From 1781f0165c6f83601088f47681a05956ad9c21e1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 18 Dec 2019 13:55:23 +0100 Subject: Do not use CFLAGS for warning flags set from configure To be able to set CFLAGS from make command-line but not to lose the warning flags. * configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS. * */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS. --- modules/pam_localuser/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 64f2ef3f..10bb3b7a 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -15,7 +15,8 @@ XMLS = README.xml pam_localuser.8.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -- cgit v1.2.3 From 4dd9b97b762cc73816cb867d49c9d0d0b91d642c Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sat, 25 Jan 2020 11:11:18 +0100 Subject: configure.ac: add --enable-doc option Allow the user to disable documentation through --disable-doc (enabled by default), this is especially useful when cross-compiling for embedded targets Signed-off-by: Fabrice Fontaine --- modules/pam_localuser/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 10bb3b7a..c31c7532 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am 
@@ -9,7 +9,9 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_localuser TESTS = tst-pam_localuser +if HAVE_DOC man_MANS = pam_localuser.8 +endif XMLS = README.xml pam_localuser.8.xml securelibdir = $(SECUREDIR) -- cgit v1.2.3 From 14d9ee846db42a95880abda26a08fd30e7d9c0f1 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 16 Mar 2020 21:02:18 +0000 Subject: modules/pam_localuser: use pam_str_skip_prefix * modules/pam_localuser/pam_localuser.c: Include "pam_inline.h". (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp invocations. --- modules/pam_localuser/pam_localuser.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index e32ea6d7..ac51e4ef 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -52,6 +52,7 @@ #include #include #include +#include "pam_inline.h" #define MODULE_NAME "pam_localuser" @@ -73,8 +74,10 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } for(i = 0; i < argc; i++) { - if(strncmp("file=", argv[i], 5) == 0) { - filename = argv[i] + 5; + const char *str; + + if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { + filename = str; if(debug) { pam_syslog (pamh, LOG_DEBUG, "set filename to \"%s\"", -- cgit v1.2.3 From 0f5b1b11d286a1ac070b75b49631f6327b286fb4 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: list tests in EXTRA_DIST uniformly The change was prepared using the following script: git grep -l '^TESTS = tst-pam_' modules/ |while read m; do t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")" sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m" done * modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access with $(TESTS). * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace tst-pam_cracklib with $(TESTS). * modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with $(TESTS). * modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with $(TESTS). * modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with $(TESTS). * modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with $(TESTS). * modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with $(TESTS). * modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace tst-pam_faildelay with $(TESTS). * modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter with $(TESTS). * modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with $(TESTS). * modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with $(TESTS). * modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with $(TESTS). * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit with $(TESTS). * modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog with $(TESTS). * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits with $(TESTS). * modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace tst-pam_listfile with $(TESTS). * modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace tst-pam_localuser with $(TESTS). * modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace tst-pam_loginuid with $(TESTS). * modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with $(TESTS). 
* modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace tst-pam_mkhomedir with $(TESTS). * modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with $(TESTS). * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace tst-pam_namespace with $(TESTS). * modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin with $(TESTS). * modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit with $(TESTS). * modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace tst-pam_pwhistory with $(TESTS). * modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts with $(TESTS). * modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok with $(TESTS). * modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace tst-pam_securetty with $(TESTS). * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace tst-pam_sepermit with $(TESTS). * modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace tst-pam_setquota with $(TESTS). * modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells with $(TESTS). * modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress with $(TESTS). * modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace tst-pam_succeed_if with $(TESTS). * modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with $(TESTS). * modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2 with $(TESTS). * modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with $(TESTS). * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace tst-pam_tty_audit with $(TESTS). * modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with $(TESTS). * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb with $(TESTS). * modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace tst-pam_usertype with $(TESTS). * modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with $(TESTS). * modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with $(TESTS). 
* modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with $(TESTS). --- modules/pam_localuser/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index c31c7532..4569561b 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -5,7 +5,7 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_localuser +EXTRA_DIST = README $(MANS) $(XMLS) $(TESTS) TESTS = tst-pam_localuser -- cgit v1.2.3 From bd849daab0c0a1107512d4575404f22525db5f96 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: list prerequisites of README target uniformly There is no need to list prerequisites of README targets manually as all README targets depend on $(XMLS). The change is performed automatically using the following script: sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am * modules/pam_access/Makefile.am (README): Replace pam_access.8.xml and access.conf.5.xml with $(XMLS). * modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml with $(XMLS). * modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml with $(XMLS). * modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml with $(XMLS). * modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml with $(XMLS). * modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and pam_env.conf.5.xml with $(XMLS). * modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml with $(XMLS). * modules/pam_faildelay/Makefile.am (README): Replace pam_faildelay.8.xml with $(XMLS). * modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml with $(XMLS). * modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with $(XMLS). * modules/pam_group/Makefile.am (README): Replace pam_group.8.xml and group.conf.5.xml with $(XMLS). * modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml with $(XMLS). * modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml with $(XMLS). * modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml with $(XMLS). * modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml and limits.conf.5.xml with $(XMLS). * modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml with $(XMLS). * modules/pam_localuser/Makefile.am (README): Replace pam_localuser.8.xml with $(XMLS). * modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml with $(XMLS). 
* modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml with $(XMLS). * modules/pam_mkhomedir/Makefile.am (README): Replace pam_mkhomedir.8.xml with $(XMLS). * modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml with $(XMLS). * modules/pam_namespace/Makefile.am (README): Replace pam_namespace.8.xml, namespace.conf.5.xml, and pam_namespace_helper.8.xml with $(XMLS). * modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml with $(XMLS). * modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml with $(XMLS). * modules/pam_pwhistory/Makefile.am (README): Replace pam_pwhistory.8.xml with $(XMLS). * modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml with $(XMLS). * modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml with $(XMLS). * modules/pam_securetty/Makefile.am (README): Replace pam_securetty.8.xml with $(XMLS). * modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml with $(XMLS). * modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml with $(XMLS). * modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml with $(XMLS). * modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml with $(XMLS). * modules/pam_succeed_if/Makefile.am (README): Replace pam_succeed_if.8.xml with $(XMLS). * modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml with $(XMLS). * modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml with $(XMLS). * modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and time.conf.5.xml with $(XMLS). * modules/pam_timestamp/Makefile.am (README): Replace pam_timestamp.8.xml with $(XMLS). * modules/pam_tty_audit/Makefile.am (README): Replace pam_tty_audit.8.xml with $(XMLS). * modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml with $(XMLS). * modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml with $(XMLS). * modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml with $(XMLS). 
* modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml with $(XMLS). * modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml with $(XMLS). * modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml with $(XMLS). * modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml with $(XMLS). --- modules/pam_localuser/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 4569561b..e37a19aa 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -29,6 +29,6 @@ pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README -README: pam_localuser.8.xml +README: $(XMLS) -include $(top_srcdir)/Make.xml.rules endif -- cgit v1.2.3 From 1886b6020c510cab239b3ae8db20a66991d8f8db Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules As the rule is now the same in every modules/*/Makefile.am file, move it to Make.xml.rules. * Make.xml.rules (README): New prerequisites rule. * modules/pam_access/Makefile.am (README): Remove rule. * modules/pam_cracklib/Makefile.am (README): Likewise. * modules/pam_debug/Makefile.am (README): Likewise. * modules/pam_deny/Makefile.am (README): Likewise. * modules/pam_echo/Makefile.am (README): Likewise. * modules/pam_env/Makefile.am (README): Likewise. * modules/pam_exec/Makefile.am (README): Likewise. * modules/pam_faildelay/Makefile.am (README): Likewise. * modules/pam_filter/Makefile.am (README): Likewise. * modules/pam_ftp/Makefile.am (README): Likewise. * modules/pam_group/Makefile.am (README): Likewise. * modules/pam_issue/Makefile.am (README): Likewise. * modules/pam_keyinit/Makefile.am (README): Likewise. * modules/pam_lastlog/Makefile.am (README): Likewise. * modules/pam_limits/Makefile.am (README): Likewise. * modules/pam_listfile/Makefile.am (README): Likewise. * modules/pam_localuser/Makefile.am (README): Likewise. * modules/pam_loginuid/Makefile.am (README): Likewise. * modules/pam_mail/Makefile.am (README): Likewise. * modules/pam_mkhomedir/Makefile.am (README): Likewise. * modules/pam_motd/Makefile.am (README): Likewise. * modules/pam_namespace/Makefile.am (README): Likewise. * modules/pam_nologin/Makefile.am (README): Likewise. * modules/pam_permit/Makefile.am (README): Likewise. * modules/pam_pwhistory/Makefile.am (README): Likewise. * modules/pam_rhosts/Makefile.am (README): Likewise. * modules/pam_rootok/Makefile.am (README): Likewise. * modules/pam_securetty/Makefile.am (README): Likewise. * modules/pam_selinux/Makefile.am (README): Likewise. * modules/pam_sepermit/Makefile.am (README): Likewise. * modules/pam_setquota/Makefile.am (README): Likewise. 
* modules/pam_shells/Makefile.am (README): Likewise. * modules/pam_succeed_if/Makefile.am (README): Likewise. * modules/pam_tally/Makefile.am (README): Likewise. * modules/pam_tally2/Makefile.am (README): Likewise. * modules/pam_time/Makefile.am (README): Likewise. * modules/pam_timestamp/Makefile.am (README): Likewise. * modules/pam_tty_audit/Makefile.am (README): Likewise. * modules/pam_umask/Makefile.am (README): Likewise. * modules/pam_unix/Makefile.am (README): Likewise. * modules/pam_userdb/Makefile.am (README): Likewise. * modules/pam_usertype/Makefile.am (README): Likewise. * modules/pam_warn/Makefile.am (README): Likewise. * modules/pam_wheel/Makefile.am (README): Likewise. * modules/pam_xauth/Makefile.am (README): Likewise. --- modules/pam_localuser/Makefile.am | 1 - 1 file changed, 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index e37a19aa..4102ba30 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -29,6 +29,5 @@ pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README -README: $(XMLS) -include $(top_srcdir)/Make.xml.rules endif -- cgit v1.2.3 From d9fe742a06af41711faba73d2f97f4d13b1b0534 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: reorder lines to promote uniformity This is essentially a no-op change that makes modules/*/Makefile.am files less divergent. --- modules/pam_localuser/Makefile.am | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 4102ba30..242cb6a2 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am 
@@ -7,12 +7,11 @@ MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(MANS) $(XMLS) $(TESTS) -TESTS = tst-pam_localuser - if HAVE_DOC man_MANS = pam_localuser.8 endif XMLS = README.xml pam_localuser.8.xml +TESTS = tst-pam_localuser securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) -- cgit v1.2.3 From d8a518391c4fd93a05e19d145a01bdc8f54a2ff8 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 27 Apr 2020 15:34:04 +0000 Subject: modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST Since the GNU Automake distributes README files by default, the only reason why README had to be listed in EXTRA_DIST was to make these README files generated. Since README is also listed in noinst_DATA, we can safely replace README in EXTRA_DIST with $(DATA), this also opens the way for further EXTRA_DIST cleanup. * modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA). --- modules/pam_localuser/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 242cb6a2..e91e55a2 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -5,7 +5,7 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(MANS) $(XMLS) $(TESTS) +EXTRA_DIST = $(DATA) $(MANS) $(XMLS) $(TESTS) if HAVE_DOC man_MANS = pam_localuser.8 -- cgit v1.2.3 From 97887fd27d83278d045f69759c9d45730c6e01c3 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 3 May 2020 01:18:44 +0000 Subject: modules/*/Makefile.am: add dist_ prefix to *_DATA ... and remove $(DATA) from EXTRA_DIST. The change is performed automatically using the following script: sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am --- modules/pam_localuser/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_localuser') 
diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index e91e55a2..80a2a5f5 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -5,7 +5,7 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = $(DATA) $(MANS) $(XMLS) $(TESTS) +EXTRA_DIST = $(MANS) $(XMLS) $(TESTS) if HAVE_DOC man_MANS = pam_localuser.8 @@ -27,6 +27,6 @@ securelib_LTLIBRARIES = pam_localuser.la pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN -noinst_DATA = README +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif -- cgit v1.2.3 From b0321cdeccdc90f77623e14f5c9e0a52b1c5b8a6 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 3 May 2020 01:18:44 +0000 Subject: modules/*/Makefile.am: rename man_MANS to dist_man_MANS ... and remove $(MANS) from EXTRA_DIST. The change is performed automatically using the following script: sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am --- modules/pam_localuser/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 80a2a5f5..3c1cae7f 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -5,10 +5,10 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = $(MANS) $(XMLS) $(TESTS) +EXTRA_DIST = $(XMLS) $(TESTS) if HAVE_DOC -man_MANS = pam_localuser.8 +dist_man_MANS = pam_localuser.8 endif XMLS = README.xml pam_localuser.8.xml TESTS = tst-pam_localuser -- cgit v1.2.3 From f7d09edb72f605a2f7e1ec7989ab01c947bb1bee Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Sun, 3 May 2020 12:21:11 +0000 Subject: modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS ... and remove $(TESTS) from EXTRA_DIST. The change is performed automatically using the following script: sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \ -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am --- modules/pam_localuser/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index 3c1cae7f..b742fdd0 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -5,13 +5,14 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = $(XMLS) $(TESTS) +EXTRA_DIST = $(XMLS) if HAVE_DOC dist_man_MANS = pam_localuser.8 endif XMLS = README.xml pam_localuser.8.xml -TESTS = tst-pam_localuser +dist_check_SCRIPTS = tst-pam_localuser +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) -- cgit v1.2.3 From 37b5259298be9137f5b40eef16027152ddb803ff Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 19:20:12 +0000 Subject: modules: remove PAM_SM_* macros Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect. --- modules/pam_localuser/pam_localuser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index ac51e4ef..3633b535 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -1,4 +1,6 @@ /* + * pam_localuser module + * * Copyright 2001, 2004 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without 
@@ -47,8 +49,6 @@ #include #include -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT #include #include #include -- cgit v1.2.3 From 5aca62a102b7309f1d96ded01ad1e7f94310fade Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Fri, 15 May 2020 08:00:00 +0000 Subject: modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS If pam_get_user returned PAM_SUCCESS, the user name is guaranteed to be a valid C string, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check for NULL the user name returned by pam_get_user when the latter returned PAM_SUCCESS. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise. * modules/pam_filter/pam_filter.c (process_args): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. 
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_wheel/pam_wheel.c (perform_check): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise. --- modules/pam_localuser/pam_localuser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 3633b535..6f4f8aea 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -100,7 +100,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_SYSTEM_ERR; } - if ((user == NULL) || (strlen(user) == 0)) { + if (strlen(user) == 0) { pam_syslog (pamh, LOG_ERR, "user name not valid"); fclose(fp); return PAM_SYSTEM_ERR; -- cgit v1.2.3 From bd3cdf24ee83ea4c4551c6aaf6966e720d957577 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: reject user names containing a colon "root:x" is not a local user name even if the passwd file contains a line starting with "root:x:". * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_PERM_DENIED if the user name contains a colon. --- modules/pam_localuser/pam_localuser.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 6f4f8aea..4e05350e 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c 
@@ -106,6 +106,15 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_SYSTEM_ERR; } + if (strchr(user, ':') != NULL) { + /* + * "root:x" is not a local user name even if the passwd file + * contains a line starting with "root:x:". + */ + fclose(fp); + return PAM_PERM_DENIED; + } + /* scan the file, using fgets() instead of fgetpwent() because i * don't want to mess with applications which call fgetpwent() */ ret = PAM_PERM_DENIED; -- cgit v1.2.3 From e35c10e9689df315a626ea6a119763993f95440b Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: reject user names that are too long Too long user names used to be truncated which could potentially result to false match and, consequently, to incorrect PAM_SUCCESS return value. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_SERVICE_ERR if the user name is too long. --- modules/pam_localuser/pam_localuser.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 4e05350e..2020eced 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -106,6 +106,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_SYSTEM_ERR; } + if (strlen(user) > sizeof(name) - sizeof(":")) { + pam_syslog (pamh, LOG_ERR, "user name too long"); + fclose(fp); + return PAM_SERVICE_ERR; + } + if (strchr(user, ':') != NULL) { /* * "root:x" is not a local user name even if the passwd file -- cgit v1.2.3 From 1b9a74bd77740df08b87b225ea70afcfaa02636d Mon Sep 17 00:00:00 2001 
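Review bot: The added colon check returns PAM_PERM_DENIED without logging anything, whereas the neighbouring early return visible in this hunk's context calls `pam_syslog` ("user name not valid") before giving up. A login name containing ':' is unusual enough that an operator reviewing auth logs would want to see it, so consider adding `pam_syslog (pamh, LOG_NOTICE, "user name contains a colon");` ahead of the `fclose(fp)`. Leaving the name itself out of the message is deliberate, because the field is untrusted input. pam_sm_authenticate starts and ends outside the hunk.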
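Review bot: The bound `sizeof(name) - sizeof(":")` in the added length check is easy to misread, because `sizeof(":")` is 2 (the colon plus the terminating NUL), not 1. A one-line comment would stop a later edit from "simplifying" it, for example `/* sizeof(":") covers the ':' delimiter and the terminating NUL */`. The same expression appears again as `user_len > sizeof(line) - sizeof(":")` in the later "get rid of a temporary buffer" change and would benefit from the same comment. The enclosing function continues outside the hunk.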
From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR When passwd file cannot be opened or the user name either cannot be obtained or is not valid, return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR. --- modules/pam_localuser/pam_localuser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 2020eced..2aa60600 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -91,19 +91,19 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, if(fp == NULL) { pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", filename); - return PAM_SYSTEM_ERR; + return PAM_SERVICE_ERR; } if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { pam_syslog (pamh, LOG_ERR, "user name not specified yet"); fclose(fp); - return PAM_SYSTEM_ERR; + return PAM_SERVICE_ERR; } if (strlen(user) == 0) { pam_syslog (pamh, LOG_ERR, "user name not valid"); fclose(fp); - return PAM_SYSTEM_ERR; + return PAM_SERVICE_ERR; } if (strlen(user) > sizeof(name) - sizeof(":")) { -- cgit v1.2.3 From be3030d76bf1fef7974a8063c75a46cf5668c396 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: log unrecognized options * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log unrecognized options. --- modules/pam_localuser/pam_localuser.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 2aa60600..a4cf94fb 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c 
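Review bot: The three returns switched from PAM_SYSTEM_ERR to PAM_SERVICE_ERR change what applications and `[value=action]` control expressions in PAM stacks observe, yet the diffstat for modules/pam_localuser lists only pam_localuser.c. If pam_localuser.8.xml documents the module's return values, it should be updated in the same commit so administrators who match on these codes are not working from stale documentation. That file is not visible here, so this is a check to make rather than a confirmed omission. A short comment above the first changed return, such as `/* configuration or input problem, not a verdict on the user */`, would also record why PAM_SERVICE_ERR was chosen.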
@@ -76,6 +76,11 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, for(i = 0; i < argc; i++) { const char *str; + if (strcmp("debug", argv[i]) == 0) { + /* Already processed. */ + continue; + } + if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { filename = str; if(debug) { @@ -83,6 +88,9 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, "set filename to \"%s\"", filename); } + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", + argv[i]); } } -- cgit v1.2.3 From 378ff917604725de6109b2a039de963de1f3245b Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: get rid of a temporary buffer * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not copy the user name into a temporary buffer, use the user name itself in comparisons. --- modules/pam_localuser/pam_localuser.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index a4cf94fb..3ce0aaa0 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -64,8 +64,9 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, FILE *fp; int debug = 0; const char *filename = "/etc/passwd"; - char line[LINE_MAX], name[LINE_MAX]; + char line[LINE_MAX]; const char* user; + size_t user_len; /* process arguments */ for(i = 0; i < argc; i++) { @@ -108,13 +109,13 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_SERVICE_ERR; } - if (strlen(user) == 0) { + if ((user_len = strlen(user)) == 0) { pam_syslog (pamh, LOG_ERR, "user name not valid"); fclose(fp); return PAM_SERVICE_ERR; } - if (strlen(user) > sizeof(name) - sizeof(":")) { + if (user_len > sizeof(line) - sizeof(":")) { pam_syslog (pamh, LOG_ERR, "user name too long"); fclose(fp); return PAM_SERVICE_ERR; 
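Review bot: An unrecognized option is logged in the new `else` branch, but argument processing then carries on, so a misspelled `file=` option leaves `filename` at its default `/etc/passwd` and the module answers from a different file than the administrator intended. For a module whose result feeds an authentication decision, consider returning an error once an unknown option has been logged, or at least state in the module documentation that unknown options are ignored after logging. Passing `argv[i]` as a `%s` argument rather than as the format string is the right way to log it. The loop and the function continue outside the hunk.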
@@ -132,13 +133,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* scan the file, using fgets() instead of fgetpwent() because i * don't want to mess with applications which call fgetpwent() */ ret = PAM_PERM_DENIED; - snprintf(name, sizeof(name), "%s:", user); - i = strlen(name); while(fgets(line, sizeof(line), fp) != NULL) { if(debug) { pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line); } - if(strncmp(name, line, i) == 0) { + /* + * Does this line start with the user name + * followed by a colon? + */ + if (strncmp(user, line, user_len) == 0 && + line[user_len] == ':') { ret = PAM_SUCCESS; break; } -- cgit v1.2.3 From ed74a6c898df2963d0587262caf6996259025426 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: handle long lines in passwd files properly Before this change, a long line in the passwd file used to be treated as several lines which could potentially result to false match and, consequently, to incorrect PAM_SUCCESS return value. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle long lines in passwd files properly. --- modules/pam_localuser/pam_localuser.c | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 3ce0aaa0..66ca2d08 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c 
@@ -130,13 +130,20 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_PERM_DENIED; } - /* scan the file, using fgets() instead of fgetpwent() because i - * don't want to mess with applications which call fgetpwent() */ + /* + * Scan the file using fgets() instead of fgetpwent_r() because + * the latter is not flexible enough in handling long lines + * in passwd files. + */ ret = PAM_PERM_DENIED; - while(fgets(line, sizeof(line), fp) != NULL) { + while (fgets(line, sizeof(line), fp) != NULL) { + size_t line_len; + const char *str; + if(debug) { pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line); } + /* * Does this line start with the user name * followed by a colon? @@ -146,6 +153,28 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, ret = PAM_SUCCESS; break; } + + /* Has a newline been read? */ + line_len = strlen(line); + if (line_len < sizeof(line) - 1 || + line[line_len - 1] == '\n') { + /* Yes, continue with the next line. */ + continue; + } + + /* No, read till the end of this line first. */ + while ((str = fgets(line, sizeof(line), fp)) != NULL) { + line_len = strlen(line); + if (line_len == 0 || + line[line_len - 1] == '\n') { + break; + } + } + if (str == NULL) { + /* fgets returned NULL, we are done. */ + break; + } + /* Continue with the next line. */ } /* okay, we're done */ -- cgit v1.2.3 From fa66049858580678e619360087dd825a783716d7 Mon Sep 17 00:00:00 2001 
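Review bot: The "Has a newline been read?" test in the `@@ -146,6 +153,28 @@` hunk derives the read length from `strlen(line)`, so a NUL byte inside an over-long line makes a truncated read look like a complete line and the remainder is then matched as if it began a new record. That would reintroduce the false PAM_SUCCESS the commit sets out to remove, though only for a file that contains NUL bytes, which a well-formed passwd file does not. Either state the assumption at the check, `/* Assumes the file contains no NUL bytes; strlen() cannot see past one. */`, or read with a call that returns the byte count, such as `getline()`. The inner skip loop's `line_len == 0` test has the same dependency.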
From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: use BUFSIZ as the line buffer size As BUFSIZ is the buffer size used in stdio, it must be an efficient size for the line buffer. Also, it's larger than LINE_MAX used as the line buffer size before this change, effectively raising the maximum user name length supported by this module. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace LINE_MAX with BUFSIZ. --- modules/pam_localuser/pam_localuser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 66ca2d08..e6dd72d0 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -64,7 +64,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, FILE *fp; int debug = 0; const char *filename = "/etc/passwd"; - char line[LINE_MAX]; + char line[BUFSIZ]; const char* user; size_t user_len; -- cgit v1.2.3 From c6c3b3f9f7f7024fbbaff3edf0f57c8cb945b4c5 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: open the passwd file after user name validation Since user name is untrusted input, it should be validated earlier rather than later. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open the passwd file after user name validation. --- modules/pam_localuser/pam_localuser.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index e6dd72d0..249d09cf 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c 
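Review bot: `char line[BUFSIZ];` in the `@@ -64,7 +64,7 @@` hunk makes the buffer size, and with it the `user_len > sizeof(line) - sizeof(":")` limit on accepted user names, depend on the C library: the C standard only guarantees BUFSIZ is at least 256, so the description's claim that it is larger than LINE_MAX holds for some libcs and not others. A comment at the declaration would make the coupling explicit, e.g. `/* BUFSIZ is implementation-defined; it also bounds the longest user name accepted. */`. If a minimum is wanted regardless of libc, a named constant would serve better than either macro. The function body continues outside the hunk.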
@@ -95,29 +95,18 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } - /* open the file */ - fp = fopen(filename, "r"); - if(fp == NULL) { - pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", - filename); - return PAM_SERVICE_ERR; - } - if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { pam_syslog (pamh, LOG_ERR, "user name not specified yet"); - fclose(fp); return PAM_SERVICE_ERR; } if ((user_len = strlen(user)) == 0) { pam_syslog (pamh, LOG_ERR, "user name not valid"); - fclose(fp); return PAM_SERVICE_ERR; } if (user_len > sizeof(line) - sizeof(":")) { pam_syslog (pamh, LOG_ERR, "user name too long"); - fclose(fp); return PAM_SERVICE_ERR; } @@ -126,10 +115,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, * "root:x" is not a local user name even if the passwd file * contains a line starting with "root:x:". */ - fclose(fp); return PAM_PERM_DENIED; } + /* Open the passwd file. */ + if ((fp = fopen(filename, "r")) == NULL) { + pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", + filename); + return PAM_SERVICE_ERR; + } + /* * Scan the file using fgets() instead of fgetpwent_r() because * the latter is not flexible enough in handling long lines -- cgit v1.2.3 From 7d878c8471b56c018c04bfe9b83bea5fecd70f90 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN Give the application a chance to handle PAM_INCOMPLETE. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns PAM_CONV_AGAIN. * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document it. --- modules/pam_localuser/pam_localuser.8.xml | 10 ++++++++++ modules/pam_localuser/pam_localuser.c | 9 +++++---- 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'modules/pam_localuser') 
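Review bot: The relocated `fopen(filename, "r")` in the `@@ -126,10 +115,16 @@` hunk opens the file without close-on-exec, so in a host application that forks and execs from another thread while the scan is running the descriptor can be inherited by the child. Where the libc supports the `e` mode flag (glibc and musl do), `if ((fp = fopen(filename, "re")) == NULL) {` closes that window. The same call appears again in check_user_in_passwd in the later `@@ -111,9 +77,11 @@` hunk. The function body starts and ends outside this hunk.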
diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml index 2a8b2e04..4d3daa9e 100644 --- a/modules/pam_localuser/pam_localuser.8.xml +++ b/modules/pam_localuser/pam_localuser.8.xml @@ -102,6 +102,16 @@ + + PAM_INCOMPLETE + + + The conversation method supplied by the application + returned PAM_CONV_AGAIN. + + + + PAM_SERVICE_ERR diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 249d09cf..9ffd54a3 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -60,7 +60,7 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int i, ret = PAM_SUCCESS; + int i, ret; FILE *fp; int debug = 0; const char *filename = "/etc/passwd"; @@ -95,9 +95,10 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } - if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "user name not specified yet"); - return PAM_SERVICE_ERR; + /* Obtain the user name. */ + if ((ret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + pam_syslog (pamh, LOG_ERR, "cannot determine user name"); + return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : PAM_SERVICE_ERR; } if ((user_len = strlen(user)) == 0) { -- cgit v1.2.3 From ac85f26ed489a9f8ecbf4775237dd1561a28bfbc Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: forward error values returned by pam_get_user Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38, pam_get_user is guaranteed to return one of the following values: PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not replace non-PAM_CONV_AGAIN error values returned by pam_get_user with PAM_SERVICE_ERR. * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document new return values. --- modules/pam_localuser/pam_localuser.8.xml | 21 ++++++++++++++++++++- modules/pam_localuser/pam_localuser.c | 2 +- 2 files changed, 21 insertions(+), 2 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.8.xml b/modules/pam_localuser/pam_localuser.8.xml index 4d3daa9e..b3c1886b 100644 --- a/modules/pam_localuser/pam_localuser.8.xml +++ b/modules/pam_localuser/pam_localuser.8.xml @@ -102,6 +102,25 @@ + + PAM_BUF_ERR + + + Memory buffer error. + + + + + + PAM_CONV_ERR + + + The conversation method supplied by the application + failed to obtain the username. + + + + PAM_INCOMPLETE @@ -116,7 +135,7 @@ PAM_SERVICE_ERR - No username was given. + The user name is not valid or the passwd file is unavailable. diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 9ffd54a3..2452563a 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -98,7 +98,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* Obtain the user name. */ if ((ret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { pam_syslog (pamh, LOG_ERR, "cannot determine user name"); - return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : PAM_SERVICE_ERR; + return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : ret; } if ((user_len = strlen(user)) == 0) { -- cgit v1.2.3 
From 00bdd075714597515a0c6578c608f9853ccf36f1 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: remove unused includes Also, remove unused MODULE_NAME macro. * modules/pam_localuser/pam_localuser.c: Stop including unused header files. (MODULE_NAME): Remove. --- modules/pam_localuser/pam_localuser.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 2452563a..ca66462f 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -37,25 +37,16 @@ #include "config.h" -#include -#include +#include #include #include #include -#include -#include -#include #include -#include -#include #include -#include #include #include "pam_inline.h" -#define MODULE_NAME "pam_localuser" - int pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) -- cgit v1.2.3 From afbe3972c4be732565792582171099cf081e41e9 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: re-format pam_sm_* function declarations --- modules/pam_localuser/pam_localuser.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index ca66462f..97a623f7 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -48,8 +48,8 @@ #include "pam_inline.h" int -pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { int i, ret; FILE *fp; 
@@ -170,8 +170,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } @@ -183,22 +183,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) } int -pam_sm_open_session (pam_handle_t *pamh, int flags, - int argc, const char **argv) +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } int -pam_sm_close_session (pam_handle_t *pamh, int flags, - int argc, const char **argv) +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } int -pam_sm_chauthtok (pam_handle_t *pamh, int flags, - int argc, const char **argv) +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } -- cgit v1.2.3 From 2e379a5a7f6ccf07dc2da92bff26f459e419a072 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 22 May 2020 11:00:00 +0000 Subject: pam_localuser: downgrade syslog level for errors related to user input MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade the syslog level for errors related to pam_get_user from LOG_ERR to LOG_NOTICE. Suggested-by: Tomáš Mráz --- modules/pam_localuser/pam_localuser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 97a623f7..a9fbb64e 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c 
@@ -88,17 +88,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Obtain the user name. */ if ((ret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "cannot determine user name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : ret; } if ((user_len = strlen(user)) == 0) { - pam_syslog (pamh, LOG_ERR, "user name not valid"); + pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); return PAM_SERVICE_ERR; } if (user_len > sizeof(line) - sizeof(":")) { - pam_syslog (pamh, LOG_ERR, "user name too long"); + pam_syslog(pamh, LOG_NOTICE, "user name is too long"); return PAM_SERVICE_ERR; } -- cgit v1.2.3 From be80ddec86c182c22338cb9b526f2fadaf4c1c86 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 21:44:59 +0000 Subject: pam_localuser: refactor pam_sm_authenticate * modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New function. (pam_sm_authenticate): Use it. --- modules/pam_localuser/pam_localuser.c | 119 ++++++++++++++++++---------------- 1 file changed, 63 insertions(+), 56 deletions(-) (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index a9fbb64e..cb507524 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -2,6 +2,7 @@ * pam_localuser module * * Copyright 2001, 2004 Red Hat, Inc. + * Copyright (c) 2020 Dmitry V. Levin * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -47,52 +48,17 @@ #include #include "pam_inline.h" -int -pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +static int +check_user_in_passwd(pam_handle_t *pamh, const char *user_name, + const char *file_name) { - int i, ret; + int rc; + size_t user_len; FILE *fp; - int debug = 0; - const char *filename = "/etc/passwd"; char line[BUFSIZ]; - const char* user; - size_t user_len; - - /* process arguments */ - for(i = 0; i < argc; i++) { - if(strcmp("debug", argv[i]) == 0) { - debug = 1; - } - } - for(i = 0; i < argc; i++) { - const char *str; - - if (strcmp("debug", argv[i]) == 0) { - /* Already processed. */ - continue; - } - if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { - filename = str; - if(debug) { - pam_syslog (pamh, LOG_DEBUG, - "set filename to \"%s\"", - filename); - } - } else { - pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", - argv[i]); - } - } - - /* Obtain the user name. */ - if ((ret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); - return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : ret; - } - - if ((user_len = strlen(user)) == 0) { + /* Validate the user name. */ + if ((user_len = strlen(user_name)) == 0) { pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); return PAM_SERVICE_ERR; } @@ -102,7 +68,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, return PAM_SERVICE_ERR; } - if (strchr(user, ':') != NULL) { + if (strchr(user_name, ':') != NULL) { /* * "root:x" is not a local user name even if the passwd file * contains a line starting with "root:x:". 
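Review bot: The new static helper check_user_in_passwd in the `@@ -47,52 +48,17 @@` hunk has no header comment, and its three outcomes are spread over this hunk and the next three. A short block comment above the definition should say that it returns PAM_SUCCESS when a line of the file starts with `user_name` followed by `:`, PAM_PERM_DENIED when no line does or the name itself contains `:`, and PAM_SERVICE_ERR for an empty or over-long name or a file that cannot be opened, and that a NULL `file_name` selects `/etc/passwd`. The helper's body continues beyond this hunk.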
@@ -111,9 +77,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, } /* Open the passwd file. */ - if ((fp = fopen(filename, "r")) == NULL) { - pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", - filename); + if (file_name == NULL) { + file_name = "/etc/passwd"; + } + if ((fp = fopen(file_name, "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name); return PAM_SERVICE_ERR; } @@ -122,25 +90,20 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, * the latter is not flexible enough in handling long lines * in passwd files. */ - ret = PAM_PERM_DENIED; + rc = PAM_PERM_DENIED; while (fgets(line, sizeof(line), fp) != NULL) { size_t line_len; const char *str; - if(debug) { - pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line); - } - /* * Does this line start with the user name * followed by a colon? */ - if (strncmp(user, line, user_len) == 0 && + if (strncmp(user_name, line, user_len) == 0 && line[user_len] == ':') { - ret = PAM_SUCCESS; + rc = PAM_SUCCESS; break; } - /* Has a newline been read? */ line_len = strlen(line); if (line_len < sizeof(line) - 1 || 
@@ -164,9 +127,53 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Continue with the next line. */ } - /* okay, we're done */ fclose(fp); - return ret; + return rc; +} + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i; + int rc; + int debug = 0; + const char *file_name = NULL; + const char *user_name = NULL; + + /* Process arguments. */ + for (i = 0; i < argc; ++i) { + if (strcmp("debug", argv[i]) == 0) { + debug = 1; + } + } + for (i = 0; i < argc; ++i) { + const char *str; + + if (strcmp("debug", argv[i]) == 0) { + /* Already processed. */ + continue; + } + if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { + file_name = str; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "set filename to %s", file_name); + } + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", + argv[i]); + } + } + + /* Obtain the user name. */ + if ((rc = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, rc)); + return rc == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rc; + } + + return check_user_in_passwd(pamh, user_name, file_name); } int -- cgit v1.2.3 From faf68f5453f8e90693ffd203759247ff993ae5ea Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sat, 2 May 2020 23:02:26 +0000 Subject: pam_localuser: add a test for return values * modules/pam_localuser/tst-pam_localuser-retval.c: New file. * modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS). (check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables. --- modules/pam_localuser/Makefile.am | 5 +- modules/pam_localuser/tst-pam_localuser-retval.c | 144 +++++++++++++++++++++++ 2 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 modules/pam_localuser/tst-pam_localuser-retval.c (limited to 'modules/pam_localuser') diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index b742fdd0..46f87a89 100644 
--- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am @@ -12,7 +12,7 @@ dist_man_MANS = pam_localuser.8 endif XMLS = README.xml pam_localuser.8.xml dist_check_SCRIPTS = tst-pam_localuser -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -27,6 +27,9 @@ endif securelib_LTLIBRARIES = pam_localuser.la pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_localuser-retval +tst_pam_localuser_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_localuser/tst-pam_localuser-retval.c b/modules/pam_localuser/tst-pam_localuser-retval.c new file mode 100644 index 00000000..5581cecc --- /dev/null +++ b/modules/pam_localuser/tst-pam_localuser-retval.c 
@@ -0,0 +1,144 @@ +/* + * Check pam_localuser return values. + * + * Copyright (c) 2020 Dmitry V. Levin + */ + +#include "test_assert.h" + +#include +#include +#include +#include +#include +#include + +#define MODULE_NAME "pam_localuser" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char passwd_file[] = TEST_NAME ".passwd"; +static const char missing_file[] = TEST_NAME ".missing"; + +static const char alice_line[] = "alice:x:1001:1001:Alice:/home/alice:"; +static const char bob_line[] = "bob:x:1002:1002:Bob:/home/bob:"; +static const char craig_prefix[] = ":x:1003:1003:"; +static const char craig_suffix[] = "craig:/home/craig:"; + +int +main(void) +{ + static struct pam_conv conv; + pam_handle_t *pamh = NULL; + FILE *fp; + char cwd[PATH_MAX]; + char name[BUFSIZ]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* default passwd */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so\n", + cwd, MODULE_NAME)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + memset(name, 'x', sizeof(name) - 1); + name[sizeof(name) - 1] = '\0'; + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root:x", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* missing passwd file */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required 
%s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "root", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* custom passwd file */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, passwd_file)); + ASSERT_EQ(0, fclose(fp)); + + memcpy(name + (sizeof(name) - sizeof(craig_prefix)), + craig_prefix, sizeof(craig_prefix)); + ASSERT_NE(NULL, fp = fopen(passwd_file, "w")); + ASSERT_LT(0, fprintf(fp, "%s\n%s\n%s%s\n", + alice_line, bob_line, name, craig_suffix)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + memset(name, 'x', sizeof(name) - 1); + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SERVICE_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "alice", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "bob", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "alice:x", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + 
+ ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, "craig", &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + ASSERT_EQ(0, unlink(service_file)); + ASSERT_EQ(0, unlink(passwd_file)); + + return 0; +} -- cgit v1.2.3
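Review bot: The custom-passwd cases in the new test never try a name that is a strict prefix of an existing account, which is the case the `line[user_len] == ':'` comparison in the module exists to reject; `alice:x` and the long-line `craig` entry exercise other paths. Adding a lookup for `alic` that expects PAM_PERM_DENIED, next to the `alice:x` case, would pin that behaviour. Separately, the two `unlink()` calls run only when every assertion passed, so a failing run may leave the generated service and passwd files behind; this assumes the ASSERT macros from test_assert.h, which are not shown here, stop the program on failure.

```c
	/* … unchanged: "alice:x" case … */

	/* A strict prefix of an existing account name must not match. */
	ASSERT_EQ(PAM_SUCCESS,
		  pam_start_confdir(service_file, "alic", &conv, ".", &pamh));
	ASSERT_NE(NULL, pamh);
	ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0));
	ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
	pamh = NULL;

	/* … unchanged: "craig" case and cleanup … */
```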