "Salasanaa ei vaihdettu"
 msgid "BAD PASSWORD: %s"
 msgstr "HUONO SALASANA: %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, c-format
 msgid "%s failed: exit code %d"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr ""
@@ -468,28 +468,27 @@ msgstr ""
 msgid "%s: Can't reset all users to non-zero\n"
 msgstr "%s: Ei voida palauttaa kaikkia käyttäjiä ei-nolliksi\n"
-#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302
+#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251
 msgid "Your account has expired; please contact your system administrator"
 msgstr "Käyttäjätilisi on vanhentunut; ota yhteyttä järjestelmän ylläpitäjään"
-#: modules/pam_unix/pam_unix_acct.c:284
+#: modules/pam_unix/pam_unix_acct.c:237
 msgid "You are required to change your password immediately (root enforced)"
 msgstr "Salasanasi täytyy vaihtaa heti (pääkäyttäjän vaatimus)"
-#: modules/pam_unix/pam_unix_acct.c:311
+#: modules/pam_unix/pam_unix_acct.c:243
 msgid "You are required to change your password immediately (password aged)"
 msgstr "Salasanasi täytyy vaihtaa heti (salasana vanhentunut)"
-#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331
+#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d day"
 msgid_plural "Warning: your password will expire in %d days"
 msgstr[0] "Varoitus: salasanasi vanhenee %d päivässä%.2s"
 msgstr[1] "Varoitus: salasanasi vanhenee %d päivässä%.2s"
-#. TRANSLATORS: only used if dngettext is not support
-#. ed
-#: modules/pam_unix/pam_unix_acct.c:337
+#. TRANSLATORS: only used if dngettext is not supported
+#: modules/pam_unix/pam_unix_acct.c:273
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d days"
 msgstr "Varoitus: salasanasi vanhenee %d päivässä%.2s"
@@ -498,36 +497,36 @@ msgstr "Varoitus: salasanasi vanhenee %d päivässä%.2s"
 msgid "Password: "
 msgstr "Salasana: "
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "NIS-salasanaa ei voitu vaihtaa."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Salasanan tulee olla pidempi"
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "Salasana on jo käytetty. Valitse toinen."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, fuzzy, c-format
 msgid "Changing password for %s."
 msgstr "Vaihdetaan STRESS-salasana "
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "(nykyinen) UNIX salasana: "
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Sinun täytyy odottaa kauemmin vaihtaaksesi salasanan"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Anna uusi UNIX-salasana: "
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Anna uusi UNIX-salasana uudelleen: "
diff --git a/po/fr.po b/po/fr.po
index 9c8bde5f..8febc56f 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Linux-PAM\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
 "PO-Revision-Date: 2006-05-04 08:29+0200\n"
 "Last-Translator: Novell Language \n"
 "Language-Team: Novell Language \n"
@@ -28,7 +28,7 @@ msgstr "...Votre temps est épuisé !\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "erreurs de conversation (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "login : "
@@ -219,12 +219,12 @@ msgid "has been already used"
 msgstr "a déjà été utilisé"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "Aucun mot de passe fourni"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "Mot de passe inchangé"
@@ -234,17 +234,17 @@ msgstr "Mot de passe inchangé"
 msgid "BAD PASSWORD: %s"
 msgstr "MOT DE PASSE INCORRECT : %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, c-format
 msgid "%s failed: exit code %d"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr ""
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr ""
@@ -471,29 +471,28 @@ msgstr ""
 msgid "%s: Can't reset all users to non-zero\n"
 msgstr "%s: Impossible de réinitialiser tous les utilisateurs à non-zéro\n"
-#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302
+#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251
 msgid "Your account has expired; please contact your system administrator"
 msgstr "Votre compte a expiré. Contactez votre administrateur système"
-#: modules/pam_unix/pam_unix_acct.c:284
+#: modules/pam_unix/pam_unix_acct.c:237
 msgid "You are required to change your password immediately (root enforced)"
 msgstr "Vous devez changer votre mot de passe immédiatement (imposé par root)"
-#: modules/pam_unix/pam_unix_acct.c:311
+#: modules/pam_unix/pam_unix_acct.c:243
 msgid "You are required to change your password immediately (password aged)"
 msgstr ""
 "Vous devez changer votre mot de passe immédiatement (mot de passe périmé)"
-#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331
+#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d day"
 msgid_plural "Warning: your password will expire in %d days"
 msgstr[0] "Avertissement : votre mot de passe expire dans %d jour%.2s"
 msgstr[1] "Avertissement : votre mot de passe expire dans %d jour%.2s"
-#. TRANSLATORS: only used if dngettext is not support
-#. ed
-#: modules/pam_unix/pam_unix_acct.c:337
+#. TRANSLATORS: only used if dngettext is not supported
+#: modules/pam_unix/pam_unix_acct.c:273
 #, fuzzy, c-format
 msgid "Warning: your password will expire in %d days"
 msgstr "Avertissement : votre mot de passe expire dans %d jour%.2s"
@@ -502,36 +501,36 @@ msgstr "Avertissement : votre mot de passe expire dans %d jour%.2s"
 msgid "Password: "
 msgstr "Mot de passe : "
-#: modules/pam_unix/pam_unix_passwd.c:822
+#: modules/pam_unix/pam_unix_passwd.c:366
 msgid "NIS password could not be changed."
 msgstr "Le mot de passe NIS n'a pas pu être changé."
-#: modules/pam_unix/pam_unix_passwd.c:999
+#: modules/pam_unix/pam_unix_passwd.c:477
 msgid "You must choose a longer password"
 msgstr "Vous devez choisir un mot de passe plus long"
-#: modules/pam_unix/pam_unix_passwd.c:1004
+#: modules/pam_unix/pam_unix_passwd.c:482
 msgid "Password has been already used. Choose another."
 msgstr "Mot de passe déjà utilisé. Choisissez-en un autre."
-#: modules/pam_unix/pam_unix_passwd.c:1104
+#: modules/pam_unix/pam_unix_passwd.c:583
 #, fuzzy, c-format
 msgid "Changing password for %s."
 msgstr "Changement du mot de passe STRESS pour "
-#: modules/pam_unix/pam_unix_passwd.c:1115
+#: modules/pam_unix/pam_unix_passwd.c:594
 msgid "(current) UNIX password: "
 msgstr "Mot de passe UNIX (actuel) : "
-#: modules/pam_unix/pam_unix_passwd.c:1150
+#: modules/pam_unix/pam_unix_passwd.c:629
 msgid "You must wait longer to change your password"
 msgstr "Vous devez encore attendre avant de changer votre mot de passe"
-#: modules/pam_unix/pam_unix_passwd.c:1210
+#: modules/pam_unix/pam_unix_passwd.c:689
 msgid "Enter new UNIX password: "
 msgstr "Entrez le nouveau mot de passe UNIX : "
-#: modules/pam_unix/pam_unix_passwd.c:1211
+#: modules/pam_unix/pam_unix_passwd.c:690
 msgid "Retype new UNIX password: "
 msgstr "Retapez le nouveau mot de passe UNIX : "
diff --git a/po/hu.po b/po/hu.po
index 24833981..f9e82907 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: hu.new\n"
 "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
-"POT-Creation-Date: 2008-01-07 15:09+0100\n"
+"POT-Creation-Date: 2008-02-04 16:29+0100\n"
 "PO-Revision-Date: 2007-02-15 17:40+0100\n"
 "Last-Translator: Kalman Kemenczy \n"
 "Language-Team: \n"
@@ -34,7 +34,7 @@ msgstr "...Elnézést, de az idő lejárt!\n"
 msgid "erroneous conversation (%d)\n"
 msgstr "hibás beszélgetés (%d)\n"
-#: libpam/pam_item.c:297
+#: libpam/pam_item.c:298
 msgid "login:"
 msgstr "belépés:"
@@ -220,12 +220,12 @@ msgid "has been already used"
 msgstr "A jelszót már használta. Válasszon egy másikat."
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "No password supplied"
 msgstr "Nem lett megadva jelszó"
 #: modules/pam_cracklib/pam_cracklib.c:526
-#: modules/pam_unix/pam_unix_passwd.c:978
+#: modules/pam_unix/pam_unix_passwd.c:456
 msgid "Password unchanged"
 msgstr "A jelszó nem változott"
@@ -235,17 +235,17 @@ msgstr "A jelszó nem változott"
 msgid "BAD PASSWORD: %s"
 msgstr "ROSSZ JELSZÓ: %s"
-#: modules/pam_exec/pam_exec.c:118
+#: modules/pam_exec/pam_exec.c:134
 #, c-format
 msgid "%s failed: exit code %d"
 msgstr "%s hiba: kimeneti érték %d"
-#: modules/pam_exec/pam_exec.c:126
+#: modules/pam_exec/pam_exec.c:143
 #, c-format
 msgid "%s failed: caught signal %d%s"
 msgstr "%s hiba: kimeneti signal %d%s"
-#: modules/pam_exec/pam_exec.c:134
+#: modules/pam_exec/pam_exec.c:152
 #, c-format
 msgid "%s failed: unknown status 0x%x"
 msgstr "%s hiba: ismeretlen állapot 0x%x"
@@ -472,28 +472,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Nem állítható vissza minden felhasználó nem nullára\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "A fiók érvényessége lejárt; keresse meg a rendszergazdát" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Azonnal meg kell változtatnia a jelszavát (a root írta elő)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Azonnal meg kell változtatnia a jelszavát (a jelszó elévült)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Figyelmeztetés: a jelszava lejár %d nap múlva" msgstr[1] "Figyelmeztetés: a jelszava lejár %d nap múlva" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Figyelmeztetés: a jelszava lejár %d nap múlva" 
@@ -502,36 +501,36 @@ msgstr "Figyelmeztetés: a jelszava lejár %d nap múlva" msgid "Password: " msgstr "Jelszó: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "A NIS-jelszó nem módosítható." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Hosszabb jelszót kell választania" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "A jelszót már használta. Válasszon egy másikat." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS jelszó megváltoztatása - " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "A (jelenlegi) UNIX jelszó: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Tovább kell várnia a jelszó módosítására" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Adja meg az új UNIX jelszót: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Írja be újra a UNIX jelszót: " diff --git a/po/it.po b/po/it.po index 9b7c802e..f032dc4e 100644 --- a/po/it.po +++ b/po/it.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2007-11-24 13:39+0100\n" "Last-Translator: Luca Bruno \n" "Language-Team: Italian \n" 
@@ -29,7 +29,7 @@ msgstr "...Tempo scaduto!\n" msgid "erroneous conversation (%d)\n" msgstr "conversazione errata (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "login:" @@ -216,12 +216,12 @@ msgid "has been already used" msgstr "è già stata utilizzata" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Nessuna password fornita" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Password non modificata" @@ -231,17 +231,17 @@ msgstr "Password non modificata" msgid "BAD PASSWORD: %s" msgstr "PASSWORD ERRATA: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "%s fallita: codice d'uscita %d" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "%s fallita: intercettato il segnale %d%s" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "%s fallita: stato sconosciuto 0x%x" 
@@ -463,31 +463,30 @@ msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: Impossibile ripristinare tutti gli utenti a valori diversi da zero\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Account scaduto; contattare l'amministratore di sistema" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" "È richiesta la modifica immediata della password (imposto " "dall'amministratore)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "" "È richiesta la modifica immediata della password (password troppo vecchia)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Avviso: la password scadrà tra %d giorno" msgstr[1] "Avviso: la password scadrà tra %d giorno" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Avviso: la password scadrà tra %d giorni" 
@@ -496,35 +495,35 @@ msgstr "Avviso: la password scadrà tra %d giorni" msgid "Password: " msgstr "Password: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "Impossibile modificare la password NIS." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Scegliere una password più lunga" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Password già utilizzata. Sceglierne un'altra." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, c-format msgid "Changing password for %s." msgstr "Cambio password per %s." -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "Password UNIX (corrente): " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Attendere ancora per cambiare la password" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Immettere nuova password UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Reimmettere la nuova password UNIX: " diff --git a/po/ja.po b/po/ja.po index 18675f72..83fa284c 100644 --- a/po/ja.po +++ b/po/ja.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 22:00+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -28,7 +28,7 @@ msgstr "...時間切れです。\n" msgid "erroneous conversation (%d)\n" msgstr "誤った会話(%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "ログイン::" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "パスワードはすでに使用されています。" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "パスワードが与えられていません" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "パスワードが変更されていません" @@ -226,17 +226,17 @@ msgstr "パスワードが変更されていません" msgid "BAD PASSWORD: %s" msgstr "よくないパスワード: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -463,29 +463,28 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: すべてのユーザを非ゼロにリセットできません\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" "アカウントの有効期限が切れました。システム管理者にお問い合わせください。" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "パスワードを直ちに変更する必要があります(強制されたルート)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "パスワードを直ちに変更する必要があります(古いパスワード)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "警告: パスワードは%d日で有効期限が切れます。%.2s" msgstr[1] "警告: パスワードは%d日で有効期限が切れます。%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "警告: パスワードは%d日で有効期限が切れます。%.2s" 
@@ -494,37 +493,37 @@ msgstr "警告: パスワードは%d日で有効期限が切れます。%.2s" msgid "Password: " msgstr "パスワード:" -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "NISパスワードを変更できませんでした。" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "長いパスワードを選択する必要があります" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "" "パスワードはすでに使用されています。 別のパスワードを選択してください。" -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESSパスワードの変更元" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "現在のUNIXパスワード:" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "パスワードを変更するには長く待つ必要があります" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "新しいUNIXパスワードを入力してください:" -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "新しいUNIX パスワードを再入力してください:" diff --git a/po/km.po b/po/km.po index 6062fef6..c5beb939 100644 --- a/po/km.po +++ b/po/km.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-03-17 10:32+0700\n" "Last-Translator: Khoem Sokhem \n" "Language-Team: Khmer \n" 
@@ -30,7 +30,7 @@ msgstr "...សូម​ទោស អ្នក​អស់​ពេល​ហើ msgid "erroneous conversation (%d)\n" msgstr "សន្ទនាច្រឡំ (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "ចូល ៖" @@ -216,12 +216,12 @@ msgid "has been already used" msgstr "បាន​ប្រើ​រួច​ហើយ" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "មិន​បាន​ផ្ដល់​ពាក្យសម្ងាត់" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "ពាក្យសម្ងាត់​មិន​បាន​ផ្លាស់ប្ដូរ​ឡើយ" @@ -231,17 +231,17 @@ msgstr "ពាក្យសម្ងាត់​មិន​បាន​ផ្ល msgid "BAD PASSWORD: %s" msgstr "ពាក្យ​សម្ងាត់​មិន​ល្អ ៖ %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -468,28 +468,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s ៖ មិន​អាច​កំណត់​អ្នក​ប្រើ​ទាំងអស់​ទៅ​មិនមែន​សូន្យ​ឡើងវិញ​បានទេ\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "គណនី​របស់​អ្នក​បាន​ផុតកំណត់​ហើយ សូម​ទាក់ទង​អ្នក​គ្រប់គ្រង​ប្រព័ន្ធ​របស់​អ្នក" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "អ្នក​ត្រូវ​តែ​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់​របស់​អ្នក​ឥឡូវ​នេះ (root បាន​ចេញ​បញ្ជា)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "អ្នក​ត្រូវ​តែ​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់​របស់​អ្នក​ឥឡូវ​នេះ (ពាក្យសម្ងាត់​ចាស់​ហើយ)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "ការ​ព្រមាន ៖ ពាក្យសម្ងាត់​របស់​អ្នក​នឹង​ផុតកំណត់​ក្នុង​រយៈពេល %d ថ្ងៃ %.2s ។" msgstr[1] "ការ​ព្រមាន ៖ ពាក្យសម្ងាត់​របស់​អ្នក​នឹង​ផុតកំណត់​ក្នុង​រយៈពេល %d ថ្ងៃ %.2s ។" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "ការ​ព្រមាន ៖ ពាក្យសម្ងាត់​របស់​អ្នក​នឹង​ផុតកំណត់​ក្នុង​រយៈពេល %d ថ្ងៃ %.2s ។" 
@@ -498,36 +497,36 @@ msgstr "ការ​ព្រមាន ៖ ពាក្យសម្ងាត់ msgid "Password: " msgstr "ពាក្យសម្ងាត់ ៖ " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "មិន​អាច​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់ NIS បាន​ឡើយ ។" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "អ្នក​ត្រូវ​តែ​ជ្រើស​ពាក្យសម្ងាត់​វែង​ជាង​នេះ" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "ពាក្យសម្ងាត់​ត្រូវ​បាន​ប្រើ​រួច​ហើយ ។ សូម​ជ្រើស​មួយ​ទៀត ។" -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "ការ​ផ្លាស់ប្ដូរ​ពាក្យ​សម្ងាត់ STRESS សម្រាប់ " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(បច្ចុប្បន្ន) ពាក្យ​សម្ងាត់ UNIX ៖" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "អ្នក​ត្រូវ​តែ​រង់ចាំ​បន្តិច ដើម្បី​ផ្លាស់ប្ដូរ​ពាក្យសម្ងាត់​របស់​អ្នក" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "បញ្ចូល​ពាក្យ​សម្ងាត់ UNIX ថ្មី ៖ " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "វាយ​ពាក្យ​សម្ងាត់ UNIX ថ្មី​ម្ដង​ទៀត ៖ " diff --git a/po/nb.po b/po/nb.po index 075cc292..af79e8cb 100644 --- a/po/nb.po +++ b/po/nb.po 
@@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 22:04+0200\n" "Last-Translator: Olav Pettershagen \n" "Language-Team: \n" @@ -28,7 +28,7 @@ msgstr "...Beklager, tiden er utløpt!\n" msgid "erroneous conversation (%d)\n" msgstr "mislykket dialog (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "logg inn:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "er allerede benyttet" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Passord ikke angitt" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Passord uendret" @@ -226,17 +226,17 @@ msgstr "Passord uendret" msgid "BAD PASSWORD: %s" msgstr "SVAKT PASSORD: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -463,28 +463,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Kan ikke tilbakestille alle brukere til non-zero\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Din konto er utløpt; kontakt systemadministratoren" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Du må straks endre passordet ditt (ordre fra rot)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Du må straks endre passordet ditt (passord for gammelt)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Advarsel: passordet ditt vil utløpe om %d dager%.2s" msgstr[1] "Advarsel: passordet ditt vil utløpe om %d dager%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Advarsel: passordet ditt vil utløpe om %d dager%.2s" 
@@ -493,36 +492,36 @@ msgstr "Advarsel: passordet ditt vil utløpe om %d dager%.2s" msgid "Password: " msgstr "Passord: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "NIS-passord kunne ikke endres." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Du må velge et lengre passord" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Passordet er allerede benyttet. Velg et annet." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Endrer STRESS-passord for " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(gjeldende) UNIX-passord: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Du må vente lenger før du kan endre passordet" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Angi nytt UNIX-passord: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Bekreft nytt UNIX-passord: " diff --git a/po/nl.po b/po/nl.po index 3ce5313f..aa991303 100644 --- a/po/nl.po +++ b/po/nl.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.nl\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 22:02+0200\n" "Last-Translator: Rinse de Vries \n" "Language-Team: Dutch \n" 
@@ -31,7 +31,7 @@ msgstr "...Helaas, uw tijd is verlopen!\n" msgid "erroneous conversation (%d)\n" msgstr "foute conversatie (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "gebruikersnaam:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "is al gebruikt" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Geen wachtwoord opgegeven" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Wachtwoord is niet gewijzigd" @@ -229,17 +229,17 @@ msgstr "Wachtwoord is niet gewijzigd" msgid "BAD PASSWORD: %s" msgstr "SLECHT WACHTWOORD: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -467,30 +467,29 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: kan niet alle gebruikers terugzetten naar non-zero\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Uw account is verlopen. Een contact op met uw systeembeheerder" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" "U dient onmiddellijk uw wachtwoord te wijzigen (op last van systeembeheerder)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "" "U dient onmiddellijk uw wachtwoord te wijzigen (wachtwoord is verouderd)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" msgstr[1] "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" 
@@ -499,36 +498,36 @@ msgstr "Waarschuwing: uw wachtwoord zal over %d day%.2s verlopen" msgid "Password: " msgstr "Wachtwoord: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "NIS-wachtwoord kon niet worden gewijzigd." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Kies een langer wachtwoord" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Dit wachtwoord is al gebruikt. Kies een ander wachtwoord." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS-wachtwoord wijzigen voor " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(huidig) UNIX-wachtwoord: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "U moet langer wachten om uw wachtwoord te wijzigen" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Nieuw UNIX-wachtwoord invoeren: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Nieuw UNIX-wachtwoord herhalen: " diff --git a/po/pa.po b/po/pa.po index d12add57..defa8d80 100644 --- a/po/pa.po +++ b/po/pa.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.pa\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2005-08-06 08:34+0530\n" "Last-Translator: Amanpreet Singh Alam[ਆਲਮ] \n" "Language-Team: Panjabi \n" 
@@ -31,7 +31,7 @@ msgstr "...ਅਫ਼ਸੋਸ, ਤੁਹਾਡਾ ਸਮਾਂ ਸਮਾਪਤ msgid "erroneous conversation (%d)\n" msgstr "" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "" @@ -217,12 +217,12 @@ msgid "has been already used" msgstr "ਗੁਪਤ-ਕੋਡ ਪਹਿਲਾਂ ਵੀ ਵਰਤਿਆ ਗਿਆ ਹੈ। ਵੱਖਰਾ ਚੁਣੋ।" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "ਕੋਈ ਗੁਪਤ-ਕੋਡ ਨਹੀਂ ਦਿੱਤਾ ਗਿਆ" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "ਗੁਪਤ-ਕੋਡ ਨਾ-ਤਬਦੀਲ ਹੈ" @@ -232,17 +232,17 @@ msgstr "ਗੁਪਤ-ਕੋਡ ਨਾ-ਤਬਦੀਲ ਹੈ" msgid "BAD PASSWORD: %s" msgstr "" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -469,28 +469,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ ਮਿਆਦ %d ਦਿਨ%.2s 'ਚ ਪੁੱਗ ਜਾਵੇਗੀ।" msgstr[1] "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ ਮਿਆਦ %d ਦਿਨ%.2s 'ਚ ਪੁੱਗ ਜਾਵੇਗੀ।" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ ਮਿਆਦ %d ਦਿਨ%.2s 'ਚ ਪੁੱਗ ਜਾਵੇਗੀ।" 
@@ -500,37 +499,37 @@ msgstr "ਸਾਵਧਾਨ: ਤੁਹਾਡਾ ਗੁਪਤ-ਕੋਡ ਦੀ ਮ msgid "Password: " msgstr "ਗੁਪਤ-ਕੋਡ ਨਾ-ਤਬਦੀਲ ਹੈ" -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "NIS ਗੁਪਤ-ਕੋਡ ਤਬਦੀਲ ਨਹੀਂ ਕੀਤਾ ਜਾ ਸਕਿਆ ਹੈ।" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "ਤੁਹਾਨੂੰ ਲੰਮੇ ਗੁਪਤ-ਕੋਡ ਦੀ ਚੋਣ ਕਰਨੀ ਚਾਹੀਦੀ ਹੈ" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "ਗੁਪਤ-ਕੋਡ ਪਹਿਲਾਂ ਵੀ ਵਰਤਿਆ ਗਿਆ ਹੈ। ਵੱਖਰਾ ਚੁਣੋ।" -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, c-format msgid "Changing password for %s." msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 #, fuzzy msgid "Enter new UNIX password: " msgstr "ਨਵਾਂ STRESS ਗੁਪਤ-ਕੋਡ ਦਿਓ: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 #, fuzzy msgid "Retype new UNIX password: " msgstr "ਨਵਾਂ STRESS ਗੁਪਤ-ਕੋਡ ਮੁੜ-ਲਿਖੋ: " diff --git a/po/pl.po b/po/pl.po index 0e3c4f5b..61cc6356 100644 --- a/po/pl.po +++ b/po/pl.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 21:58+0200\n" "Last-Translator: Wojciech Kapusta \n" "Language-Team: \n" 
@@ -33,7 +33,7 @@ msgstr "... czas minął.\n" msgid "erroneous conversation (%d)\n" msgstr "błędna konwersacja (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "login:" @@ -216,12 +216,12 @@ msgid "has been already used" msgstr "było już używane" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Nie podano hasła" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Hasło nie zmienione" @@ -231,17 +231,17 @@ msgstr "Hasło nie zmienione" msgid "BAD PASSWORD: %s" msgstr "ZŁE HASŁO: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -468,19 +468,19 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Nie można przywrócić wszystkich użytkowników\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Konto użytkownika wygasło ; proszę skontaktować się z administratorem" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Należy natychmiast zmienić hasło (wymuszone przez administratora)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Należy natychmiast zmienić hasło (hasło wygasło)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -488,9 +488,8 @@ msgstr[0] "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" msgstr[1] "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" msgstr[2] "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" 
@@ -499,36 +498,36 @@ msgstr "Ostrzeżenie: hasło wygaśnie za %d dni%.2s" msgid "Password: " msgstr "Hasło: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "Nie można zmienić hasła NIS." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Proszę podać dłuższe hasło" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Hasło było już używane. Proszę wybrać inne." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Zmiana hasła STRESS dla " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "Bieżące hasło UNIX:" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Proszę poczekać dłużej aby zmienić hasło" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Nowe hasło UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Powtórzenie hasła UNIX: " diff --git a/po/pt.po b/po/pt.po index 6210f8cd..3db65c38 100644 --- a/po/pt.po +++ b/po/pt.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.pt\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 21:54+0200\n" "Last-Translator: Antonio Cardoso Martins \n" "Language-Team: portuguese\n" 
@@ -29,7 +29,7 @@ msgstr "...Lamento, o seu tempo esgotou-se!\n" msgid "erroneous conversation (%d)\n" msgstr "conversação errónea (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "login:" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "já foi utilizada" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Não foi fornecida uma palavra passe" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Palavra passe inalterada" @@ -228,17 +228,17 @@ msgstr "Palavra passe inalterada" msgid "BAD PASSWORD: %s" msgstr "MÁ PALAVRA PASSE: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -465,32 +465,31 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Não foi possível reiniciar todos os utilizadores para não zero\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" "A sua conta de utilizador expirou; por favor contacte o seu administrador de " "sistema" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" "É obrigatório que altere de imediato a sua palavra passe (forçado pelo root)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "" "É obrigatório que altere de imediato a sua palavra passe (forçado pela idade)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Aviso: a sua palavra passe expira em %d dia%.2s" msgstr[1] "Aviso: a sua palavra passe expira em %d dia%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Aviso: a sua palavra passe expira em %d dia%.2s" 
@@ -499,36 +498,36 @@ msgstr "Aviso: a sua palavra passe expira em %d dia%.2s" msgid "Password: " msgstr "Palavra passe: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "A palavra passe de NIS não pode ser alterada." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Deve escolher uma palavra passe mais longa" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "A palavra passe já foi anteriormente utilizada. Escolha outra." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "A alterar a palavra passe de STRESS para " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "palavra passe UNIX (actual): " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Tem de esperar mais antes de poder alterar a sua palavra passe" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Digite a nova palavra passe UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Digite novamente a nova palavra passe UNIX: " diff --git a/po/pt_BR.po b/po/pt_BR.po index fcde82aa..601a7eb9 100644 --- a/po/pt_BR.po +++ b/po/pt_BR.po 
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 21:55+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -28,7 +28,7 @@ msgstr "...Tempo contando.\n" msgid "erroneous conversation (%d)\n" msgstr "conversação errônea (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "login:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "já foi usada" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Nenhuma senha informada" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Senha inalterada" @@ -226,17 +226,17 @@ msgstr "Senha inalterada" msgid "BAD PASSWORD: %s" msgstr "SENHA INCORRETA: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -463,28 +463,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Impossível redefinir todos os usuários para não-zero\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Sua conta expirou; entre em contato com o administrador do sistema" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Mude sua senha imediatamente (aplicado pela raiz)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Mude sua senha imediatamente (senha expirada)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Aviso: sua senha expirará em %d dia%.2s" msgstr[1] "Aviso: sua senha expirará em %d dia%.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Aviso: sua senha expirará em %d dia%.2s" 
@@ -493,36 +492,36 @@ msgstr "Aviso: sua senha expirará em %d dia%.2s" msgid "Password: " msgstr "Senha:" -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "A senha NIS não pôde ser mudada." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Escolha uma senha mais longa" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "A senha já foi usada. Escolha outra." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Mudando senha STRESS para" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "Senha UNIX (atual):" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Aguarde mais tempo para mudar a senha" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Digite a nova senha UNIX:" -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Redigite a nova senha UNIX:" diff --git a/po/ru.po b/po/ru.po index a67f9047..3f0ded37 100644 --- a/po/ru.po +++ b/po/ru.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: @PACKAGE@\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-01-04 08:58+0100\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -31,7 +31,7 @@ msgstr "...Извините, ваше время истекло!\n" msgid "erroneous conversation (%d)\n" msgstr "ошибочный диалог (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "регистрация:" @@ -220,13 +220,13 @@ msgid "has been already used" msgstr "уже был использован" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Пароль не указан" # password dialog title #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Пароль не изменен" @@ -236,17 +236,17 @@ msgstr "Пароль не изменен" msgid "BAD PASSWORD: %s" msgstr "НЕВЕРНЫЙ ПАРОЛЬ: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, fuzzy, c-format msgid "%s failed: exit code %d" msgstr "Ошибочное выполнение скрипта '{0}' с кодом '{1}'" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -478,21 +478,21 @@ msgid "%s: Can't reset all users to non-zero\n" msgstr "" "%s: не удается выполнить сброс всех пользователей в ненулевое значение\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" "Срок действия учетной записи истек; обратитесь к системному администратору" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" "Вам необходимо немедленно сменить пароль (по требованию пользователя root)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Вам необходимо немедленно сменить пароль (пароль устарел)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -500,9 +500,8 @@ msgstr[0] "Предупреждение: срок действия пароля msgstr[1] "Предупреждение: срок действия пароля истекает через %d дней" msgstr[2] "Предупреждение: срок действия пароля истекает через %d дней" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Предупреждение: срок действия пароля истекает через %d дней" 
@@ -512,38 +511,38 @@ msgid "Password: " msgstr "Пароль: " # password dialog title -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "Пароль NIS изменить нельзя." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Выберите пароль большей длины" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Этот пароль уже был использован. Выберите другой." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Смена пароля STRESS для" # Keep the newlines and spaces after ':'! -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(текущий) пароль UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "До смены пароля должно пройти больше времени" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Введите новый пароль UNIX: " # Keep the newlines and spaces after ':'! -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Повторите ввод нового пароля UNIX: " diff --git a/po/sv.po b/po/sv.po index 9fad3c6d..932ebda5 100644 --- a/po/sv.po +++ b/po/sv.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2007-12-24 13:39+0100\n" "Last-Translator: Christer Andersson \n" "Language-Team: Swedish \n" 
@@ -29,7 +29,7 @@ msgstr "...Ledsen, din tid msgid "erroneous conversation (%d)\n" msgstr "felaktig konversation (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "inloggning:" @@ -212,12 +212,12 @@ msgid "has been already used" msgstr "har redan anvnts" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Inget lsenord angivet" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Ofrndrat lsenord" @@ -227,17 +227,17 @@ msgstr "Of msgid "BAD PASSWORD: %s" msgstr "DLIGT LSENORD: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "%s misslyckades: slutstatus %d" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "%s misslyckades: fngade signalen %d%s" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "%s misslyckades: oknd status 0x%x" 
@@ -459,28 +459,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Kan inte stlla om alla anvndare till nollskilt vrde\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Ditt konto har gtt ut. Kontakta din systemadministratr" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Du mste ndra ditt lsenord omedelbart (ptvingat av root)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Du mste ndra ditt lsenord omedelbart (lsenord fr gammalt)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Varning: ditt lsenord gr ut om %d dag" msgstr[1] "Varning: ditt lsenord gr ut om %d dagar" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, c-format msgid "Warning: your password will expire in %d days" msgstr "Varning: ditt lsenord gr ut om %d dagar" 
@@ -489,35 +488,35 @@ msgstr "Varning: ditt l msgid "Password: " msgstr "Lsenord: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "NIS-lsenord kunde inte ndras." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Du mste vlja ett lngre lsenord" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Lsenordet har redan anvnds. Vlj ett annat." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, c-format msgid "Changing password for %s." msgstr "ndrar lsenord fr %s." -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(nuvarande) UNIX-lsenord: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Du mste vnta lngre innan du kan ndra lsenord" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Ange nytt UNIX-lsenord: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Ange nytt UNIX-lsenord igen: " diff --git a/po/tr.po b/po/tr.po index 340e3851..a77c5c89 100644 --- a/po/tr.po +++ b/po/tr.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 19:00+0200\n" "Last-Translator: Koray Löker \n" "Language-Team: Türkçe \n" 
@@ -30,7 +30,7 @@ msgstr "...Üzgünüm, süreniz doldu!\n" msgid "erroneous conversation (%d)\n" msgstr "hatalı etkileşim (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "giriş:" @@ -213,12 +213,12 @@ msgid "has been already used" msgstr "daha önce kullanıldı" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Parola girilmedi" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Parola değiştirilmedi" @@ -228,17 +228,17 @@ msgstr "Parola değiştirilmedi" msgid "BAD PASSWORD: %s" msgstr "YANLIŞ PAROLA: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -465,27 +465,26 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "Hesabınızın süresi doldu; lütfen sistem yöneticinizle bağlantıya geçin" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Parolanızı en kısa sürede değiştirmeniz gerekiyor (yönetici bildirimi)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Parolanızı en kısa sürede değiştirmeniz gerekiyor (parola eski)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Dikkat: Parolanızın geçerlilik süresi %d gün%.2s sonra doluyor" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Dikkat: Parolanızın geçerlilik süresi %d gün%.2s sonra doluyor" 
@@ -494,36 +493,36 @@ msgstr "Dikkat: Parolanızın geçerlilik süresi %d gün%.2s sonra doluyor" msgid "Password: " msgstr "Parola: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "NIS parolası değiştirilemiyor" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Daha uzun bir parola girmelisiniz" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Parola kullanımda. Lütfen başka bir parola seçin." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "STRESS parolası değiştiriliyor " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(geçerli) parola: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Parolanızı değiştirmek için daha sonra denemelisiniz" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Yeni parolayı girin: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Yeni parolayı tekrar girin: " diff --git a/po/uk.po b/po/uk.po index 5625804d..9e7e1173 100644 --- a/po/uk.po +++ b/po/uk.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM.uk\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 18:59+0200\n" "Last-Translator: Ivan Petrouchtchak \n" "Language-Team: Ukrainian \n" 
@@ -31,7 +31,7 @@ msgstr "...Вибачте, ваш час закінчився!\n" msgid "erroneous conversation (%d)\n" msgstr "помилкова розмова (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "користувач:" @@ -214,12 +214,12 @@ msgid "has been already used" msgstr "вже вживався" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Не встановлений пароль" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Пароль не змінено" @@ -229,17 +229,17 @@ msgstr "Пароль не змінено" msgid "BAD PASSWORD: %s" msgstr "ПОГАНИЙ ПАРОЛЬ: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -467,21 +467,21 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: Не вдається скинути всіх користувачів до не-нуль\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" "Ваш рахунок застарів, будь ласка, зверніться до вашого системного " "адміністратора" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "Вам необхідно негайно змінити пароль (вимога адміністратора)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "Вам необхідно негайно змінити пароль (поточний пароль застарів)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" @@ -489,9 +489,8 @@ msgstr[0] "Попередження: ваш пароль застаріє чер msgstr[1] "Попередження: ваш пароль застаріє через %d дні(в) %.2s" msgstr[2] "Попередження: ваш пароль застаріє через %d дні(в) %.2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Попередження: ваш пароль застаріє через %d дні(в) %.2s" 
@@ -500,36 +499,36 @@ msgstr "Попередження: ваш пароль застаріє чере msgid "Password: " msgstr "Пароль: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "Не вдалося змінити пароль NIS." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Необхідно вибрати довший пароль" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Пароль вже вживається. Виберіть інший." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Зміна пароля STRESS для " -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(поточний) пароль UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Ви повинні зачекати довше, щоб змінити ваш пароль" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Введіть новий пароль UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Повторіть новий пароль UNIX: " diff --git a/po/zh_CN.po b/po/zh_CN.po index afdf54f9..4307a183 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux_PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 18:59+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" 
@@ -28,7 +28,7 @@ msgstr "...对不起,您的时间已经耗尽!\n" msgid "erroneous conversation (%d)\n" msgstr "有错误的转换 (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "登录:" @@ -211,12 +211,12 @@ msgid "has been already used" msgstr "已使用" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "口令未提供" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "口令未更改" @@ -226,17 +226,17 @@ msgstr "口令未更改" msgid "BAD PASSWORD: %s" msgstr "无效的口令: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -462,28 +462,27 @@ msgstr "%s: [--文件 根文件名] [--用户 用户名] [--重设置[=n]] [-- msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: 无法将所有用户重设置为非零\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "您的帐户已失效;请与系统管理员取得联系" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "您需要立即更改口令(root 强制)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "您需要立即更改口令(口令过期)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "" msgstr[1] "" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, c-format msgid "Warning: your password will expire in %d days" msgstr "" 
@@ -492,36 +491,36 @@ msgstr "" msgid "Password: " msgstr "口令:" -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "无法更改 NIS 口令。" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "必须选择更长的口令" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "口令已使用。请选择其他口令。" -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "更改 STRESS 口令以" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(当前)UNIX 口令:" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "您必须等待更长时间以更改口令" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "输入新的 UNIX 口令:" -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "重新输入新的 UNIX 口令:" diff --git a/po/zh_TW.po b/po/zh_TW.po index b287c5bd..834fdbf5 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux_PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-05-03 18:55+0200\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -28,7 +28,7 @@ msgstr "...抱歉,您的時間已到!\n" msgid "erroneous conversation (%d)\n" msgstr "錯誤的交談 (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "登入:" 
@@ -211,12 +211,12 @@ msgid "has been already used" msgstr "已經由其他使用者使用" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "未提供密碼" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "密碼未變更" @@ -226,17 +226,17 @@ msgstr "密碼未變更" msgid "BAD PASSWORD: %s" msgstr "不良的密碼: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -463,28 +463,27 @@ msgstr "" msgid "%s: Can't reset all users to non-zero\n" msgstr "%s: 無法將所有使用者重新設定為非零\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "您的帳戶已經逾期,請洽詢您的系統管理員" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "您必須立刻變更您的密碼 (root 強制執行)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "您必須立刻變更您的密碼 (密碼使用過久)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "警告:您的密碼將在 %d 天之後逾期。%2s" msgstr[1] "警告:您的密碼將在 %d 天之後逾期。%2s" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "警告:您的密碼將在 %d 天之後逾期。%2s" 
@@ -493,36 +492,36 @@ msgstr "警告:您的密碼將在 %d 天之後逾期。%2s" msgid "Password: " msgstr "密碼:" -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "無法變更 NIS 密碼。" -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "您必須選擇更長的密碼" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "密碼已經由其他使用者使用。請選擇其他密碼。" -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "正在變更 STRESS 密碼" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "(目前) UNIX 密碼:" -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "您必須久候,以變更您的密碼。" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "輸入新的 UNIX 密碼:" -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "再次輸入新的 UNIX 密碼:" diff --git a/po/zu.po b/po/zu.po index 1ba240f5..073ed6cb 100644 --- a/po/zu.po +++ b/po/zu.po @@ -5,7 +5,7 @@ msgid "" msgstr "" "Project-Id-Version: Linux-PAM\n" "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2008-01-07 15:09+0100\n" +"POT-Creation-Date: 2008-02-04 16:29+0100\n" "PO-Revision-Date: 2006-11-03 12:03\n" "Last-Translator: Novell Language \n" "Language-Team: Novell Language \n" @@ -26,7 +26,7 @@ msgstr "...Uxolo, isikhathi sakho sesiphelile!\n" msgid "erroneous conversation (%d)\n" msgstr "ingxoxo enephutha (%d)\n" -#: libpam/pam_item.c:297 +#: libpam/pam_item.c:298 msgid "login:" msgstr "ngena:" 
@@ -209,12 +209,12 @@ msgid "has been already used" msgstr "isisetshenziswe ngothile." #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "No password supplied" msgstr "Ayikho iphasiwedi enikeziwe" #: modules/pam_cracklib/pam_cracklib.c:526 -#: modules/pam_unix/pam_unix_passwd.c:978 +#: modules/pam_unix/pam_unix_passwd.c:456 msgid "Password unchanged" msgstr "Iphasiwedi ayishintshwanga" @@ -224,17 +224,17 @@ msgstr "Iphasiwedi ayishintshwanga" msgid "BAD PASSWORD: %s" msgstr "IPHASIWEDI ENGASEBENZI: %s" -#: modules/pam_exec/pam_exec.c:118 +#: modules/pam_exec/pam_exec.c:134 #, c-format msgid "%s failed: exit code %d" msgstr "" -#: modules/pam_exec/pam_exec.c:126 +#: modules/pam_exec/pam_exec.c:143 #, c-format msgid "%s failed: caught signal %d%s" msgstr "" -#: modules/pam_exec/pam_exec.c:134 +#: modules/pam_exec/pam_exec.c:152 #, c-format msgid "%s failed: unknown status 0x%x" msgstr "" 
@@ -463,33 +463,32 @@ msgstr "" "%s: Ayikwazi ukusetha kabusha bonke abasebenzisi ibase enombolweni ongelona " "iqanda\n" -#: modules/pam_unix/pam_unix_acct.c:275 modules/pam_unix/pam_unix_acct.c:302 +#: modules/pam_unix/pam_unix_acct.c:229 modules/pam_unix/pam_unix_acct.c:251 msgid "Your account has expired; please contact your system administrator" msgstr "" "I-akhawunti yakho isiphelelwe isikhathi, sicela uthintana nomqondisi " "wesistimu yakho" -#: modules/pam_unix/pam_unix_acct.c:284 +#: modules/pam_unix/pam_unix_acct.c:237 msgid "You are required to change your password immediately (root enforced)" msgstr "" "Kudingeka ukuba ushintshe iphasiwedi yakho ngokushesha (iphoqelelwa " "ngumqondisi)" -#: modules/pam_unix/pam_unix_acct.c:311 +#: modules/pam_unix/pam_unix_acct.c:243 msgid "You are required to change your password immediately (password aged)" msgstr "" "Kudingeka ukuba ushintshe iphasiwedi yakho ngokushesha (iphasiwedi indala)" -#: modules/pam_unix/pam_unix_acct.c:324 modules/pam_unix/pam_unix_acct.c:331 +#: modules/pam_unix/pam_unix_acct.c:261 modules/pam_unix/pam_unix_acct.c:268 #, fuzzy, c-format msgid "Warning: your password will expire in %d day" msgid_plural "Warning: your password will expire in %d days" msgstr[0] "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" msgstr[1] "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" -#. TRANSLATORS: only used if dngettext is not support -#. ed -#: modules/pam_unix/pam_unix_acct.c:337 +#. TRANSLATORS: only used if dngettext is not supported +#: modules/pam_unix/pam_unix_acct.c:273 #, fuzzy, c-format msgid "Warning: your password will expire in %d days" msgstr "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" 
@@ -498,36 +497,36 @@ msgstr "Isexwayiso: Iphasiwedi yakho izophelelwa isikhathi %d usuku%.2s[T1]" msgid "Password: " msgstr "Iphasiwedi: " -#: modules/pam_unix/pam_unix_passwd.c:822 +#: modules/pam_unix/pam_unix_passwd.c:366 msgid "NIS password could not be changed." msgstr "Iphasiwedi ye-NIS ayivumanga ukushintshwa." -#: modules/pam_unix/pam_unix_passwd.c:999 +#: modules/pam_unix/pam_unix_passwd.c:477 msgid "You must choose a longer password" msgstr "Kumelwe ukhethe iphasiwedi ethe ukuba yinjana" -#: modules/pam_unix/pam_unix_passwd.c:1004 +#: modules/pam_unix/pam_unix_passwd.c:482 msgid "Password has been already used. Choose another." msgstr "Le phasiwedi isetshenziswa ngothile. Khetha enye." -#: modules/pam_unix/pam_unix_passwd.c:1104 +#: modules/pam_unix/pam_unix_passwd.c:583 #, fuzzy, c-format msgid "Changing password for %s." msgstr "Ukushintsha iphasiwedi ye-STRESS ye-" -#: modules/pam_unix/pam_unix_passwd.c:1115 +#: modules/pam_unix/pam_unix_passwd.c:594 msgid "(current) UNIX password: " msgstr "Iphasiwedi ye-UNIX (yamanje): " -#: modules/pam_unix/pam_unix_passwd.c:1150 +#: modules/pam_unix/pam_unix_passwd.c:629 msgid "You must wait longer to change your password" msgstr "Kumelwe ulinde isikhashana ukuze ushintshe iphasiwedi yakho" -#: modules/pam_unix/pam_unix_passwd.c:1210 +#: modules/pam_unix/pam_unix_passwd.c:689 msgid "Enter new UNIX password: " msgstr "Faka iphasiwedi entsha ye-UNIX: " -#: modules/pam_unix/pam_unix_passwd.c:1211 +#: modules/pam_unix/pam_unix_passwd.c:690 msgid "Retype new UNIX password: " msgstr "Thayipha iphasiwedi entsha ye-UNIX: " -- cgit v1.2.3 From b2661a54ac276d20268dba45b4e025d58458241e Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Wed, 13 Feb 2008 15:19:16 +0000 Subject: Relevant BUGIDs: Purpose of commit: prepare release Commit summary: --------------- Missing pieces for a 0.99.10.0 release 2008-02-13 Thorsten Kukuk * release version 0.99.10.0 * configure.in: set version number. --- ChangeLog | 4 ++++ configure.in | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3edeaf3f..fa01eac7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2008-02-13 Thorsten Kukuk + * release version 0.99.10.0 + + * configure.in: set version number. + * modules/pam_rhosts/Makefile.am: Remove pam_rhosts_auth. * modules/pam_rhosts/pam_rhosts_auth.c: Removed. * modules/pam_rhosts/tst-pam_rhosts_auth: Removed. diff --git a/configure.in b/configure.in index 90349a14..d22c0aa2 100644 --- a/configure.in +++ b/configure.in @@ -1,6 +1,6 @@ dnl Process this file with autoconf to produce a configure script. AC_INIT(conf/pam_conv1/pam_conv_y.y) -AM_INIT_AUTOMAKE("Linux-PAM", 0.99.9.0) +AM_INIT_AUTOMAKE("Linux-PAM", 0.99.10.0) AC_PREREQ([2.60]) AM_CONFIG_HEADER(config.h) AC_CANONICAL_HOST @@ -45,6 +45,13 @@ dnl Add security to include directory then includedir="${prefix}/include/security" fi + +dnl Add /var directory + if test ${localstatedir} = '${prefix}/var' + then + localstatedir="/var" + fi + fi dnl -- cgit v1.2.3
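Review bot: In the second configure.in hunk, the added `test` expands `${localstatedir}` unquoted, so an empty value or one containing whitespace makes `test` report a syntax error instead of comparing strings; quote it, as in `if test "${localstatedir}" = '${prefix}/var'`. The single-quoted right-hand side matches only autoconf's unexpanded default. An explicit `--localstatedir` is therefore kept, which looks intentional but is not stated anywhere. A comment such as `dnl Only the untouched default is redirected; an explicit --localstatedir is respected` would record that, since this silently changes where the build places its state files. The enclosing `if` starts before the hunk, so the condition under which the override runs is not visible here and should be checked against that intent.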