From 3ad8ed87726d5c3a6a9f15a5c2dce2ce8aca06b6 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 17 Oct 2014 08:34:24 +0200 Subject: pam_succeed_if: Use long long type for numeric values The currently used long with additional conversion to int is too small for uids and gids. modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace strtol() with strtoll() and int with long long in the parameters of comparison functions. --- modules/pam_succeed_if/pam_succeed_if.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'modules/pam_succeed_if') diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 32a73738..98a84745 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -68,20 +68,20 @@ * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */ static int evaluate_num(const pam_handle_t *pamh, const char *left, - const char *right, int (*cmp)(int, int)) + const char *right, int (*cmp)(long long, long long)) { - long l, r; + long long l, r; char *p; int ret = PAM_SUCCESS; errno = 0; - l = strtol(left, &p, 0); + l = strtoll(left, &p, 0); if ((p == NULL) || (*p != '\0') || errno) { pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", left); ret = PAM_SERVICE_ERR; } - r = strtol(right, &p, 0); + r = strtoll(right, &p, 0); if ((p == NULL) || (*p != '\0') || errno) { pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", right); ret = PAM_SERVICE_ERR; 
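Review bot: The validity test after each `strtoll()` in `evaluate_num` still accepts an operand that contains no digits. For an empty `left` or `right`, `p` is left pointing at the start of the string and `*p` is `'\0'`, so on C libraries that do not set `errno` for "no conversion" the operand is silently compared as 0. `p` is never NULL after the call, so that test is dead; the guard should be `if (p == left || *p != '\0' || errno)`, with `p == right` for the second operand. `errno` is also cleared only once, so a range error on the left operand makes the right operand get logged as "not a number" too; add `errno = 0;` before the second `strtoll()`. The body of `evaluate_num` continues past the end of this hunk.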
@@ -96,32 +96,32 @@ evaluate_num(const pam_handle_t *pamh, const char *left, /* Simple numeric comparison callbacks. */ static int -eq(int i, int j) +eq(long long i, long long j) { return i == j; } static int -ne(int i, int j) +ne(long long i, long long j) { return i != j; } static int -lt(int i, int j) +lt(long long i, long long j) { return i < j; } static int -le(int i, int j) +le(long long i, long long j) { return lt(i, j) || eq(i, j); } static int -gt(int i, int j) +gt(long long i, long long j) { return i > j; } static int -ge(int i, int j) +ge(long long i, long long j) { return gt(i, j) || eq(i, j); } -- cgit v1.2.3 From 5df44a328abe4befc4479e16ce7fd86ff2caedcc Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 17 Oct 2014 08:39:58 +0200 Subject: pam_succeed_if: Fix copy&paste error in rhost and tty values. modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST and PAM_TTY properly for the rhost and tty values. --- modules/pam_succeed_if/pam_succeed_if.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_succeed_if') diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 98a84745..aa828fcc 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -298,7 +298,7 @@ evaluate(pam_handle_t *pamh, int debug, } if (strcasecmp(left, "rhost") == 0) { const void *rhost; - if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS || + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS || rhost == NULL) rhost = ""; snprintf(buf, sizeof(buf), "%s", (const char *)rhost); @@ -306,7 +306,7 @@ evaluate(pam_handle_t *pamh, int debug, } if (strcasecmp(left, "tty") == 0) { const void *tty; - if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS || + if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS || tty == NULL) tty = ""; snprintf(buf, sizeof(buf), "%s", (const char *)tty); -- cgit v1.2.3 
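Review bot: The `snprintf(buf, sizeof(buf), "%s", (const char *)rhost)` after the corrected lookup ignores its return value, so an over-long PAM_RHOST is compared in truncated form; the `tty` branch in the following hunk has the same pattern. PAM_RHOST is set by the calling application and can originate from the remote side, so it is worth ruling out a truncated value satisfying a rule that the full value would not. `buf` is declared outside the hunk, so whether it can hold any host name the application can set is not visible here. If it cannot, fail closed on truncation, e.g. `if ((size_t)snprintf(buf, sizeof(buf), "%s", (const char *)rhost) >= sizeof(buf)) return PAM_SERVICE_ERR;`. `evaluate` starts and ends outside both hunks.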
From a684595c0bbd88df71285f43fb27630e3829121e Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 29 Mar 2016 14:14:03 +0200 Subject: Remove "--enable-static-modules" option and support from Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. 
* modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part. --- modules/pam_succeed_if/pam_succeed_if.c | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) (limited to 'modules/pam_succeed_if') diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index aa828fcc..c39b1cb1 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -400,7 +400,7 @@ evaluate(pam_handle_t *pamh, int debug, return PAM_SERVICE_ERR; } -PAM_EXTERN int +int pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { 
@@ -544,46 +544,33 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return ret; } -PAM_EXTERN int +int pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) { return PAM_IGNORE; } -PAM_EXTERN int +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } -PAM_EXTERN int +int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } -PAM_EXTERN int +int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } -PAM_EXTERN int +int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { return pam_sm_authenticate(pamh, flags, argc, argv); } - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_succeed_if_modstruct = { - "pam_succeed_if", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok -}; -#endif -- cgit v1.2.3 From 835d64947996b7cc96fe187f9b3103db36dddf77 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 4 Apr 2016 11:39:45 +0200 Subject: innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. [ticket#46] * modules/pam_group/pam_group.c: ditto * modules/pam_succeed_if/pam_succeed_if.c: ditto * modules/pam_time/pam_time.c: ditto Signed-off-by: Khem Raj Signed-off-by: Yousong Zhou --- modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'modules/pam_succeed_if') diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index c39b1cb1..856db0ca 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c 
@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) } /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ static int -evaluate_innetgr(const char *host, const char *user, const char *group) +evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) { +#ifdef HAVE_INNETGR if (innetgr(group, host, user, NULL) == 1) return PAM_SUCCESS; +#else + pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); +#endif + return PAM_AUTH_ERR; } /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ static int -evaluate_notinnetgr(const char *host, const char *user, const char *group) +evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) { +#ifdef HAVE_INNETGR if (innetgr(group, host, user, NULL) == 0) return PAM_SUCCESS; +#else + pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); +#endif return PAM_AUTH_ERR; } @@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug, const void *rhost; if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) rhost = NULL; - return evaluate_innetgr(rhost, user, right); + return evaluate_innetgr(pamh, rhost, user, right); } /* (Rhost, user) is not in this group. */ if (strcasecmp(qual, "notinnetgr") == 0) { const void *rhost; if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) rhost = NULL; - return evaluate_notinnetgr(rhost, user, right); + return evaluate_notinnetgr(pamh, rhost, user, right); } /* Fail closed. */ return PAM_SERVICE_ERR; -- cgit v1.2.3
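Review bot: When `HAVE_INNETGR` is not defined, `evaluate_innetgr` and `evaluate_notinnetgr` log the missing support but return `PAM_AUTH_ERR`, the same code as an ordinary non-match. The other "cannot evaluate" paths visible in this file (unparseable numbers in `evaluate_num`, the final fall-through in `evaluate`) return `PAM_SERVICE_ERR`. Both values fail closed, but returning `PAM_SERVICE_ERR` from the `#else` branch would let a stack that distinguishes the two tell "not a member" from "condition unsupported in this build". Separately, `pamh` is unused when `HAVE_INNETGR` is defined and `host`/`user`/`group` are unused when it is not, which will warn under `-Wunused-parameter`. The new signatures use `const pam_handle_t* pamh` and `pam_syslog (pamh, ...)` where the rest of the file writes `const pam_handle_t *pamh` and `pam_syslog(pamh, ...)`.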
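Review bot: In both netgroup branches of `evaluate`, `rhost` is set to NULL when `pam_get_item` fails and is then passed straight to `innetgr()`, which treats a NULL host as a wildcard. The item can also be NULL on success, as the `rhost == NULL` test in the `rhost` branch elsewhere in `evaluate` shows. A session with no PAM_RHOST therefore matches any host-scoped triple for that user, and that is not documented at the call sites. I would add a comment on each branch such as `/* A NULL rhost is passed through: innetgr() matches any host in that case. */`, and confirm that this is the intended policy for rules meant to restrict by origin. `evaluate` starts and ends outside the hunk.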