From 1814aec611a5f9e03eceee81237ad3a3f51c954a Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Wed, 26 Oct 2011 23:56:54 +0000 Subject: Fix whitespace issues Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF. Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
---
 modules/pam_pwhistory/opasswd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
index 738483ac..f896119b 100644
--- a/modules/pam_pwhistory/opasswd.c
+++ b/modules/pam_pwhistory/opasswd.c
@@ -395,7 +395,7 @@ save_old_password (pam_handle_t *pamh, const char *user, uid_t uid,
 entry.user, entry.uid, entry.count, oldpass) < 0)
 {
- free (save);
+ free (save);
 retval = PAM_AUTHTOK_ERR;
 fclose (oldpf);
 fclose (newpf);
@@ -408,7 +408,7 @@ save_old_password (pam_handle_t *pamh, const char *user, uid_t uid,
 entry.user, entry.uid, entry.count, entry.old_passwords, oldpass) < 0)
 {
- free (save);
+ free (save);
 retval = PAM_AUTHTOK_ERR;
 fclose (oldpf);
 fclose (newpf);
-- cgit v1.2.3
From c9c4faaf50c66d5e4d1b9d6c450c206c12f09f8a Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Rename all .cvsignore files to .gitignore
---
 modules/pam_pwhistory/.cvsignore | 8 --------
 modules/pam_pwhistory/.gitignore | 8 ++++++++
 2 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 modules/pam_pwhistory/.cvsignore
 create mode 100644 modules/pam_pwhistory/.gitignore
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/.cvsignore b/modules/pam_pwhistory/.cvsignore
deleted file mode 100644
index c0d3c72c..00000000
--- a/modules/pam_pwhistory/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_pwhistory.8
diff --git a/modules/pam_pwhistory/.gitignore b/modules/pam_pwhistory/.gitignore
new file mode 100644
index 00000000..c0d3c72c
--- /dev/null
+++ b/modules/pam_pwhistory/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_pwhistory.8
-- cgit v1.2.3
From 3e7fb3233efe776d867be9d34b4b6e83ec59df86 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Update .gitignore files * .gitignore: Add common ignore patterns. * m4/.gitignore: Unignore local m4 files. * dynamic/.gitignore: Unignore Makefile. * libpamc/test/modules/.gitignore: Likewise. * libpamc/test/regress/.gitignore: Likewise. * po/.gitignore: Add Makevars.template. * conf/.gitignore: Remove common ignore patterns. * conf/pam_conv1/.gitignore: Likewise. * doc/.gitignore: Likewise. * doc/specs/.gitignore: Likewise. * doc/specs/formatter/.gitignore: Likewise. * examples/.gitignore: Likewise. * modules/pam_filter/upperLOWER/.gitignore: Likewise. * modules/pam_mkhomedir/.gitignore: Likewise. * modules/pam_selinux/.gitignore: Likewise. * modules/pam_stress/.gitignore: Likewise. * modules/pam_tally/.gitignore: Likewise. * modules/pam_tally2/.gitignore: Likewise. * modules/pam_timestamp/.gitignore: Likewise. * modules/pam_unix/.gitignore: Likewise. * tests/.gitignore: Likewise. * xtests/.gitignore: Likewise. * doc/adg/.gitignore: Remove. * doc/man/.gitignore: Remove. * doc/mwg/.gitignore: Remove. * doc/sag/.gitignore: Remove. * libpamc/.gitignore: Remove. * libpamc/test/.gitignore: Remove. * libpam/.gitignore: Remove. * libpam_misc/.gitignore: Remove. * modules/.gitignore: Remove. * modules/pam_access/.gitignore: Remove. * modules/pam_cracklib/.gitignore: Remove. * modules/pam_debug/.gitignore: Remove. * modules/pam_deny/.gitignore: Remove. * modules/pam_echo/.gitignore: Remove. * modules/pam_env/.gitignore: Remove. * modules/pam_exec/.gitignore: Remove. * modules/pam_faildelay/.gitignore: Remove. * modules/pam_filter/.gitignore: Remove. * modules/pam_ftp/.gitignore: Remove. * modules/pam_group/.gitignore: Remove. * modules/pam_issue/.gitignore: Remove. * modules/pam_keyinit/.gitignore: Remove. * modules/pam_lastlog/.gitignore: Remove. * modules/pam_limits/.gitignore: Remove. * modules/pam_listfile/.gitignore: Remove. * modules/pam_localuser/.gitignore: Remove. 
* modules/pam_loginuid/.gitignore: Remove. * modules/pam_mail/.gitignore: Remove. * modules/pam_motd/.gitignore: Remove. * modules/pam_namespace/.gitignore: Remove. * modules/pam_nologin/.gitignore: Remove. * modules/pam_permit/.gitignore: Remove. * modules/pam_pwhistory/.gitignore: Remove. * modules/pam_rhosts/.gitignore: Remove. * modules/pam_rootok/.gitignore: Remove. * modules/pam_securetty/.gitignore: Remove. * modules/pam_sepermit/.gitignore: Remove. * modules/pam_shells/.gitignore: Remove. * modules/pam_succeed_if/.gitignore: Remove. * modules/pam_time/.gitignore: Remove. * modules/pam_tty_audit/.gitignore: Remove. * modules/pam_umask/.gitignore: Remove. * modules/pam_userdb/.gitignore: Remove. * modules/pam_warn/.gitignore: Remove. * modules/pam_wheel/.gitignore: Remove. * modules/pam_xauth/.gitignore: Remove.
---
 modules/pam_pwhistory/.gitignore | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 modules/pam_pwhistory/.gitignore
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/.gitignore b/modules/pam_pwhistory/.gitignore
deleted file mode 100644
index c0d3c72c..00000000
--- a/modules/pam_pwhistory/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_pwhistory.8
-- cgit v1.2.3
From dc8b23cf9228ed432e9b7b2ee2209a06283241c0 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" Date: Fri, 28 Oct 2011 02:28:38 +0000 Subject: Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc GNU automake documentation recommends to avoid using -l options in LDADD or LIBADD when referring to libraries built by the package. Instead, it recommends to write the file name of the library explicitly, and use -l option only to list third-party libraries. As result, the default value of *_DEPENDENCIES will list all local libraries and omit the other ones. * modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", to follow GNU automake recommendations. * modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise. * modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise. * modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise. * modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise. * modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise. * modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise. * modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise. * modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise. * modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise. * modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise. * modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise. * modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise. * modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise. * modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise. * modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise. * modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise. * modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise. * modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise. * modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise. 
* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD, mkhomedir_helper_LDADD): Likewise. * modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise. * modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise. * modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise. * modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise. * modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise. * modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise. * modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise. * modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise. * modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise. * modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise. * modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD): Likewise. * modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise. * modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD, pam_tally2_LDADD): Likewise. * modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise. * modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD, pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise. * modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise. * modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise. * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise. * modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise. * modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise. * modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise. * modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise. * tests/Makefile.am (LDADD): Likewise. 
* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", and "-L$(top_builddir)/libpam_misc -lpam_misc" with "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake recommendations. * xtests/Makefile.am (LDADD): Likewise. * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.
---
 modules/pam_pwhistory/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am
index 4c24c275..4bb4d6df 100644
--- a/modules/pam_pwhistory/Makefile.am
+++ b/modules/pam_pwhistory/Makefile.am
@@ -25,7 +25,7 @@ endif
 noinst_HEADERS = opasswd.h
 securelib_LTLIBRARIES = pam_pwhistory.la
-pam_pwhistory_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBCRYPT@
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
 pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
 if ENABLE_REGENERATE_MAN
-- cgit v1.2.3
From aff021e14203373248e376b4ca013e58074dc7a9 Mon Sep 17 00:00:00 2001 From: Matveychikov Ilya Date: Tue, 17 Jan 2012 11:16:49 +0400 Subject: Fix compile time errors in --enable-static-modules mode * libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove obsolete declaration. (static_modules): Remove undefined reference to _pam_rhosts_auth_modstruct. * modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to {save,check}_old_pass in order to avoid conflicts with pam_unix. * modules/pam_pwhistory/opasswd.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to _pam_tally2_modstruct. Signed-off-by: Matveychikov Ilya
---
 modules/pam_pwhistory/opasswd.c | 8 ++++----
 modules/pam_pwhistory/opasswd.h | 10 +++++-----
 modules/pam_pwhistory/pam_pwhistory.c | 12 ++++++------
 3 files changed, 15 insertions(+), 15 deletions(-)
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
index f896119b..274fdb92 100644
--- a/modules/pam_pwhistory/opasswd.c
+++ b/modules/pam_pwhistory/opasswd.c
@@ -113,8 +113,8 @@ compare_password(const char *newpass, const char *oldpass)
 /* Check, if the new password is already in the opasswd file. */
 int
-check_old_password (pam_handle_t *pamh, const char *user,
- const char *newpass, int debug)
+check_old_pass (pam_handle_t *pamh, const char *user,
+ const char *newpass, int debug)
 {
 int retval = PAM_SUCCESS;
 FILE *oldpf;
@@ -209,8 +209,8 @@ check_old_password (pam_handle_t *pamh, const char *user,
 }
 int
-save_old_password (pam_handle_t *pamh, const char *user, uid_t uid,
- const char *oldpass, int howmany, int debug UNUSED)
+save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
+ const char *oldpass, int howmany, int debug UNUSED)
 {
 char opasswd_tmp[] = TMP_PASSWORDS_FILE;
 struct stat opasswd_stat;
diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h
index e8a20139..db3e6568 100644
--- a/modules/pam_pwhistory/opasswd.h
+++ b/modules/pam_pwhistory/opasswd.h
@@ -36,10 +36,10 @@
 #ifndef __OPASSWD_H__
 #define __OPASSWD_H__
-extern int check_old_password (pam_handle_t *pamh, const char *user,
- const char *newpass, int debug);
-extern int save_old_password (pam_handle_t *pamh, const char *user,
- uid_t uid, const char *oldpass,
- int howmany, int debug);
+extern int check_old_pass (pam_handle_t *pamh, const char *user,
+ const char *newpass, int debug);
+extern int save_old_pass (pam_handle_t *pamh, const char *user,
+ uid_t uid, const char *oldpass,
+ int howmany, int debug);
 #endif /* __OPASSWD_H__ */
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index 9b588958..4c582bc2 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -168,15 +168,15 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (spw == NULL)
 return PAM_USER_UNKNOWN;
- retval = save_old_password (pamh, user, pwd->pw_uid, spw->sp_pwdp,
- options.remember, options.debug);
+ retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
+ options.remember, options.debug);
 if (retval != PAM_SUCCESS)
 return retval;
 }
 else
 {
- retval = save_old_password (pamh, user, pwd->pw_uid, pwd->pw_passwd,
- options.remember, options.debug);
+ retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
+ options.remember, options.debug);
 if (retval != PAM_SUCCESS)
 return retval;
 }
@@ -208,8 +208,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (options.debug)
 pam_syslog (pamh, LOG_DEBUG, "check against old password file");
- if (check_old_password (pamh, user, newpass,
- options.debug) != PAM_SUCCESS)
+ if (check_old_pass (pamh, user, newpass,
+ options.debug) != PAM_SUCCESS)
 {
 pam_error (pamh,
 _("Password has been already used. Choose another."));
-- cgit v1.2.3
From 585f6c06b2d3574935ed62c3084f2aadd6d1defb Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 28 May 2012 20:24:17 +0200 Subject: pam_pwhistory: Always record the old password even when root changes it. modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of the process instead of the target user UID (same as in pam_cracklib) to check for root. Always record old password.
---
 modules/pam_pwhistory/pam_pwhistory.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index 4c582bc2..e9b28eb1 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -155,10 +155,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (pwd == NULL)
 return PAM_USER_UNKNOWN;
- /* Ignore root if not enforced */
- if (pwd->pw_uid == 0 && !options.enforce_for_root)
- return PAM_SUCCESS;
-
 if ((strcmp(pwd->pw_passwd, "x") == 0) || ((pwd->pw_passwd[0] == '#') && (pwd->pw_passwd[1] == '#') &&
@@ -211,11 +207,18 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (check_old_pass (pamh, user, newpass,
 options.debug) != PAM_SUCCESS)
 {
- pam_error (pamh,
- _("Password has been already used. Choose another."));
- newpass = NULL;
- /* Remove password item, else following module will use it */
- pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL);
+ if (getuid() || options.enforce_for_root ||
+ (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+ {
+ pam_error (pamh,
+ _("Password has been already used. Choose another."));
+ newpass = NULL;
+ /* Remove password item, else following module will use it */
+ pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL);
+ }
+ else
+ pam_info (pamh,
+ _("Password has been already used."));
 }
 }
-- cgit v1.2.3
From c62981a43a7da5d7c10e432874e7c66b47a4f363 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 16 Aug 2012 15:46:56 +0200 Subject: Small documentation and define fixes modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10] modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary modules/pam_pwhistory/pam_pwhistory.c: Document how the module works modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
---
 modules/pam_pwhistory/pam_pwhistory.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index e9b28eb1..654edd39 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
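Review bot: In the second hunk (`@@ -211,11 +207,18 @@`) the exemption is keyed on `getuid()`, so every caller whose real UID is 0 takes the `else` branch, not only an administrator running a password tool by hand: a root-run service changing a password for a user gets only the `pam_info` line and the reused password stays in `PAM_AUTHTOK`, unless `enforce_for_root` is set or the flags carry `PAM_CHANGE_EXPIRED_AUTHTOK`. If that is intended, say so above the condition, e.g. `/* real UID 0 covers any root-run caller; enforce_for_root makes the history binding for those too */`. The bypass also leaves no audit trail, so I would add `pam_syslog (pamh, LOG_NOTICE, "reused password accepted for user %s (caller is root)", user);` before the `pam_info` call. The body of pam_sm_chauthtok starts and ends outside the hunk, so what later code does with the retained token is not visible here.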
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2008 Thorsten Kukuk
- * Author: Thorsten Kukuk
+ * Copyright (c) 2008, 2012 Thorsten Kukuk
+ * Author: Thorsten Kukuk
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -103,6 +103,9 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
 }
+/* This module saves the current crypted password in /etc/security/opasswd
+ and then compares the new password with all entries in this file. */
+
 PAM_EXTERN int
 pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-- cgit v1.2.3
From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Feb 2013 15:04:26 +0100 Subject: Add checks for crypt() returning NULL. modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
---
 modules/pam_pwhistory/opasswd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/pam_pwhistory')
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
index 274fdb92..836d713e 100644
--- a/modules/pam_pwhistory/opasswd.c
+++ b/modules/pam_pwhistory/opasswd.c
@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
 outval = crypt (newpass, oldpass);
 #endif
- return strcmp(outval, oldpass) == 0;
+ return outval != NULL && strcmp(outval, oldpass) == 0;
 }
 /* Check, if the new password is already in the opasswd file. */
-- cgit v1.2.3
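Review bot: In the `compare_password` hunk (`@@ -108,7 +108,7 @@`) a NULL from `crypt()` is folded into the same 0 that means "passwords differ", so a history entry that cannot be hashed (for example a hash method the running libc refuses) is silently treated as not reused and the history check fails open for that entry. This function has no `pamh` to log with, so at least record the decision next to the return, e.g. `/* crypt() failure counts as "no match": the history check fails open for this entry */`, and consider letting the caller tell the error case apart from a real mismatch. compare_password's body starts outside the hunk, so how `outval` is set on the other side of the `#endif` is not visible here.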