From 59b292aeb314ed4f7c14fa2508a421829da81f93 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 8 Apr 2008 08:56:32 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-04-08 Tomas Mraz * libpam/pam_item.c (TRY_SET): Do not set when destination is identical to source. (pam_set_item): Do not overwrite destination when it is identical to source. --- libpam/pam_item.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_item.c b/libpam/pam_item.c index 724ea694..f3d794eb 100644 --- a/libpam/pam_item.c +++ b/libpam/pam_item.c @@ -11,13 +11,15 @@ #include #include -#define TRY_SET(X, Y) \ -{ \ - char *_TMP_ = _pam_strdup(Y); \ - if (_TMP_ == NULL && (Y) != NULL) \ - return PAM_BUF_ERR; \ - free(X); \ - (X) = _TMP_; \ +#define TRY_SET(X, Y) \ +{ \ + if ((X) != (Y)) { \ + char *_TMP_ = _pam_strdup(Y); \ + if (_TMP_ == NULL && (Y) != NULL) \ + return PAM_BUF_ERR; \ + free(X); \ + (X) = _TMP_; \ + } \ } /* functions */ @@ -76,8 +78,10 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) * modules. */ if (__PAM_FROM_MODULE(pamh)) { - _pam_overwrite(pamh->authtok); - TRY_SET(pamh->authtok, item); + if (pamh->authtok != item) { + _pam_overwrite(pamh->authtok); + TRY_SET(pamh->authtok, item); + } } else { retval = PAM_BAD_ITEM; } @@ -90,8 +94,10 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) * modules. */ if (__PAM_FROM_MODULE(pamh)) { - _pam_overwrite(pamh->oldauthtok); - TRY_SET(pamh->oldauthtok, item); + if (pamh->oldauthtok != item) { + _pam_overwrite(pamh->oldauthtok); + TRY_SET(pamh->oldauthtok, item); + } } else { retval = PAM_BAD_ITEM; } @@ -130,6 +136,8 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) break; case PAM_XAUTHDATA: + if (&pamh->xauth == item) + break; if (pamh->xauth.namelen) { _pam_overwrite(pamh->xauth.name); free(pamh->xauth.name); -- cgit v1.2.1 
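Review bot: The identity guard added in the PAM_AUTHTOK and PAM_OLDAUTHTOK cases only catches the exact pointer that pam_get_item() handed out; an `item` that points into the current buffer but not at its start is still wiped by `_pam_overwrite(pamh->authtok)` before TRY_SET's `_pam_strdup(Y)` copies it, so the stored token would be whatever zeroed remainder is left. That is an edge case rather than something this commit introduces, but the reason for checking twice (once before the wipe, once again inside the macro) deserves a comment, e.g. `/* item may be the pointer pam_get_item() returned for this very field; it must not be wiped before it is copied */`. The rewritten TRY_SET still hides a `return PAM_BUF_ERR` inside a bare `{ }` block; wrapping it in `do { ... } while (0)` would at least make `TRY_SET(...);` safe after an unbraced `if`/`else`.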
From 09c2e0fcf1bd5b1200c6ef268b7bdd82b4708b9d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 14 May 2008 12:55:02 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-05-14 Tomas Mraz * libpam/pam_modutil_getgrgid.c: Replace hardcoded constant with define PWD_LENGTH_SHIFT. * libpam/pam_modutil_getgrnam.c: Likewise. * libpam/pam_modutil_getpwnam.c: Likewise. * libpam/pam_modutil_getpwuid.c: Likewise. * libpam/pam_modutil_getspnam.c: Likewise. * libpam/pam_modutil_private.h: Adjust values for PWD_ constants. --- libpam/pam_modutil_getgrgid.c | 2 +- libpam/pam_modutil_getgrnam.c | 2 +- libpam/pam_modutil_getpwnam.c | 2 +- libpam/pam_modutil_getpwuid.c | 2 +- libpam/pam_modutil_getspnam.c | 2 +- libpam/pam_modutil_private.h | 5 +++-- 6 files changed, 8 insertions(+), 7 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_modutil_getgrgid.c b/libpam/pam_modutil_getgrgid.c index 03d03daa..600946a1 100644 --- a/libpam/pam_modutil_getgrgid.c +++ b/libpam/pam_modutil_getgrgid.c @@ -115,7 +115,7 @@ pam_modutil_getgrgid(pam_handle_t *pamh, gid_t gid) break; } - length <<= 2; + length <<= PWD_LENGTH_SHIFT; } while (length < PWD_ABSURD_PWD_LENGTH); diff --git a/libpam/pam_modutil_getgrnam.c b/libpam/pam_modutil_getgrnam.c index c224db7b..adf7daa2 100644 --- a/libpam/pam_modutil_getgrnam.c +++ b/libpam/pam_modutil_getgrnam.c @@ -104,7 +104,7 @@ pam_modutil_getgrnam(pam_handle_t *pamh, const char *group) break; } - length <<= 2; + length <<= PWD_LENGTH_SHIFT; } while (length < PWD_ABSURD_PWD_LENGTH); diff --git a/libpam/pam_modutil_getpwnam.c b/libpam/pam_modutil_getpwnam.c index a9dcd6c3..f4e4d80e 100644 --- a/libpam/pam_modutil_getpwnam.c +++ b/libpam/pam_modutil_getpwnam.c @@ -104,7 +104,7 @@ pam_modutil_getpwnam(pam_handle_t *pamh, const char *user) break; } - length <<= 2; + length <<= PWD_LENGTH_SHIFT; } while (length < PWD_ABSURD_PWD_LENGTH); 
diff --git a/libpam/pam_modutil_getpwuid.c b/libpam/pam_modutil_getpwuid.c index bf364a3e..33a6cf49 100644 --- a/libpam/pam_modutil_getpwuid.c +++ b/libpam/pam_modutil_getpwuid.c @@ -115,7 +115,7 @@ pam_modutil_getpwuid(pam_handle_t *pamh, uid_t uid) break; } - length <<= 2; + length <<= PWD_LENGTH_SHIFT; } while (length < PWD_ABSURD_PWD_LENGTH); diff --git a/libpam/pam_modutil_getspnam.c b/libpam/pam_modutil_getspnam.c index 6eaf5d4c..7cc64881 100644 --- a/libpam/pam_modutil_getspnam.c +++ b/libpam/pam_modutil_getspnam.c @@ -104,7 +104,7 @@ pam_modutil_getspnam(pam_handle_t *pamh, const char *user) break; } - length <<= 2; + length <<= PWD_LENGTH_SHIFT; } while (length < PWD_ABSURD_PWD_LENGTH); diff --git a/libpam/pam_modutil_private.h b/libpam/pam_modutil_private.h index f242fdfe..98a30f68 100644 --- a/libpam/pam_modutil_private.h +++ b/libpam/pam_modutil_private.h @@ -13,8 +13,9 @@ #include #include -#define PWD_INITIAL_LENGTH 0x100 -#define PWD_ABSURD_PWD_LENGTH 0x8000 +#define PWD_INITIAL_LENGTH 0x400 +#define PWD_ABSURD_PWD_LENGTH 0x40001 +#define PWD_LENGTH_SHIFT 4 /* 2^4 == 16 */ extern void pam_modutil_cleanup(pam_handle_t *pamh, void *data, -- cgit v1.2.1 From dad5bd7c146a842e11da19c5715db117d62f5677 Mon Sep 17 00:00:00 2001 
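Review bot: The new `PWD_ABSURD_PWD_LENGTH 0x40001` in pam_modutil_private.h reads like a typo for 0x40000 until one looks at the callers: every retry loop ends with `while (length < PWD_ABSURD_PWD_LENGTH)` after `length <<= PWD_LENGTH_SHIFT`, so starting from 0x400 the odd limit is precisely what allows the 0x40000 (256 KiB) buffer to be attempted before giving up. Say so next to the define, e.g. `#define PWD_ABSURD_PWD_LENGTH 0x40001 /* one above the last size tried: the loop test is length < limit */`. The declared type of `length` is not visible in these hunks; if it is a plain `int` the shift cannot overflow, because the loop stops once length reaches 0x400000.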
From: Thorsten Kukuk Date: Fri, 10 Oct 2008 06:53:45 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-10-10 Thorsten Kukuk * configure.in: add modules/pam_pwhistory/Makefile. * doc/sag/Linux-PAM_SAG.xml: Include pam_pwhistory.xml. * doc/sag/pam_pwhistory.xml: New. * libpam/pam_static_modules.h: Add pam_pwhistory data. * modules/Makefile.am: Add pam_pwhistory directory. * modules/pam_pwhistory/Makefile.am: New. * modules/pam_pwhistory/README.xml: New. * modules/pam_pwhistory/opasswd.c: New. * modules/pam_pwhistory/opasswd.h: New. * modules/pam_pwhistory/pam_pwhistory.8.xml: New. * modules/pam_pwhistory/pam_pwhistory.c: New. * modules/pam_pwhistory/tst-pam_pwhistory: New. * xtests/Makefile.am: New. * xtests/run-xtests.sh: New. * xtests/tst-pam_pwhistory1.c: New. * xtests/tst-pam_pwhistory1.pamd: New. * xtests/tst-pam_pwhistory1.sh: New. * po/POTFILES.in: Add modules/pam_pwhistory/. * po/de.po: Update translations. --- libpam/pam_static_modules.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'libpam') diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h index a66b486d..d45f2977 100644 --- a/libpam/pam_static_modules.h +++ b/libpam/pam_static_modules.h @@ -61,6 +61,7 @@ extern struct pam_module _pam_namespace_modstruct; #endif extern struct pam_module _pam_nologin_modstruct; extern struct pam_module _pam_permit_modstruct; +extern struct pam_module _pam_pwhistory_modstruct; extern struct pam_module _pam_rhosts_modstruct; extern struct pam_module _pam_rhosts_auth_modstruct; extern struct pam_module _pam_rootok_modstruct; @@ -119,6 +120,7 @@ static struct pam_module *static_modules[] = { #endif &_pam_nologin_modstruct, &_pam_permit_modstruct, + &_pam_pwhistory_modstruct, &_pam_rhosts_modstruct, &_pam_rhosts_auth_modstruct, &_pam_rootok_modstruct, -- cgit v1.2.1 From 114ed318bea9b5859ab89144261946716776e2ed Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 17 Oct 2008 11:29:55 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-10-17 Tomas Mraz * configure.in: Add modules/pam_tally2/Makefile. * doc/sag/Linux-PAM_SAG.xml: Include pam_tally2.xml. * doc/sag/pam_tally2.xml: New. * libpam/pam_static_modules.h: Add pam_tally2 static struct. * modules/Makefile.am: Add pam_tally2 directory. * modules/pam_tally2/Makefile.am: New. * modules/pam_tally2/README.xml: New. * modules/pam_tally2/tallylog.h: New. * modules/pam_tally2/pam_tally2.8.xml: New. * modules/pam_tally2/pam_tally2.c: New. * modules/pam_tally2/pam_tally2_app.c: New. * modules/pam_tally2/tst-pam_tally2: New. * po/POTFILES.in: Add pam_tally2 sources. --- libpam/pam_static_modules.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'libpam') diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h index d45f2977..2d80cecb 100644 --- a/libpam/pam_static_modules.h +++ b/libpam/pam_static_modules.h @@ -74,6 +74,7 @@ extern struct pam_module _pam_shells_modstruct; extern struct pam_module _pam_stress_modstruct; extern struct pam_module _pam_succeed_if_modstruct; extern struct pam_module _pam_tally_modstruct; +extern struct pam_module _pam_tally2_modstruct; extern struct pam_module _pam_time_modstruct; #ifdef HAVE_AUDIT_TTY_STATUS extern struct pam_module _pam_tty_audit_modstruct; @@ -133,6 +134,7 @@ static struct pam_module *static_modules[] = { &_pam_stress_modstruct, &_pam_succeed_if_modstruct, &_pam_tally_modstruct, + &_pam_tally2_modstruct, &_pam_time_modstruct, #ifdef HAVE_AUDIT_TTY_STATUS &_pam_tty_audit_modstruct, -- cgit v1.2.1 From e6364f057ddd81b7eb06487047b20a04f29022af Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 24 Nov 2008 13:56:29 +0000 Subject: Relevant BUGIDs: rhbz#471762 Purpose of commit: new feature Commit summary: --------------- 2008-11-24 Tomas Mraz * libpam/pam_handlers.c (_pam_parse_conf_file): '-' at beginning of type token marks silent module. (_pam_load_module): Add handler_type parameter. Do not log module load error if module is silent. (_pam_add_handler): Pass handler_type to _pam_load_module(). * libpam/pam_private.h: Add PAM_HT_SILENT_MODULE. * doc/man/pam.conf-syntax.xml: Document the '-' at beginning of type. --- libpam/pam_handlers.c | 56 ++++++++++++++++++++++++++++++--------------------- libpam/pam_private.h | 1 + 2 files changed, 34 insertions(+), 23 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 848c4fa5..bca3dd31 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c 
@@ -109,22 +109,28 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f module_type = (requested_module_type != PAM_T_ANY) ? requested_module_type : PAM_T_AUTH; /* most sensitive */ handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ - } else if (!strcasecmp("auth", tok)) { - module_type = PAM_T_AUTH; - } else if (!strcasecmp("session", tok)) { - module_type = PAM_T_SESS; - } else if (!strcasecmp("account", tok)) { - module_type = PAM_T_ACCT; - } else if (!strcasecmp("password", tok)) { - module_type = PAM_T_PASS; } else { - /* Illegal module type */ - D(("_pam_init_handlers: bad module type: %s", tok)); - pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s", - this_service, tok); - module_type = (requested_module_type != PAM_T_ANY) ? - requested_module_type : PAM_T_AUTH; /* most sensitive */ - handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ + if (tok[0] == '-') { /* do not log module load errors */ + handler_type = PAM_HT_SILENT_MODULE; + ++tok; + } + if (!strcasecmp("auth", tok)) { + module_type = PAM_T_AUTH; + } else if (!strcasecmp("session", tok)) { + module_type = PAM_T_SESS; + } else if (!strcasecmp("account", tok)) { + module_type = PAM_T_ACCT; + } else if (!strcasecmp("password", tok)) { + module_type = PAM_T_PASS; + } else { + /* Illegal module type */ + D(("_pam_init_handlers: bad module type: %s", tok)); + pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s", + this_service, tok); + module_type = (requested_module_type != PAM_T_ANY) ? + requested_module_type : PAM_T_AUTH; /* most sensitive */ + handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */ + } } D(("Using %s config entry: %s", handler_type?"BAD ":"", tok)); if (requested_module_type != PAM_T_ANY && 
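Review bot: The debug line immediately after the new block, `D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));`, now labels every '-'-prefixed entry as BAD because PAM_HT_SILENT_MODULE is non-zero; it should test the failure type explicitly, `handler_type == PAM_HT_MUST_FAIL ? "BAD " : ""`. A lone `-` token becomes an empty string after `++tok` and falls into the illegal-module-type branch, which is acceptable, but a comment such as `/* "-auth" etc.: module load failures are not logged, the entry is otherwise normal */` would help readers who have not seen the new syntax. The rest of _pam_parse_conf_file lies outside the hunk.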
@@ -609,7 +615,7 @@ extract_modulename(const char *mod_path) } static struct loaded_module * -_pam_load_module(pam_handle_t *pamh, const char *mod_path) +_pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type) { int x = 0; int success; @@ -658,7 +664,8 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path) if (mod->dl_handle == NULL) { D(("_pam_load_module: unable to find static handler %s", mod_path)); - pam_syslog(pamh, LOG_ERR, + if (handler_type != PAM_HT_SILENT_MODULE) + pam_syslog(pamh, LOG_ERR, "unable to open static handler %s", mod_path); /* Didn't find module in dynamic or static..will mark bad */ } else { @@ -694,8 +701,9 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path) } if (mod->dl_handle == NULL) { D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path)); - pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path, - _pam_dlerror()); + if (handler_type != PAM_HT_SILENT_MODULE) + pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path, + _pam_dlerror()); /* Don't abort yet; static code may be able to find function. * But defaults to abort if nothing found below... */ } else { @@ -710,7 +718,8 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path) mod->dl_handle = NULL; mod->type = PAM_MT_FAULTY_MOD; pamh->handlers.modules_used++; - pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path); + if (handler_type != PAM_HT_SILENT_MODULE) + pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path); success = PAM_SUCCESS; /* We have successfully added a module */ } 
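Review bot: In the `@@ -710` hunk a silent module that cannot be loaded is still registered as PAM_MT_FAULTY_MOD (which presumably fails whenever it is dispatched), yet with PAM_HT_SILENT_MODULE no log line is emitted at all, so an operator debugging a refused login has nothing to find. Logging at a lower priority rather than dropping the message keeps the '-' semantics while preserving the evidence: `pam_syslog(pamh, handler_type == PAM_HT_SILENT_MODULE ? LOG_DEBUG : LOG_ERR, "adding faulty module: %s", mod_path);`. In the `@@ -658` hunk the unbraced `if` now governs a two-line pam_syslog call whose continuation line is indented as though it were a separate statement; braces would make the scope obvious.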
@@ -748,12 +757,13 @@ int _pam_add_handler(pam_handle_t *pamh D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'", type, handler_type, mod_path)); - if (handler_type == PAM_HT_MODULE && mod_path != NULL) { + if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) && + mod_path != NULL) { if (mod_path[0] == '/') { - mod = _pam_load_module(pamh, mod_path); + mod = _pam_load_module(pamh, mod_path, handler_type); } else if (asprintf(&mod_full_path, "%s%s", DEFAULT_MODULE_PATH, mod_path) >= 0) { - mod = _pam_load_module(pamh, mod_full_path); + mod = _pam_load_module(pamh, mod_full_path, handler_type); _pam_drop(mod_full_path); } else { pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path"); diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 333f4d0f..62756ad4 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h @@ -60,6 +60,7 @@ struct handler { #define PAM_HT_MODULE 0 #define PAM_HT_MUST_FAIL 1 #define PAM_HT_SUBSTACK 2 +#define PAM_HT_SILENT_MODULE 3 struct loaded_module { char *name; -- cgit v1.2.1 From 4a67d64dd0cb01c40e675f48f0c6ea3d08e53664 Mon Sep 17 00:00:00 2001 
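Review bot: `#define PAM_HT_SILENT_MODULE 3` in pam_private.h is undocumented, and since _pam_add_handler now treats it as an alias of PAM_HT_MODULE for loading purposes, any other comparison against `PAM_HT_MODULE` elsewhere in libpam (not visible here) would need the same extension. A comment on the define would capture that contract: `#define PAM_HT_SILENT_MODULE 3 /* as PAM_HT_MODULE, but the type was written "-auth" etc.: load failures are not logged */`.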
From: Tomas Mraz Date: Fri, 28 Nov 2008 14:29:12 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-11-28 Tomas Mraz * modules/pam_tally2/pam_tally2.c (tally_check): Fix info format to be the same as in pam_tally. * configure.in: Add modules/pam_timestamp/Makefile. * doc/sag/Linux-PAM_SAG.xml: Include pam_timestamp.xml. * doc/sag/pam_timestamp.xml: New. * libpam/pam_static_modules.h: Add pam_timestamp static struct. * modules/Makefile.am: Add pam_timestamp directory. * modules/pam_timestamp/Makefile.am: New. * modules/pam_timestamp/README.xml: New. * modules/pam_timestamp/hmacsha1.h: New. * modules/pam_timestamp/sha1.h: New. * modules/pam_timestamp/pam_timestamp.8.xml: New. * modules/pam_timestamp/pam_timestamp_check.8.xml: New. * modules/pam_timestamp/pam_timestamp.c: New. * modules/pam_timestamp/pam_timestamp_check.c: New. * modules/pam_timestamp/hmacfile.c: New. * modules/pam_timestamp/hmacsha1.c: New. * modules/pam_timestamp/sha1.c: New. * modules/pam_timestamp/tst-pam_timestamp: New. * po/POTFILES.in: Add pam_timestamp sources. * po/*.po: Regenerate. * po/cs.po: Updated translations. --- libpam/pam_static_modules.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'libpam') diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h index 2d80cecb..999adc2a 100644 --- a/libpam/pam_static_modules.h +++ b/libpam/pam_static_modules.h @@ -76,6 +76,7 @@ extern struct pam_module _pam_succeed_if_modstruct; extern struct pam_module _pam_tally_modstruct; extern struct pam_module _pam_tally2_modstruct; extern struct pam_module _pam_time_modstruct; +extern struct pam_module _pam_timestamp_modstruct; #ifdef HAVE_AUDIT_TTY_STATUS extern struct pam_module _pam_tty_audit_modstruct; #endif 
@@ -136,6 +137,7 @@ static struct pam_module *static_modules[] = { &_pam_tally_modstruct, &_pam_tally2_modstruct, &_pam_time_modstruct, + &_pam_timestamp_modstruct, #ifdef HAVE_AUDIT_TTY_STATUS &_pam_tty_audit_modstruct, #endif -- cgit v1.2.1 From f326d04ccd16631d57134487e56bb73074f0dd0e Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 3 Dec 2008 14:16:33 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-12-03 Thorsten Kukuk * doc/man/Makefile.am: Add pam_get_authtok.3.xml. * doc/man/pam_get_authtok.3.xml: New. * libpam/Makefile.am: Add pam_get_authtok.c. * libpam/libpam.map: Export pam_get_authtok. * libpam/pam_get_authtok.c: New. * libpam/pam_private.h: Add mod_argc and mod_argv to pam_handle. * libpam_include/security/pam_ext.h: Add pam_get_authtok prototype. * modules/pam_cracklib/pam_cracklib.c: Use pam_get_authtok. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * po/POTFILES.in: Add libpam/pam_get_authtok.c. * xtests/tst-pam_cracklib1.c: Adjust error codes. * modules/pam_timestamp/Makefile.am: Remove hmactest.c from EXTRA_DIST. * po/*.po: Regenerated. --- libpam/Makefile.am | 5 +- libpam/include/security/pam_ext.h | 5 +- libpam/libpam.map | 5 ++ libpam/pam_dispatch.c | 8 +- libpam/pam_get_authtok.c | 166 ++++++++++++++++++++++++++++++++++++++ libpam/pam_private.h | 2 + 6 files changed, 186 insertions(+), 5 deletions(-) create mode 100644 libpam/pam_get_authtok.c (limited to 'libpam') diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 75e55954..70a11133 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -20,7 +20,7 @@ include_HEADERS = include/security/_pam_compat.h \ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ pam_modutil_private.h pam_static_modules.h -libpam_la_LDFLAGS = -no-undefined -version-info 81:11:81 +libpam_la_LDFLAGS = -no-undefined -version-info 82:0:82 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ if STATIC_MODULES 
@@ -34,7 +34,8 @@ endif lib_LTLIBRARIES = libpam.la libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ - pam_dispatch.c pam_end.c pam_env.c pam_handlers.c pam_item.c \ + pam_dispatch.c pam_end.c pam_env.c pam_get_authtok.c \ + pam_handlers.c pam_item.c \ pam_misc.c pam_password.c pam_prelude.c \ pam_session.c pam_start.c pam_static.c pam_strerror.c \ pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \ diff --git a/libpam/include/security/pam_ext.h b/libpam/include/security/pam_ext.h index 111dd633..26f7156c 100644 --- a/libpam/include/security/pam_ext.h +++ b/libpam/include/security/pam_ext.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005, 2006 Thorsten Kukuk. + * Copyright (C) 2005, 2006, 2008 Thorsten Kukuk. * * * @@ -74,6 +74,9 @@ pam_prompt (pam_handle_t *pamh, int style, char **response, #define pam_info(pamh, fmt...) pam_prompt(pamh, PAM_TEXT_INFO, NULL, fmt) #define pam_vinfo(pamh, fmt, args) pam_vprompt(pamh, PAM_TEXT_INFO, NULL, fmt, args) +extern int PAM_NONNULL((1,3)) +pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok, + const char *prompt); #ifdef __cplusplus } #endif diff --git a/libpam/libpam.map b/libpam/libpam.map index e37fc356..227e8372 100644 --- a/libpam/libpam.map +++ b/libpam/libpam.map @@ -30,6 +30,11 @@ LIBPAM_EXTENSION_1.0 { pam_vsyslog; }; +LIBPAM_EXTENSION_1.1 { + global: + pam_get_authtok; +} LIBPAM_EXTENSION_1.0; + LIBPAM_MODUTIL_1.0 { global: pam_modutil_getpwnam; diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c index fa4e5ed4..42482573 100644 --- a/libpam/pam_dispatch.c +++ b/libpam/pam_dispatch.c @@ -87,7 +87,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } /* remember state if we are entering a substack */ - if (prev_level < stack_level) { + if (prev_level < stack_level) { substates[stack_level].impression = impression; substates[stack_level].status = status; } 
@@ -105,8 +105,12 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } else { D(("passing control to module...")); pamh->mod_name=h->mod_name; + pamh->mod_argc = h->argc; + pamh->mod_argv = h->argv; retval = h->func(pamh, flags, h->argc, h->argv); pamh->mod_name=NULL; + pamh->mod_argc = 0; + pamh->mod_argv = NULL; D(("module returned: %s", pam_strerror(pamh, retval))); } @@ -286,7 +290,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } } continue; - + decision_made: /* by getting here we have made a decision */ while (h->next != NULL && h->next->stack_level >= stack_level) { h = h->next; diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c new file mode 100644 index 00000000..83b3f530 --- /dev/null +++ b/libpam/pam_get_authtok.c 
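Review bot: `pamh->mod_argc` and `pamh->mod_argv` are set immediately before `h->func()` and cleared right after it, so they are only meaningful while a module's pam_sm_* entry point is executing; a comment here would stop a later reader from treating them as persistent state, e.g. `/* expose the handler's argv to pam_get_authtok() for the duration of this call only */`. The assignment `pamh->mod_argv = h->argv` aliases the handler's argument array rather than copying it, which is fine as long as nothing frees the handler list while a module runs — presumably true, but worth stating.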
@@ -0,0 +1,166 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#include "pam_private.h" + +#include + +#define PROMPT _("Password: ") +/* For Translators: "%s%s" could be replaced with " " or "". 
*/ +#define PROMPT1 _("New %s%spassword: ") +/* For Translators: "%s%s" could be replaced with " " or "". */ +#define PROMPT2 _("Retype new %s%spassword: ") +#define MISTYPED_PASS _("Sorry, passwords do not match.") + +static const char * +get_option (pam_handle_t *pamh, const char *option) +{ + int i; + size_t len; + + + if (option == NULL || pamh == NULL || + pamh->mod_argc == 0 || pamh->mod_argv == NULL) + return NULL; + + len = strlen (option); + + for (i = 0; i < pamh->mod_argc; i++) + { + if (strncmp (option, pamh->mod_argv[i], len) == 0) + { + if (pamh->mod_argv[i][len] == '=') + return &(pamh->mod_argv[i][len+1]); + else if (pamh->mod_argv[i][len] == '\0') + return ""; + } + } + return NULL; +} + + +int +pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok, + const char *prompt) + +{ + char *resp[2] = {NULL, NULL}; + const void* prevauthtok; + const char *type = ""; + int ask_twice = 0; /* Password change, ask twice for it */ + int retval; + + if (authtok == NULL) + return PAM_SYSTEM_ERR; + + /* PAM_AUTHTOK in password stack returns new password, + which needs to be verified. 
*/ + if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK) + { + ask_twice = 1; + type = get_option (pamh, "type"); + if (type == NULL) + type = ""; + } + + retval = pam_get_item (pamh, item, &prevauthtok); + if (retval == PAM_SUCCESS && prevauthtok != NULL) + { + *authtok = prevauthtok; + return PAM_SUCCESS; + } + else if (get_option (pamh, "use_first_pass") || + (ask_twice && get_option (pamh, "use_authtok"))) + { + if (prevauthtok == NULL) + { + if (ask_twice) + return PAM_AUTHTOK_ERR; + else + return PAM_AUTH_ERR; + } + else + return retval; + } + + if (prompt != NULL) + { + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + "%s", prompt); + if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], + _("Retype %s"), prompt); + } + else if (ask_twice) + { + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPT1, type, + strlen (type) > 0?" ":""); + if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], + PROMPT2, type, + strlen (type) > 0?" ":""); + } + else + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s", + PROMPT); + + if (resp[0] == NULL || (ask_twice && resp[1] == NULL)) + { + /* We want to abort the password change */ + pam_error (pamh, _("Password change aborted.")); + return PAM_AUTHTOK_ERR; + } + + if (ask_twice && strcmp (resp[0], resp[1]) != 0) + { + pam_error (pamh, MISTYPED_PASS); + _pam_overwrite (resp[0]); + _pam_drop (resp[0]); + _pam_overwrite (resp[1]); + _pam_drop (resp[1]); + return PAM_TRY_AGAIN; + } + + _pam_overwrite (resp[1]); + _pam_drop (resp[1]); + + retval = pam_set_item (pamh, item, resp[0]); + _pam_overwrite (resp[0]); + _pam_drop (resp[0]); + if (retval != PAM_SUCCESS) + return retval; + + return pam_get_item(pamh, item, (const void **)authtok); +} diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 62756ad4..777fd2d7 100644 --- a/libpam/pam_private.h 
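Review bot: In pam_get_authtok the early return under `if (resp[0] == NULL || (ask_twice && resp[1] == NULL))` leaks the first response when only the second prompt failed: `resp[0]` is neither overwritten nor freed, so the typed password stays in heap memory. Add `_pam_overwrite (resp[0]); _pam_drop (resp[0]);` before that `return` (both helpers appear to tolerate NULL, as the later unconditional `_pam_overwrite (resp[1])` suggests). The same branch prints "Password change aborted." and returns PAM_AUTHTOK_ERR even when `ask_twice` is 0, i.e. during authentication, where PAM_AUTH_ERR and no message would be appropriate. Also `const void* prevauthtok;` is never initialised, and the `use_first_pass` branch reads it even when `pam_get_item` failed; `const void *prevauthtok = NULL;` removes the dependency on pam_get_item clearing the out-parameter on error.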
+++ b/libpam/pam_private.h @@ -162,6 +162,8 @@ struct pam_handle { struct _pam_former_state former; /* library state - support for event driven applications */ const char *mod_name; /* Name of the module currently executed */ + int mod_argc; /* Number of module arguments */ + char **mod_argv; /* module arguments */ int choice; /* Which function we call from the module */ #ifdef HAVE_LIBAUDIT -- cgit v1.2.1 From a1131337d71a61da5b3b5e129545d3257a709480 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 11 Dec 2008 19:41:49 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature Commit summary: --------------- 2008-12-10 Thorsten Kukuk * doc/man/pam_item_types_ext.inc.xml: Document PAM_AUTHTOK_TYPE. * libpam/pam_end.c (pam_end): Free authtok_type. * tests/tst-pam_get_item.c: Add PAM_AUTHTOK_TYPE as test case. * tests/tst-pam_set_item.c: Likewise. * libpam/pam_start.c (pam_start): Initialize xdisplay, xauth and authtok_type. * libpam/pam_get_authtok.c (pam_get_authtok): Rename "type" to "authtok_type". * modules/pam_cracklib/pam_cracklib.8.xml: Replace "type=" with "authtok_type=". * doc/man/pam_get_authtok.3.xml: Document authtok_type argument. * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Set type= argument as PAM_AUTHTOK_TYPE item. * libpam/pam_get_authtok.c (pam_get_authtok): If no type argument given, use PAM_AUTHTOK_TYPE item. * libpam/pam_item.c (pam_get_item): Fetch PAM_AUTHTOK_TYPE item. (pam_set_item): Store PAM_AUTHTOK_TYPE item. * libpam/pam_private.h: Add authtok_type to pam_handle. * libpam/include/security/_pam_types.h (PAM_AUTHTOK_TYPE): New. --- libpam/include/security/_pam_types.h | 1 + libpam/pam_end.c | 3 +++ libpam/pam_get_authtok.c | 20 ++++++++++++-------- libpam/pam_item.c | 10 +++++++++- libpam/pam_private.h | 1 + libpam/pam_start.c | 7 +++++-- 6 files changed, 31 insertions(+), 11 deletions(-) (limited to 'libpam') 
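Review bot: The new `mod_argc`/`mod_argv` members of struct pam_handle need a lifetime note; they sit next to `mod_name`, which is likewise only valid while a module runs, but nothing says so. Suggested comment: `int mod_argc; /* argc/argv of the module currently executed; set and cleared by _pam_dispatch_aux() around each call */`.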
diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h index 2f7e807f..2d684bce 100644 --- a/libpam/include/security/_pam_types.h +++ b/libpam/include/security/_pam_types.h @@ -143,6 +143,7 @@ typedef struct pam_handle pam_handle_t; delays */ #define PAM_XDISPLAY 11 /* X display name */ #define PAM_XAUTHDATA 12 /* X server authentication data */ +#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */ /* -------------- Special defines used by Linux-PAM -------------- */ diff --git a/libpam/pam_end.c b/libpam/pam_end.c index c96dc384..942253d8 100644 --- a/libpam/pam_end.c +++ b/libpam/pam_end.c @@ -82,6 +82,9 @@ int pam_end(pam_handle_t *pamh, int pam_status) _pam_drop(pamh->xauth.data); _pam_overwrite_n((char *)&pamh->xauth, sizeof(pamh->xauth)); + _pam_overwrite(pamh->authtok_type); + _pam_drop(pamh->authtok_type); + /* and finally liberate the memory for the pam_handle structure */ _pam_drop(pamh); diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 83b3f530..9e9f8409 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c @@ -77,7 +77,7 @@ pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok, { char *resp[2] = {NULL, NULL}; const void* prevauthtok; - const char *type = ""; + const char *authtok_type = ""; int ask_twice = 0; /* Password change, ask twice for it */ int retval; @@ -89,9 +89,13 @@ pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok, if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK) { ask_twice = 1; - type = get_option (pamh, "type"); - if (type == NULL) - type = ""; + authtok_type = get_option (pamh, "authtok_type"); + if (authtok_type == NULL) + { + retval = pam_get_item (pamh, PAM_AUTHTOK_TYPE, (const void **)&authtok_type); + if (retval != PAM_SUCCESS || authtok_type == NULL) + authtok_type = ""; + } } retval = pam_get_item (pamh, item, &prevauthtok); 
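Review bot: In the `@@ -89` hunk of pam_get_authtok.c, `pam_get_item (pamh, PAM_AUTHTOK_TYPE, (const void **)&authtok_type)` punches through the type system by casting a `const char **` to `const void **`; the hunk's own last line shows the cleaner pattern already used for `prevauthtok`. Fetch into a `const void *` and convert afterwards: `const void *tmp = NULL; retval = pam_get_item (pamh, PAM_AUTHTOK_TYPE, &tmp); authtok_type = (retval == PAM_SUCCESS && tmp != NULL) ? tmp : "";`. The pam_end.c hunk wipes and frees `authtok_type`, which is consistent with the other string items.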
@@ -125,12 +129,12 @@ pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok, else if (ask_twice) { retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], - PROMPT1, type, - strlen (type) > 0?" ":""); + PROMPT1, authtok_type, + strlen (authtok_type) > 0?" ":""); if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], - PROMPT2, type, - strlen (type) > 0?" ":""); + PROMPT2, authtok_type, + strlen (authtok_type) > 0?" ":""); } else retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s", diff --git a/libpam/pam_item.c b/libpam/pam_item.c index f3d794eb..ed478a4a 100644 --- a/libpam/pam_item.c +++ b/libpam/pam_item.c @@ -151,7 +151,7 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) if ((pamh->xauth.name=_pam_strdup(pamh->xauth.name)) == NULL) { memset(&pamh->xauth, '\0', sizeof(pamh->xauth)); return PAM_BUF_ERR; - } + } if ((pamh->xauth.data=_pam_memdup(pamh->xauth.data, pamh->xauth.datalen)) == NULL) { _pam_overwrite(pamh->xauth.name); @@ -161,6 +161,10 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item) } break; + case PAM_AUTHTOK_TYPE: + TRY_SET(pamh->authtok_type, item); + break; + default: retval = PAM_BAD_ITEM; } @@ -251,6 +255,10 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item) *item = &pamh->xauth; break; + case PAM_AUTHTOK_TYPE: + *item = pamh->authtok_type; + break; + default: retval = PAM_BAD_ITEM; } diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 777fd2d7..134dc726 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h @@ -154,6 +154,7 @@ struct pam_handle { char *ruser; char *tty; char *xdisplay; + char *authtok_type; /* PAM_AUTHTOK_TYPE */ struct pam_data *data; struct pam_environ *env; /* structure to maintain environment list */ struct _pam_fail_delay fail_delay; /* helper function for easy delays */ 
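Review bot: The new `case PAM_AUTHTOK_TYPE:` in pam_set_item is not wrapped in the `__PAM_FROM_MODULE(pamh)` check that the PAM_AUTHTOK and PAM_OLDAUTHTOK cases use, so the application can set it as well; that looks intentional because the value is only used as a prompt label in pam_get_authtok, but the asymmetry deserves a comment such as `/* prompt label only (see pam_get_authtok), not a secret: settable by application and modules alike */`. pam_get_item hands back the internal `pamh->authtok_type` pointer, so callers must not free or modify it — consistent with the other string items, but worth stating in the PAM_AUTHTOK_TYPE documentation.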
diff --git a/libpam/pam_start.c b/libpam/pam_start.c index 7b0d3aa4..b7cd771e 100644 --- a/libpam/pam_start.c +++ b/libpam/pam_start.c @@ -51,7 +51,7 @@ int pam_start ( else. Forbid paths. */ if (strrchr(service_name, '/') != NULL) service_name = strrchr(service_name, '/') + 1; - + /* Mark the caller as the application - permission to do certain things is limited to a module or an application */ @@ -92,6 +92,9 @@ int pam_start ( #ifdef HAVE_LIBAUDIT (*pamh)->audit_state = 0; #endif + (*pamh)->xdisplay = NULL; + (*pamh)->authtok_type = NULL; + memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth)); if (((*pamh)->pam_conversation = (struct pam_conv *) malloc(sizeof(struct pam_conv))) == NULL) { @@ -129,7 +132,7 @@ int pam_start ( _pam_drop(*pamh); return PAM_ABORT; } - + D(("exiting pam_start successfully")); return PAM_SUCCESS; -- cgit v1.2.1 From 4e53d8d8c64e89a05c24e4a208675f28680f7aa7 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 17 Feb 2009 16:34:47 +0000 Subject: Relevant BUGIDs: bugzilla.novell.com#470337 Purpose of commit: bugfix Commit summary: --------------- 2009-02-17 Thorsten Kukuk * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient can break the PRELIM_CHECK chain. * libpam/pam_dispatch.c: Don't freeze chain for chauthtok [bugzilla.novell.com#470337] --- libpam/pam_dispatch.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c index 42482573..98c69c60 100644 --- a/libpam/pam_dispatch.c +++ b/libpam/pam_dispatch.c 
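Review bot: The pam_start.c hunk fixes three fields (`xdisplay`, `authtok_type`, `xauth`) that were previously left uninitialised and then freed by pam_end(), but it does so by extending a hand-maintained list, which is exactly how the bug arose. If `*pamh` is obtained with malloc() above this hunk (not visible here), allocating it with `calloc(1, sizeof **pamh)` instead would zero every member, including ones added later, and the explicit NULL assignments and memset could go.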
@@ -132,11 +132,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, } /* - * use_cached_chain is how we ensure that the setcred/close_session - * and chauthtok(2) modules are called in the same order as they did - * when they were invoked as auth/open_session/chauthtok(1). This - * feature was added in 0.75 to make the behavior of pam_setcred - * sane. It was debugged by release 0.76. + * use_cached_chain is how we ensure that the setcred and + * close_session modules are called in the same order as they did + * when they were invoked as auth/open_session. This feature was + * added in 0.75 to make the behavior of pam_setcred sane. */ if (use_cached_chain != _PAM_PLEASE_FREEZE) { @@ -358,9 +357,6 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) break; case PAM_CHAUTHTOK: h = pamh->handlers.conf.chauthtok; - if (flags & PAM_UPDATE_AUTHTOK) { - use_cached_chain = _PAM_MUST_BE_FROZEN; - } break; default: pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); -- cgit v1.2.1 From 2afda8880a7bdec2cae03ba4d210916fe7289804 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 18 Feb 2009 21:25:46 +0000 Subject: Relevant BUGIDs: Purpose of commit: sanity check Commit summary: --------------- 2009-02-18 Thorsten Kukuk * libpam/pam_password.c (pam_chauthtok): Make sure applications don't set internal flags. --- libpam/pam_password.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'libpam') diff --git a/libpam/pam_password.c b/libpam/pam_password.c index 7100979f..70917c58 100644 --- a/libpam/pam_password.c +++ b/libpam/pam_password.c 
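Review bot: Removing the `_PAM_MUST_BE_FROZEN` assignment for PAM_CHAUTHTOK means the PAM_UPDATE_AUTHTOK pass is no longer pinned to the module sequence the PAM_PRELIM_CHECK pass actually took, so a module reached in the update pass may not have run its preliminary check; the commit message says this is intentional and documented for `sufficient` in pam_sm_chauthtok(3), but the code now carries no trace of that decision. A comment at the case, `/* not frozen on purpose: a sufficient module may end the PRELIM_CHECK pass early, see pam_sm_chauthtok(3) */`, keeps the rationale next to the switch. The rewritten use_cached_chain comment in the earlier hunk of this file (`@@ -132`) drops chauthtok consistently. _pam_dispatch's switch continues outside the hunk.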
@@ -24,6 +24,13 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) return PAM_SYSTEM_ERR; } + /* applications are not allowed to set this flags */ + if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) { + pam_syslog (pamh, LOG_ERR, + "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application"); + return PAM_SYSTEM_ERR; + } + if (pamh->former.choice == PAM_NOT_STACKED) { _pam_start_timer(pamh); /* we try to make the time for a failure independent of the time it takes to @@ -58,4 +65,3 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) return retval; } - -- cgit v1.2.1 From 48a26b6141fb6bf276208bc1a06f5105880e843e Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 25 Feb 2009 17:05:22 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2009-02-25 Thorsten Kukuk * libpam/pam_misc.c (_pam_StrTok): Use unsigned char instead of int. Reported by Marcus Granado. * tests/Makefile.am (TESTS): Add tst-pam_mkargv. * tests/tst-pam_mkargv.c (main): Test case for _pam_mkargv. * po/de.po: Update fuzzy translations. --- libpam/pam_misc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c index 574a570e..b690fd3e 100644 --- a/libpam/pam_misc.c +++ b/libpam/pam_misc.c @@ -59,10 +59,11 @@ char *_pam_StrTok(char *from, const char *format, char **next) /* initialize table */ for (i=1; i<256; table[i++] = '\0'); - for (i=0; format[i] ; table[(int)format[i++]] = 'y'); + for (i=0; format[i] ; + table[(unsigned char)format[i++]] = 'y'); /* look for first non-format char */ - while (*from && table[(int)*from]) { + while (*from && table[(unsigned char)*from]) { ++from; } 
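Review bot: The added comment in pam_chauthtok reads `/* applications are not allowed to set this flags */`; it should read `/* applications are not allowed to set these flags */`, and it would help to state why — presumably because the dispatcher sets PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK itself for its two passes, so an application supplying them would confuse that sequencing. Placing the check before the `former.choice` test is a good choice since it also covers resumed calls. The syslog message does not say which of the two bits was set; logging `flags` alongside it would make the misuse easier to trace. pam_chauthtok's body continues outside the hunk.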
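Review bot: The `(unsigned char)` casts in _pam_StrTok fix a genuine out-of-bounds access: where `char` is signed, any byte >= 0x80 in `format` or in the input became a negative index into `table`, and the format loop then wrote `'y'` outside the array (presumably a local, its declaration is above the hunk); the hunk at `@@ -92` on the next line applies the same fix to the `end` scan. What stays unstated is that the init loop starts at `i=1` and leaves `table[0]` unset; every read is guarded by `*from &&` or `*end &&` so index 0 is never consulted, but that invariant deserves a comment, e.g. `/* table[0] is never read: every lookup tests the byte for '\0' first */`. The declarations of `table` and `i` are above the hunk.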
@@ -92,7 +93,7 @@ char *_pam_StrTok(char *from, const char *format, char **next) remains */ } else if (*from) { /* simply look for next blank char */ - for (end=from; *end && !table[(int)*end]; ++end); + for (end=from; *end && !table[(unsigned char)*end]; ++end); } else { return (*next = NULL); /* no tokens left */ } -- cgit v1.2.1 From 72855d240704c34326c9ae2db56e18f926218b3b Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 9 Mar 2009 13:07:34 +0000 Subject: Relevant BUGIDs: Purpose of commit: release Commit summary: --------------- 2009-03-09 Thorsten Kukuk * release version 1.0.91 * libpam/Makefile.am (libpam_la_LDFLAGS): Bump version number. * xtests/Makefile.am: Add tst-pam_unix4.pamd, tst-pam_unix4.sh and time.conf. --- libpam/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libpam') diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 70a11133..c38e1fee 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -20,7 +20,7 @@ include_HEADERS = include/security/_pam_compat.h \ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ pam_modutil_private.h pam_static_modules.h -libpam_la_LDFLAGS = -no-undefined -version-info 82:0:82 +libpam_la_LDFLAGS = -no-undefined -version-info 82:1:82 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ if STATIC_MODULES -- cgit v1.2.1