From 2ec68e871038665749338da59d938a33c3248110 Mon Sep 17 00:00:00 2001 From: Louis Sautier Date: Thu, 13 Dec 2018 16:12:42 +0100 Subject: Fix a typo in the documentation --- doc/man/pam_conv.3.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml index 0098ff94..5106ddf7 100644 --- a/doc/man/pam_conv.3.xml +++ b/doc/man/pam_conv.3.xml @@ -133,10 +133,10 @@ struct pam_conv { single form with many messages/prompts on at once. - In passing, it is worth noting that there is a descrepency between + In passing, it is worth noting that there is a discrepancy between the way Linux-PAM handles the const struct pam_message **msg - conversation function argument from the way that Solaris' PAM - (and derivitives, known to include HP/UX, are there others?) does. + conversation function argument and the way that Solaris' PAM + (and derivatives, known to include HP/UX, are there others?) does. Linux-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with -- cgit v1.2.3 From 8daf77a011553e160012899d29765c968c952897 Mon Sep 17 00:00:00 2001 From: lifecrisis <15251574+lifecrisis@users.noreply.github.com> Date: Fri, 6 Sep 2019 17:10:15 -0400 Subject: Fix a typo There is an extra space where there should not be one. --- doc/man/pam_fail_delay.3.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/man') diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml index 46d89be0..d886e9e0 100644 --- a/doc/man/pam_fail_delay.3.xml +++ b/doc/man/pam_fail_delay.3.xml @@ -75,7 +75,7 @@ and - pam_set_item 3 + pam_set_item3 respectively. The value used to set it should be a function pointer of the following prototype: -- cgit v1.2.3 From 6b10b693f8e20a9d6452fe195f42bd978e9e4ee8 Mon Sep 17 00:00:00 2001 
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com> Date: Fri, 6 Sep 2019 17:11:17 -0400 Subject: Fix the man page for "pam_fail_delay()" This man page contained the incorrect statement that setting the PAM_FAIL_DELAY item to NULL would disable any form of delay on authentication failure. I removed the incorrect statement and added a paragraph explaining how an application should properly avoid delays. Closes #137. --- doc/man/pam_fail_delay.3.xml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml index d886e9e0..53c1f89e 100644 --- a/doc/man/pam_fail_delay.3.xml +++ b/doc/man/pam_fail_delay.3.xml @@ -93,8 +93,15 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); pam_set_item3 . - Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay - will be performed. + + + Note that the PAM_FAIL_DELAY item is set to NULL by default. This + indicates that PAM should perform a random delay as described + above when authentication fails and a delay has been suggested. + If an application does not want the PAM library to perform any + delay on authentication failure, then the application must define + a custom delay function that executes no statements and set + the PAM_FAIL_DELAY item to point to this function. -- cgit v1.2.3 From 65d6735c5949ec233df9813f734e918a93fa36cf Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com> Date: Mon, 16 Sep 2019 17:17:49 +0200 Subject: Add support for a vendor directory and libeconf (#136) With this, it is possible for Linux distributors to store their supplied default configuration files somewhere below /usr, while /etc only contains the changes made by the user. The new option --enable-vendordir defines where Linux-PAM should additional look for pam.d/*, login.defs and securetty if this files are not in /etc. libeconf is a key/value configuration file reading library, which handles the split of configuration files in different locations and merges them transparently for the application. --- doc/man/Makefile.am | 5 +++++ doc/man/pam.8.xml | 17 +++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) (limited to 'doc/man') diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 78c891df..8e76897e 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -59,5 +59,10 @@ pam.d.5: pam.conf.5 pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml +if HAVE_VENDORDIR +XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) +else +XSLTPROC_CUSTOM = --stringparam vendordir "" +endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml index 9839defb..464af0e5 100644 --- a/doc/man/pam.8.xml +++ b/doc/man/pam.8.xml 
@@ -53,11 +53,12 @@ Vendor-supplied PAM configuration files might be installed in - the system directory /usr/lib/pam.d/ instead + the system directory /usr/lib/pam.d/ or + a configurable vendor specific directory instead of the machine configuration directory /etc/pam.d/. If no machine configuration file is found, the vendor-supplied file is used. All files in /etc/pam.d/ override - files with the same name in /usr/lib/pam.d/. + files with the same name in other directories. From the point of view of the system administrator, for whom this @@ -157,6 +158,18 @@ closing hook for modules to affect the services available to a user. + + %vendordir%/pam.d + + + the Linux-PAM vendor configuration + directory. Files in /etc/pam.d and + /usr/lib/pam.d override files with the same + name in this directory. Only available if Linux-PAM was compiled + with vendordir enabled. + + + -- cgit v1.2.3 From 3419569e8e469c9e9769be0f977b88f7bf4be2d5 Mon Sep 17 00:00:00 2001 From: MIZUTA Takeshi Date: Sat, 5 Oct 2019 00:18:35 +0900 Subject: doc: fix typo in manpage --- doc/man/misc_conv.3.xml | 8 ++++---- doc/man/pam_setcred.3.xml | 2 +- doc/man/pam_start.3.xml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'doc/man') diff --git a/doc/man/misc_conv.3.xml b/doc/man/misc_conv.3.xml index 041f4eb0..d902ba83 100644 --- a/doc/man/misc_conv.3.xml +++ b/doc/man/misc_conv.3.xml @@ -46,7 +46,7 @@ The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something. The - five variabls are as follows: + five variables are as follows: @@ -70,7 +70,7 @@ const char *pam_misc_conv_warn_line; - Used in conjuction with + Used in conjunction with pam_misc_conv_warn_time, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching. Its 
@@ -103,7 +103,7 @@ const char *pam_misc_conv_die_line; - Used in conjuction with + Used in conjunction with pam_misc_conv_die_time, this variable is a pointer to the string that will be displayed when the conversation times out. Its default value is a translated @@ -120,7 +120,7 @@ Following a return from the Linux-PAM - libraray, the value of this variable indicates whether the + library, the value of this variable indicates whether the conversation has timed out. A value of 1 indicates the time-out occurred. diff --git a/doc/man/pam_setcred.3.xml b/doc/man/pam_setcred.3.xml index 77e9382f..62922482 100644 --- a/doc/man/pam_setcred.3.xml +++ b/doc/man/pam_setcred.3.xml @@ -144,7 +144,7 @@ A NULL pointer was submitted as PAM handle, the function was called by a module or another system - error occured. + error occurred. diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml index 9b370f52..50a65a47 100644 --- a/doc/man/pam_start.3.xml +++ b/doc/man/pam_start.3.xml @@ -83,7 +83,7 @@ pam_get_item3 . - The PAM handle cannot be used for mulitiple authentications at the + The PAM handle cannot be used for multiple authentications at the same time as long as pam_end was not called on it before. -- cgit v1.2.3 From 375825bd5d88ee66375fd400c40af7844c1b0608 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:21:02 +0000 Subject: Miscellaneous grammar fixes --- doc/man/pam_get_item.3.xml | 4 ++-- doc/man/pam_set_item.3.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml index d07862e0..1145273c 100644 --- a/doc/man/pam_get_item.3.xml +++ b/doc/man/pam_get_item.3.xml @@ -19,7 +19,7 @@ pam_get_item - getting PAM informations + getting PAM information 
@@ -45,7 +45,7 @@ DESCRIPTION The pam_get_item function allows applications - and PAM service modules to access and retrieve PAM informations + and PAM service modules to access and retrieve PAM information of item_type. Upon successful return, item contains a pointer to the value of the corresponding item. Note, this is a pointer to the diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml index 39758313..7630adbd 100644 --- a/doc/man/pam_set_item.3.xml +++ b/doc/man/pam_set_item.3.xml @@ -19,7 +19,7 @@ pam_set_item - set and update PAM informations + set and update PAM information @@ -45,7 +45,7 @@ DESCRIPTION The pam_set_item function allows applications - and PAM service modules to access and to update PAM informations + and PAM service modules to access and to update PAM information of item_type. For this a copy of the object pointed to by the item argument is created. The following item_types are -- cgit v1.2.3 From 7e15186e3e9720c1415ca301222e66c994fc0529 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:26:37 +0000 Subject: Miscellaneous spelling fixes --- doc/man/pam_prompt.3.xml | 2 +- doc/man/pam_set_item.3.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_prompt.3.xml b/doc/man/pam_prompt.3.xml index 8b502a9d..bf0c9bf6 100644 --- a/doc/man/pam_prompt.3.xml +++ b/doc/man/pam_prompt.3.xml @@ -75,7 +75,7 @@ PAM_SUCCESS - Conversation succeded, response is set. + Conversation succeeded, response is set. diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml index 7630adbd..30ab92b9 100644 --- a/doc/man/pam_set_item.3.xml +++ b/doc/man/pam_set_item.3.xml @@ -74,7 +74,7 @@ - Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before + Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reset before returning to the application. Which means an application is not able to access the authentication tokens. -- cgit v1.2.3 
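Review bot: in the pam_set_item.3.xml hunk of "Miscellaneous spelling fixes" (7e15186e), the corrected line still opens with "Both," followed by a comma and is followed by the fragment "Which means an application is not able to access the authentication tokens." Since this sentence is the page's statement that PAM_AUTHTOK and PAM_OLDAUTHTOK are not readable by the application, it is worth making it one clean sentence, for example: "Both PAM_AUTHTOK and PAM_OLDAUTHTOK will be reset before returning to the application, which means an application is not able to access the authentication tokens."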
From aea5d57019696554a1235fad872e6abec1fe1369 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:28:25 +0000 Subject: Further grammar fixes Signed-off-by: Russ Allbery Bug-Debian: https://bugs.debian.org/651560 --- doc/man/pam_putenv.3.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/man') diff --git a/doc/man/pam_putenv.3.xml b/doc/man/pam_putenv.3.xml index 619b218a..2d4afbc5 100644 --- a/doc/man/pam_putenv.3.xml +++ b/doc/man/pam_putenv.3.xml @@ -79,7 +79,7 @@ name_value, which means in contrast to putenv3 - , the application is responsible to free the data. + , the application is responsible for freeing the data. -- cgit v1.2.3 From 7a84910896d5579bd9c016696224d7d69a307bd9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 24 Feb 2020 18:19:57 +0100 Subject: New API call pam_start_confdir() To load PAM stack configurations from specified directory --- doc/man/pam_start.3.xml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'doc/man') diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml index 50a65a47..1d544e64 100644 --- a/doc/man/pam_start.3.xml +++ b/doc/man/pam_start.3.xml @@ -12,6 +12,7 @@ pam_start + pam_start_confdir initialization of PAM transaction @@ -27,6 +28,14 @@ const struct pam_conv *pam_conversation pam_handle_t **pamh + + int pam_start_confdir + const char *service_name + const char *user + const struct pam_conv *pam_conversation + const char *confdir + pam_handle_t **pamh + @@ -87,6 +96,17 @@ same time as long as pam_end was not called on it before. + + + The pam_start_confdir function behaves + like the pam_start function but it also + allows setting confdir argument with + a path to a directory to override the default + (/etc/pam.d) path for service policy + files. If the confdir is NULL, the function + works exactly the same as pam_start. + + RETURN VALUES 
@@ -111,7 +131,7 @@ PAM_SUCCESS - Transaction was successful created. + Transaction was successfully started. -- cgit v1.2.3 From 897c7412b26ca618af6822dcaa7e6be68772dc52 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sat, 28 Mar 2020 18:19:41 +0000 Subject: Fix various typos found using codespell tool --- doc/man/pam.3.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/man') diff --git a/doc/man/pam.3.xml b/doc/man/pam.3.xml index 3efffd95..0b1efccf 100644 --- a/doc/man/pam.3.xml +++ b/doc/man/pam.3.xml @@ -153,7 +153,7 @@ pam_get_item3 functions allows applications and PAM service modules to set and - retrieve PAM informations. + retrieve PAM information. The -- cgit v1.2.3 From ea951fdc8682146f7f03216a7839441678d45657 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 28 Apr 2020 10:10:08 +0000 Subject: build: rework vendordir substitution Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used, remove stereotypic definitions from other Makefiles, this way we no longer have to worry about vendordir being used somewhere else in documentation files. Likewise, define VENDORDIR in config.h and remove stereotypic -DVENDORDIR= additions from other Makefiles, this way we no longer have to worry about VENDORDIR being used somewhere else in the code. * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR. (AC_DEFINE_UNQUOTED): Add VENDORDIR. (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR. * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with @STRINGPARAM_VENDORDIR@. * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove. * libpam/Makefile.am [HAVE_VENDORDIR]: Remove. * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove. (XSLTPROC_CUSTOM): Remove. * modules/pam_securetty/pam_securetty.c: Move definitions of local macros after config.h to benefit from macros defined there. --- doc/man/Makefile.am | 5 ----- 1 file changed, 5 deletions(-) (limited to 'doc/man') 
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 8e76897e..78c891df 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -59,10 +59,5 @@ pam.d.5: pam.conf.5 pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml -if HAVE_VENDORDIR -XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) -else -XSLTPROC_CUSTOM = --stringparam vendordir "" -endif -include $(top_srcdir)/Make.xml.rules endif -- cgit v1.2.3 From 3c10a035c9b996add3ca4d409ad5b22d2141f09f Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 19:20:12 +0000 Subject: doc: remove references to PAM_SM_* macros Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect. --- doc/man/pam_sm_acct_mgmt.3.xml | 1 - doc/man/pam_sm_authenticate.3.xml | 1 - doc/man/pam_sm_chauthtok.3.xml | 1 - doc/man/pam_sm_close_session.3.xml | 1 - doc/man/pam_sm_open_session.3.xml | 1 - doc/man/pam_sm_setcred.3.xml | 1 - 6 files changed, 6 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_sm_acct_mgmt.3.xml b/doc/man/pam_sm_acct_mgmt.3.xml index ff998676..b37dc306 100644 --- a/doc/man/pam_sm_acct_mgmt.3.xml +++ b/doc/man/pam_sm_acct_mgmt.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_ACCOUNT #include <security/pam_modules.h> int pam_sm_acct_mgmt diff --git a/doc/man/pam_sm_authenticate.3.xml b/doc/man/pam_sm_authenticate.3.xml index 42997265..ef3a8f15 100644 --- a/doc/man/pam_sm_authenticate.3.xml +++ b/doc/man/pam_sm_authenticate.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_AUTH #include <security/pam_modules.h> int pam_sm_authenticate diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml index d8f36d69..25e17d02 100644 --- a/doc/man/pam_sm_chauthtok.3.xml +++ b/doc/man/pam_sm_chauthtok.3.xml 
@@ -17,7 +17,6 @@ - #define PAM_SM_PASSWORD #include <security/pam_modules.h> int pam_sm_chauthtok diff --git a/doc/man/pam_sm_close_session.3.xml b/doc/man/pam_sm_close_session.3.xml index db579ffa..6d8278ec 100644 --- a/doc/man/pam_sm_close_session.3.xml +++ b/doc/man/pam_sm_close_session.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_SESSION #include <security/pam_modules.h> int pam_sm_close_session diff --git a/doc/man/pam_sm_open_session.3.xml b/doc/man/pam_sm_open_session.3.xml index 0c9ec77f..ead7ca77 100644 --- a/doc/man/pam_sm_open_session.3.xml +++ b/doc/man/pam_sm_open_session.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_SESSION #include <security/pam_modules.h> int pam_sm_open_session diff --git a/doc/man/pam_sm_setcred.3.xml b/doc/man/pam_sm_setcred.3.xml index 5cfe899f..bb04a2df 100644 --- a/doc/man/pam_sm_setcred.3.xml +++ b/doc/man/pam_sm_setcred.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_AUTH #include <security/pam_modules.h> int pam_sm_setcred -- cgit v1.2.3 From ee296a1093f879b6447769d29f0850bba0491e93 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sat, 2 May 2020 00:09:48 +0000 Subject: man: document other valid pam_get_user return values * doc/man/pam_get_user.3.xml (pam_get_user-return_values): Add PAM_BUF_ERR, PAM_ABORT, and PAM_CONV_AGAIN. --- doc/man/pam_get_user.3.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'doc/man') diff --git a/doc/man/pam_get_user.3.xml b/doc/man/pam_get_user.3.xml index 16ef5483..8bb176e4 100644 --- a/doc/man/pam_get_user.3.xml +++ b/doc/man/pam_get_user.3.xml @@ -115,6 +115,31 @@ + + PAM_BUF_ERR + + + Memory buffer error. + + + + + PAM_ABORT + + + Error resuming an old conversation. + + + + + PAM_CONV_AGAIN + + + The conversation method supplied by the application + is waiting for an event. + + + -- cgit v1.2.3 From 2e16ac35a0a535d394931711186b4f90e67b91ed Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Sun, 17 May 2020 08:00:00 +0000 Subject: doc: fix the description of stack jump effects Every stack jump, besides the jump itself, has a side effect which is one of 'ignore', 'ok', or 'bad'. Unfortunately, the side effect is far from obvious because it depends on the PAM function call, and the documentation that contradicts the implementation does not help either. * doc/man/pam.conf-syntax.xml (actionN): Rewrite the description of stack jump effects to match the implementation. Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56 --- doc/man/pam.conf-syntax.xml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml index da7cfb70..7b4edbf2 100644 --- a/doc/man/pam.conf-syntax.xml +++ b/doc/man/pam.conf-syntax.xml @@ -306,9 +306,19 @@ N (an unsigned integer) - equivalent to ok with the side effect of jumping over the - next N modules in the stack. Note that N equal to 0 is not - allowed (and it would be identical to ok in such case). + jump over the next N modules in the stack. + Note that N equal to 0 is not allowed, + it would be treated as ignore in such case. + The side effect depends on the PAM function call: + for pam_authenticate, + pam_acct_mgmt, + pam_chauthtok, and + pam_open_session + it is ignore; + for pam_setcred and + pam_close_session it is + one of ignore, ok, + or bad depending on the module's return value. -- cgit v1.2.3
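Review bot: in the pam.conf-syntax.xml hunk of "doc: fix the description of stack jump effects" (2e16ac35), the new text for pam_setcred and pam_close_session stops at "one of ignore, ok, or bad depending on the module's return value" without saying which return value produces which effect, and that mapping is what an administrator writing a jump rule needs. List the mapping or point to where it is defined. The sentence "Note that N equal to 0 is not allowed, it would be treated as ignore in such case" is a comma splice and reads as self-contradictory (not allowed, yet treated as ignore); say whether the value is rejected or accepted and handled as ignore.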
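Review bot: the paragraph added to doc/man/pam_fail_delay.3.xml in "Fix the man page for pam_fail_delay()" (6b10b693) tells applications how to suppress the delay but not what they give up by doing so; next to "the application must define a custom delay function" the page should say that the delay is what slows repeated failed authentication attempts, so that removing it is a deliberate choice. The wording "executes no statements" would also be clearer as a function with an empty body that matches the delay_fn prototype shown in the hunk context.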
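Review bot: in the doc/man/Makefile.am hunk of "Add support for a vendor directory and libeconf" (65d6735c), $(VENDORDIR) is passed to --stringparam unquoted while the else branch passes a quoted empty string, so a configured directory containing whitespace or shell metacharacters would split or alter the xsltproc arguments. Quote it the same way as the else branch: --stringparam vendordir "$(VENDORDIR)".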
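Review bot: the first pam.8.xml hunk of the same commit (65d6735c) leaves the order between /usr/lib/pam.d/ and the vendor directory unstated ("/usr/lib/pam.d/ or a configurable vendor specific directory"); only the entry added in the second hunk says that /etc/pam.d and /usr/lib/pam.d override the vendor directory. Because the lookup order decides which service policy is enforced, state the full order once in the descriptive paragraph rather than splitting it across two places. The added entry is written as %vendordir%/pam.d while the Makefile.am else branch sets vendordir to "", so check what this entry renders as when the option is disabled.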
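Review bot: the paragraph added to doc/man/pam_start.3.xml in "New API call pam_start_confdir()" (7a849108) says confdir overrides "the default (/etc/pam.d) path for service policy files" but does not say whether the other locations documented in pam.8 (/usr/lib/pam.d and the vendor directory) are still searched when confdir is set, or whether a relative path is accepted. The directory selects the policy that authenticates the user, so the page should state both and tell callers to pass only a trusted path that unprivileged users cannot write to. The RETURN VALUES hunk changes only the PAM_SUCCESS wording; if an unusable confdir produces a specific error, it should be listed there.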
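Review bot: the PAM_ABORT and PAM_CONV_AGAIN entries added to doc/man/pam_get_user.3.xml in "man: document other valid pam_get_user return values" (ee296a10) describe the condition but not what the caller should do next; "Error resuming an old conversation" and "is waiting for an event" leave a module author guessing whether to retry, hand control back to the application, or fail the request. Add one sentence to each entry stating the expected caller behaviour.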