From 73bdfac8c091492f466342feb8f2f5daa2f4c39b Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Wed, 25 Mar 2015 14:49:46 +0100
Subject: pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)
* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
* modules/pam_env/pam_env.8.xml: Enhance documentation
---
 modules/pam_env/pam_env.8.xml | 39 ++++++++++++++++++++++++--------------
 modules/pam_env/pam_env.c | 15 ++++++++++++++-
 modules/pam_env/pam_env.conf.5.xml | 11 +++++++----
 3 files changed, 46 insertions(+), 19 deletions(-)
(limited to 'modules/pam_env')
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 309643fd..6eac6c8d 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -53,17 +53,23 @@ PAM_RHOST. - By default rules for (un)setting of variables is taken from the - config file /etc/security/pam_env.conf if - no other file is specified. + By default rules for (un)setting of variables are taken from the + config file /etc/security/pam_env.conf. An + alternate file can be specified with the conffile + option. - This module can also parse a file with simple - KEY=VAL pairs on separate lines - (/etc/environment by default). You can - change the default file to parse, with the envfile - flag and turn it on or off by setting the readenv - flag to 1 or 0 respectively. + Second a file (/etc/environment by default) with simple + KEY=VAL pairs on separate lines will be read. + With the envfile option an alternate file can be specified. + And with the readenv option this can be completly disabled. + + + Third it will read a user configuration file + ($HOME/.pam_environment by default). + The default file file can be changed with the + user_envfile option + and it can be turned on and off with the user_readenv option. Since setting of PAM environment variables can have side effects 
@@ -107,8 +113,11 @@ Indicate an alternative environment - file to override the default. This can be useful when different - services need different environments. + file to override the default. The syntax are simple + KEY=VAL pairs on separate lines. The + export instruction can be specified for bash + compatibility, but will be ignored. + This can be useful when different services need different environments.
@@ -133,9 +142,11 @@ Indicate an alternative .pam_environment - file to override the default. This can be useful when different - services need different environments. The filename is relative to - the user home directory. + file to override the default.The syntax is the same as + for /etc/environment. + The filename is relative to the user home directory. + This can be useful when different services need different + environments.
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index e04f5b53..1bfdf089 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -676,7 +676,7 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
 const void *itemval;
 D(("Called."));
- if (strcmp(name, "PAM_USER") == 0) {
+ if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) {
 item = PAM_USER;
 } else if (strcmp(name, "PAM_USER_PROMPT") == 0) {
 item = PAM_USER_PROMPT;
@@ -696,6 +696,19 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
 D(("pam_get_item failed"));
 return NULL; /* let pam_get_item() log the error */
 }
+
+ if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) {
+ struct passwd *user_entry;
+ user_entry = pam_modutil_getpwnam (pamh, (char *) itemval);
+ if (!user_entry) {
+ pam_syslog(pamh, LOG_ERR, "No such user!?");
+ return NULL;
+ }
+ return (strcmp(name, "SHELL") == 0) ?
+ user_entry->pw_shell :
+ user_entry->pw_dir;
+ }
+
 D(("Exit."));
 return itemval;
 }
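Review bot: In the second pam_env.c hunk the cast `(char *) itemval` discards the `const` of the PAM item for no reason; `pam_modutil_getpwnam` takes a `const char *`, so `user_entry = pam_modutil_getpwnam(pamh, itemval);` converts implicitly and keeps the item read-only. The failure branch should also name the account it could not resolve, e.g. `pam_syslog(pamh, LOG_ERR, "user %s not found in passwd database", (const char *) itemval);`, because "No such user!?" leaves an administrator reading the log with nothing to act on. The new `if (itemval && ...)` block deserves a one-line comment stating that `HOME` and `SHELL` are resolved from the `PAM_USER` passwd entry rather than from a PAM item, since the first hunk mapping those two names onto `PAM_USER` is surprising on its own. The start of `_pam_get_item_byname` lies outside the hunk.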
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
index 45950b8c..4040275a 100644
--- a/modules/pam_env/pam_env.conf.5.xml
+++ b/modules/pam_env/pam_env.conf.5.xml
@@ -43,14 +43,16 @@ (Possibly non-existent) environment variables may be used in values - using the ${string} syntax and (possibly non-existent) PAM_ITEMs may - be used in values using the @{string} syntax. Both the $ and @ - characters can be backslash escaped to be used as literal values + using the ${string} syntax and (possibly non-existent) PAM_ITEMs as well + as HOME and SHELL may be used in values using the @{string} syntax. Both + the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. - For example, HOME is used below several times, but + For example, ${HOME} is used below several times, but many PAM applications don't make it available by the time you need it. + The special variables @{HOME} and @{SHELL} are expanded to the values + for the user from his passwd entry.
@@ -92,6 +94,7 @@ NNTPSERVER DEFAULT=localhost PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+ XDG_DATA_HOME @{HOME}/share/
--
cgit v1.2.3
From 51e2581a6cbedefebbb7bbe3fd8f3374049bc7c5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 17 Feb 2016 14:57:15 +0100
Subject: pam_env: Document the /etc/environment file.
* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
* modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.
---
 modules/pam_env/Makefile.am | 3 ++-
 modules/pam_env/pam_env.8.xml | 3 +++
 modules/pam_env/pam_env.conf.5.xml | 14 ++++++++++++--
 3 files changed, 17 insertions(+), 3 deletions(-)
(limited to 'modules/pam_env')
diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am
index 7b8d9afe..d6f081ff 100644
--- a/modules/pam_env/Makefile.am
+++ b/modules/pam_env/Makefile.am
@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) README
 EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
-man_MANS = pam_env.conf.5 pam_env.8
+man_MANS = pam_env.conf.5 pam_env.8 environment.5
 XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
@@ -30,6 +30,7 @@ sysconf_DATA = environment
 if ENABLE_REGENERATE_MAN
 noinst_DATA = README
 README: pam_env.8.xml pam_env.conf.5.xml
+environment.5: pam_env.conf.5.xml
 -include $(top_srcdir)/Make.xml.rules
 endif
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 6eac6c8d..d6e20a2e 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -247,6 +247,9 @@ , pam8 + , + + environ7 .
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
index 4040275a..c47f17d9 100644
--- a/modules/pam_env/pam_env.conf.5.xml
+++ b/modules/pam_env/pam_env.conf.5.xml
@@ -12,7 +12,8 @@ pam_env.conf - the environment variables config file + environment + the environment variables config files 
@@ -60,6 +61,14 @@ at front) can be used to mark this line as a comment line. + + The /etc/environment file specifies + the environment variables to be set. The file must consist of simple + NAME=VALUE pairs on separate lines. + The pam_env8 + module will read the file after the pam_env.conf + file. +
@@ -113,7 +122,8 @@ pam_env8, pam.d5, - pam8 + pam8, + environ7
--
cgit v1.2.3
From a684595c0bbd88df71285f43fb27630e3829121e Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk Date: Tue, 29 Mar 2016 14:14:03 +0200 Subject: Remove "--enable-static-modules" option and support from Linux-PAM. It was never officially supported and had been broken for years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. 
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.
---
 modules/pam_env/pam_env.c | 28 ++++++----------------------
 1 file changed, 6 insertions(+), 22 deletions(-)
(limited to 'modules/pam_env')
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 1bfdf089..0b8002f8 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -768,7 +768,7 @@ static void _clean_var(VAR *var)
 /* --- authentication management functions (only) --- */
-PAM_EXTERN int
+int
 pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED,
 int argc UNUSED, const char **argv UNUSED)
 {
@@ -839,7 +839,7 @@ handle_env (pam_handle_t *pamh, int argc, const char **argv)
 return retval;
 }
-PAM_EXTERN int
+int
 pam_sm_acct_mgmt (pam_handle_t *pamh UNUSED, int flags UNUSED,
 int argc UNUSED, const char **argv UNUSED)
 {
@@ -847,7 +847,7 @@ pam_sm_acct_mgmt (pam_handle_t *pamh UNUSED, int flags UNUSED,
 return PAM_SERVICE_ERR;
 }
-PAM_EXTERN int
+int
 pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
 int argc, const char **argv)
 {
@@ -855,7 +855,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
 return handle_env (pamh, argc, argv);
 }
-PAM_EXTERN int
+int
 pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 int argc, const char **argv)
 {
@@ -863,7 +863,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 return handle_env (pamh, argc, argv);
 }
-PAM_EXTERN int
+int
 pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
 int argc UNUSED, const char **argv UNUSED)
 {
@@ -871,7 +871,7 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
 return PAM_SUCCESS;
 }
-PAM_EXTERN int
+int
 pam_sm_chauthtok (pam_handle_t *pamh UNUSED, int flags UNUSED,
 int argc UNUSED, const char **argv UNUSED)
 {
@@ -879,20 +879,4 @@ pam_sm_chauthtok (pam_handle_t *pamh UNUSED, int flags UNUSED,
 return PAM_SERVICE_ERR;
 }
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_env_modstruct = {
- "pam_env",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-
-#endif
-
 /* end of module definition */
--
cgit v1.2.3