From 1daa323234982df4d7bbb8a13d4eb447106657d1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 11 Dec 2018 09:08:20 +0100 Subject: pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs. * modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the LASTLOG_UID_MAX option. * modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max(). (last_login_date): Check the uid against the get_lastlog_uid_max(). (pam_authenticate): Likewise. --- modules/pam_lastlog/pam_lastlog.8.xml | 10 ++++++++- modules/pam_lastlog/pam_lastlog.c | 42 ++++++++++++++++++++++++++++++++++- 2 files changed, 50 insertions(+), 2 deletions(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index 77da9dbc..c8f247e9 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -64,11 +64,19 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. + + The module checks option in + /etc/login.defs and does not update or display + last login records for users with UID higher than its value. + If the option is not present or its value is invalid, no user ID + limit is applied. + If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in. The check is not performed for the root account so the root is never - locked out. + locked out. It is also not performed for users with UID higher + than the value. diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 1a796b99..18bf7bec 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -20,6 +20,7 @@ #endif #include #include +#include #include #include #include 
@@ -50,6 +51,10 @@ struct lastlog { # define _PATH_BTMP "/var/log/btmp" #endif +#ifndef PATH_LOGIN_DEFS +# define PATH_LOGIN_DEFS "/etc/login.defs" +#endif + /* XXX - time before ignoring lock. Is 1 sec enough? */ #define LASTLOG_IGNORE_LOCK_TIME 1 @@ -187,6 +192,37 @@ get_tty(pam_handle_t *pamh) return terminal_line; } +#define MAX_UID_VALUE 0xFFFFFFFFUL + +static uid_t +get_lastlog_uid_max(pam_handle_t *pamh) +{ + uid_t uid_max = MAX_UID_VALUE; + unsigned long ul; + char *s, *ep; + + s = pam_modutil_search_key(pamh, PATH_LOGIN_DEFS, "LASTLOG_UID_MAX"); + if (s == NULL) + return uid_max; + + ep = s + strlen(s); + while (ep > s && isspace(*(--ep))) { + *ep = '\0'; + } + errno = 0; + ul = strtoul(s, &ep, 10); + if (!(ul >= MAX_UID_VALUE + || (uid_t)ul >= MAX_UID_VALUE + || (errno != 0 && ul == 0) + || s == ep + || *ep != '\0')) { + uid_max = (uid_t)ul; + } + free(s); + + return uid_max; +} + static int last_login_open(pam_handle_t *pamh, int announce, uid_t uid) { @@ -418,6 +454,10 @@ last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user, t int retval; int last_fd; + if (uid > get_lastlog_uid_max(pamh)) { + return PAM_SUCCESS; + } + /* obtain the last login date and all the relevant info */ last_fd = last_login_open(pamh, announce, uid); if (last_fd < 0) { @@ -602,7 +642,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, uid = pwd->pw_uid; pwd = NULL; /* tidy up */ - if (uid == 0) + if (uid == 0 || uid > get_lastlog_uid_max(pamh)) return PAM_SUCCESS; /* obtain the last login date and all the relevant info */ -- cgit v1.2.3 From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001 
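Review bot: In get_lastlog_uid_max(), a LASTLOG_UID_MAX value that fails validation is discarded without any log entry and the function returns MAX_UID_VALUE, so a typo in login.defs quietly removes the limit. Logging the rejection would make that visible, for example an else branch with `pam_syslog(pamh, LOG_WARNING, "invalid LASTLOG_UID_MAX value in %s", PATH_LOGIN_DEFS);`. The trailing-whitespace loop also passes a plain `char` to `isspace()`, which is undefined for negative values; `isspace((unsigned char)*(--ep))` avoids that. strtoul() accepts a leading sign as well, so whether an input such as `-2` is accepted depends on the width of unsigned long; requiring `*s` to be a digit before converting would remove that difference.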
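Review bot: The new `uid > get_lastlog_uid_max(pamh)` test in pam_sm_authenticate() returns PAM_SUCCESS before the last-login lookup, so accounts above LASTLOG_UID_MAX are never locked out for inactivity, and nothing in the code says so. The manual page hunk of this commit documents the exemption, but a comment at the test would keep it visible to the next editor, e.g. `/* root and UIDs above LASTLOG_UID_MAX are exempt from the inactivity lockout */`. A debug-level pam_syslog() on that path would also let an administrator see why the check was skipped for a given login. The same early return is added to last_login_date(), and each call appears to search login.defs again through pam_modutil_search_key(). Both functions continue outside their hunks.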
From: Nir Soffer Date: Sun, 6 Jan 2019 00:36:27 +0200 Subject: pam_lastlog: Respect PAM_SILENT flag pam_lastlog module will not log info about failed login if the session was opened with PAM_SILENT flag. Example use case enabled by this change: sudo --non-interactive program If this command is run by another program expecting specific output from the command run by sudo, the unexpected info about failed logins will break this program. * modules/pam_lastlog/pam_lastlog.c: Respect silent option. (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set. --- modules/pam_lastlog/pam_lastlog.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 18bf7bec..e980c047 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) { int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE); - /* does the appliction require quiet? */ - if (flags & PAM_SILENT) { - ctrl |= LASTLOG_QUIET; - } - /* step through arguments */ for (; argc-- > 0; ++argv) { @@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) } } + /* does the appliction require quiet? */ + if (flags & PAM_SILENT) { + ctrl |= LASTLOG_QUIET; + ctrl &= ~LASTLOG_BTMP; + } + D(("ctrl = %o", ctrl)); return ctrl; } -- cgit v1.2.3 From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001 
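Review bot: The PAM_SILENT block in _pam_session_parse() now depends on running after the argument loop, since it has to clear a LASTLOG_BTMP bit that `showfailed` may have set, but its comment still only asks whether the application requires quiet. A comment that states the ordering would protect it from being moved back, e.g. `/* PAM_SILENT overrides showfailed, so apply it after the options are parsed */`. The `silent` module option and the PAM_SILENT flag now differ, as only the flag suppresses the failed-login display, and this commit changes no manual page, so the difference is worth a sentence there. _pam_auth_parse() appears to keep its PAM_SILENT check before the loop, which is harmless as long as no auth option needs overriding.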
From: Nir Soffer Date: Wed, 9 Jan 2019 23:41:16 +0200 Subject: pam_lastlog: Improve silent option documentation The silent option explicitly silents only the last login message and not bad logins. Add a note to the manual to make this clear. * modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed" --- modules/pam_lastlog/pam_lastlog.8.xml | 1 + 1 file changed, 1 insertion(+) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index c8f247e9..bc2e1bee 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -102,6 +102,7 @@ Don't inform the user about any previous login, just update the /var/log/lastlog file. + This option does not affect display of bad login attempts. -- cgit v1.2.3 From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001 
From: Carlos Santos Date: Tue, 10 Sep 2019 23:08:30 -0300 Subject: pam_lastlog: prevent crash due to reduced 'fsize' limit It a reduced fsize limit is set in /etc/security/limits.conf and pam_limits is in use pam_lastlog may cause a crash, e.g. ----- begin /etc/pam.d/su ---- auth sufficient pam_rootok.so auth required pam_wheel.so use_uid auth required pam_env.so auth required pam_unix.so nullok account required pam_unix.so password required pam_unix.so nullok session required pam_limits.so session required pam_env.so session required pam_unix.so session optional pam_lastlog.so ----- end /etc/pam.d/su ----- ----- begin /etc/security/limits.d/fsize.conf ----- * soft fsize 1710 * hard fsize 1710 ----- end /etc/security/limits.d/fsize.conf ----- # id user1 uid=1000(user1) gid=1000(user1) groups=1000(user1) # su - user1 Last login: Wed Sep 11 01:52:44 UTC 2019 on console $ exit # id user2 uid=60000(user2) gid=60000(user2) groups=60000(user2) # su - user2 File size limit exceeded This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog attempts to write /var/log/lastlog, leading to a SIGXFSZ signal. In order to fix this, and an 'unlimited' option, which leads to saving the 'fsize' limit and set it to unlimited before writing lastlog. After that, restore the saved value. If 'fsize' is already unlimited nothing is done. Failing to set the 'fsize' limit is not a fatal error. With luck the configured limit will suffice, so we try to write lastlog anyway, even under the risk of dying due to a SIGXFSZ. Failing to restore the 'fsize' limit is a fatal error, since we don't want to keep it unlimited. Signed-off-by: Carlos Santos --- modules/pam_lastlog/pam_lastlog.c | 66 +++++++++++++++++++++++++++++++++------ 1 file changed, 57 insertions(+), 9 deletions(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index e980c047..a135c9f7 100644 --- a/modules/pam_lastlog/pam_lastlog.c 
+++ b/modules/pam_lastlog/pam_lastlog.c @@ -25,6 +25,8 @@ #include #include #include +#include +#include #include #include @@ -82,15 +84,16 @@ struct lastlog { /* argument parsing */ -#define LASTLOG_DATE 01 /* display the date of the last login */ -#define LASTLOG_HOST 02 /* display the last host used (if set) */ -#define LASTLOG_LINE 04 /* display the last terminal used */ -#define LASTLOG_NEVER 010 /* display a welcome message for first login */ -#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ -#define LASTLOG_QUIET 040 /* keep quiet about things */ -#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ -#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ -#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ +#define LASTLOG_DATE 01 /* display the date of the last login */ +#define LASTLOG_HOST 02 /* display the last host used (if set) */ +#define LASTLOG_LINE 04 /* display the last terminal used */ +#define LASTLOG_NEVER 010 /* display a welcome message for first login */ +#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ +#define LASTLOG_QUIET 040 /* keep quiet about things */ +#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ +#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ +#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ +#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */ static int _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, @@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE); } else if (!strcmp(*argv,"showfailed")) { ctrl |= LASTLOG_BTMP; + } else if (!strcmp(*argv,"unlimited")) { + ctrl |= LASTLOG_UNLIMITED; } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } 
@@ -373,6 +378,12 @@ static int last_login_write(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, const char *user) { + static struct rlimit no_limit = { + RLIM_INFINITY, + RLIM_INFINITY + }; + struct rlimit old_limit; + int setrlimit_res; struct flock last_lock; struct lastlog last_login; time_t ll_time; @@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, sleep(LASTLOG_IGNORE_LOCK_TIME); } + /* + * Failing to set the 'fsize' limit is not a fatal error. We try to write + * lastlog anyway, under the risk of dying due to a SIGXFSZ. + */ + D(("setting limit for 'fsize'")); + + if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */ + setrlimit_res = -1; + } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) { + if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */ + setrlimit_res = -1; + } else { + setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit); + if (setrlimit_res != 0) + pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m"); + } + } else { + setrlimit_res = -1; + if (errno == EINVAL) { + pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m"); + } else { + pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m"); + } + } + D(("writing to the lastlog file")); if (pam_modutil_write (last_fd, (char *) &last_login, sizeof (last_login)) != sizeof(last_login)) { @@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, retval = PAM_SERVICE_ERR; } + /* + * Failing to restore the 'fsize' limit is a fatal error. + */ + D(("restoring limit for 'fsize'")); + if (setrlimit_res == 0) { + setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit); + if (setrlimit_res != 0) { + pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m"); + retval = PAM_SERVICE_ERR; + } + } + last_lock.l_type = F_UNLCK; (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ D(("unlocked")); -- cgit v1.2.3 
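Review bot: The limit raised in last_login_write() is process-wide, so from the `setrlimit(RLIMIT_FSIZE, &no_limit)` call until the restore the whole calling application, including any other threads it has, runs without a file-size limit; the block comment should say this so the window stays as short as it is now. `no_limit` also sets rlim_max to RLIM_INFINITY, which raises the hard limit and normally needs privilege, so in an unprivileged caller the option presumably only produces the "Could not set limit" warning. The table is never written and can be declared `static const struct rlimit no_limit`. `setrlimit_res` serves both as a call result and as the "limit was changed" flag, with -1 assigned on three paths that made no call; a separate `int limit_changed = 0;` would read more directly. The function starts before the first hunk and continues past the last one.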
From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001 From: Carlos Santos Date: Wed, 11 Sep 2019 11:50:28 -0300 Subject: pam_lastlog: document the 'unlimited' option Signed-off-by: Carlos Santos --- modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index bc2e1bee..f10e94a0 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -48,6 +48,9 @@ inactive=<days> + + unlimited + @@ -196,6 +199,18 @@ + + + + + + + If the fsize limit is set, this option can be + used to override it, preventing failures on systems with large UID + values that lead lastlog to become a huge sparse file. + + + @@ -300,6 +315,9 @@ SEE ALSO + + limits.conf5 + , pam.conf5 , -- cgit v1.2.3 From 1781f0165c6f83601088f47681a05956ad9c21e1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 18 Dec 2019 13:55:23 +0100 Subject: Do not use CFLAGS for warning flags set from configure To be able to set CFLAGS from make command-line but not to lose the warning flags. * configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS. * */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS. --- modules/pam_lastlog/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index 1c639327..e71e15e8 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -15,7 +15,8 @@ XMLS = README.xml pam_lastlog.8.xml TESTS = tst-pam_lastlog -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -- cgit v1.2.3 
From 375825bd5d88ee66375fd400c40af7844c1b0608 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:21:02 +0000 Subject: Miscellaneous grammar fixes --- modules/pam_lastlog/pam_lastlog.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index f10e94a0..a2f14fc2 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -218,7 +218,7 @@ MODULE TYPES PROVIDED The and module type - allows to lock out users which did not login recently enough. + allows one to lock out users who did not login recently enough. The module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files. -- cgit v1.2.3 From 4dd9b97b762cc73816cb867d49c9d0d0b91d642c Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sat, 25 Jan 2020 11:11:18 +0100 Subject: configure.ac: add --enable-doc option Allow the user to disable documentation through --disable-doc (enabled by default), this is especially useful when cross-compiling for embedded targets Signed-off-by: Fabrice Fontaine --- modules/pam_lastlog/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index e71e15e8..4d69e596 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -10,7 +10,9 @@ secureconfdir = $(SCONFIGDIR) EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog +if HAVE_DOC man_MANS = pam_lastlog.8 +endif XMLS = README.xml pam_lastlog.8.xml TESTS = tst-pam_lastlog -- cgit v1.2.3 From ad6946722a0537778db8614effc4bffcbb1a1904 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 16 Mar 2020 21:02:18 +0000 Subject: modules/pam_lastlog: use pam_str_skip_prefix * modules/pam_lastlog/pam_lastlog.c: Include "pam_inline.h". (_pam_auth_parse, get_tty): Use pam_str_skip_prefix instead of ugly strncmp invocations. --- modules/pam_lastlog/pam_lastlog.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index a135c9f7..2edac5bf 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -81,6 +81,7 @@ struct lastlog { #include #include #include +#include "pam_inline.h" /* argument parsing */ @@ -110,6 +111,7 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, /* step through arguments */ for (; argc-- > 0; ++argv) { + const char *str; char *ep = NULL; long l; @@ -117,9 +119,9 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, ctrl |= LASTLOG_DEBUG; } else if (!strcmp(*argv,"silent")) { ctrl |= LASTLOG_QUIET; - } else if (!strncmp(*argv,"inactive=", 9)) { - l = strtol(*argv+9, &ep, 10); - if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS) + } else if ((str = pam_str_skip_prefix(*argv, "inactive=")) != NULL) { + l = strtol(str, &ep, 10); + if (ep != str && l > 0 && l < MAX_INACTIVE_DAYS) *inactive = l; else { pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv); @@ -183,6 +185,7 @@ get_tty(pam_handle_t *pamh) { const void *void_terminal_line = NULL; const char *terminal_line; + const char *str; if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS || void_terminal_line == NULL) { 
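Review bot: The `inactive=` branch in _pam_auth_parse() still accepts trailing characters after the number, because the check only compares `ep` with `str`; a value such as `inactive=30x` is taken as 30 instead of being reported as a bad option. Adding the end-of-string test closes that: `if (ep != str && *ep == '\0' && l > 0 && l < MAX_INACTIVE_DAYS)`. An out-of-range number is presumably already rejected by the `l < MAX_INACTIVE_DAYS` bound, whose value is not visible here. The function continues outside the hunk.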
@@ -190,10 +193,12 @@ get_tty(pam_handle_t *pamh) } else { terminal_line = void_terminal_line; } - if (!strncmp("/dev/", terminal_line, 5)) { - /* strip leading "/dev/" from tty. */ - terminal_line += 5; - } + + /* strip leading "/dev/" from tty. */ + str = pam_str_skip_prefix(terminal_line, "/dev/"); + if (str != NULL) + terminal_line = str; + D(("terminal = %s", terminal_line)); return terminal_line; } -- cgit v1.2.3 From 897c7412b26ca618af6822dcaa7e6be68772dc52 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sat, 28 Mar 2020 18:19:41 +0000 Subject: Fix various typos found using codespell tool --- modules/pam_lastlog/pam_lastlog.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 2edac5bf..1f707d93 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -104,7 +104,7 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, *inactive = DEFAULT_INACTIVE_DAYS; - /* does the appliction require quiet? */ + /* does the application require quiet? */ if (flags & PAM_SILENT) { ctrl |= LASTLOG_QUIET; } @@ -170,7 +170,7 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) } } - /* does the appliction require quiet? */ + /* does the application require quiet? */ if (flags & PAM_SILENT) { ctrl |= LASTLOG_QUIET; ctrl &= ~LASTLOG_BTMP; @@ -449,7 +449,7 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, */ D(("setting limit for 'fsize'")); - if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */ + if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimited */ setrlimit_res = -1; } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) { if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */ -- cgit v1.2.3 From 0f5b1b11d286a1ac070b75b49631f6327b286fb4 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: list tests in EXTRA_DIST uniformly The change was prepared using the following script: git grep -l '^TESTS = tst-pam_' modules/ |while read m; do t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")" sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m" done * modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access with $(TESTS). * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace tst-pam_cracklib with $(TESTS). * modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with $(TESTS). * modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with $(TESTS). * modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with $(TESTS). * modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with $(TESTS). * modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with $(TESTS). * modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace tst-pam_faildelay with $(TESTS). * modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter with $(TESTS). * modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with $(TESTS). * modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with $(TESTS). * modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with $(TESTS). * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit with $(TESTS). * modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog with $(TESTS). * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits with $(TESTS). * modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace tst-pam_listfile with $(TESTS). * modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace tst-pam_localuser with $(TESTS). * modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace tst-pam_loginuid with $(TESTS). * modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with $(TESTS). 
* modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace tst-pam_mkhomedir with $(TESTS). * modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with $(TESTS). * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace tst-pam_namespace with $(TESTS). * modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin with $(TESTS). * modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit with $(TESTS). * modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace tst-pam_pwhistory with $(TESTS). * modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts with $(TESTS). * modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok with $(TESTS). * modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace tst-pam_securetty with $(TESTS). * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace tst-pam_sepermit with $(TESTS). * modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace tst-pam_setquota with $(TESTS). * modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells with $(TESTS). * modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress with $(TESTS). * modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace tst-pam_succeed_if with $(TESTS). * modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with $(TESTS). * modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2 with $(TESTS). * modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with $(TESTS). * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace tst-pam_tty_audit with $(TESTS). * modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with $(TESTS). * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb with $(TESTS). * modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace tst-pam_usertype with $(TESTS). * modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with $(TESTS). * modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with $(TESTS). 
* modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with $(TESTS). --- modules/pam_lastlog/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index 4d69e596..79333a3e 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -8,7 +8,7 @@ MAINTAINERCLEANFILES = $(MANS) README securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_lastlog +EXTRA_DIST = README $(MANS) $(XMLS) $(TESTS) if HAVE_DOC man_MANS = pam_lastlog.8 -- cgit v1.2.3 From bd849daab0c0a1107512d4575404f22525db5f96 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: list prerequisites of README target uniformly There is no need to list prerequisites of README targets manually as all README targets depend on $(XMLS). The change is performed automatically using the following script: sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am * modules/pam_access/Makefile.am (README): Replace pam_access.8.xml and access.conf.5.xml with $(XMLS). * modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml with $(XMLS). * modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml with $(XMLS). * modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml with $(XMLS). * modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml with $(XMLS). * modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and pam_env.conf.5.xml with $(XMLS). * modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml with $(XMLS). * modules/pam_faildelay/Makefile.am (README): Replace pam_faildelay.8.xml with $(XMLS). * modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml with $(XMLS). * modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with $(XMLS). * modules/pam_group/Makefile.am (README): Replace pam_group.8.xml and group.conf.5.xml with $(XMLS). * modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml with $(XMLS). * modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml with $(XMLS). * modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml with $(XMLS). * modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml and limits.conf.5.xml with $(XMLS). * modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml with $(XMLS). * modules/pam_localuser/Makefile.am (README): Replace pam_localuser.8.xml with $(XMLS). * modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml with $(XMLS). 
* modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml with $(XMLS). * modules/pam_mkhomedir/Makefile.am (README): Replace pam_mkhomedir.8.xml with $(XMLS). * modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml with $(XMLS). * modules/pam_namespace/Makefile.am (README): Replace pam_namespace.8.xml, namespace.conf.5.xml, and pam_namespace_helper.8.xml with $(XMLS). * modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml with $(XMLS). * modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml with $(XMLS). * modules/pam_pwhistory/Makefile.am (README): Replace pam_pwhistory.8.xml with $(XMLS). * modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml with $(XMLS). * modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml with $(XMLS). * modules/pam_securetty/Makefile.am (README): Replace pam_securetty.8.xml with $(XMLS). * modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml with $(XMLS). * modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml with $(XMLS). * modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml with $(XMLS). * modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml with $(XMLS). * modules/pam_succeed_if/Makefile.am (README): Replace pam_succeed_if.8.xml with $(XMLS). * modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml with $(XMLS). * modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml with $(XMLS). * modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and time.conf.5.xml with $(XMLS). * modules/pam_timestamp/Makefile.am (README): Replace pam_timestamp.8.xml with $(XMLS). * modules/pam_tty_audit/Makefile.am (README): Replace pam_tty_audit.8.xml with $(XMLS). * modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml with $(XMLS). * modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml with $(XMLS). * modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml with $(XMLS). 
* modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml with $(XMLS). * modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml with $(XMLS). * modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml with $(XMLS). * modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml with $(XMLS). --- modules/pam_lastlog/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index 79333a3e..beca380c 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -29,6 +29,6 @@ pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil if ENABLE_REGENERATE_MAN noinst_DATA = README -README: pam_lastlog.8.xml +README: $(XMLS) -include $(top_srcdir)/Make.xml.rules endif -- cgit v1.2.3 From 1886b6020c510cab239b3ae8db20a66991d8f8db Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules As the rule is now the same in every modules/*/Makefile.am file, move it to Make.xml.rules. * Make.xml.rules (README): New prerequisites rule. * modules/pam_access/Makefile.am (README): Remove rule. * modules/pam_cracklib/Makefile.am (README): Likewise. * modules/pam_debug/Makefile.am (README): Likewise. * modules/pam_deny/Makefile.am (README): Likewise. * modules/pam_echo/Makefile.am (README): Likewise. * modules/pam_env/Makefile.am (README): Likewise. * modules/pam_exec/Makefile.am (README): Likewise. * modules/pam_faildelay/Makefile.am (README): Likewise. * modules/pam_filter/Makefile.am (README): Likewise. * modules/pam_ftp/Makefile.am (README): Likewise. * modules/pam_group/Makefile.am (README): Likewise. * modules/pam_issue/Makefile.am (README): Likewise. * modules/pam_keyinit/Makefile.am (README): Likewise. * modules/pam_lastlog/Makefile.am (README): Likewise. * modules/pam_limits/Makefile.am (README): Likewise. * modules/pam_listfile/Makefile.am (README): Likewise. * modules/pam_localuser/Makefile.am (README): Likewise. * modules/pam_loginuid/Makefile.am (README): Likewise. * modules/pam_mail/Makefile.am (README): Likewise. * modules/pam_mkhomedir/Makefile.am (README): Likewise. * modules/pam_motd/Makefile.am (README): Likewise. * modules/pam_namespace/Makefile.am (README): Likewise. * modules/pam_nologin/Makefile.am (README): Likewise. * modules/pam_permit/Makefile.am (README): Likewise. * modules/pam_pwhistory/Makefile.am (README): Likewise. * modules/pam_rhosts/Makefile.am (README): Likewise. * modules/pam_rootok/Makefile.am (README): Likewise. * modules/pam_securetty/Makefile.am (README): Likewise. * modules/pam_selinux/Makefile.am (README): Likewise. * modules/pam_sepermit/Makefile.am (README): Likewise. * modules/pam_setquota/Makefile.am (README): Likewise. 
* modules/pam_shells/Makefile.am (README): Likewise. * modules/pam_succeed_if/Makefile.am (README): Likewise. * modules/pam_tally/Makefile.am (README): Likewise. * modules/pam_tally2/Makefile.am (README): Likewise. * modules/pam_time/Makefile.am (README): Likewise. * modules/pam_timestamp/Makefile.am (README): Likewise. * modules/pam_tty_audit/Makefile.am (README): Likewise. * modules/pam_umask/Makefile.am (README): Likewise. * modules/pam_unix/Makefile.am (README): Likewise. * modules/pam_userdb/Makefile.am (README): Likewise. * modules/pam_usertype/Makefile.am (README): Likewise. * modules/pam_warn/Makefile.am (README): Likewise. * modules/pam_wheel/Makefile.am (README): Likewise. * modules/pam_xauth/Makefile.am (README): Likewise. --- modules/pam_lastlog/Makefile.am | 1 - 1 file changed, 1 deletion(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index beca380c..ac0ecedd 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -29,6 +29,5 @@ pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil if ENABLE_REGENERATE_MAN noinst_DATA = README -README: $(XMLS) -include $(top_srcdir)/Make.xml.rules endif -- cgit v1.2.3 From d9fe742a06af41711faba73d2f97f4d13b1b0534 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: reorder lines to promote uniformity This is essentially a no-op change that makes modules/*/Makefile.am files less divergent. --- modules/pam_lastlog/Makefile.am | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'modules/pam_lastlog') diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index ac0ecedd..7cc4c84a 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am 
@@ -5,18 +5,17 @@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
 EXTRA_DIST = README $(MANS) $(XMLS) $(TESTS)
 if HAVE_DOC
 man_MANS = pam_lastlog.8
 endif
 XMLS = README.xml pam_lastlog.8.xml
-
 TESTS = tst-pam_lastlog
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
 $(WARN_CFLAGS)
 AM_LDFLAGS = -no-undefined -avoid-version -module
-- cgit v1.2.3
From d8a518391c4fd93a05e19d145a01bdc8f54a2ff8 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Mon, 27 Apr 2020 15:34:04 +0000
Subject: modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST Since the GNU Automake distributes README files by default, the only reason why README had to be listed in EXTRA_DIST was to make these README files generated. Since README is also listed in noinst_DATA, we can safely replace README in EXTRA_DIST with $(DATA), this also opens the way for further EXTRA_DIST cleanup. * modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).
---
 modules/pam_lastlog/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am
index 7cc4c84a..d6b652ca 100644
--- a/modules/pam_lastlog/Makefile.am
+++ b/modules/pam_lastlog/Makefile.am
@@ -5,7 +5,7 @@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = README $(MANS) $(XMLS) $(TESTS)
+EXTRA_DIST = $(DATA) $(MANS) $(XMLS) $(TESTS)
 if HAVE_DOC
 man_MANS = pam_lastlog.8
-- cgit v1.2.3
From 97887fd27d83278d045f69759c9d45730c6e01c3 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sun, 3 May 2020 01:18:44 +0000
Subject: modules/*/Makefile.am: add dist_ prefix to *_DATA ... and remove $(DATA) from EXTRA_DIST. The change is performed automatically using the following script: sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
---
 modules/pam_lastlog/Makefile.am | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am
index d6b652ca..1361436f 100644
--- a/modules/pam_lastlog/Makefile.am
+++ b/modules/pam_lastlog/Makefile.am
@@ -5,7 +5,7 @@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = $(DATA) $(MANS) $(XMLS) $(TESTS)
+EXTRA_DIST = $(MANS) $(XMLS) $(TESTS)
 if HAVE_DOC
 man_MANS = pam_lastlog.8
@@ -27,6 +27,6 @@ securelib_LTLIBRARIES = pam_lastlog.la
 pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil
 if ENABLE_REGENERATE_MAN
-noinst_DATA = README
+dist_noinst_DATA = README
 -include $(top_srcdir)/Make.xml.rules
 endif
-- cgit v1.2.3
From b0321cdeccdc90f77623e14f5c9e0a52b1c5b8a6 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sun, 3 May 2020 01:18:44 +0000
Subject: modules/*/Makefile.am: rename man_MANS to dist_man_MANS ... and remove $(MANS) from EXTRA_DIST. The change is performed automatically using the following script: sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
---
 modules/pam_lastlog/Makefile.am | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am
index 1361436f..eda816a0 100644
--- a/modules/pam_lastlog/Makefile.am
+++ b/modules/pam_lastlog/Makefile.am
@@ -5,10 +5,10 @@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = $(MANS) $(XMLS) $(TESTS)
+EXTRA_DIST = $(XMLS) $(TESTS)
 if HAVE_DOC
-man_MANS = pam_lastlog.8
+dist_man_MANS = pam_lastlog.8
 endif
 XMLS = README.xml pam_lastlog.8.xml
 TESTS = tst-pam_lastlog
-- cgit v1.2.3
From f7d09edb72f605a2f7e1ec7989ab01c947bb1bee Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sun, 3 May 2020 12:21:11 +0000
Subject: modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS ... and remove $(TESTS) from EXTRA_DIST. The change is performed automatically using the following script: sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \ -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
---
 modules/pam_lastlog/Makefile.am | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am
index eda816a0..dc0c7c4c 100644
--- a/modules/pam_lastlog/Makefile.am
+++ b/modules/pam_lastlog/Makefile.am
@@ -5,13 +5,14 @@
 CLEANFILES = *~
 MAINTAINERCLEANFILES = $(MANS) README
-EXTRA_DIST = $(XMLS) $(TESTS)
+EXTRA_DIST = $(XMLS)
 if HAVE_DOC
 dist_man_MANS = pam_lastlog.8
 endif
 XMLS = README.xml pam_lastlog.8.xml
-TESTS = tst-pam_lastlog
+dist_check_SCRIPTS = tst-pam_lastlog
+TESTS = $(dist_check_SCRIPTS)
 securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
-- cgit v1.2.3
From 37b5259298be9137f5b40eef16027152ddb803ff Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Fri, 1 May 2020 19:20:12 +0000
Subject: modules: remove PAM_SM_* macros Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect.
---
 modules/pam_lastlog/pam_lastlog.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 1f707d93..1c46d03a 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -1,6 +1,6 @@
-/* pam_lastlog module */
-
 /*
+ * pam_lastlog module
+ *
 * Written by Andrew Morgan 1996/3/11
 *
 * This module does the necessary work to display the last login
@@ -66,17 +66,6 @@ struct lastlog {
 #define DEFAULT_INACTIVE_DAYS 90
 #define MAX_INACTIVE_DAYS 100000
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_SESSION
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-
 #include
 #include
 #include
-- cgit v1.2.3
From 5aca62a102b7309f1d96ded01ad1e7f94310fade Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" Date: Fri, 15 May 2020 08:00:00 +0000 Subject: modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS If pam_get_user returned PAM_SUCCESS, the user name is guaranteed to be a valid C string, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check for NULL the user name returned by pam_get_user when the latter returned PAM_SUCCESS. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise. * modules/pam_filter/pam_filter.c (process_args): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. 
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_wheel/pam_wheel.c (perform_check): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise.
---
 modules/pam_lastlog/pam_lastlog.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 1c46d03a..3e27b3ed 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -669,8 +669,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 /* which user? */
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
- || *user == '\0') {
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') {
 pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
 return PAM_USER_UNKNOWN;
 }
-- cgit v1.2.3
From b52bd25910c9a8a32a49be7627a709a081a3768c Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sat, 16 May 2020 08:00:00 +0000
Subject: modules: do not check user name for emptyness before passing it to pam_modutil_getpwnam pam_modutil_getpwnam is perfectly capable of handling empty strings as user names, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check the user name for emptyness before passing it to pam_modutil_getpwnam. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise. * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
---
 modules/pam_lastlog/pam_lastlog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog')
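Review bot: In the `-669,8 +669,7` hunk, the surviving `*user == '\0'` test dereferences `user` with nothing at the call site saying why that is safe; the guarantee is stated only in the commit message. The dereference is reached only because `||` short-circuits after the `!= PAM_SUCCESS` comparison, so the operand order is now load-bearing. A one-line comment above the condition, such as `/* pam_get_user() yields a valid C string on PAM_SUCCESS; keep this test last */`, would stop a later edit from reordering the operands or re-adding the NULL test. pam_sm_authenticate starts and ends outside this hunk.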
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 3e27b3ed..e244cb71 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -669,7 +669,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 /* which user? */
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') {
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
 pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
 return PAM_USER_UNKNOWN;
 }
-- cgit v1.2.3
From aac5a8fdc4aa3f7e56335a6343774cc1b63b408d Mon Sep 17 00:00:00 2001
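Review bot: In the `-669,7 +669,7` hunk, dropping `|| *user == '\0'` moves the rejection of an empty user name to a different place, and neither the code nor the commit message records where. Judging by the `pwd == NULL` branch shown in a later hunk on this page, an empty name would presumably now be logged as `user unknown` instead of `cannot determine the user's name`; the return value stays PAM_USER_UNKNOWN if the lookup fails as the commit message implies. A comment next to the lookup, for example `/* an empty name is rejected by the pam_modutil_getpwnam() lookup */`, would make that dependency explicit for anyone reading auth logs or changing the lookup. pam_sm_authenticate starts and ends outside this hunk.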
From: "Dmitry V. Levin" Date: Fri, 22 May 2020 11:00:00 +0000 Subject: modules: downgrade syslog level for pam_get_user errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise. * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise. * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_xauth/pam_xauth.c (pam_sm_open_session, pam_sm_close_session): Likewise. * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Downgrade the syslog level for pam_get_user errors from LOG_WARNING to LOG_NOTICE. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. Suggested-by: Tomáš Mráz --- modules/pam_lastlog/pam_lastlog.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog') 
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index e244cb71..a8686df7 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -670,7 +670,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 /* which user? */
 if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
+ pam_syslog(pamh, LOG_NOTICE, "cannot determine user name");
 return PAM_USER_UNKNOWN;
 }
-- cgit v1.2.3
From eec5fe0da3ec2af71995864840b3ab7599e598f1 Mon Sep 17 00:00:00 2001
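Review bot: In the `-670,7 +670,7` hunk, the new `pam_syslog` line rewords the message as well as lowering the level (`cannot determine the user's name` becomes `cannot determine user name`), and the commit message mentions only the level. Log parsers and detection rules that match the old text in the auth log would stop matching without any error. Either change the level alone, `pam_syslog(pamh, LOG_NOTICE, "cannot determine the user's name");`, or state the rewording in the commit message and release notes. Collectors that filter at `err` severity will also no longer see this event, and the same applies to the `user unknown` line lowered to LOG_NOTICE in the following commit on this page. pam_sm_authenticate starts and ends outside this hunk.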
From: "Dmitry V. Levin"
Date: Fri, 22 May 2020 11:00:00 +0000
Subject: modules: downgrade syslog level for errors related to pam_get_user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade the syslog level for diagnostics of errors returned by pam_modutil_getpwnam for users returned by pam_get_user from LOG_ERR to LOG_NOTICE. * modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise. * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise. * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_xauth/pam_xauth.c (pam_sm_open_session, pam_sm_close_session): Likewise. * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade the syslog level for diagnostics of errors returned by pam_modutil_getpwnam for users returned by pam_get_user from LOG_WARNING to LOG_NOTICE.
Suggested-by: Tomáš Mráz
---
 modules/pam_lastlog/pam_lastlog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_lastlog')
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index a8686df7..abd048df 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -678,7 +678,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 pwd = pam_modutil_getpwnam (pamh, user);
 if (pwd == NULL) {
- pam_syslog(pamh, LOG_ERR, "user unknown");
+ pam_syslog(pamh, LOG_NOTICE, "user unknown");
 return PAM_USER_UNKNOWN;
 }
 uid = pwd->pw_uid;
-- cgit v1.2.3