From 1814aec611a5f9e03eceee81237ad3a3f51c954a Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin"
Date: Wed, 26 Oct 2011 23:56:54 +0000
Subject: Fix whitespace issues

Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF. Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
---
 modules/modules.map | 3 +-
 modules/pam_access/pam_access.c | 8 +-
 modules/pam_env/pam_env.conf | 16 +-
 modules/pam_env/pam_env.conf.5.xml | 2 +-
 modules/pam_exec/pam_exec.8.xml | 8 +-
 modules/pam_exec/pam_exec.c | 2 +-
 modules/pam_keyinit/pam_keyinit.c | 1 -
 modules/pam_limits/pam_limits.c | 16 +-
 modules/pam_mkhomedir/mkhomedir_helper.c | 14 +-
 modules/pam_mkhomedir/pam_mkhomedir.c | 2 +-
 modules/pam_namespace/md5.c | 2 +-
 modules/pam_namespace/namespace.conf | 4 +-
 modules/pam_namespace/namespace.conf.5.xml | 6 +-
 modules/pam_namespace/namespace.init | 2 +-
 modules/pam_namespace/pam_namespace.c | 330 ++++++++++++------------
 modules/pam_namespace/pam_namespace.h | 7 +-
 modules/pam_pwhistory/opasswd.c | 4 +-
 modules/pam_securetty/pam_securetty.c | 4 +-
 modules/pam_selinux/Makefile.am | 3 +-
 modules/pam_selinux/pam_selinux.c | 44 ++--
 modules/pam_selinux/pam_selinux_check.8 | 2 +-
 modules/pam_sepermit/pam_sepermit.c | 15 +-
 modules/pam_shells/pam_shells.c | 2 +-
 modules/pam_stress/pam_stress.c | 2 +-
 modules/pam_tally/pam_tally.c | 40 +--
 modules/pam_tally/pam_tally_app.c | 1 -
 modules/pam_tally2/pam_tally2.c | 38 +--
 modules/pam_tally2/pam_tally2_app.c | 1 -
 modules/pam_time/pam_time.c | 4 +-
 modules/pam_time/time.conf | 2 +-
 modules/pam_time/time.conf.5.xml | 2 +-
 modules/pam_timestamp/hmacfile.c | 2 +-
 modules/pam_timestamp/hmacsha1.c | 4 +-
 modules/pam_timestamp/pam_timestamp.8.xml | 1 -
 modules/pam_timestamp/pam_timestamp_check.8.xml | 1 -
 modules/pam_timestamp/sha1.c | 2 +-
 modules/pam_unix/CHANGELOG | 5 +-
 modules/pam_unix/bigcrypt.c | 8 +-
 modules/pam_unix/md5.c | 2 +-
 modules/pam_unix/pam_unix_auth.c | 2 +-
 modules/pam_unix/pam_unix_passwd.c | 4 +-
modules/pam_unix/pam_unix_sess.c | 5 +- modules/pam_unix/passverify.c | 20 +- modules/pam_unix/support.c | 4 +- modules/pam_unix/unix_update.c | 2 +- modules/pam_userdb/Makefile.am | 1 - modules/pam_userdb/create.pl | 4 +- modules/pam_userdb/pam_userdb.c | 10 +- modules/pam_userdb/pam_userdb.h | 2 +- 49 files changed, 326 insertions(+), 340 deletions(-) (limited to 'modules') diff --git a/modules/modules.map b/modules/modules.map index 2234aa40..369b0479 100644 --- a/modules/modules.map +++ b/modules/modules.map @@ -1,4 +1,4 @@ -{ +{ global: pam_sm_acct_mgmt; pam_sm_authenticate; @@ -8,4 +8,3 @@ pam_sm_setcred; local: *; }; - diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 2669a5ec..65798f17 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -100,7 +100,7 @@ struct login_info { const char *from; const char *config_file; const char *hostname; - int debug; /* Print debugging messages. */ + int debug; /* Print debugging messages. */ int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ int noaudit; /* Do not audit denials */ const char *fs; /* field separator */ @@ -375,7 +375,7 @@ login_access (pam_handle_t *pamh, struct login_info *item) /* Allow field seperator in last field of froms */ if (!(perm = strtok_r(line, item->fs, &sptr)) || !(users = strtok_r(NULL, item->fs, &sptr)) - || !(froms = strtok_r(NULL, "\n", &sptr))) { + || !(froms = strtok_r(NULL, "\n", &sptr))) { pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count", item->config_file, lineno); continue; @@ -398,8 +398,8 @@ login_access (pam_handle_t *pamh, struct login_info *item) nonall_match = YES; } if (item->debug) - pam_syslog (pamh, LOG_DEBUG, - "from_match=%d, \"%s\"", match, item->from); + pam_syslog (pamh, LOG_DEBUG, + "from_match=%d, \"%s\"", match, item->from); } } (void) fclose(fp); diff --git a/modules/pam_env/pam_env.conf b/modules/pam_env/pam_env.conf index d0ba35c2..30e9d008 100644 
--- a/modules/pam_env/pam_env.conf +++ b/modules/pam_env/pam_env.conf @@ -1,7 +1,7 @@ # -# This is the configuration file for pam_env, a PAM module to load in -# a configurable list of environment variables for a -# +# This is the configuration file for pam_env, a PAM module to load in +# a configurable list of environment variables for a +# # The original idea for this came from Andrew G. Morgan ... # # Mmm. Perhaps you might like to write a pam_env module that reads a @@ -22,16 +22,16 @@ # administrators rather than set by logging in, how to treat them both # in the same config file? # -# Here is my idea: +# Here is my idea: # # Each line starts with the variable name, there are then two possible -# options for each variable DEFAULT and OVERRIDE. +# options for each variable DEFAULT and OVERRIDE. # DEFAULT allows and administrator to set the value of the # variable to some default value, if none is supplied then the empty # string is assumed. The OVERRIDE option tells pam_env that it should # enter in its value (overriding the default value) if there is one # to use. OVERRIDE is not used, "" is assumed and no override will be -# done. +# done. # # VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] # @@ -42,7 +42,7 @@ # values can be delimited with "", escaped " not supported. # Note that many environment variables that you would like to use # may not be set by the time the module is called. -# For example, HOME is used below several times, but +# For example, HOME is used below several times, but # many PAM applications don't make it available by the time you need it. # # @@ -52,7 +52,7 @@ # to "localhost" rather than not being set at all #REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} # -# Set the DISPLAY variable if it seems reasonable +# Set the DISPLAY variable if it seems reasonable #DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} # # diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml index 090e0e75..45950b8c 100644 
--- a/modules/pam_env/pam_env.conf.5.xml +++ b/modules/pam_env/pam_env.conf.5.xml @@ -21,7 +21,7 @@ The /etc/security/pam_env.conf file specifies - the environment variables to be set, unset or modified by + the environment variables to be set, unset or modified by pam_env8. When someone logs in, this file is read and the environment variables are set according. diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 0976f67c..4dc2a19d 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -123,8 +123,8 @@ - Per default pam_exec.so will echo the exit status of the - external command if it fails. + Per default pam_exec.so will echo the exit status of the + external command if it fails. Specifying this option will suppress the message. @@ -136,8 +136,8 @@ - Per default pam_exec.so will execute the external command - with the real user ID of the calling process. + Per default pam_exec.so will execute the external command + with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID. diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 7b2e402c..8b37e95e 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -282,7 +282,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, char *buffer = NULL; if ((i = open (logfile, O_CREAT|O_APPEND|O_WRONLY, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { int err = errno; pam_syslog (pamh, LOG_ERR, "open of %s failed: %m", diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index 4732f93b..8d0501e0 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -266,4 +266,3 @@ struct pam_module _pam_keyinit_modstruct = { NULL }; #endif - diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index c1810e07..8bf3b9bb 100644 
--- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -630,7 +630,7 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, else rlimit_value *= 1024; } - break; + break; #ifdef RLIMIT_NICE case RLIMIT_NICE: if (int_value > 19) @@ -672,7 +672,7 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, } else { pl->login_limit = int_value; pl->login_limit_def = source; - } + } } } return; @@ -975,8 +975,8 @@ static int setup_limits(pam_handle_t *pamh, if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) { #ifdef HAVE_LIBAUDIT if (!(ctrl & PAM_NO_AUDIT)) { - pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS, - "pam_limits", PAM_PERM_DENIED); + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS, + "pam_limits", PAM_PERM_DENIED); /* ignore return value as we fail anyway */ } #endif @@ -1055,12 +1055,12 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Parse the *.conf files. */ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { pl->conf_file = globbuf.gl_pathv[i]; - retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); + if (retval == PAM_IGNORE) { D(("the configuration file ('%s') has an applicable ' -' entry", pl->conf_file)); globfree(&globbuf); return PAM_SUCCESS; - } + } if (retval != PAM_SUCCESS) goto out; } @@ -1070,7 +1070,7 @@ out: globfree(&globbuf); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE); + pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE); return retval; } diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c index 2a47de3a..f426d721 100644 --- a/modules/pam_mkhomedir/mkhomedir_helper.c +++ b/modules/pam_mkhomedir/mkhomedir_helper.c 
@@ -272,8 +272,8 @@ create_homedir(const struct passwd *pwd, } /* Set the proper ownership and permissions for the module. We make - the file a+w and then mask it with the set mask. This preseves - execute bits */ + the file a+w and then mask it with the set mask. This preseves + execute bits */ if (fchmod(destfd, (st.st_mode | 0222) & (~u_mask)) != 0 || fchown(destfd, pwd->pw_uid, pwd->pw_gid) != 0) { @@ -384,8 +384,8 @@ main(int argc, char *argv[]) pwd = getpwnam(argv[1]); if (pwd == NULL) { - pam_syslog(NULL, LOG_ERR, "User unknown."); - return PAM_CRED_INSUFFICIENT; + pam_syslog(NULL, LOG_ERR, "User unknown."); + return PAM_CRED_INSUFFICIENT; } if (argc >= 3) { @@ -399,11 +399,11 @@ main(int argc, char *argv[]) } if (argc >= 4) { - if (strlen(argv[3]) >= sizeof(skeldir)) { + if (strlen(argv[3]) >= sizeof(skeldir)) { pam_syslog(NULL, LOG_ERR, "Too long skeldir path."); return PAM_SESSION_ERR; - } - strcpy(skeldir, argv[3]); + } + strcpy(skeldir, argv[3]); } /* Stat the home directory, if something exists then we assume it is diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c index dfc4979e..5ac8a0f1 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/modules/pam_mkhomedir/pam_mkhomedir.c @@ -140,7 +140,7 @@ create_homedir (pam_handle_t *pamh, options_t *opt, if (rlim.rlim_max >= MAX_FD_NO) rlim.rlim_max = MAX_FD_NO; for (i=0; i < (int)rlim.rlim_max; i++) { - close(i); + close(i); } } diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index c79fb357..ce4f7d6e 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -107,7 +107,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign } /* - * Final wrapup - pad to 64-byte boundary with the bit pattern + * Final wrapup - pad to 64-byte boundary with the bit pattern * 1 0* (64-bit count of bits processed, MSB-first) */ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) 
diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf index f973225f..b611a0f2 100644 --- a/modules/pam_namespace/namespace.conf +++ b/modules/pam_namespace/namespace.conf @@ -5,8 +5,8 @@ # Uncommenting the following three lines will polyinstantiate # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will # be polyinstantiated based on the MLS level part of the security context as well as user -# name, Polyinstantion will not be performed for user root and adm for directories -# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. +# name, Polyinstantion will not be performed for user root and adm for directories +# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. # The user name and context is appended to the instance prefix. # # Note that instance directories do not have to reside inside the diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index 61c8673b..673099b0 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml @@ -61,7 +61,7 @@ The second field, instance_prefix is the string prefix used to build the pathname for the instantiation - of <polydir>. Depending on the polyinstantiation + of <polydir>. Depending on the polyinstantiation method it is then appended with "instance differentiation string" to generate the final instance directory path. This directory is created if it did not exist @@ -75,7 +75,7 @@ The third field, method, is the method used for polyinstantiation. It can take these values; "user" - for polyinstantiation based on user name, "level" for + for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, "context" for polyinstantiation based on process security context and user name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and 
@@ -97,7 +97,7 @@ The method field can contain also following optional flags separated by : characters. - + create=mode,owner,group - create the polyinstantiated directory. The mode, owner and group parameters are optional. The default for mode is determined by umask, the default diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init index 9898bf3a..9ab58062 100755 --- a/modules/pam_namespace/namespace.init +++ b/modules/pam_namespace/namespace.init @@ -1,5 +1,5 @@ #!/bin/sh -p -# It receives polydir path as $1, the instance path as $2, +# It receives polydir path as $1, the instance path as $2, # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, # and user name in $4. # diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 4a99184a..f0bffa15 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -76,7 +76,7 @@ static void del_polydir_list(struct polydir_s *polydirs_ptr) struct polydir_s *dptr = polydirs_ptr; while (dptr) { - struct polydir_s *tptr = dptr; + struct polydir_s *tptr = dptr; dptr = dptr->next; del_polydir(tptr); } @@ -163,9 +163,9 @@ static int parse_create_params(char *params, struct polydir_s *poly) poly->group = (gid_t)ULONG_MAX; if (*params != '=') - return 0; + return 0; params++; - + next = strchr(params, ','); if (next != NULL) { *next = '\0'; @@ -182,7 +182,7 @@ static int parse_create_params(char *params, struct polydir_s *poly) params = next; if (params == NULL) - return 0; + return 0; next = strchr(params, ','); if (next != NULL) { *next = '\0'; 
@@ -200,22 +200,22 @@ static int parse_create_params(char *params, struct polydir_s *poly) if (params == NULL || *params == '\0') { if (pwd != NULL) poly->group = pwd->pw_gid; - return 0; + return 0; } grp = getgrnam(params); if (grp == NULL) - return -1; + return -1; poly->group = grp->gr_gid; - + return 0; } static int parse_iscript_params(char *params, struct polydir_s *poly) { if (*params != '=') - return 0; + return 0; params++; - + if (*params != '\0') { if (*params != '/') { /* path is relative to NAMESPACE_D_DIR */ if (asprintf(&poly->init_script, "%s%s", NAMESPACE_D_DIR, params) == -1) @@ -235,11 +235,11 @@ static int parse_method(char *method, struct polydir_s *poly, enum polymethod pm; char *sptr = NULL; static const char *method_names[] = { "user", "context", "level", "tmpdir", - "tmpfs", NULL }; + "tmpfs", NULL }; static const char *flag_names[] = { "create", "noinit", "iscript", - "shared", NULL }; + "shared", NULL }; static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT, - POLYDIR_ISCRIPT, POLYDIR_SHARED }; + POLYDIR_ISCRIPT, POLYDIR_SHARED }; int i; char *flag; 
@@ -247,41 +247,41 @@ static int parse_method(char *method, struct polydir_s *poly, pm = NONE; for (i = 0; method_names[i]; i++) { - if (strcmp(method, method_names[i]) == 0) { - pm = i + 1; /* 0 = NONE */ - } + if (strcmp(method, method_names[i]) == 0) { + pm = i + 1; /* 0 = NONE */ + } } if (pm == NONE) { pam_syslog(idata->pamh, LOG_NOTICE, "Unknown method"); return -1; } - + poly->method = pm; - + while ((flag=strtok_r(NULL, ":", &sptr)) != NULL) { - for (i = 0; flag_names[i]; i++) { - int namelen = strlen(flag_names[i]); - - if (strncmp(flag, flag_names[i], namelen) == 0) { - poly->flags |= flag_values[i]; - switch (flag_values[i]) { - case POLYDIR_CREATE: - if (parse_create_params(flag+namelen, poly) != 0) { + for (i = 0; flag_names[i]; i++) { + int namelen = strlen(flag_names[i]); + + if (strncmp(flag, flag_names[i], namelen) == 0) { + poly->flags |= flag_values[i]; + switch (flag_values[i]) { + case POLYDIR_CREATE: + if (parse_create_params(flag+namelen, poly) != 0) { pam_syslog(idata->pamh, LOG_CRIT, "Invalid create parameters"); - return -1; - } - break; + return -1; + } + break; - case POLYDIR_ISCRIPT: - if (parse_iscript_params(flag+namelen, poly) != 0) { + case POLYDIR_ISCRIPT: + if (parse_iscript_params(flag+namelen, poly) != 0) { pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); - return -1; - }; - break; - } - } - } + return -1; + }; + break; + } + } + } } return 0; @@ -337,7 +337,7 @@ static int process_line(char *line, const char *home, const char *rhome, poly = calloc(1, sizeof(*poly)); if (poly == NULL) - goto erralloc; + goto erralloc; /* * Initialize and scan the five strings from the line from the 
@@ -383,12 +383,12 @@ static int process_line(char *line, const char *home, const char *rhome, dir = NULL; goto erralloc; } - + if ((dir=expand_variables(dir, var_names, var_values)) == NULL) { instance_prefix = NULL; goto erralloc; } - + if ((instance_prefix=expand_variables(instance_prefix, var_names, var_values)) == NULL) { goto erralloc; @@ -409,12 +409,12 @@ static int process_line(char *line, const char *home, const char *rhome, if (len > 0 && rdir[len-1] == '/') { rdir[len-1] = '\0'; } - + if (dir[0] == '\0' || rdir[0] == '\0') { - pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir"); - goto skipping; + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir"); + goto skipping; } - + /* * Populate polyinstantiated directory structure with appropriate * pathnames and the method with which to polyinstantiate. @@ -430,14 +430,14 @@ static int process_line(char *line, const char *home, const char *rhome, strcpy(poly->instance_prefix, instance_prefix); if (parse_method(method, poly, idata) != 0) { - goto skipping; + goto skipping; } if (poly->method == TMPDIR) { - if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) { - pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); - goto skipping; - } + if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; + } strcat(poly->instance_prefix, "XXXXXX"); } @@ -463,7 +463,7 @@ static int process_line(char *line, const char *home, const char *rhome, uid_t *uidptr; const char *ustr, *sstr; int count, i; - + if (*uids == '~') { poly->flags |= POLYDIR_EXCLUSIVE; uids++; 
@@ -488,8 +488,8 @@ static int process_line(char *line, const char *home, const char *rhome, pwd = pam_modutil_getpwnam(idata->pamh, ustr); if (pwd == NULL) { - pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr); - poly->num_uids--; + pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr); + poly->num_uids--; } else { *uidptr = pwd->pw_uid; uidptr++; @@ -508,7 +508,7 @@ static int process_line(char *line, const char *home, const char *rhome, erralloc: pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); - + skipping: if (idata->flags & PAMNS_IGN_CONFIG_ERR) retval = 0; @@ -554,9 +554,9 @@ static int parse_config_file(struct instance_data *idata) return PAM_SESSION_ERR; } if ((home=strdup(cpwd->pw_dir)) == NULL) { - pam_syslog(idata->pamh, LOG_CRIT, - "Memory allocation error"); - return PAM_SESSION_ERR; + pam_syslog(idata->pamh, LOG_CRIT, + "Memory allocation error"); + return PAM_SESSION_ERR; } cpwd = pam_modutil_getpwnam(idata->pamh, idata->ruser); @@ -568,10 +568,10 @@ static int parse_config_file(struct instance_data *idata) } if ((rhome=strdup(cpwd->pw_dir)) == NULL) { - pam_syslog(idata->pamh, LOG_CRIT, - "Memory allocation error"); - free(home); - return PAM_SESSION_ERR; + pam_syslog(idata->pamh, LOG_CRIT, + "Memory allocation error"); + free(home); + return PAM_SESSION_ERR; } /* @@ -594,7 +594,7 @@ static int parse_config_file(struct instance_data *idata) fil = fopen(confname, "r"); if (fil == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s", - confname); + confname); globfree(&globbuf); free(rhome); free(home); @@ -625,14 +625,14 @@ static int parse_config_file(struct instance_data *idata) if (n >= globbuf.gl_pathc) break; - confname = globbuf.gl_pathv[n]; + confname = globbuf.gl_pathv[n]; n++; } - + globfree(&globbuf); free(rhome); free(home); - + /* All done...just some debug stuff */ if (idata->flags & PAMNS_DEBUG) { struct polydir_s *dptr = idata->polydirs_ptr; 
@@ -640,7 +640,7 @@ static int parse_config_file(struct instance_data *idata) uid_t i; pam_syslog(idata->pamh, LOG_DEBUG, - dptr?"Configured poly dirs:":"No configured poly dirs"); + dptr?"Configured poly dirs:":"No configured poly dirs"); while (dptr) { pam_syslog(idata->pamh, LOG_DEBUG, "dir='%s' iprefix='%s' meth=%d", dptr->dir, dptr->instance_prefix, dptr->method); @@ -667,7 +667,7 @@ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, unsigned int i; if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, + pam_syslog(idata->pamh, LOG_DEBUG, "Checking for ns override in dir %s for uid %d", polyptr->dir, uid); @@ -745,7 +745,7 @@ static int form_context(const struct polydir_s *polyptr, rc = getexeccon(&scon); } if (rc < 0 || scon == NULL) { - pam_syslog(idata->pamh, LOG_ERR, + pam_syslog(idata->pamh, LOG_ERR, "Error getting exec context, %m"); return PAM_SESSION_ERR; } @@ -870,17 +870,17 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, } pm = USER; } - + switch (pm) { case USER: if (asprintf(i_name, "%s", idata->user) < 0) { *i_name = NULL; goto fail; - } - break; + } + break; #ifdef WITH_SELINUX - case LEVEL: + case LEVEL: case CONTEXT: if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); 
@@ -890,27 +890,27 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, if (asprintf(i_name, "%s", rawcon) < 0) { *i_name = NULL; goto fail; - } + } } else { if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { *i_name = NULL; goto fail; - } + } } - break; + break; #endif /* WITH_SELINUX */ case TMPDIR: case TMPFS: if ((*i_name=strdup("")) == NULL) - goto fail; + goto fail; return PAM_SUCCESS; - default: - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); - goto fail; + default: + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); + goto fail; } if (idata->flags & PAMNS_DEBUG) @@ -919,24 +919,24 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) { hash = md5hash(*i_name, idata); if (hash == NULL) { - goto fail; + goto fail; } if (idata->flags & PAMNS_GEN_HASH) { - free(*i_name); + free(*i_name); *i_name = hash; hash = NULL; } else { - char *newname; - if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash), - *i_name, hash) < 0) { - goto fail; - } - free(*i_name); - *i_name = newname; + char *newname; + if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash), + *i_name, hash) < 0) { + goto fail; + } + free(*i_name); + *i_name = newname; } } rc = PAM_SUCCESS; - + fail: free(hash); #ifdef WITH_SELINUX 
@@ -959,34 +959,34 @@ static int protect_mount(int dfd, const char *path, struct instance_data *idata) { struct protect_dir_s *dir = idata->protect_dirs; char tmpbuf[64]; - + while (dir != NULL) { if (strcmp(path, dir->dir) == 0) { return 0; } dir = dir->next; } - + dir = calloc(1, sizeof(*dir)); - + if (dir == NULL) { return -1; } - + dir->dir = strdup(path); - + if (dir->dir == NULL) { free(dir); return -1; } - + snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd); - + if (idata->flags & PAMNS_DEBUG) { pam_syslog(idata->pamh, LOG_INFO, "Protect mount of %s over itself", path); } - + if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) { int save_errno = errno; pam_syslog(idata->pamh, LOG_ERR, @@ -996,7 +996,7 @@ static int protect_mount(int dfd, const char *path, struct instance_data *idata) errno = save_errno; return -1; } - + dir->next = idata->protect_dirs; idata->protect_dirs = dir; @@ -1019,15 +1019,15 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, if (p == NULL) { goto error; } - + if (*dir == '/') { dfd = open("/", flags); if (dfd == -1) { goto error; } - dir++; /* assume / is safe */ + dir++; /* assume / is safe */ } - + while ((d=strchr(dir, '/')) != NULL) { *d = '\0'; dfd_next = openat(dfd, dir, flags); @@ -1042,8 +1042,8 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, if (fstat(dfd, &st) != 0) { goto error; } - - if (flags & O_NOFOLLOW) { + + if (flags & O_NOFOLLOW) { /* we are inside user-owned dir - protect */ if (protect_mount(dfd, p, idata) == -1) goto error; @@ -1058,14 +1058,14 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, } rv = openat(dfd, dir, flags); - + if (rv == -1) { if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { goto error; } rv = openat(dfd, dir, flags); } - + if (rv != -1) { if (fstat(rv, &st) != 0) { save_errno = errno; 
@@ -1082,7 +1082,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, } } - if ((flags & O_NOFOLLOW) || always) { + if ((flags & O_NOFOLLOW) || always) { /* we are inside user-owned dir - protect */ if (protect_mount(rv, p, idata) == -1) { save_errno = errno; @@ -1251,7 +1251,7 @@ static int create_polydir(struct polydir_s *polyptr, pam_syslog(idata->pamh, LOG_DEBUG, "Polydir %s context: %s", dir, (char *)dircon); if (setfscreatecon(dircon) != 0) - pam_syslog(idata->pamh, LOG_NOTICE, + pam_syslog(idata->pamh, LOG_NOTICE, "Error setting context for directory %s: %m", dir); freecon(dircon); } @@ -1279,15 +1279,15 @@ static int create_polydir(struct polydir_s *polyptr, pam_syslog(idata->pamh, LOG_DEBUG, "Created polydir %s", dir); if (polyptr->mode != (mode_t)ULONG_MAX) { - /* explicit mode requested */ - if (fchmod(rc, mode) != 0) { + /* explicit mode requested */ + if (fchmod(rc, mode) != 0) { pam_syslog(idata->pamh, LOG_ERR, - "Error changing mode of directory %s: %m", dir); + "Error changing mode of directory %s: %m", dir); close(rc); umount(dir); /* undo the eventual protection bind mount */ - rmdir(dir); - return PAM_SESSION_ERR; - } + rmdir(dir); + return PAM_SESSION_ERR; + } } if (polyptr->owner != (uid_t)ULONG_MAX) @@ -1345,14 +1345,14 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * * attributes to match that of the original directory that is being * polyinstantiated. */ - + if (polyptr->method == TMPDIR) { - if (mkdtemp(polyptr->instance_prefix) == NULL) { + if (mkdtemp(polyptr->instance_prefix) == NULL) { pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m", polyptr->instance_prefix); polyptr->method = NONE; /* do not clean up! */ return PAM_SESSION_ERR; - } + } /* copy the actual directory name to ipath */ strcpy(ipath, polyptr->instance_prefix); } else if (mkdir(ipath, S_IRUSR) < 0) { 
@@ -1452,21 +1452,21 @@ static int ns_setup(struct polydir_s *polyptr, if (retval < 0 && errno != ENOENT) { pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", polyptr->dir); - return PAM_SESSION_ERR; + return PAM_SESSION_ERR; } if (retval < 0) { - if ((polyptr->flags & POLYDIR_CREATE) && + if ((polyptr->flags & POLYDIR_CREATE) && create_polydir(polyptr, idata) != PAM_SUCCESS) return PAM_SESSION_ERR; } else { - close(retval); + close(retval); } - + if (polyptr->method == TMPFS) { if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", - polyptr->dir); + polyptr->dir); return PAM_SESSION_ERR; } @@ -1481,7 +1481,7 @@ static int ns_setup(struct polydir_s *polyptr, polyptr->dir); return PAM_SESSION_ERR; } - + /* * Obtain the name of instance pathname based on the * polyinstantiation method and instance context returned by @@ -1495,8 +1495,8 @@ static int ns_setup(struct polydir_s *polyptr, #endif if (retval != PAM_SUCCESS) { - if (retval != PAM_IGNORE) - pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); + if (retval != PAM_IGNORE) + pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); goto cleanup; } else { #ifdef WITH_SELINUX @@ -1526,8 +1526,8 @@ static int ns_setup(struct polydir_s *polyptr, #endif if (retval == PAM_IGNORE) { - newdir = 0; - retval = PAM_SUCCESS; + newdir = 0; + retval = PAM_SUCCESS; } if (retval != PAM_SUCCESS) { @@ -1647,7 +1647,7 @@ static int cleanup_tmpdirs(struct instance_data *idata) } if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { pam_syslog(idata->pamh, LOG_ERR, - "Error removing %s", pptr->instance_prefix); + "Error removing %s", pptr->instance_prefix); } } else if (pid < 0) { pam_syslog(idata->pamh, LOG_ERR, 
@@ -1686,14 +1686,14 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { if (ns_override(pptr, idata, idata->uid)) { - if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, + if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Overriding poly for user %d for dir %s", idata->uid, pptr->dir); } else { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Need unmount ns for user %d for dir %s", idata->ruid, pptr->dir); need_poly = 1; @@ -1721,7 +1721,7 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) return PAM_SESSION_ERR; } } else { - del_polydir_list(idata->polydirs_ptr); + del_polydir_list(idata->polydirs_ptr); return PAM_SUCCESS; } @@ -1768,12 +1768,12 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) * are available from */ strcpy(poly_parent, pptr->rdir); - fptr = strchr(poly_parent, '/'); - cptr = strrchr(poly_parent, '/'); - if (fptr && cptr && (fptr == cptr)) - strcpy(poly_parent, "/"); - else if (cptr) - *cptr = '\0'; + fptr = strchr(poly_parent, '/'); + cptr = strrchr(poly_parent, '/'); + if (fptr && cptr && (fptr == cptr)) + strcpy(poly_parent, "/"); + else if (cptr) + *cptr = '\0'; if (chdir(poly_parent) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Can't chdir to %s, %m", poly_parent); 
@@ -1781,12 +1781,12 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) } if (umount(pptr->rdir) < 0) { - int saved_errno = errno; - pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", - pptr->rdir); - if (saved_errno != EINVAL) { - retval = PAM_SESSION_ERR; - goto out; + int saved_errno = errno; + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->rdir); + if (saved_errno != EINVAL) { + retval = PAM_SESSION_ERR; + goto out; } } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", @@ -1803,20 +1803,20 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) } out: if (retval != PAM_SUCCESS) { - cleanup_tmpdirs(idata); - unprotect_dirs(idata->protect_dirs); + cleanup_tmpdirs(idata); + unprotect_dirs(idata->protect_dirs); } else if (pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, idata->protect_dirs, - cleanup_protect_data) != PAM_SUCCESS) { + cleanup_protect_data) != PAM_SUCCESS) { pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace protect data"); - cleanup_tmpdirs(idata); - unprotect_dirs(idata->protect_dirs); + cleanup_tmpdirs(idata); + unprotect_dirs(idata->protect_dirs); return PAM_SYSTEM_ERR; } else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, - cleanup_polydir_data) != PAM_SUCCESS) { + cleanup_polydir_data) != PAM_SUCCESS) { pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace polydir data"); - cleanup_tmpdirs(idata); - pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); - idata->protect_dirs = NULL; + cleanup_tmpdirs(idata); + pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); + idata->protect_dirs = NULL; return PAM_SYSTEM_ERR; } return retval; 
@@ -1943,7 +1943,7 @@ static int get_user_data(struct instance_data *idata) int retval; char *user_name; struct passwd *pwd; - /* + /* * Lookup user and fill struct items */ retval = pam_get_item(idata->pamh, PAM_USER, (void*) &user_name ); @@ -1969,10 +1969,10 @@ static int get_user_data(struct instance_data *idata) /* Fill in RUSER too */ retval = pam_get_item(idata->pamh, PAM_RUSER, (void*) &user_name ); if ( user_name != NULL && retval == PAM_SUCCESS && user_name[0] != '\0' ) { - strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1); - pwd = pam_modutil_getpwnam(idata->pamh, user_name); + strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1); + pwd = pam_modutil_getpwnam(idata->pamh, user_name); } else { - pwd = pam_modutil_getpwuid(idata->pamh, getuid()); + pwd = pam_modutil_getpwuid(idata->pamh, getuid()); } if (!pwd) { pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name); @@ -2005,7 +2005,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, #ifdef WITH_SELINUX if (is_selinux_enabled()) idata.flags |= PAMNS_SELINUX_ENABLED; - if (ctxt_based_inst_needed()) + if (ctxt_based_inst_needed()) idata.flags |= PAMNS_CTXT_BASED_INST; #endif @@ -2036,7 +2036,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, unmnt = UNMNT_ONLY; if (strcmp(argv[i], "require_selinux") == 0) { if (!(idata.flags & PAMNS_SELINUX_ENABLED)) { - pam_syslog(idata.pamh, LOG_ERR, + pam_syslog(idata.pamh, LOG_ERR, "selinux_required option given and selinux is disabled"); return PAM_SESSION_ERR; } @@ -2047,7 +2047,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, retval = get_user_data(&idata); if (retval != PAM_SUCCESS) - return retval; + return retval; if (root_shared()) { idata.flags |= PAMNS_MOUNT_PRIVATE; 
@@ -2135,13 +2135,13 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, retval = get_user_data(&idata); if (retval != PAM_SUCCESS) - return retval; + return retval; retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr); if (retval != PAM_SUCCESS || polyptr == NULL) - /* nothing to reset */ - return PAM_SUCCESS; - + /* nothing to reset */ + return PAM_SUCCESS; + idata.polydirs_ptr = polyptr; if (idata.flags & PAMNS_DEBUG) @@ -2160,7 +2160,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); - + return PAM_SUCCESS; } diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index c49995c0..6bca31c4 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -1,5 +1,5 @@ /****************************************************************************** - * A module for Linux-PAM that will set the default namespace after + * A module for Linux-PAM that will set the default namespace after * establishing a session via PAM. * * (C) Copyright IBM Corporation 2005 @@ -134,9 +134,9 @@ enum polymethod { /* * Depending on the application using this namespace module, we * may need to unmount priviously bind mounted instance directory. - * Applications such as login and sshd, that establish a new + * Applications such as login and sshd, that establish a new * session unmount of instance directory is not needed. For applications - * such as su and newrole, that switch the identity, this module + * such as su and newrole, that switch the identity, this module * has to unmount previous instance directory first and re-mount * based on the new indentity. For other trusted applications that * just want to undo polyinstantiation, only unmount of previous 
@@ -182,4 +182,3 @@ struct instance_data { uid_t ruid; /* The uid of the requesting user */ unsigned long flags; /* Flags for debug, selinux etc */ }; - diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c index 738483ac..f896119b 100644 --- a/modules/pam_pwhistory/opasswd.c +++ b/modules/pam_pwhistory/opasswd.c @@ -395,7 +395,7 @@ save_old_password (pam_handle_t *pamh, const char *user, uid_t uid, entry.user, entry.uid, entry.count, oldpass) < 0) { - free (save); + free (save); retval = PAM_AUTHTOK_ERR; fclose (oldpf); fclose (newpf); @@ -408,7 +408,7 @@ save_old_password (pam_handle_t *pamh, const char *user, uid_t uid, entry.user, entry.uid, entry.count, entry.old_passwords, oldpass) < 0) { - free (save); + free (save); retval = PAM_AUTHTOK_ERR; fclose (oldpf); fclose (newpf); diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 4e97ef59..5f2d1bec 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -203,9 +203,9 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, for (n = p; n != NULL; p = n+1) { if ((n = strchr(p, ' ')) != NULL) - *n = '\0'; + *n = '\0'; - if (strcmp(p, uttyname) == 0) { + if (strcmp(p, uttyname) == 0) { retval = 0; break; } diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 5c83acb4..ef142f4e 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -10,7 +10,7 @@ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ if HAVE_LIBSELINUX TESTS = tst-pam_selinux - man_MANS = pam_selinux.8 + man_MANS = pam_selinux.8 endif XMLS = README.xml pam_selinux.8.xml @@ -40,4 +40,3 @@ noinst_DATA = README pam_selinux.8 README: pam_selinux.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index f99d433a..b777b01e 100644 --- a/modules/pam_selinux/pam_selinux.c 
+++ b/modules/pam_selinux/pam_selinux.c @@ -142,7 +142,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, char **response, int debug) { int rc; - if (def) + if (def) rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def); else rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text); @@ -150,7 +150,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, if (*response == NULL) { rc = PAM_CONV_ERR; } - + if (rc != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text); } else if (debug) @@ -190,11 +190,11 @@ manual_context (pam_handle_t *pamh, const char *user, int debug) /* Allow the user to enter each field of the context individually */ if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && response[0] != '\0') { - if (context_role_set (new_context, response)) + if (context_role_set (new_context, response)) goto fail_set; - if (get_default_type(response, &type)) + if (get_default_type(response, &type)) goto fail_set; - if (context_type_set (new_context, type)) + if (context_type_set (new_context, type)) goto fail_set; _pam_drop(type); } @@ -283,7 +283,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre while (1) { if (query_response(pamh, - _("Would you like to enter a different role or level?"), "n", + _("Would you like to enter a different role or level?"), "n", &response, debug) == PAM_SUCCESS) { resp_val = response[0]; _pam_drop(response); 
@@ -293,22 +293,22 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if ((resp_val == 'y') || (resp_val == 'Y')) { if ((new_context = context_new(defaultcon)) == NULL) - goto fail_set; + goto fail_set; /* Allow the user to enter role and level individually */ - if (query_response(pamh, _("role:"), context_role_get(new_context), + if (query_response(pamh, _("role:"), context_role_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (get_default_type(response, &type)) { pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); _pam_drop(response); continue; } else { - if (context_role_set(new_context, response)) + if (context_role_set(new_context, response)) goto fail_set; if (context_type_set (new_context, type)) goto fail_set; _pam_drop(type); - } + } } _pam_drop(response); @@ -320,9 +320,9 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (getcon(&mycon) != 0) goto fail_set; - my_context = context_new(mycon); + my_context = context_new(mycon); if (my_context == NULL) { - freecon(mycon); + freecon(mycon); goto fail_set; } freecon(mycon); @@ -331,11 +331,11 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre goto fail_set; } context_free(my_context); - } else if (query_response(pamh, _("level:"), context_range_get(new_context), + } else if (query_response(pamh, _("level:"), context_range_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (context_range_set(new_context, response)) goto fail_set; - } + } _pam_drop(response); } 
@@ -355,7 +355,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); - send_audit_message(pamh, 0, defaultcon, newcon); + send_audit_message(pamh, 0, defaultcon, newcon); free(newcon); goto fail_range; @@ -380,7 +380,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre context_free (new_context); send_audit_message(pamh, 0, defaultcon, NULL); fail_range: - return NULL; + return NULL; } static security_context_t @@ -405,7 +405,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env); goto fail_set; } else { - if (context_role_set(new_context, env)) + if (context_role_set(new_context, env)) goto fail_set; if (context_type_set(new_context, type)) goto fail_set; @@ -449,7 +449,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par if (debug) pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon); - + /* Get the string value of the context and see if it is valid. */ if (security_check_context(newcon)) { pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); @@ -623,7 +623,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, env_params = 1; } } - + if (debug) pam_syslog(pamh, LOG_NOTICE, "Open Session"); @@ -656,9 +656,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, #else if (getseuserbyname(username, &seuser, &level) == 0) { #endif - num_contexts = get_ordered_context_list_with_level(seuser, + num_contexts = get_ordered_context_list_with_level(seuser, level, - NULL, + NULL, &contextlist); if (debug) pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", 
@@ -692,7 +692,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, return PAM_SUCCESS; } } - else { + else { if (seuser != NULL) { user_context = manual_context(pamh,seuser,debug); free(seuser); diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 index d6fcdff1..34f578d7 100644 --- a/modules/pam_selinux/pam_selinux_check.8 +++ b/modules/pam_selinux/pam_selinux_check.8 @@ -29,7 +29,7 @@ returns an exit code of 0 for success and > 0 on error: pam_selinux(8) .SH BUGS -Let's hope not, but if you find any, please email the author. +Let's hope not, but if you find any, please email the author. .SH AUTHOR Dan Walsh diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 4879b685..f7998457 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -85,11 +85,11 @@ match_process_uid(pid_t pid, uid_t uid) uid_t puid; FILE *f; int re = 0; - + snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid); if (!(f = fopen (buf, "r"))) return 0; - + while (fgets(buf, sizeof buf, f)) { if (sscanf (buf, "Uid:\t%d", &puid)) { re = uid == puid; @@ -246,9 +246,9 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, int matched = 0; int exclusive = 0; int ignore = 0; - + f = fopen(cfgfile, "r"); - + if (!f) { pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile); return PAM_SERVICE_ERR; @@ -276,7 +276,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, start = strtok_r(start, OPT_DELIM, &sptr); switch (start[0]) { - case '@': + case '@': ++start; if (debug) pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start); @@ -411,9 +411,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, } #ifdef PAM_STATIC - + /* static module data */ - + struct pam_module _pam_sepermit_modstruct = { "pam_sepermit", pam_sm_authenticate, 
@@ -424,4 +424,3 @@ struct pam_module _pam_sepermit_modstruct = { NULL }; #endif - diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index 89fc297e..68bd6074 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -57,7 +57,7 @@ static int perform_check(pam_handle_t *pamh) return PAM_SERVICE_ERR; /* It could still be NULL the second time. */ - if (!userName || (userName[0] == '\0')) + if (!userName || (userName[0] == '\0')) return PAM_SERVICE_ERR; } diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index b75a597d..c1695d7f 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -62,7 +62,7 @@ _pam_report (const pam_handle_t *pamh, int ctrl, const char *name, pam_syslog(pamh, LOG_DEBUG, "CALLED: %s", name); pam_syslog(pamh, LOG_DEBUG, "FLAGS : 0%o%s", flags, (flags & PAM_SILENT) ? " (silent)":""); - pam_syslog(pamh, LOG_DEBUG, "CTRL = 0%o", ctrl); + pam_syslog(pamh, LOG_DEBUG, "CTRL = 0%o", ctrl); pam_syslog(pamh, LOG_DEBUG, "ARGV :"); while (argc--) { pam_syslog(pamh, LOG_DEBUG, " \"%s\"", *argv++); diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index dffbc895..c7128857 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -134,7 +134,7 @@ static void log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) { if ( phase != PHASE_AUTH ) { - pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_ERR, "option %s allowed in auth phase only", argv); } } 
@@ -194,12 +194,12 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, else if ( ! strcmp( *argv, "per_user" ) ) { log_phase_no_auth(pamh, phase, *argv); - opts->ctrl |= OPT_PER_USER; + opts->ctrl |= OPT_PER_USER; } else if ( ! strcmp( *argv, "no_lock_time") ) { log_phase_no_auth(pamh, phase, *argv); - opts->ctrl |= OPT_NO_LOCK_TIME; + opts->ctrl |= OPT_NO_LOCK_TIME; } else if ( ! strcmp( *argv, "no_reset" ) ) { opts->ctrl |= OPT_NO_RESET; @@ -463,19 +463,19 @@ tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, (void) pam_get_item(pamh, PAM_RHOST, &remote_host); if (!remote_host) { - (void) pam_get_item(pamh, PAM_TTY, &cur_tty); + (void) pam_get_item(pamh, PAM_TTY, &cur_tty); if (!cur_tty) { - strncpy(fsp->fs_faillog.fail_line, "unknown", + strncpy(fsp->fs_faillog.fail_line, "unknown", sizeof(fsp->fs_faillog.fail_line) - 1); fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; } else { - strncpy(fsp->fs_faillog.fail_line, cur_tty, + strncpy(fsp->fs_faillog.fail_line, cur_tty, sizeof(fsp->fs_faillog.fail_line)-1); fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; } } else { - strncpy(fsp->fs_faillog.fail_line, remote_host, + strncpy(fsp->fs_faillog.fail_line, remote_host, (size_t)sizeof(fsp->fs_faillog.fail_line)); fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0; } @@ -534,8 +534,8 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid, if (lock_time && oldtime && !(opts->ctrl & OPT_NO_LOCK_TIME) ) { - if ( lock_time + oldtime > time(NULL) ) - { + if ( lock_time + oldtime > time(NULL) ) + { if (!(opts->ctrl & OPT_SILENT)) pam_info (pamh, _("Account temporary locked (%ld seconds left)"), 
@@ -543,19 +543,19 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid, if (!(opts->ctrl & OPT_NOLOGNOTICE)) pam_syslog (pamh, LOG_NOTICE, - "user %s (%lu) has time limit [%lds left]" + "user %s (%lu) has time limit [%lds left]" " since last failure.", user, (unsigned long int) uid, oldtime+lock_time-time(NULL)); - return PAM_AUTH_ERR; - } + return PAM_AUTH_ERR; + } } if (opts->unlock_time && oldtime) { - if ( opts->unlock_time + oldtime <= time(NULL) ) - { /* ignore deny check after unlock_time elapsed */ - return PAM_SUCCESS; - } + if ( opts->unlock_time + oldtime <= time(NULL) ) + { /* ignore deny check after unlock_time elapsed */ + return PAM_SUCCESS; + } } if ( ( deny != 0 ) && /* deny==0 means no deny */ @@ -599,8 +599,8 @@ tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts) if (tally == 0) { - fsp->fs_faillog.fail_time = (time_t) 0; - strcpy(fsp->fs_faillog.fail_line, ""); + fsp->fs_faillog.fail_time = (time_t) 0; + strcpy(fsp->fs_faillog.fail_line, ""); } i=set_tally(pamh, tally, uid, opts->filename, &TALLY, fsp); @@ -866,8 +866,8 @@ int main ( int argc UNUSED, char **argv ) if ( ! fread((char *) &fsp->fs_faillog, sizeof (struct faillog), 1, TALLY) || ! fsp->fs_faillog.fail_cnt ) { - continue; - } + continue; + } tally = fsp->fs_faillog.fail_cnt; if ( ( pw=getpwuid(uid) ) ) { diff --git a/modules/pam_tally/pam_tally_app.c b/modules/pam_tally/pam_tally_app.c index 9e6e1faf..ad288549 100644 --- a/modules/pam_tally/pam_tally_app.c +++ b/modules/pam_tally/pam_tally_app.c @@ -4,4 +4,3 @@ #define MAIN #include "pam_tally.c" - diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c index e1df6d74..c72d27a0 100644 --- a/modules/pam_tally2/pam_tally2.c +++ b/modules/pam_tally2/pam_tally2.c 
@@ -159,7 +159,7 @@ static void log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) { if ( phase != PHASE_AUTH ) { - pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_ERR, "option %s allowed in auth phase only", argv); } } @@ -407,7 +407,7 @@ get_tally(pam_handle_t *pamh, uid_t uid, const char *filename, if ((*tfile = open(filename, O_RDWR)) == -1) { #ifndef MAIN if (errno == EACCES) /* called with insufficient access rights */ - return PAM_IGNORE; + return PAM_IGNORE; #endif pam_syslog(pamh, LOG_ALERT, "Error opening %s for update: %m", filename); @@ -418,7 +418,7 @@ skip_open: if (lseek(*tfile, (off_t)uid*(off_t)sizeof(*tally), SEEK_SET) == (off_t)-1) { pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename); if (!preopened) { - close(*tfile); + close(*tfile); *tfile = -1; } return PAM_AUTH_ERR; @@ -536,30 +536,30 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, if (uid) { /* Unlock time check */ if (opts->unlock_time && oldtime) { - if (opts->unlock_time + oldtime <= time(NULL)) { + if (opts->unlock_time + oldtime <= time(NULL)) { /* ignore deny check after unlock_time elapsed */ #ifdef HAVE_LIBAUDIT snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, NULL, NULL, NULL, 1); #endif - rv = PAM_SUCCESS; - goto cleanup; - } + rv = PAM_SUCCESS; + goto cleanup; + } } } else { /* Root unlock time check */ if (opts->root_unlock_time && oldtime) { if (opts->root_unlock_time + oldtime <= time(NULL)) { - /* ignore deny check after unlock_time elapsed */ + /* ignore deny check after unlock_time elapsed */ #ifdef HAVE_LIBAUDIT snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, NULL, NULL, NULL, 1); #endif - rv = PAM_SUCCESS; - goto cleanup; - } + rv = PAM_SUCCESS; + goto cleanup; + } } } 
@@ -597,7 +597,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, oldtime+opts->lock_time-time(NULL)); } if (!(opts->ctrl & OPT_NOLOGNOTICE)) { - pam_syslog(pamh, LOG_NOTICE, + pam_syslog(pamh, LOG_NOTICE, "user %s (%lu) has time limit [%lds left]" " since last failure.", user, (unsigned long)uid, @@ -605,7 +605,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, } rv = PAM_AUTH_ERR; goto cleanup; - } + } } cleanup: @@ -648,10 +648,10 @@ tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, (void) pam_get_item(pamh, PAM_RHOST, &remote_host); if (!remote_host) { - (void) pam_get_item(pamh, PAM_TTY, &remote_host); + (void) pam_get_item(pamh, PAM_TTY, &remote_host); if (!remote_host) { - remote_host = "unknown"; - } + remote_host = "unknown"; + } } strncpy(tally.fail_line, remote_host, @@ -1019,14 +1019,14 @@ main( int argc UNUSED, char **argv ) FILE *tfile=fopen(cline_filename, "r"); uid_t uid=0; if (!tfile && cline_reset != 0) { - perror(*argv); - exit(1); + perror(*argv); + exit(1); } for ( ; tfile && !feof(tfile); uid++ ) { if ( !fread(&tally, sizeof(tally), 1, tfile) || !tally.fail_cnt ) { - continue; + continue; } print_one(&tally, uid); } diff --git a/modules/pam_tally2/pam_tally2_app.c b/modules/pam_tally2/pam_tally2_app.c index 681ed690..b72e9bfd 100644 --- a/modules/pam_tally2/pam_tally2_app.c +++ b/modules/pam_tally2/pam_tally2_app.c @@ -4,4 +4,3 @@ #define MAIN #include "pam_tally2.c" - diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index dff4a6da..c94737ca 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -135,7 +135,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state) return -1; } } - + if (*from > 0) to = shift_buf(*buf, *from); 
@@ -652,7 +652,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, #ifdef HAVE_LIBAUDIT if (!(ctrl & PAM_NO_AUDIT)) { pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME, - "pam_time", rv); /* ignore return value as we fail anyway */ + "pam_time", rv); /* ignore return value as we fail anyway */ } #endif if (ctrl & PAM_DEBUG_ARG) { diff --git a/modules/pam_time/time.conf b/modules/pam_time/time.conf index c7b7989c..68d2dadc 100644 --- a/modules/pam_time/time.conf +++ b/modules/pam_time/time.conf @@ -1,4 +1,4 @@ -# this is an example configuration file for the pam_time module. Its syntax +# this is an example configuration file for the pam_time module. Its syntax # was initially based heavily on that of the shadow package (shadow-960129). # # the syntax of the lines is as follows: diff --git a/modules/pam_time/time.conf.5.xml b/modules/pam_time/time.conf.5.xml index 224fda34..82227ba0 100644 --- a/modules/pam_time/time.conf.5.xml +++ b/modules/pam_time/time.conf.5.xml @@ -119,7 +119,7 @@ login ; tty* & !ttyp* ; !root ; !Al0000-2400 Games (configured to use PAM) are only to be accessed out of working hours. This rule does not apply to the user waster: - + games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 diff --git a/modules/pam_timestamp/hmacfile.c b/modules/pam_timestamp/hmacfile.c index d2da5ff1..7c1f8bfb 100644 --- a/modules/pam_timestamp/hmacfile.c +++ b/modules/pam_timestamp/hmacfile.c @@ -63,7 +63,7 @@ testvectors(void) "b617318655057264e28bc0b6fb378c8ef146be00", }, -#ifdef HMAC_ALLOW_SHORT_KEYS +#ifdef HMAC_ALLOW_SHORT_KEYS { "Jefe", 4, "what do ya want for nothing?", 28, diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c index 5b3774ff..573ecf3b 100644 --- a/modules/pam_timestamp/hmacsha1.c +++ b/modules/pam_timestamp/hmacsha1.c 
@@ -69,8 +69,8 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, pam_syslog(pamh, LOG_ERR, "Cannot create %s: %m", filename); return; } - - + + if (fchown(keyfd, owner, group) == -1) { pam_syslog(pamh, LOG_ERR, "Cannot chown %s: %m", filename); return; diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index adb87a79..fc6a9276 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -186,4 +186,3 @@ session optional pam_timestamp.so - diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml index 7ec7140e..06432e09 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8.xml +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml @@ -205,4 +205,3 @@ session optional pam_timestamp.so - diff --git a/modules/pam_timestamp/sha1.c b/modules/pam_timestamp/sha1.c index e6705eb5..576b4b41 100644 --- a/modules/pam_timestamp/sha1.c +++ b/modules/pam_timestamp/sha1.c @@ -185,7 +185,7 @@ size_t sha1_output(struct sha1_context *ctx, unsigned char *out) { struct sha1_context ctx2; - + /* Output the sum. */ if (out != NULL) { u_int32_t c; diff --git a/modules/pam_unix/CHANGELOG b/modules/pam_unix/CHANGELOG index 1476b579..c18acc27 100644 --- a/modules/pam_unix/CHANGELOG +++ b/modules/pam_unix/CHANGELOG @@ -8,7 +8,7 @@ $Id$ - temporarily removed the crypt16 stuff. I'm really paranoid about crypto stuff and exporting it, and there are a few too many 's-box' references in the code for my liking.. - + * Wed Jun 30 1999 Steve Langasek - further NIS+ fixes @@ -50,6 +50,5 @@ $Id$ is too lame to use it in real life) * Sun Mar 21 1999 Jan Rêkorajski -- pam_unix_auth now correctly behave when user has NULL AUTHTOK +- pam_unix_auth now correctly behave when user has NULL AUTHTOK - pam_unix_auth returns PAM_PERM_DENIED when seteuid fails - 
diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c index 9922d177..e10d1c56 100644 --- a/modules/pam_unix/bigcrypt.c +++ b/modules/pam_unix/bigcrypt.c @@ -1,20 +1,20 @@ /* * This function implements the "bigcrypt" algorithm specifically for * Linux-PAM. - * + * * This algorithm is algorithm 0 (default) shipped with the C2 secure * implementation of Digital UNIX. - * + * * Disclaimer: This work is not based on the source code to Digital * UNIX, nor am I connected to Digital Equipment Corp, in any way * other than as a customer. This code is based on published * interfaces and reasonable guesswork. - * + * * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8 * characters or less. Each block is encrypted using the standard UNIX * libc crypt function. The result of the encryption for one block * provides the salt for the suceeding block. - * + * * Restrictions: The buffer used to hold the encrypted result is * statically allocated. (see MAX_PASS_LEN below). This is necessary, * as the returned pointer points to "static data that are overwritten diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c index 94d1c9da..7881db5d 100644 --- a/modules/pam_unix/md5.c +++ b/modules/pam_unix/md5.c @@ -107,7 +107,7 @@ void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsign } /* - * Final wrapup - pad to 64-byte boundary with the bit pattern + * Final wrapup - pad to 64-byte boundary with the bit pattern * 1 0* (64-bit count of bits processed, MSB-first) */ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index d9c4ea55..1379d96c 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c 
@@ -206,7 +206,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, don't worry about an explicit check of argv. */ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS && pretval) { - retval = *(const int *)pretval; + retval = *(const int *)pretval; pam_set_data(pamh, "unix_setcred_return", NULL, NULL); D(("recovered data indicates that old retval was %d", retval)); } diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 631df318..6ba2c2e6 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -212,7 +212,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const rlim.rlim_max = MAX_FD_NO; for (i=0; i < (int)rlim.rlim_max; i++) { if (i != STDIN_FILENO) - close(i); + close(i); } } @@ -262,7 +262,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const } else { D(("fork failed")); close(fds[0]); - close(fds[1]); + close(fds[1]); retval = PAM_AUTH_ERR; } diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index 778062e4..72046ea0 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c @@ -16,13 +16,13 @@ * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. - * + * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE @@ -140,4 +140,3 @@ struct pam_module _pam_unix_session_modstruct = { NULL, }; #endif - 
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 5199a690..089f4b83 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -89,17 +89,17 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) } else { if (!strncmp(hash, "$1$", 3)) { pp = Goodcrypt_md5(p, hash); - if (pp && strcmp(pp, hash) != 0) { + if (pp && strcmp(pp, hash) != 0) { _pam_delete(pp); pp = Brokencrypt_md5(p, hash); - } + } } else if (*hash != '$' && hash_len >= 13) { - pp = bigcrypt(p, hash); - if (pp && hash_len == 13 && strlen(pp) > hash_len) { + pp = bigcrypt(p, hash); + if (pp && hash_len == 13 && strlen(pp) > hash_len) { _pam_overwrite(pp + hash_len); - } + } } else { - /* + /* * Ok, we don't know the crypt algorithm, but maybe * libcrypt knows about it? We should try it. */ @@ -448,12 +448,12 @@ unix_selinux_confined(void) char tempfile[]="/etc/.pwdXXXXXX"; if (confined != -1) - return confined; + return confined; /* cannot be confined without SELinux enabled */ if (!SELINUX_ENABLED){ - confined = 0; - return confined; + confined = 0; + return confined; } /* let's try opening shadow read only */ @@ -633,7 +633,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, char *sptr = NULL; found = 1; if (howmany == 0) - continue; + continue; buf[strlen(buf) - 1] = '\0'; s_luser = strtok_r(buf, ":", &sptr); s_uid = strtok_r(NULL, ":", &sptr); diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index cc350e58..ab04535f 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -475,7 +475,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, rlim.rlim_max = MAX_FD_NO; for (i=0; i < (int)rlim.rlim_max; i++) { if (i != STDIN_FILENO) - close(i); + close(i); } } 
@@ -530,7 +530,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, } else { D(("fork failed")); close(fds[0]); - close(fds[1]); + close(fds[1]); retval = PAM_AUTH_ERR; } diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 702912d0..6ea7ea51 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -62,7 +62,7 @@ set_password(const char *forwho, const char *shadow, const char *remember) } if (lock_pwdf() != PAM_SUCCESS) - return PAM_AUTHTOK_LOCK_BUSY; + return PAM_AUTHTOK_LOCK_BUSY; pwd = getpwnam(forwho); diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index b05cc6c6..77cc9608 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -35,4 +35,3 @@ noinst_DATA = README pam_userdb.8 README: pam_userdb.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_userdb/create.pl b/modules/pam_userdb/create.pl index 224204b7..06915c92 100644 --- a/modules/pam_userdb/create.pl +++ b/modules/pam_userdb/create.pl @@ -1,5 +1,5 @@ #!/usr/bin/perl -# this program creates a database in ARGV[1] from pairs given on +# this program creates a database in ARGV[1] from pairs given on # stdandard input # # $Id$ @@ -19,5 +19,3 @@ while () { $lusers{$user} = $pass; } untie %lusers; - - diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 11b0d6bd..c075c4b5 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -145,7 +145,7 @@ _pam_parse (pam_handle_t *pamh, int argc, const char **argv, * return values: * 1 = User not found * 0 = OK - * -1 = Password incorrect + * -1 = Password incorrect * -2 = System error */ static int 
@@ -362,12 +362,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, retval = pam_get_item(pamh, PAM_AUTHTOK, &password); if (retval != PAM_SUCCESS || password == NULL) { if ((ctrl & PAM_TRY_FPASS_ARG) != 0) { - /* Converse to obtain a password */ - retval = obtain_authtok(pamh); - if (retval != PAM_SUCCESS) { + /* Converse to obtain a password */ + retval = obtain_authtok(pamh); + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "can not obtain password from user"); return retval; - } + } retval = pam_get_item(pamh, PAM_AUTHTOK, &password); } if (retval != PAM_SUCCESS || password == NULL) { diff --git a/modules/pam_userdb/pam_userdb.h b/modules/pam_userdb/pam_userdb.h index 4cd81baf..3cd8fee0 100644 --- a/modules/pam_userdb/pam_userdb.h +++ b/modules/pam_userdb/pam_userdb.h @@ -2,7 +2,7 @@ #ifndef _PAM_USERSDB_H #define _PAM_USERSDB_H /* $Id$ */ - + /* Header files */ #include -- cgit v1.2.3 From c9c4faaf50c66d5e4d1b9d6c450c206c12f09f8a Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Rename all .cvsignore files to .gitignore --- modules/.cvsignore | 3 --- modules/.gitignore | 3 +++ modules/pam_access/.cvsignore | 9 --------- modules/pam_access/.gitignore | 9 +++++++++ modules/pam_cracklib/.cvsignore | 8 -------- modules/pam_cracklib/.gitignore | 8 ++++++++ modules/pam_debug/.cvsignore | 8 -------- modules/pam_debug/.gitignore | 8 ++++++++ modules/pam_deny/.cvsignore | 8 -------- modules/pam_deny/.gitignore | 8 ++++++++ modules/pam_echo/.cvsignore | 8 -------- modules/pam_echo/.gitignore | 8 ++++++++ modules/pam_env/.cvsignore | 9 --------- modules/pam_env/.gitignore | 9 +++++++++ modules/pam_exec/.cvsignore | 8 -------- modules/pam_exec/.gitignore | 8 ++++++++ modules/pam_faildelay/.cvsignore | 8 -------- modules/pam_faildelay/.gitignore | 8 ++++++++ modules/pam_filter/.cvsignore | 9 --------- modules/pam_filter/.gitignore | 9 +++++++++ modules/pam_filter/upperLOWER/.cvsignore | 5 ----- modules/pam_filter/upperLOWER/.gitignore | 5 +++++ modules/pam_ftp/.cvsignore | 8 -------- modules/pam_ftp/.gitignore | 8 ++++++++ modules/pam_group/.cvsignore | 9 --------- modules/pam_group/.gitignore | 9 +++++++++ modules/pam_issue/.cvsignore | 8 -------- modules/pam_issue/.gitignore | 8 ++++++++ modules/pam_keyinit/.cvsignore | 8 -------- modules/pam_keyinit/.gitignore | 8 ++++++++ modules/pam_lastlog/.cvsignore | 8 -------- modules/pam_lastlog/.gitignore | 8 ++++++++ modules/pam_limits/.cvsignore | 9 --------- modules/pam_limits/.gitignore | 9 +++++++++ modules/pam_listfile/.cvsignore | 8 -------- modules/pam_listfile/.gitignore | 8 ++++++++ modules/pam_localuser/.cvsignore | 10 ---------- modules/pam_localuser/.gitignore | 10 ++++++++++ modules/pam_loginuid/.cvsignore | 9 --------- modules/pam_loginuid/.gitignore | 9 +++++++++ modules/pam_mail/.cvsignore | 8 -------- modules/pam_mail/.gitignore | 8 ++++++++ modules/pam_mkhomedir/.cvsignore | 10 ---------- 
modules/pam_mkhomedir/.gitignore | 10 ++++++++++ modules/pam_motd/.cvsignore | 8 -------- modules/pam_motd/.gitignore | 8 ++++++++ modules/pam_namespace/.cvsignore | 9 --------- modules/pam_namespace/.gitignore | 9 +++++++++ modules/pam_nologin/.cvsignore | 8 -------- modules/pam_nologin/.gitignore | 8 ++++++++ modules/pam_permit/.cvsignore | 8 -------- modules/pam_permit/.gitignore | 8 ++++++++ modules/pam_pwhistory/.cvsignore | 8 -------- modules/pam_pwhistory/.gitignore | 8 ++++++++ modules/pam_rhosts/.cvsignore | 8 -------- modules/pam_rhosts/.gitignore | 8 ++++++++ modules/pam_rootok/.cvsignore | 8 -------- modules/pam_rootok/.gitignore | 8 ++++++++ modules/pam_securetty/.cvsignore | 8 -------- modules/pam_securetty/.gitignore | 8 ++++++++ modules/pam_selinux/.cvsignore | 11 ----------- modules/pam_selinux/.gitignore | 11 +++++++++++ modules/pam_sepermit/.cvsignore | 11 ----------- modules/pam_sepermit/.gitignore | 11 +++++++++++ modules/pam_shells/.cvsignore | 8 -------- modules/pam_shells/.gitignore | 8 ++++++++ modules/pam_stress/.cvsignore | 6 ------ modules/pam_stress/.gitignore | 6 ++++++ modules/pam_succeed_if/.cvsignore | 10 ---------- modules/pam_succeed_if/.gitignore | 10 ++++++++++ modules/pam_tally/.cvsignore | 9 --------- modules/pam_tally/.gitignore | 9 +++++++++ modules/pam_tally2/.cvsignore | 9 --------- modules/pam_tally2/.gitignore | 9 +++++++++ modules/pam_time/.cvsignore | 9 --------- modules/pam_time/.gitignore | 9 +++++++++ modules/pam_timestamp/.cvsignore | 13 ------------- modules/pam_timestamp/.gitignore | 13 +++++++++++++ modules/pam_tty_audit/.cvsignore | 8 -------- modules/pam_tty_audit/.gitignore | 8 ++++++++ modules/pam_umask/.cvsignore | 10 ---------- modules/pam_umask/.gitignore | 10 ++++++++++ modules/pam_unix/.cvsignore | 14 -------------- modules/pam_unix/.gitignore | 14 ++++++++++++++ modules/pam_userdb/.cvsignore | 8 -------- modules/pam_userdb/.gitignore | 8 ++++++++ modules/pam_warn/.cvsignore | 8 -------- 
modules/pam_warn/.gitignore | 8 ++++++++ modules/pam_wheel/.cvsignore | 8 -------- modules/pam_wheel/.gitignore | 8 ++++++++ modules/pam_xauth/.cvsignore | 10 ---------- modules/pam_xauth/.gitignore | 10 ++++++++++ 92 files changed, 395 insertions(+), 395 deletions(-) delete mode 100644 modules/.cvsignore create mode 100644 modules/.gitignore delete mode 100644 modules/pam_access/.cvsignore create mode 100644 modules/pam_access/.gitignore delete mode 100644 modules/pam_cracklib/.cvsignore create mode 100644 modules/pam_cracklib/.gitignore delete mode 100644 modules/pam_debug/.cvsignore create mode 100644 modules/pam_debug/.gitignore delete mode 100644 modules/pam_deny/.cvsignore create mode 100644 modules/pam_deny/.gitignore delete mode 100644 modules/pam_echo/.cvsignore create mode 100644 modules/pam_echo/.gitignore delete mode 100644 modules/pam_env/.cvsignore create mode 100644 modules/pam_env/.gitignore delete mode 100644 modules/pam_exec/.cvsignore create mode 100644 modules/pam_exec/.gitignore delete mode 100644 modules/pam_faildelay/.cvsignore create mode 100644 modules/pam_faildelay/.gitignore delete mode 100644 modules/pam_filter/.cvsignore create mode 100644 modules/pam_filter/.gitignore delete mode 100644 modules/pam_filter/upperLOWER/.cvsignore create mode 100644 modules/pam_filter/upperLOWER/.gitignore delete mode 100644 modules/pam_ftp/.cvsignore create mode 100644 modules/pam_ftp/.gitignore delete mode 100644 modules/pam_group/.cvsignore create mode 100644 modules/pam_group/.gitignore delete mode 100644 modules/pam_issue/.cvsignore create mode 100644 modules/pam_issue/.gitignore delete mode 100644 modules/pam_keyinit/.cvsignore create mode 100644 modules/pam_keyinit/.gitignore delete mode 100644 modules/pam_lastlog/.cvsignore create mode 100644 modules/pam_lastlog/.gitignore delete mode 100644 modules/pam_limits/.cvsignore create mode 100644 modules/pam_limits/.gitignore delete mode 100644 modules/pam_listfile/.cvsignore create mode 100644 
modules/pam_listfile/.gitignore delete mode 100644 modules/pam_localuser/.cvsignore create mode 100644 modules/pam_localuser/.gitignore delete mode 100644 modules/pam_loginuid/.cvsignore create mode 100644 modules/pam_loginuid/.gitignore delete mode 100644 modules/pam_mail/.cvsignore create mode 100644 modules/pam_mail/.gitignore delete mode 100644 modules/pam_mkhomedir/.cvsignore create mode 100644 modules/pam_mkhomedir/.gitignore delete mode 100644 modules/pam_motd/.cvsignore create mode 100644 modules/pam_motd/.gitignore delete mode 100644 modules/pam_namespace/.cvsignore create mode 100644 modules/pam_namespace/.gitignore delete mode 100644 modules/pam_nologin/.cvsignore create mode 100644 modules/pam_nologin/.gitignore delete mode 100644 modules/pam_permit/.cvsignore create mode 100644 modules/pam_permit/.gitignore delete mode 100644 modules/pam_pwhistory/.cvsignore create mode 100644 modules/pam_pwhistory/.gitignore delete mode 100644 modules/pam_rhosts/.cvsignore create mode 100644 modules/pam_rhosts/.gitignore delete mode 100644 modules/pam_rootok/.cvsignore create mode 100644 modules/pam_rootok/.gitignore delete mode 100644 modules/pam_securetty/.cvsignore create mode 100644 modules/pam_securetty/.gitignore delete mode 100644 modules/pam_selinux/.cvsignore create mode 100644 modules/pam_selinux/.gitignore delete mode 100644 modules/pam_sepermit/.cvsignore create mode 100644 modules/pam_sepermit/.gitignore delete mode 100644 modules/pam_shells/.cvsignore create mode 100644 modules/pam_shells/.gitignore delete mode 100644 modules/pam_stress/.cvsignore create mode 100644 modules/pam_stress/.gitignore delete mode 100644 modules/pam_succeed_if/.cvsignore create mode 100644 modules/pam_succeed_if/.gitignore delete mode 100644 modules/pam_tally/.cvsignore create mode 100644 modules/pam_tally/.gitignore delete mode 100644 modules/pam_tally2/.cvsignore create mode 100644 modules/pam_tally2/.gitignore delete mode 100644 modules/pam_time/.cvsignore create mode 100644 
modules/pam_time/.gitignore delete mode 100644 modules/pam_timestamp/.cvsignore create mode 100644 modules/pam_timestamp/.gitignore delete mode 100644 modules/pam_tty_audit/.cvsignore create mode 100644 modules/pam_tty_audit/.gitignore delete mode 100644 modules/pam_umask/.cvsignore create mode 100644 modules/pam_umask/.gitignore delete mode 100644 modules/pam_unix/.cvsignore create mode 100644 modules/pam_unix/.gitignore delete mode 100644 modules/pam_userdb/.cvsignore create mode 100644 modules/pam_userdb/.gitignore delete mode 100644 modules/pam_warn/.cvsignore create mode 100644 modules/pam_warn/.gitignore delete mode 100644 modules/pam_wheel/.cvsignore create mode 100644 modules/pam_wheel/.gitignore delete mode 100644 modules/pam_xauth/.cvsignore create mode 100644 modules/pam_xauth/.gitignore (limited to 'modules')
diff --git a/modules/.cvsignore b/modules/.cvsignore
deleted file mode 100644
index 0615b487..00000000
--- a/modules/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-*~
-Makefile
-Makefile.in
diff --git a/modules/.gitignore b/modules/.gitignore
new file mode 100644
index 00000000..0615b487
--- /dev/null
+++ b/modules/.gitignore
@@ -0,0 +1,3 @@
+*~
+Makefile
+Makefile.in
diff --git a/modules/pam_access/.cvsignore b/modules/pam_access/.cvsignore
deleted file mode 100644
index 6e648372..00000000
--- a/modules/pam_access/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-access.conf.5
-pam_access.8
diff --git a/modules/pam_access/.gitignore b/modules/pam_access/.gitignore
new file mode 100644
index 00000000..6e648372
--- /dev/null
+++ b/modules/pam_access/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+access.conf.5
+pam_access.8
diff --git a/modules/pam_cracklib/.cvsignore b/modules/pam_cracklib/.cvsignore
deleted file mode 100644
index db3b3295..00000000
--- a/modules/pam_cracklib/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_cracklib.8
diff --git a/modules/pam_cracklib/.gitignore b/modules/pam_cracklib/.gitignore
new file mode 100644
index 00000000..db3b3295
--- /dev/null
+++ b/modules/pam_cracklib/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_cracklib.8
diff --git a/modules/pam_debug/.cvsignore b/modules/pam_debug/.cvsignore
deleted file mode 100644
index af38ef08..00000000
--- a/modules/pam_debug/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_debug.8
diff --git a/modules/pam_debug/.gitignore b/modules/pam_debug/.gitignore
new file mode 100644
index 00000000..af38ef08
--- /dev/null
+++ b/modules/pam_debug/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_debug.8
diff --git a/modules/pam_deny/.cvsignore b/modules/pam_deny/.cvsignore
deleted file mode 100644
index 180c6155..00000000
--- a/modules/pam_deny/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_deny.8
diff --git a/modules/pam_deny/.gitignore b/modules/pam_deny/.gitignore
new file mode 100644
index 00000000..180c6155
--- /dev/null
+++ b/modules/pam_deny/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_deny.8
diff --git a/modules/pam_echo/.cvsignore b/modules/pam_echo/.cvsignore
deleted file mode 100644
index 2d5569ad..00000000
--- a/modules/pam_echo/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_echo.8
diff --git a/modules/pam_echo/.gitignore b/modules/pam_echo/.gitignore
new file mode 100644
index 00000000..2d5569ad
--- /dev/null
+++ b/modules/pam_echo/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_echo.8
diff --git a/modules/pam_env/.cvsignore b/modules/pam_env/.cvsignore
deleted file mode 100644
index e35f869e..00000000
--- a/modules/pam_env/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_env.8
-pam_env.conf.5
diff --git a/modules/pam_env/.gitignore b/modules/pam_env/.gitignore
new file mode 100644
index 00000000..e35f869e
--- /dev/null
+++ b/modules/pam_env/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_env.8
+pam_env.conf.5
diff --git a/modules/pam_exec/.cvsignore b/modules/pam_exec/.cvsignore
deleted file mode 100644
index 47c8610e..00000000
--- a/modules/pam_exec/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_exec.8
diff --git a/modules/pam_exec/.gitignore b/modules/pam_exec/.gitignore
new file mode 100644
index 00000000..47c8610e
--- /dev/null
+++ b/modules/pam_exec/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_exec.8
diff --git a/modules/pam_faildelay/.cvsignore b/modules/pam_faildelay/.cvsignore
deleted file mode 100644
index cc931c87..00000000
--- a/modules/pam_faildelay/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_faildelay.8
diff --git a/modules/pam_faildelay/.gitignore b/modules/pam_faildelay/.gitignore
new file mode 100644
index 00000000..cc931c87
--- /dev/null
+++ b/modules/pam_faildelay/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_faildelay.8
diff --git a/modules/pam_filter/.cvsignore b/modules/pam_filter/.cvsignore
deleted file mode 100644
index dc6908c2..00000000
--- a/modules/pam_filter/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-security
-README
-pam_filter.8
diff --git a/modules/pam_filter/.gitignore b/modules/pam_filter/.gitignore
new file mode 100644
index 00000000..dc6908c2
--- /dev/null
+++ b/modules/pam_filter/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+security
+README
+pam_filter.8
diff --git a/modules/pam_filter/upperLOWER/.cvsignore b/modules/pam_filter/upperLOWER/.cvsignore
deleted file mode 100644
index ceceb1b9..00000000
--- a/modules/pam_filter/upperLOWER/.cvsignore
+++ /dev/null
@@ -1,5 +0,0 @@
-.deps
-.libs
-upperLOWER
-Makefile
-Makefile.in
diff --git a/modules/pam_filter/upperLOWER/.gitignore b/modules/pam_filter/upperLOWER/.gitignore
new file mode 100644
index 00000000..ceceb1b9
--- /dev/null
+++ b/modules/pam_filter/upperLOWER/.gitignore
@@ -0,0 +1,5 @@
+.deps
+.libs
+upperLOWER
+Makefile
+Makefile.in
diff --git a/modules/pam_ftp/.cvsignore b/modules/pam_ftp/.cvsignore
deleted file mode 100644
index 02e0ab6b..00000000
--- a/modules/pam_ftp/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_ftp.8
diff --git a/modules/pam_ftp/.gitignore b/modules/pam_ftp/.gitignore
new file mode 100644
index 00000000..02e0ab6b
--- /dev/null
+++ b/modules/pam_ftp/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_ftp.8
diff --git a/modules/pam_group/.cvsignore b/modules/pam_group/.cvsignore
deleted file mode 100644
index 49b88179..00000000
--- a/modules/pam_group/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-group.conf.5
-pam_group.8
diff --git a/modules/pam_group/.gitignore b/modules/pam_group/.gitignore
new file mode 100644
index 00000000..49b88179
--- /dev/null
+++ b/modules/pam_group/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+group.conf.5
+pam_group.8
diff --git a/modules/pam_issue/.cvsignore b/modules/pam_issue/.cvsignore
deleted file mode 100644
index 8754cdf0..00000000
--- a/modules/pam_issue/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_issue.8
diff --git a/modules/pam_issue/.gitignore b/modules/pam_issue/.gitignore
new file mode 100644
index 00000000..8754cdf0
--- /dev/null
+++ b/modules/pam_issue/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_issue.8
diff --git a/modules/pam_keyinit/.cvsignore b/modules/pam_keyinit/.cvsignore
deleted file mode 100644
index a2072fc9..00000000
--- a/modules/pam_keyinit/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_keyinit.8
diff --git a/modules/pam_keyinit/.gitignore b/modules/pam_keyinit/.gitignore
new file mode 100644
index 00000000..a2072fc9
--- /dev/null
+++ b/modules/pam_keyinit/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_keyinit.8
diff --git a/modules/pam_lastlog/.cvsignore b/modules/pam_lastlog/.cvsignore
deleted file mode 100644
index 9b0768f7..00000000
--- a/modules/pam_lastlog/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_lastlog.8
diff --git a/modules/pam_lastlog/.gitignore b/modules/pam_lastlog/.gitignore
new file mode 100644
index 00000000..9b0768f7
--- /dev/null
+++ b/modules/pam_lastlog/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_lastlog.8
diff --git a/modules/pam_limits/.cvsignore b/modules/pam_limits/.cvsignore
deleted file mode 100644
index b2519a1c..00000000
--- a/modules/pam_limits/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-limits.conf.5
-pam_limits.8
diff --git a/modules/pam_limits/.gitignore b/modules/pam_limits/.gitignore
new file mode 100644
index 00000000..b2519a1c
--- /dev/null
+++ b/modules/pam_limits/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+limits.conf.5
+pam_limits.8
diff --git a/modules/pam_listfile/.cvsignore b/modules/pam_listfile/.cvsignore
deleted file mode 100644
index f54f6f27..00000000
--- a/modules/pam_listfile/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_listfile.8
diff --git a/modules/pam_listfile/.gitignore b/modules/pam_listfile/.gitignore
new file mode 100644
index 00000000..f54f6f27
--- /dev/null
+++ b/modules/pam_listfile/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_listfile.8
diff --git a/modules/pam_localuser/.cvsignore b/modules/pam_localuser/.cvsignore
deleted file mode 100644
index ae7dab97..00000000
--- a/modules/pam_localuser/.cvsignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_localuser.8
diff --git a/modules/pam_localuser/.gitignore b/modules/pam_localuser/.gitignore
new file mode 100644
index 00000000..ae7dab97
--- /dev/null
+++ b/modules/pam_localuser/.gitignore
@@ -0,0 +1,10 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_localuser.8
diff --git a/modules/pam_loginuid/.cvsignore b/modules/pam_loginuid/.cvsignore
deleted file mode 100644
index cb4cb6de..00000000
--- a/modules/pam_loginuid/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-pam_loginuid
-README
-pam_loginuid.8
diff --git a/modules/pam_loginuid/.gitignore b/modules/pam_loginuid/.gitignore
new file mode 100644
index 00000000..cb4cb6de
--- /dev/null
+++ b/modules/pam_loginuid/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+pam_loginuid
+README
+pam_loginuid.8
diff --git a/modules/pam_mail/.cvsignore b/modules/pam_mail/.cvsignore
deleted file mode 100644
index e34886b5..00000000
--- a/modules/pam_mail/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_mail.8
diff --git a/modules/pam_mail/.gitignore b/modules/pam_mail/.gitignore
new file mode 100644
index 00000000..e34886b5
--- /dev/null
+++ b/modules/pam_mail/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_mail.8
diff --git a/modules/pam_mkhomedir/.cvsignore b/modules/pam_mkhomedir/.cvsignore
deleted file mode 100644
index a0ad1aad..00000000
--- a/modules/pam_mkhomedir/.cvsignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_mkhomedir.8
-mkhomedir_helper
-mkhomedir_helper.8
diff --git a/modules/pam_mkhomedir/.gitignore b/modules/pam_mkhomedir/.gitignore
new file mode 100644
index 00000000..a0ad1aad
--- /dev/null
+++ b/modules/pam_mkhomedir/.gitignore
@@ -0,0 +1,10 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_mkhomedir.8
+mkhomedir_helper
+mkhomedir_helper.8
diff --git a/modules/pam_motd/.cvsignore b/modules/pam_motd/.cvsignore
deleted file mode 100644
index f36d06fa..00000000
--- a/modules/pam_motd/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_motd.8
diff --git a/modules/pam_motd/.gitignore b/modules/pam_motd/.gitignore
new file mode 100644
index 00000000..f36d06fa
--- /dev/null
+++ b/modules/pam_motd/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_motd.8
diff --git a/modules/pam_namespace/.cvsignore b/modules/pam_namespace/.cvsignore
deleted file mode 100644
index 59a9578c..00000000
--- a/modules/pam_namespace/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-namespace.conf.5
-pam_namespace.8
diff --git a/modules/pam_namespace/.gitignore b/modules/pam_namespace/.gitignore
new file mode 100644
index 00000000..59a9578c
--- /dev/null
+++ b/modules/pam_namespace/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+namespace.conf.5
+pam_namespace.8
diff --git a/modules/pam_nologin/.cvsignore b/modules/pam_nologin/.cvsignore
deleted file mode 100644
index f9fb15b5..00000000
--- a/modules/pam_nologin/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_nologin.8
diff --git a/modules/pam_nologin/.gitignore b/modules/pam_nologin/.gitignore
new file mode 100644
index 00000000..f9fb15b5
--- /dev/null
+++ b/modules/pam_nologin/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_nologin.8
diff --git a/modules/pam_permit/.cvsignore b/modules/pam_permit/.cvsignore
deleted file mode 100644
index 5406ac33..00000000
--- a/modules/pam_permit/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_permit.8
diff --git a/modules/pam_permit/.gitignore b/modules/pam_permit/.gitignore
new file mode 100644
index 00000000..5406ac33
--- /dev/null
+++ b/modules/pam_permit/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_permit.8
diff --git a/modules/pam_pwhistory/.cvsignore b/modules/pam_pwhistory/.cvsignore
deleted file mode 100644
index c0d3c72c..00000000
--- a/modules/pam_pwhistory/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_pwhistory.8
diff --git a/modules/pam_pwhistory/.gitignore b/modules/pam_pwhistory/.gitignore
new file mode 100644
index 00000000..c0d3c72c
--- /dev/null
+++ b/modules/pam_pwhistory/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_pwhistory.8
diff --git a/modules/pam_rhosts/.cvsignore b/modules/pam_rhosts/.cvsignore
deleted file mode 100644
index 8f807d67..00000000
--- a/modules/pam_rhosts/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_rhosts.8
diff --git a/modules/pam_rhosts/.gitignore b/modules/pam_rhosts/.gitignore
new file mode 100644
index 00000000..8f807d67
--- /dev/null
+++ b/modules/pam_rhosts/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_rhosts.8
diff --git a/modules/pam_rootok/.cvsignore b/modules/pam_rootok/.cvsignore
deleted file mode 100644
index 70776789..00000000
--- a/modules/pam_rootok/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_rootok.8
diff --git a/modules/pam_rootok/.gitignore b/modules/pam_rootok/.gitignore
new file mode 100644
index 00000000..70776789
--- /dev/null
+++ b/modules/pam_rootok/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_rootok.8
diff --git a/modules/pam_securetty/.cvsignore b/modules/pam_securetty/.cvsignore
deleted file mode 100644
index 1e9b0b2d..00000000
--- a/modules/pam_securetty/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_securetty.8
diff --git a/modules/pam_securetty/.gitignore b/modules/pam_securetty/.gitignore
new file mode 100644
index 00000000..1e9b0b2d
--- /dev/null
+++ b/modules/pam_securetty/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_securetty.8
diff --git a/modules/pam_selinux/.cvsignore b/modules/pam_selinux/.cvsignore
deleted file mode 100644
index 08754fd5..00000000
--- a/modules/pam_selinux/.cvsignore
+++ /dev/null
@@ -1,11 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-pam_selinux_check
-README
-pam_selinux.8
diff --git a/modules/pam_selinux/.gitignore b/modules/pam_selinux/.gitignore
new file mode 100644
index 00000000..08754fd5
--- /dev/null
+++ b/modules/pam_selinux/.gitignore
@@ -0,0 +1,11 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+pam_selinux_check
+README
+pam_selinux.8
diff --git a/modules/pam_sepermit/.cvsignore b/modules/pam_sepermit/.cvsignore
deleted file mode 100644
index 47f494cc..00000000
--- a/modules/pam_sepermit/.cvsignore
+++ /dev/null
@@ -1,11 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_sepermit.8
-sepermit.conf.5
diff --git a/modules/pam_sepermit/.gitignore b/modules/pam_sepermit/.gitignore
new file mode 100644
index 00000000..47f494cc
--- /dev/null
+++ b/modules/pam_sepermit/.gitignore
@@ -0,0 +1,11 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_sepermit.8
+sepermit.conf.5
diff --git a/modules/pam_shells/.cvsignore b/modules/pam_shells/.cvsignore
deleted file mode 100644
index f86c33b1..00000000
--- a/modules/pam_shells/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_shells.8
diff --git a/modules/pam_shells/.gitignore b/modules/pam_shells/.gitignore
new file mode 100644
index 00000000..f86c33b1
--- /dev/null
+++ b/modules/pam_shells/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_shells.8
diff --git a/modules/pam_stress/.cvsignore b/modules/pam_stress/.cvsignore
deleted file mode 100644
index 9fb98574..00000000
--- a/modules/pam_stress/.cvsignore
+++ /dev/null
@@ -1,6 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
diff --git a/modules/pam_stress/.gitignore b/modules/pam_stress/.gitignore
new file mode 100644
index 00000000..9fb98574
--- /dev/null
+++ b/modules/pam_stress/.gitignore
@@ -0,0 +1,6 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
diff --git a/modules/pam_succeed_if/.cvsignore b/modules/pam_succeed_if/.cvsignore
deleted file mode 100644
index 6218e822..00000000
--- a/modules/pam_succeed_if/.cvsignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_succeed_if.8
diff --git a/modules/pam_succeed_if/.gitignore b/modules/pam_succeed_if/.gitignore
new file mode 100644
index 00000000..6218e822
--- /dev/null
+++ b/modules/pam_succeed_if/.gitignore
@@ -0,0 +1,10 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_succeed_if.8
diff --git a/modules/pam_tally/.cvsignore b/modules/pam_tally/.cvsignore
deleted file mode 100644
index 0286d635..00000000
--- a/modules/pam_tally/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-pam_tally
-README
-pam_tally.8
diff --git a/modules/pam_tally/.gitignore b/modules/pam_tally/.gitignore
new file mode 100644
index 00000000..0286d635
--- /dev/null
+++ b/modules/pam_tally/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+pam_tally
+README
+pam_tally.8
diff --git a/modules/pam_tally2/.cvsignore b/modules/pam_tally2/.cvsignore
deleted file mode 100644
index c20ebb92..00000000
--- a/modules/pam_tally2/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-pam_tally2
-README
-pam_tally2.8
diff --git a/modules/pam_tally2/.gitignore b/modules/pam_tally2/.gitignore
new file mode 100644
index 00000000..c20ebb92
--- /dev/null
+++ b/modules/pam_tally2/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+pam_tally2
+README
+pam_tally2.8
diff --git a/modules/pam_time/.cvsignore b/modules/pam_time/.cvsignore
deleted file mode 100644
index cac9cca3..00000000
--- a/modules/pam_time/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_time.8
-time.conf.5
diff --git a/modules/pam_time/.gitignore b/modules/pam_time/.gitignore
new file mode 100644
index 00000000..cac9cca3
--- /dev/null
+++ b/modules/pam_time/.gitignore
@@ -0,0 +1,9 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_time.8
+time.conf.5
diff --git a/modules/pam_timestamp/.cvsignore b/modules/pam_timestamp/.cvsignore
deleted file mode 100644
index c084c915..00000000
--- a/modules/pam_timestamp/.cvsignore
+++ /dev/null
@@ -1,13 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_timestamp.8
-pam_timestamp_check.8
-hmacfile
-pam_timestamp_check
diff --git a/modules/pam_timestamp/.gitignore b/modules/pam_timestamp/.gitignore
new file mode 100644
index 00000000..c084c915
--- /dev/null
+++ b/modules/pam_timestamp/.gitignore
@@ -0,0 +1,13 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_timestamp.8
+pam_timestamp_check.8
+hmacfile
+pam_timestamp_check
diff --git a/modules/pam_tty_audit/.cvsignore b/modules/pam_tty_audit/.cvsignore
deleted file mode 100644
index aefb9d6f..00000000
--- a/modules/pam_tty_audit/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_tty_audit.8
diff --git a/modules/pam_tty_audit/.gitignore b/modules/pam_tty_audit/.gitignore
new file mode 100644
index 00000000..aefb9d6f
--- /dev/null
+++ b/modules/pam_tty_audit/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_tty_audit.8
diff --git a/modules/pam_umask/.cvsignore b/modules/pam_umask/.cvsignore
deleted file mode 100644
index d53ba152..00000000
--- a/modules/pam_umask/.cvsignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_umask.8
diff --git a/modules/pam_umask/.gitignore b/modules/pam_umask/.gitignore
new file mode 100644
index 00000000..d53ba152
--- /dev/null
+++ b/modules/pam_umask/.gitignore
@@ -0,0 +1,10 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_umask.8
diff --git a/modules/pam_unix/.cvsignore b/modules/pam_unix/.cvsignore
deleted file mode 100644
index 01819c28..00000000
--- a/modules/pam_unix/.cvsignore
+++ /dev/null
@@ -1,14 +0,0 @@
-*.la
-*.lo
-*.so
-.deps
-.libs
-Makefile
-Makefile.in
-bigcrypt
-unix_chkpwd
-unix_update
-README
-pam_unix.8
-unix_chkpwd.8
-unix_update.8
diff --git a/modules/pam_unix/.gitignore b/modules/pam_unix/.gitignore
new file mode 100644
index 00000000..01819c28
--- /dev/null
+++ b/modules/pam_unix/.gitignore
@@ -0,0 +1,14 @@
+*.la
+*.lo
+*.so
+.deps
+.libs
+Makefile
+Makefile.in
+bigcrypt
+unix_chkpwd
+unix_update
+README
+pam_unix.8
+unix_chkpwd.8
+unix_update.8
diff --git a/modules/pam_userdb/.cvsignore b/modules/pam_userdb/.cvsignore
deleted file mode 100644
index ca9670ba..00000000
--- a/modules/pam_userdb/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_userdb.8
diff --git a/modules/pam_userdb/.gitignore b/modules/pam_userdb/.gitignore
new file mode 100644
index 00000000..ca9670ba
--- /dev/null
+++ b/modules/pam_userdb/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_userdb.8
diff --git a/modules/pam_warn/.cvsignore b/modules/pam_warn/.cvsignore
deleted file mode 100644
index 7737bcc0..00000000
--- a/modules/pam_warn/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_warn.8
diff --git a/modules/pam_warn/.gitignore b/modules/pam_warn/.gitignore
new file mode 100644
index 00000000..7737bcc0
--- /dev/null
+++ b/modules/pam_warn/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_warn.8
diff --git a/modules/pam_wheel/.cvsignore b/modules/pam_wheel/.cvsignore
deleted file mode 100644
index e63f2a9c..00000000
--- a/modules/pam_wheel/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_wheel.8
diff --git a/modules/pam_wheel/.gitignore b/modules/pam_wheel/.gitignore
new file mode 100644
index 00000000..e63f2a9c
--- /dev/null
+++ b/modules/pam_wheel/.gitignore
@@ -0,0 +1,8 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
+README
+pam_wheel.8
diff --git a/modules/pam_xauth/.cvsignore b/modules/pam_xauth/.cvsignore
deleted file mode 100644
index 1611e414..00000000
--- a/modules/pam_xauth/.cvsignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_xauth.8
diff --git a/modules/pam_xauth/.gitignore b/modules/pam_xauth/.gitignore
new file mode 100644
index 00000000..1611e414
--- /dev/null
+++ b/modules/pam_xauth/.gitignore
@@ -0,0 +1,10 @@ +*.la +*.lo +*.so +*~ +.deps +.libs +Makefile +Makefile.in +README +pam_xauth.8 -- cgit v1.2.3 From d468cbd673a38dc03362fc375b854ab3d7c2d6a1 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Remove modules/pam_timestamp/hmacfile from distribution * modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp. (nodist_TESTS): Add hmacfile. (EXTRA_DIST): Replace TESTS with dist_TESTS. --- modules/pam_timestamp/Makefile.am | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am index 313c1eb7..9b84cd10 100644 --- a/modules/pam_timestamp/Makefile.am +++ b/modules/pam_timestamp/Makefile.am @@ -8,9 +8,11 @@ MAINTAINERCLEANFILES = $(MANS) README XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml man_MANS = pam_timestamp.8 pam_timestamp_check.8 -TESTS = tst-pam_timestamp hmacfile +dist_TESTS = tst-pam_timestamp +nodist_TESTS = hmacfile +TESTS = $(dist_TESTS) $(nodist_TESTS) -EXTRA_DIST = $(man_MANS) $(XMLS) $(TESTS) +EXTRA_DIST = $(man_MANS) $(XMLS) $(dist_TESTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) -- cgit v1.2.3 From 3e7fb3233efe776d867be9d34b4b6e83ec59df86 Mon Sep 17 00:00:00 2001 
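Review bot: The new `dist_TESTS` and `nodist_TESTS` names in the pam_timestamp/Makefile.am hunk read like automake's `dist_`/`nodist_` prefixes, but as far as I can tell automake attaches no meaning to those prefixes on `TESTS`, so what actually keeps `hmacfile` out of the tarball is the `EXTRA_DIST` line. A short comment above the three assignments would stop a later cleanup from folding them back together and shipping a locally built binary again, for example `# Plain variables: only $(dist_TESTS) is listed in EXTRA_DIST; hmacfile is (presumably) built at check time and must not be distributed.` The rule that builds `hmacfile` is outside the hunk, so that part should be confirmed against the rest of the file.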
From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Update .gitignore files * .gitignore: Add common ignore patterns. * m4/.gitignore: Unignore local m4 files. * dynamic/.gitignore: Unignore Makefile. * libpamc/test/modules/.gitignore: Likewise. * libpamc/test/regress/.gitignore: Likewise. * po/.gitignore: Add Makevars.template. * conf/.gitignore: Remove common ignore patterns. * conf/pam_conv1/.gitignore: Likewise. * doc/.gitignore: Likewise. * doc/specs/.gitignore: Likewise. * doc/specs/formatter/.gitignore: Likewise. * examples/.gitignore: Likewise. * modules/pam_filter/upperLOWER/.gitignore: Likewise. * modules/pam_mkhomedir/.gitignore: Likewise. * modules/pam_selinux/.gitignore: Likewise. * modules/pam_stress/.gitignore: Likewise. * modules/pam_tally/.gitignore: Likewise. * modules/pam_tally2/.gitignore: Likewise. * modules/pam_timestamp/.gitignore: Likewise. * modules/pam_unix/.gitignore: Likewise. * tests/.gitignore: Likewise. * xtests/.gitignore: Likewise. * doc/adg/.gitignore: Remove. * doc/man/.gitignore: Remove. * doc/mwg/.gitignore: Remove. * doc/sag/.gitignore: Remove. * libpamc/.gitignore: Remove. * libpamc/test/.gitignore: Remove. * libpam/.gitignore: Remove. * libpam_misc/.gitignore: Remove. * modules/.gitignore: Remove. * modules/pam_access/.gitignore: Remove. * modules/pam_cracklib/.gitignore: Remove. * modules/pam_debug/.gitignore: Remove. * modules/pam_deny/.gitignore: Remove. * modules/pam_echo/.gitignore: Remove. * modules/pam_env/.gitignore: Remove. * modules/pam_exec/.gitignore: Remove. * modules/pam_faildelay/.gitignore: Remove. * modules/pam_filter/.gitignore: Remove. * modules/pam_ftp/.gitignore: Remove. * modules/pam_group/.gitignore: Remove. * modules/pam_issue/.gitignore: Remove. * modules/pam_keyinit/.gitignore: Remove. * modules/pam_lastlog/.gitignore: Remove. * modules/pam_limits/.gitignore: Remove. * modules/pam_listfile/.gitignore: Remove. * modules/pam_localuser/.gitignore: Remove. 
* modules/pam_loginuid/.gitignore: Remove. * modules/pam_mail/.gitignore: Remove. * modules/pam_motd/.gitignore: Remove. * modules/pam_namespace/.gitignore: Remove. * modules/pam_nologin/.gitignore: Remove. * modules/pam_permit/.gitignore: Remove. * modules/pam_pwhistory/.gitignore: Remove. * modules/pam_rhosts/.gitignore: Remove. * modules/pam_rootok/.gitignore: Remove. * modules/pam_securetty/.gitignore: Remove. * modules/pam_sepermit/.gitignore: Remove. * modules/pam_shells/.gitignore: Remove. * modules/pam_succeed_if/.gitignore: Remove. * modules/pam_time/.gitignore: Remove. * modules/pam_tty_audit/.gitignore: Remove. * modules/pam_umask/.gitignore: Remove. * modules/pam_userdb/.gitignore: Remove. * modules/pam_warn/.gitignore: Remove. * modules/pam_wheel/.gitignore: Remove. * modules/pam_xauth/.gitignore: Remove. --- modules/.gitignore | 3 --- modules/pam_access/.gitignore | 9 --------- modules/pam_cracklib/.gitignore | 8 -------- modules/pam_debug/.gitignore | 8 -------- modules/pam_deny/.gitignore | 8 -------- modules/pam_echo/.gitignore | 8 -------- modules/pam_env/.gitignore | 9 --------- modules/pam_exec/.gitignore | 8 -------- modules/pam_faildelay/.gitignore | 8 -------- modules/pam_filter/.gitignore | 9 --------- modules/pam_filter/upperLOWER/.gitignore | 4 ---- modules/pam_ftp/.gitignore | 8 -------- modules/pam_group/.gitignore | 9 --------- modules/pam_issue/.gitignore | 8 -------- modules/pam_keyinit/.gitignore | 8 -------- modules/pam_lastlog/.gitignore | 8 -------- modules/pam_limits/.gitignore | 9 --------- modules/pam_listfile/.gitignore | 8 -------- modules/pam_localuser/.gitignore | 10 ---------- modules/pam_loginuid/.gitignore | 9 --------- modules/pam_mail/.gitignore | 8 -------- modules/pam_mkhomedir/.gitignore | 9 --------- modules/pam_motd/.gitignore | 8 -------- modules/pam_namespace/.gitignore | 9 --------- modules/pam_nologin/.gitignore | 8 -------- modules/pam_permit/.gitignore | 8 -------- modules/pam_pwhistory/.gitignore | 8 
-------- modules/pam_rhosts/.gitignore | 8 -------- modules/pam_rootok/.gitignore | 8 -------- modules/pam_securetty/.gitignore | 8 -------- modules/pam_selinux/.gitignore | 11 +---------- modules/pam_sepermit/.gitignore | 11 ----------- modules/pam_shells/.gitignore | 8 -------- modules/pam_stress/.gitignore | 7 +------ modules/pam_succeed_if/.gitignore | 10 ---------- modules/pam_tally/.gitignore | 8 -------- modules/pam_tally2/.gitignore | 8 -------- modules/pam_time/.gitignore | 9 --------- modules/pam_timestamp/.gitignore | 11 ----------- modules/pam_tty_audit/.gitignore | 8 -------- modules/pam_umask/.gitignore | 10 ---------- modules/pam_unix/.gitignore | 11 ----------- modules/pam_userdb/.gitignore | 8 -------- modules/pam_warn/.gitignore | 8 -------- modules/pam_wheel/.gitignore | 8 -------- modules/pam_xauth/.gitignore | 10 ---------- 46 files changed, 2 insertions(+), 385 deletions(-) delete mode 100644 modules/.gitignore delete mode 100644 modules/pam_access/.gitignore delete mode 100644 modules/pam_cracklib/.gitignore delete mode 100644 modules/pam_debug/.gitignore delete mode 100644 modules/pam_deny/.gitignore delete mode 100644 modules/pam_echo/.gitignore delete mode 100644 modules/pam_env/.gitignore delete mode 100644 modules/pam_exec/.gitignore delete mode 100644 modules/pam_faildelay/.gitignore delete mode 100644 modules/pam_filter/.gitignore delete mode 100644 modules/pam_ftp/.gitignore delete mode 100644 modules/pam_group/.gitignore delete mode 100644 modules/pam_issue/.gitignore delete mode 100644 modules/pam_keyinit/.gitignore delete mode 100644 modules/pam_lastlog/.gitignore delete mode 100644 modules/pam_limits/.gitignore delete mode 100644 modules/pam_listfile/.gitignore delete mode 100644 modules/pam_localuser/.gitignore delete mode 100644 modules/pam_loginuid/.gitignore delete mode 100644 modules/pam_mail/.gitignore delete mode 100644 modules/pam_motd/.gitignore delete mode 100644 modules/pam_namespace/.gitignore delete mode 100644 
modules/pam_nologin/.gitignore delete mode 100644 modules/pam_permit/.gitignore delete mode 100644 modules/pam_pwhistory/.gitignore delete mode 100644 modules/pam_rhosts/.gitignore delete mode 100644 modules/pam_rootok/.gitignore delete mode 100644 modules/pam_securetty/.gitignore delete mode 100644 modules/pam_sepermit/.gitignore delete mode 100644 modules/pam_shells/.gitignore delete mode 100644 modules/pam_succeed_if/.gitignore delete mode 100644 modules/pam_time/.gitignore delete mode 100644 modules/pam_tty_audit/.gitignore delete mode 100644 modules/pam_umask/.gitignore delete mode 100644 modules/pam_userdb/.gitignore delete mode 100644 modules/pam_warn/.gitignore delete mode 100644 modules/pam_wheel/.gitignore delete mode 100644 modules/pam_xauth/.gitignore (limited to 'modules') diff --git a/modules/.gitignore b/modules/.gitignore deleted file mode 100644 index 0615b487..00000000 --- a/modules/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -*~ -Makefile -Makefile.in diff --git a/modules/pam_access/.gitignore b/modules/pam_access/.gitignore deleted file mode 100644 index 6e648372..00000000 --- a/modules/pam_access/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -access.conf.5 -pam_access.8 diff --git a/modules/pam_cracklib/.gitignore b/modules/pam_cracklib/.gitignore deleted file mode 100644 index db3b3295..00000000 --- a/modules/pam_cracklib/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_cracklib.8 diff --git a/modules/pam_debug/.gitignore b/modules/pam_debug/.gitignore deleted file mode 100644 index af38ef08..00000000 --- a/modules/pam_debug/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_debug.8 diff --git a/modules/pam_deny/.gitignore b/modules/pam_deny/.gitignore deleted file mode 100644 index 180c6155..00000000 --- a/modules/pam_deny/.gitignore +++ /dev/null 
@@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_deny.8 diff --git a/modules/pam_echo/.gitignore b/modules/pam_echo/.gitignore deleted file mode 100644 index 2d5569ad..00000000 --- a/modules/pam_echo/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_echo.8 diff --git a/modules/pam_env/.gitignore b/modules/pam_env/.gitignore deleted file mode 100644 index e35f869e..00000000 --- a/modules/pam_env/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_env.8 -pam_env.conf.5 diff --git a/modules/pam_exec/.gitignore b/modules/pam_exec/.gitignore deleted file mode 100644 index 47c8610e..00000000 --- a/modules/pam_exec/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_exec.8 diff --git a/modules/pam_faildelay/.gitignore b/modules/pam_faildelay/.gitignore deleted file mode 100644 index cc931c87..00000000 --- a/modules/pam_faildelay/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_faildelay.8 diff --git a/modules/pam_filter/.gitignore b/modules/pam_filter/.gitignore deleted file mode 100644 index dc6908c2..00000000 --- a/modules/pam_filter/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -security -README -pam_filter.8 diff --git a/modules/pam_filter/upperLOWER/.gitignore b/modules/pam_filter/upperLOWER/.gitignore index ceceb1b9..bcd63650 100644 --- a/modules/pam_filter/upperLOWER/.gitignore +++ b/modules/pam_filter/upperLOWER/.gitignore @@ -1,5 +1 @@ -.deps -.libs upperLOWER -Makefile -Makefile.in diff --git a/modules/pam_ftp/.gitignore b/modules/pam_ftp/.gitignore deleted file mode 100644 index 02e0ab6b..00000000 --- a/modules/pam_ftp/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_ftp.8 
diff --git a/modules/pam_group/.gitignore b/modules/pam_group/.gitignore
deleted file mode 100644
index 49b88179..00000000
--- a/modules/pam_group/.gitignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-group.conf.5
-pam_group.8
diff --git a/modules/pam_issue/.gitignore b/modules/pam_issue/.gitignore
deleted file mode 100644
index 8754cdf0..00000000
--- a/modules/pam_issue/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_issue.8
diff --git a/modules/pam_keyinit/.gitignore b/modules/pam_keyinit/.gitignore
deleted file mode 100644
index a2072fc9..00000000
--- a/modules/pam_keyinit/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_keyinit.8
diff --git a/modules/pam_lastlog/.gitignore b/modules/pam_lastlog/.gitignore
deleted file mode 100644
index 9b0768f7..00000000
--- a/modules/pam_lastlog/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_lastlog.8
diff --git a/modules/pam_limits/.gitignore b/modules/pam_limits/.gitignore
deleted file mode 100644
index b2519a1c..00000000
--- a/modules/pam_limits/.gitignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-limits.conf.5
-pam_limits.8
diff --git a/modules/pam_listfile/.gitignore b/modules/pam_listfile/.gitignore
deleted file mode 100644
index f54f6f27..00000000
--- a/modules/pam_listfile/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_listfile.8
diff --git a/modules/pam_localuser/.gitignore b/modules/pam_localuser/.gitignore
deleted file mode 100644
index ae7dab97..00000000
--- a/modules/pam_localuser/.gitignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_localuser.8
diff --git a/modules/pam_loginuid/.gitignore b/modules/pam_loginuid/.gitignore deleted file mode 100644 index cb4cb6de..00000000 --- a/modules/pam_loginuid/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -pam_loginuid -README -pam_loginuid.8 diff --git a/modules/pam_mail/.gitignore b/modules/pam_mail/.gitignore deleted file mode 100644 index e34886b5..00000000 --- a/modules/pam_mail/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_mail.8 diff --git a/modules/pam_mkhomedir/.gitignore b/modules/pam_mkhomedir/.gitignore index a0ad1aad..7352e564 100644 --- a/modules/pam_mkhomedir/.gitignore +++ b/modules/pam_mkhomedir/.gitignore @@ -1,10 +1 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_mkhomedir.8 mkhomedir_helper -mkhomedir_helper.8 diff --git a/modules/pam_motd/.gitignore b/modules/pam_motd/.gitignore deleted file mode 100644 index f36d06fa..00000000 --- a/modules/pam_motd/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_motd.8 diff --git a/modules/pam_namespace/.gitignore b/modules/pam_namespace/.gitignore deleted file mode 100644 index 59a9578c..00000000 --- a/modules/pam_namespace/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -namespace.conf.5 -pam_namespace.8 diff --git a/modules/pam_nologin/.gitignore b/modules/pam_nologin/.gitignore deleted file mode 100644 index f9fb15b5..00000000 --- a/modules/pam_nologin/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_nologin.8 diff --git a/modules/pam_permit/.gitignore b/modules/pam_permit/.gitignore deleted file mode 100644 index 5406ac33..00000000 --- a/modules/pam_permit/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_permit.8 
diff --git a/modules/pam_pwhistory/.gitignore b/modules/pam_pwhistory/.gitignore deleted file mode 100644 index c0d3c72c..00000000 --- a/modules/pam_pwhistory/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_pwhistory.8 diff --git a/modules/pam_rhosts/.gitignore b/modules/pam_rhosts/.gitignore deleted file mode 100644 index 8f807d67..00000000 --- a/modules/pam_rhosts/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_rhosts.8 diff --git a/modules/pam_rootok/.gitignore b/modules/pam_rootok/.gitignore deleted file mode 100644 index 70776789..00000000 --- a/modules/pam_rootok/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_rootok.8 diff --git a/modules/pam_securetty/.gitignore b/modules/pam_securetty/.gitignore deleted file mode 100644 index 1e9b0b2d..00000000 --- a/modules/pam_securetty/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_securetty.8 diff --git a/modules/pam_selinux/.gitignore b/modules/pam_selinux/.gitignore index 08754fd5..6683beba 100644 --- a/modules/pam_selinux/.gitignore +++ b/modules/pam_selinux/.gitignore @@ -1,11 +1,2 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in pam_selinux_check -README -pam_selinux.8 +!pam_selinux_check.8 diff --git a/modules/pam_sepermit/.gitignore b/modules/pam_sepermit/.gitignore deleted file mode 100644 index 47f494cc..00000000 --- a/modules/pam_sepermit/.gitignore +++ /dev/null @@ -1,11 +0,0 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in -README -pam_sepermit.8 -sepermit.conf.5 diff --git a/modules/pam_shells/.gitignore b/modules/pam_shells/.gitignore deleted file mode 100644 index f86c33b1..00000000 --- a/modules/pam_shells/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_shells.8 
diff --git a/modules/pam_stress/.gitignore b/modules/pam_stress/.gitignore index 9fb98574..a164aea3 100644 --- a/modules/pam_stress/.gitignore +++ b/modules/pam_stress/.gitignore @@ -1,6 +1 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in +!README diff --git a/modules/pam_succeed_if/.gitignore b/modules/pam_succeed_if/.gitignore deleted file mode 100644 index 6218e822..00000000 --- a/modules/pam_succeed_if/.gitignore +++ /dev/null @@ -1,10 +0,0 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in -README -pam_succeed_if.8 diff --git a/modules/pam_tally/.gitignore b/modules/pam_tally/.gitignore index 0286d635..b4d6899e 100644 --- a/modules/pam_tally/.gitignore +++ b/modules/pam_tally/.gitignore @@ -1,9 +1 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in pam_tally -README -pam_tally.8 diff --git a/modules/pam_tally2/.gitignore b/modules/pam_tally2/.gitignore index c20ebb92..8ff18583 100644 --- a/modules/pam_tally2/.gitignore +++ b/modules/pam_tally2/.gitignore @@ -1,9 +1 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in pam_tally2 -README -pam_tally2.8 diff --git a/modules/pam_time/.gitignore b/modules/pam_time/.gitignore deleted file mode 100644 index cac9cca3..00000000 --- a/modules/pam_time/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_time.8 -time.conf.5 diff --git a/modules/pam_timestamp/.gitignore b/modules/pam_timestamp/.gitignore index c084c915..9eb311b6 100644 --- a/modules/pam_timestamp/.gitignore +++ b/modules/pam_timestamp/.gitignore @@ -1,13 +1,2 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in -README -pam_timestamp.8 -pam_timestamp_check.8 hmacfile pam_timestamp_check diff --git a/modules/pam_tty_audit/.gitignore b/modules/pam_tty_audit/.gitignore deleted file mode 100644 index aefb9d6f..00000000 --- a/modules/pam_tty_audit/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_tty_audit.8 
diff --git a/modules/pam_umask/.gitignore b/modules/pam_umask/.gitignore deleted file mode 100644 index d53ba152..00000000 --- a/modules/pam_umask/.gitignore +++ /dev/null @@ -1,10 +0,0 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in -README -pam_umask.8 diff --git a/modules/pam_unix/.gitignore b/modules/pam_unix/.gitignore index 01819c28..3beb544f 100644 --- a/modules/pam_unix/.gitignore +++ b/modules/pam_unix/.gitignore @@ -1,14 +1,3 @@ -*.la -*.lo -*.so -.deps -.libs -Makefile -Makefile.in bigcrypt unix_chkpwd unix_update -README -pam_unix.8 -unix_chkpwd.8 -unix_update.8 diff --git a/modules/pam_userdb/.gitignore b/modules/pam_userdb/.gitignore deleted file mode 100644 index ca9670ba..00000000 --- a/modules/pam_userdb/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_userdb.8 diff --git a/modules/pam_warn/.gitignore b/modules/pam_warn/.gitignore deleted file mode 100644 index 7737bcc0..00000000 --- a/modules/pam_warn/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_warn.8 diff --git a/modules/pam_wheel/.gitignore b/modules/pam_wheel/.gitignore deleted file mode 100644 index e63f2a9c..00000000 --- a/modules/pam_wheel/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in -README -pam_wheel.8 diff --git a/modules/pam_xauth/.gitignore b/modules/pam_xauth/.gitignore deleted file mode 100644 index 1611e414..00000000 --- a/modules/pam_xauth/.gitignore +++ /dev/null @@ -1,10 +0,0 @@ -*.la -*.lo -*.so -*~ -.deps -.libs -Makefile -Makefile.in -README -pam_xauth.8 -- cgit v1.2.3 From 61a6b8c8e850ec1589e01accf15f3bce2c80d494 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Fri, 28 Oct 2011 02:20:17 +0000 Subject: Fix usage of LIBADD, LDADD and LDFLAGS * modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to pam_selinux_check_LDADD. * modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from AM_LDFLAGS. * modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from AM_LDFLAGS. * modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from AM_LDFLAGS. * modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from AM_LDFLAGS. * xtests/Makefile.am: Rename AM_LDFLAGS to LDADD. --- modules/pam_selinux/Makefile.am | 8 +++----- modules/pam_userdb/Makefile.am | 4 ++-- modules/pam_warn/Makefile.am | 4 ++-- modules/pam_wheel/Makefile.am | 4 ++-- modules/pam_xauth/Makefile.am | 4 ++-- 5 files changed, 11 insertions(+), 13 deletions(-) (limited to 'modules') diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index ef142f4e..48709ef5 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -21,12 +21,8 @@ secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include -pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \ - -L$(top_builddir)/libpam -lpam \ - -L$(top_builddir)/libpam_misc -lpam_misc - -pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module +pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -34,6 +30,8 @@ endif if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_selinux.la noinst_PROGRAMS = pam_selinux_check + pam_selinux_check_LDADD = -L$(top_builddir)/libpam -lpam \ + -L$(top_builddir)/libpam_misc -lpam_misc endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_selinux.8 
diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index 77cc9608..4fbe319b 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -18,14 +18,14 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam @LIBDB@ @LIBCRYPT@ +AM_LDFLAGS = -no-undefined -avoid-version -module @LIBDB@ @LIBCRYPT@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif if HAVE_LIBDB securelib_LTLIBRARIES = pam_userdb.la + pam_userdb_la_LIBADD = -L$(top_builddir)/libpam -lpam endif noinst_HEADERS = pam_userdb.h diff --git a/modules/pam_warn/Makefile.am b/modules/pam_warn/Makefile.am index 75cf38a5..7fd570e3 100644 --- a/modules/pam_warn/Makefile.am +++ b/modules/pam_warn/Makefile.am @@ -16,13 +16,13 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam +AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_warn.la +pam_warn_la_LIBADD = -L$(top_builddir)/libpam -lpam if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am index bccb8aae..f9d1b3d3 100644 --- a/modules/pam_wheel/Makefile.am +++ b/modules/pam_wheel/Makefile.am 
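Review bot: `@LIBDB@ @LIBCRYPT@` are still passed through `AM_LDFLAGS` in the pam_userdb/Makefile.am hunk, although the pam_xauth hunk of this same commit moves `@LIBSELINUX@` into `pam_xauth_la_LIBADD`. Libraries given in LDFLAGS land ahead of the objects on the link line, so a toolchain that links with `--as-needed` can drop them and leave the module with unresolved db/crypt symbols that only surface when PAM tries to load it. For consistency with the other modules I would write `AM_LDFLAGS = -no-undefined -avoid-version -module` and `pam_userdb_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBDB@ @LIBCRYPT@`. The rest of the Makefile.am lies outside the hunk, so any other use of `AM_LDFLAGS` there should be checked before changing it.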
@@ -16,13 +16,13 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam +AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_wheel.la +pam_wheel_la_LIBADD = -L$(top_builddir)/libpam -lpam if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am index db089adb..4504d7b2 100644 --- a/modules/pam_xauth/Makefile.am +++ b/modules/pam_xauth/Makefile.am @@ -16,13 +16,13 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_xauth.la +pam_xauth_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ if ENABLE_REGENERATE_MAN noinst_DATA = README -- cgit v1.2.3 From dc8b23cf9228ed432e9b7b2ee2209a06283241c0 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Fri, 28 Oct 2011 02:28:38 +0000 Subject: Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc GNU automake documentation recommends against using -l options in LDADD or LIBADD when referring to libraries built by the package. Instead, it recommends writing the file name of the library explicitly and using the -l option only to list third-party libraries. As a result, the default value of *_DEPENDENCIES will list all local libraries and omit the other ones. * modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", to follow GNU automake recommendations. * modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise. * modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise. * modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise. * modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise. * modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise. * modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise. * modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise. * modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise. * modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise. * modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise. * modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise. * modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise. * modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise. * modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise. * modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise. * modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise. * modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise. * modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise. * modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise. 
* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD, mkhomedir_helper_LDADD): Likewise. * modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise. * modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise. * modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise. * modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise. * modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise. * modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise. * modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise. * modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise. * modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise. * modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise. * modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD): Likewise. * modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise. * modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD, pam_tally2_LDADD): Likewise. * modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise. * modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD, pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise. * modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise. * modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise. * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise. * modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise. * modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise. * modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise. * modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise. * tests/Makefile.am (LDADD): Likewise. 
* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", and "-L$(top_builddir)/libpam_misc -lpam_misc" with "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake recommendations. * xtests/Makefile.am (LDADD): Likewise. * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise. --- modules/pam_access/Makefile.am | 2 +- modules/pam_cracklib/Makefile.am | 2 +- modules/pam_debug/Makefile.am | 2 +- modules/pam_deny/Makefile.am | 2 +- modules/pam_echo/Makefile.am | 2 +- modules/pam_env/Makefile.am | 2 +- modules/pam_exec/Makefile.am | 2 +- modules/pam_faildelay/Makefile.am | 2 +- modules/pam_filter/Makefile.am | 2 +- modules/pam_filter/upperLOWER/Makefile.am | 2 +- modules/pam_ftp/Makefile.am | 2 +- modules/pam_group/Makefile.am | 2 +- modules/pam_issue/Makefile.am | 2 +- modules/pam_keyinit/Makefile.am | 2 +- modules/pam_lastlog/Makefile.am | 2 +- modules/pam_limits/Makefile.am | 2 +- modules/pam_listfile/Makefile.am | 2 +- modules/pam_localuser/Makefile.am | 2 +- modules/pam_loginuid/Makefile.am | 2 +- modules/pam_mail/Makefile.am | 2 +- modules/pam_mkhomedir/Makefile.am | 4 ++-- modules/pam_motd/Makefile.am | 2 +- modules/pam_namespace/Makefile.am | 2 +- modules/pam_nologin/Makefile.am | 2 +- modules/pam_permit/Makefile.am | 2 +- modules/pam_pwhistory/Makefile.am | 2 +- modules/pam_rhosts/Makefile.am | 2 +- modules/pam_rootok/Makefile.am | 2 +- modules/pam_securetty/Makefile.am | 2 +- modules/pam_selinux/Makefile.am | 6 +++--- modules/pam_sepermit/Makefile.am | 2 +- modules/pam_shells/Makefile.am | 2 +- modules/pam_stress/Makefile.am | 2 +- modules/pam_succeed_if/Makefile.am | 2 +- modules/pam_tally/Makefile.am | 2 +- modules/pam_tally2/Makefile.am | 4 ++-- modules/pam_time/Makefile.am | 2 +- modules/pam_timestamp/Makefile.am | 6 +++--- modules/pam_tty_audit/Makefile.am | 2 +- modules/pam_umask/Makefile.am | 2 +- modules/pam_unix/Makefile.am | 2 +- modules/pam_userdb/Makefile.am | 2 +- 
modules/pam_warn/Makefile.am | 2 +- modules/pam_wheel/Makefile.am | 2 +- modules/pam_xauth/Makefile.am | 2 +- 45 files changed, 51 insertions(+), 51 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am index 89222b56..05276747 100644 --- a/modules/pam_access/Makefile.am +++ b/modules/pam_access/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_access.la -pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam $(NIS_LIBS) +pam_access_la_LIBADD = $(top_builddir)/libpam/libpam.la $(NIS_LIBS) secureconf_DATA = access.conf diff --git a/modules/pam_cracklib/Makefile.am b/modules/pam_cracklib/Makefile.am index 57ddd675..77b89d16 100644 --- a/modules/pam_cracklib/Makefile.am +++ b/modules/pam_cracklib/Makefile.am @@ -22,7 +22,7 @@ AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_cracklib_la_LIBADD = -L$(top_builddir)/libpam -lpam \ +pam_cracklib_la_LIBADD = $(top_builddir)/libpam/libpam.la \ @LIBCRACK@ @LIBCRYPT@ if HAVE_LIBCRACK securelib_LTLIBRARIES = pam_cracklib.la diff --git a/modules/pam_debug/Makefile.am b/modules/pam_debug/Makefile.am index d87af88f..9e27ec5e 100644 --- a/modules/pam_debug/Makefile.am +++ b/modules/pam_debug/Makefile.am @@ -20,7 +20,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_debug.la -pam_debug_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_debug_la_LIBADD = $(top_builddir)/libpam/libpam.la TESTS = tst-pam_debug diff --git a/modules/pam_deny/Makefile.am b/modules/pam_deny/Makefile.am index 118928a1..e2d2ea4c 100644 --- a/modules/pam_deny/Makefile.am +++ b/modules/pam_deny/Makefile.am @@ -21,7 +21,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_deny.la -pam_deny_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_deny_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN 
diff --git a/modules/pam_echo/Makefile.am b/modules/pam_echo/Makefile.am index 265e3a07..dc14b057 100644 --- a/modules/pam_echo/Makefile.am +++ b/modules/pam_echo/Makefile.am @@ -21,7 +21,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_echo.la -pam_echo_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_echo_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am index d39aad80..7b8d9afe 100644 --- a/modules/pam_env/Makefile.am +++ b/modules/pam_env/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_env.la -pam_env_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la secureconf_DATA = pam_env.conf sysconf_DATA = environment diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am index 2838d1de..293c00ae 100644 --- a/modules/pam_exec/Makefile.am +++ b/modules/pam_exec/Makefile.am @@ -21,7 +21,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_exec.la -pam_exec_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_exec_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN diff --git a/modules/pam_faildelay/Makefile.am b/modules/pam_faildelay/Makefile.am index 2a4a2b07..9166d582 100644 --- a/modules/pam_faildelay/Makefile.am +++ b/modules/pam_faildelay/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_faildelay.la -pam_faildelay_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_faildelay_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_filter/Makefile.am b/modules/pam_filter/Makefile.am index eddb08af..47e9b491 100644 --- a/modules/pam_filter/Makefile.am +++ b/modules/pam_filter/Makefile.am 
@@ -22,7 +22,7 @@ if HAVE_VERSIONING endif include_HEADERS=pam_filter.h -pam_filter_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_filter_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_filter.la TESTS = tst-pam_filter diff --git a/modules/pam_filter/upperLOWER/Makefile.am b/modules/pam_filter/upperLOWER/Makefile.am index 93d24ff5..41f0a349 100644 --- a/modules/pam_filter/upperLOWER/Makefile.am +++ b/modules/pam_filter/upperLOWER/Makefile.am @@ -10,6 +10,6 @@ securelibfilterdir = $(SECUREDIR)/pam_filter AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(srcdir)/.. @PIE_CFLAGS@ AM_LDFLAGS = @PIE_LDFLAGS@ -LDADD = -L$(top_builddir)/libpam -lpam +LDADD = $(top_builddir)/libpam/libpam.la securelibfilter_PROGRAMS = upperLOWER diff --git a/modules/pam_ftp/Makefile.am b/modules/pam_ftp/Makefile.am index 4401399b..bbc0a739 100644 --- a/modules/pam_ftp/Makefile.am +++ b/modules/pam_ftp/Makefile.am @@ -20,7 +20,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_ftp.la -pam_ftp_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_ftp_la_LIBADD = $(top_builddir)/libpam/libpam.la TESTS = tst-pam_ftp diff --git a/modules/pam_group/Makefile.am b/modules/pam_group/Makefile.am index 0fd2a5d2..6c1c5213 100644 --- a/modules/pam_group/Makefile.am +++ b/modules/pam_group/Makefile.am @@ -21,7 +21,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_group.la -pam_group_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_group_la_LIBADD = $(top_builddir)/libpam/libpam.la secureconf_DATA = group.conf diff --git a/modules/pam_issue/Makefile.am b/modules/pam_issue/Makefile.am index 40d5c1ab..92917398 100644 --- a/modules/pam_issue/Makefile.am +++ b/modules/pam_issue/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_issue.la -pam_issue_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_issue_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README 
diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am index 4416c1c1..5e8657c6 100644 --- a/modules/pam_keyinit/Makefile.am +++ b/modules/pam_keyinit/Makefile.am @@ -31,4 +31,4 @@ endif if HAVE_KEY_MANAGEMENT securelib_LTLIBRARIES = pam_keyinit.la endif -pam_keyinit_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_keyinit_la_LIBADD = $(top_builddir)/libpam/libpam.la diff --git a/modules/pam_lastlog/Makefile.am b/modules/pam_lastlog/Makefile.am index 88bab272..1c639327 100644 --- a/modules/pam_lastlog/Makefile.am +++ b/modules/pam_lastlog/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_lastlog.la -pam_lastlog_la_LIBADD = -L$(top_builddir)/libpam -lpam -lutil +pam_lastlog_la_LIBADD = $(top_builddir)/libpam/libpam.la -lutil if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am index 78943736..75a49088 100644 --- a/modules/pam_limits/Makefile.am +++ b/modules/pam_limits/Makefile.am @@ -25,7 +25,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_limits.la -pam_limits_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_limits_la_LIBADD = $(top_builddir)/libpam/libpam.la secureconf_DATA = limits.conf diff --git a/modules/pam_listfile/Makefile.am b/modules/pam_listfile/Makefile.am index 15466257..7b10af98 100644 --- a/modules/pam_listfile/Makefile.am +++ b/modules/pam_listfile/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_listfile.la -pam_listfile_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_listfile_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_localuser/Makefile.am b/modules/pam_localuser/Makefile.am index c7deac3f..64f2ef3f 100644 --- a/modules/pam_localuser/Makefile.am +++ b/modules/pam_localuser/Makefile.am 
@@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_localuser.la -pam_localuser_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_localuser_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_loginuid/Makefile.am b/modules/pam_loginuid/Makefile.am index 4a715f1b..1b9e87bb 100644 --- a/modules/pam_loginuid/Makefile.am +++ b/modules/pam_loginuid/Makefile.am @@ -21,7 +21,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_loginuid.la -pam_loginuid_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBAUDIT@ +pam_loginuid_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBAUDIT@ if ENABLE_REGENERATE_MAN diff --git a/modules/pam_mail/Makefile.am b/modules/pam_mail/Makefile.am index c63a2bc2..84f3d9ed 100644 --- a/modules/pam_mail/Makefile.am +++ b/modules/pam_mail/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_mail.la -pam_mail_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_mail_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_mkhomedir/Makefile.am b/modules/pam_mkhomedir/Makefile.am index 6e93ba98..eb047212 100644 --- a/modules/pam_mkhomedir/Makefile.am +++ b/modules/pam_mkhomedir/Makefile.am @@ -22,7 +22,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ securelib_LTLIBRARIES = pam_mkhomedir.la pam_mkhomedir_la_SOURCES = pam_mkhomedir.c -pam_mkhomedir_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_mkhomedir_la_LIBADD = $(top_builddir)/libpam/libpam.la pam_mkhomedir_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING pam_mkhomedir_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map 
@@ -30,7 +30,7 @@ endif sbin_PROGRAMS = mkhomedir_helper mkhomedir_helper_SOURCES = mkhomedir_helper.c -mkhomedir_helper_LDADD = -L$(top_builddir)/libpam -lpam +mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_motd/Makefile.am b/modules/pam_motd/Makefile.am index ec6cd57a..bd499c54 100644 --- a/modules/pam_motd/Makefile.am +++ b/modules/pam_motd/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_motd.la -pam_motd_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_motd_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 44513de0..586a5436 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -34,7 +34,7 @@ noinst_HEADERS = md5.h pam_namespace.h argv_parse.h if HAVE_UNSHARE securelib_LTLIBRARIES = pam_namespace.la pam_namespace_la_SOURCES = pam_namespace.c md5.c argv_parse.c - pam_namespace_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ + pam_namespace_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ secureconf_DATA = namespace.conf secureconf_SCRIPTS = namespace.init diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am index f2bcfab1..a4ed9ff3 100644 --- a/modules/pam_nologin/Makefile.am +++ b/modules/pam_nologin/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_nologin.la -pam_nologin_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_nologin_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_permit/Makefile.am b/modules/pam_permit/Makefile.am index 5d251323..dcc75ebb 100644 --- a/modules/pam_permit/Makefile.am +++ b/modules/pam_permit/Makefile.am 
@@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_permit.la -pam_permit_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_permit_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am index 4c24c275..4bb4d6df 100644 --- a/modules/pam_pwhistory/Makefile.am +++ b/modules/pam_pwhistory/Makefile.am @@ -25,7 +25,7 @@ endif noinst_HEADERS = opasswd.h securelib_LTLIBRARIES = pam_pwhistory.la -pam_pwhistory_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBCRYPT@ +pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c if ENABLE_REGENERATE_MAN diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am index 7ffd4b78..7e043833 100644 --- a/modules/pam_rhosts/Makefile.am +++ b/modules/pam_rhosts/Makefile.am @@ -23,7 +23,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_rhosts.la -pam_rhosts_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_rhosts_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_rootok/Makefile.am b/modules/pam_rootok/Makefile.am index 81969fc4..d132367a 100644 --- a/modules/pam_rootok/Makefile.am +++ b/modules/pam_rootok/Makefile.am @@ -25,7 +25,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_rootok.la -pam_rootok_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index 092b6773..30cc879a 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am 
@@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_securetty.la -pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 48709ef5..28c60d84 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -22,7 +22,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module -pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ +pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -30,8 +30,8 @@ endif if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_selinux.la noinst_PROGRAMS = pam_selinux_check - pam_selinux_check_LDADD = -L$(top_builddir)/libpam -lpam \ - -L$(top_builddir)/libpam_misc -lpam_misc + pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_selinux.8 diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index 9211a938..d1a557f6 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" -pam_sepermit_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map 
diff --git a/modules/pam_shells/Makefile.am b/modules/pam_shells/Makefile.am index f4abbb44..c9e01ccd 100644 --- a/modules/pam_shells/Makefile.am +++ b/modules/pam_shells/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_shells.la -pam_shells_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_shells_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_stress/Makefile.am b/modules/pam_stress/Makefile.am index ff33817b..a8d50eb8 100644 --- a/modules/pam_stress/Makefile.am +++ b/modules/pam_stress/Makefile.am @@ -17,4 +17,4 @@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif securelib_LTLIBRARIES = pam_stress.la -pam_stress_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_stress_la_LIBADD = $(top_builddir)/libpam/libpam.la diff --git a/modules/pam_succeed_if/Makefile.am b/modules/pam_succeed_if/Makefile.am index 49b5d46c..ce1eb500 100644 --- a/modules/pam_succeed_if/Makefile.am +++ b/modules/pam_succeed_if/Makefile.am @@ -23,7 +23,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_succeed_if.la -pam_succeed_if_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_succeed_if_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_tally/Makefile.am b/modules/pam_tally/Makefile.am index e5b95592..53d0c0a1 100644 --- a/modules/pam_tally/Makefile.am +++ b/modules/pam_tally/Makefile.am @@ -20,7 +20,7 @@ noinst_HEADERS = faillog.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include pam_tally_la_LDFLAGS = -no-undefined -avoid-version -module -pam_tally_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_tally_la_LIBADD = $(top_builddir)/libpam/libpam.la if HAVE_VERSIONING pam_tally_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif diff --git a/modules/pam_tally2/Makefile.am b/modules/pam_tally2/Makefile.am index 507c2942..ec898645 100644 
--- a/modules/pam_tally2/Makefile.am +++ b/modules/pam_tally2/Makefile.am @@ -21,12 +21,12 @@ noinst_HEADERS = tallylog.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module -pam_tally2_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +pam_tally2_la_LIBADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) if HAVE_VERSIONING pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_tally2_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) securelib_LTLIBRARIES = pam_tally2.la sbin_PROGRAMS = pam_tally2 diff --git a/modules/pam_time/Makefile.am b/modules/pam_time/Makefile.am index d2ef636c..a1640c17 100644 --- a/modules/pam_time/Makefile.am +++ b/modules/pam_time/Makefile.am @@ -21,7 +21,7 @@ AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_time_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_time_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_time.la secureconf_DATA = time.conf diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am index 9b84cd10..5588225b 100644 --- a/modules/pam_timestamp/Makefile.am +++ b/modules/pam_timestamp/Makefile.am @@ -22,7 +22,7 @@ noinst_HEADERS = hmacsha1.h sha1.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) -pam_timestamp_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la if HAVE_VERSIONING pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif 
@@ -35,11 +35,11 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -pam_timestamp_check_LDADD = -L$(top_builddir)/libpam -lpam +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c -hmacfile_LDADD = -L$(top_builddir)/libpam -lpam +hmacfile_LDADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am index 38c13c03..63784835 100644 --- a/modules/pam_tty_audit/Makefile.am +++ b/modules/pam_tty_audit/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif if HAVE_AUDIT_TTY_STATUS - pam_tty_audit_la_LIBADD = -L$(top_builddir)/libpam -lpam + pam_tty_audit_la_LIBADD = $(top_builddir)/libpam/libpam.la securelib_LTLIBRARIES = pam_tty_audit.la endif diff --git a/modules/pam_umask/Makefile.am b/modules/pam_umask/Makefile.am index 397c5398..205e7718 100644 --- a/modules/pam_umask/Makefile.am +++ b/modules/pam_umask/Makefile.am @@ -23,7 +23,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_umask.la -pam_umask_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_umask_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index ea5a7318..ab0d55ac 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -29,7 +29,7 @@ pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_unix_la_LIBADD = -L$(top_builddir)/libpam -lpam \ +pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) securelib_LTLIBRARIES = pam_unix.la 
diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index 4fbe319b..047b1009 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -25,7 +25,7 @@ endif if HAVE_LIBDB securelib_LTLIBRARIES = pam_userdb.la - pam_userdb_la_LIBADD = -L$(top_builddir)/libpam -lpam + pam_userdb_la_LIBADD = $(top_builddir)/libpam/libpam.la endif noinst_HEADERS = pam_userdb.h diff --git a/modules/pam_warn/Makefile.am b/modules/pam_warn/Makefile.am index 7fd570e3..40c5bb6b 100644 --- a/modules/pam_warn/Makefile.am +++ b/modules/pam_warn/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_warn.la -pam_warn_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_warn_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_wheel/Makefile.am b/modules/pam_wheel/Makefile.am index f9d1b3d3..0042ca82 100644 --- a/modules/pam_wheel/Makefile.am +++ b/modules/pam_wheel/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_wheel.la -pam_wheel_la_LIBADD = -L$(top_builddir)/libpam -lpam +pam_wheel_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am index 4504d7b2..0735d13b 100644 --- a/modules/pam_xauth/Makefile.am +++ b/modules/pam_xauth/Makefile.am @@ -22,7 +22,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_xauth.la -pam_xauth_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ +pam_xauth_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ if ENABLE_REGENERATE_MAN noinst_DATA = README -- cgit v1.2.3 From d39e8e553683fa9816bf54679ee5b963493f46f2 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Tue, 19 Oct 2010 23:34:51 +0000 Subject: pam_selinux.c: rewrite using pam_get_data/pam_set_data * modules/pam_selinux/pam_selinux.c (security_restorelabel_tty, security_label_tty): Remove old functions. (module_data_t): New structure. (free_module_data, cleanup, get_module_data, get_item, set_exec_context, set_file_context, compute_exec_context, compute_tty_context, restore_context, set_context, create_context): New functions. (pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session, pam_sm_close_session): Use them. --- modules/pam_selinux/pam_selinux.c | 602 +++++++++++++++++++++----------------- 1 file changed, 336 insertions(+), 266 deletions(-) (limited to 'modules')
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index b777b01e..a8f540dd 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -480,139 +480,301 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par return newcon; } +#define DATANAME "pam_selinux_context" +typedef struct { + security_context_t exec_context; + security_context_t prev_exec_context; + security_context_t default_user_context; + security_context_t tty_context; + security_context_t prev_tty_context; + char *tty_path; +} module_data_t; + static void -security_restorelabel_tty(const pam_handle_t *pamh, - const char *tty, security_context_t context) +free_module_data(module_data_t *data) +{ + free(data->tty_path); + freecon(data->prev_tty_context); + freecon(data->tty_context); + freecon(data->default_user_context); + freecon(data->prev_exec_context); + if (data->exec_context != data->default_user_context) + freecon(data->exec_context); + memset(data, 0, sizeof(*data)); + free(data); +} + +static void +cleanup(pam_handle_t *pamh UNUSED, void *data, int err UNUSED) +{ + free_module_data(data); +} + +static const module_data_t * +get_module_data(const pam_handle_t *pamh) +{ + const void *data; + + return (pam_get_data(pamh, DATANAME, &data) == PAM_SUCCESS) ? data : NULL; +} + +static const char * +get_item(const pam_handle_t *pamh, int item_type) +{ + const void *item; + + return (pam_get_item(pamh, item_type, &item) == PAM_SUCCESS) ? item : NULL; +} + +static int +set_exec_context(const pam_handle_t *pamh, security_context_t context) +{ + if (setexeccon(context) == 0) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting executable context \"%s\" failed: %m", + context ? context : ""); + return -1; +} + +static int +set_file_context(const pam_handle_t *pamh, security_context_t context, + const char *file) +{ + if (!file) + return 0; + if (setfilecon(file, context) == 0 || errno == ENOENT) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting file context \"%s\" failed for %s: %m", + context ? 
context : "", file); + return -1; +} + +static int +compute_exec_context(pam_handle_t *pamh, module_data_t *data, + int select_context, int use_current_range, + int env_params, int debug) { - char ttybuf[PATH_MAX]; - const char *ptr; + const char *username; - if (context==NULL) - return; +#ifdef HAVE_GETSEUSER + const char *service; +#endif + char *seuser = NULL; + char *level = NULL; + security_context_t *contextlist = NULL; + int num_contexts = 0; - if(strncmp("/dev/", tty, 5)) { - snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); - ptr = ttybuf; + if (!(username = get_item(pamh, PAM_USER))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name"); + return PAM_USER_UNKNOWN; } - else - ptr = tty; - if (setfilecon(ptr, context) && errno != ENOENT) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not relabel %s with %s, not relabeling: %m", - ptr, context); + /* compute execute context */ +#ifdef HAVE_GETSEUSER + if (!(service = get_item(pamh, PAM_SERVICE))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name"); + return PAM_SESSION_ERR; + } + if (getseuser(username, service, &seuser, &level) == 0) { +#else + if (getseuserbyname(username, &seuser, &level) == 0) { +#endif + num_contexts = get_ordered_context_list_with_level(seuser, level, NULL, + &contextlist); + if (debug) + pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User= %s Level= %s", + username, seuser, level); + free(level); + } + if (num_contexts > 0) { + free(seuser); + data->default_user_context = strdup(contextlist[0]); + freeconary(contextlist); + if (!data->default_user_context) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; + } + + data->exec_context = data->default_user_context; + if (select_context) + data->exec_context = config_context(pamh, data->default_user_context, + use_current_range, debug); + else if (env_params || use_current_range) + data->exec_context = context_from_env(pamh, data->default_user_context, + env_params, use_current_range, + debug); 
+ } else { + if (seuser) { + data->exec_context = manual_context(pamh, seuser, debug); + free(seuser); + } } + + if (!data->exec_context) { + pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); + pam_prompt(pamh, PAM_ERROR_MSG, NULL, + _("Unable to get valid context for %s"), username); + } + + if (getexeccon(&data->prev_exec_context) < 0) + data->prev_exec_context = NULL; + + return PAM_SUCCESS; } -static security_context_t -security_label_tty(pam_handle_t *pamh, char *tty, - security_context_t usercon) +static int +compute_tty_context(const pam_handle_t *pamh, module_data_t *data) { - char ttybuf[PATH_MAX]; - int status=0; - security_context_t newdev_context=NULL; /* The new context of a device */ - security_context_t prev_context=NULL; /* The new context of a device */ - const char *ptr; - - if(strncmp("/dev/", tty, 5)) - { - snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); - ptr = ttybuf; + const char *tty = get_item(pamh, PAM_TTY); + + if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) { + tty = ttyname(STDIN_FILENO); + if (!tty || !*tty) + tty = ttyname(STDOUT_FILENO); + if (!tty || !*tty) + tty = ttyname(STDERR_FILENO); + if (!tty || !*tty) + return PAM_SUCCESS; } - else - ptr = tty; - - if (getfilecon(ptr, &prev_context) < 0) - { - if(errno != ENOENT) - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not get current context for %s, not relabeling: %m", - ptr); - return NULL; + + if (strncmp("/dev/", tty, 5)) { + if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0) + data->tty_path = NULL; + } else { + data->tty_path = strdup(tty); } - if( security_compute_relabel(usercon,prev_context,SECCLASS_CHR_FILE, - &newdev_context)!=0) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! 
Could not get new context for %s, not relabeling: %m", - ptr); - pam_syslog(pamh, LOG_NOTICE, - "usercon=%s, prev_context=%s", usercon, prev_context); - freecon(prev_context); - return NULL; + + if (!data->tty_path) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; } - status=setfilecon(ptr,newdev_context); - if (status) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not relabel %s with %s, not relabeling: %m", - ptr,newdev_context); - freecon(prev_context); - prev_context=NULL; + + if (getfilecon(data->tty_path, &data->prev_tty_context) < 0) { + data->prev_tty_context = NULL; + if (errno == ENOENT) { + free(data->tty_path); + data->tty_path = NULL; + return PAM_SUCCESS; + } + pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m", + data->tty_path); + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; } - freecon(newdev_context); - return prev_context; -} -static security_context_t user_context=NULL; -static security_context_t prev_user_context=NULL; -static security_context_t ttyn_context=NULL; /* The current context of ttyn device */ -static int selinux_enabled=0; -static char *ttyn=NULL; + if (security_compute_relabel(data->exec_context, data->prev_tty_context, + SECCLASS_CHR_FILE, &data->tty_context)) { + data->tty_context = NULL; + pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m", + data->tty_path); + freecon(data->prev_tty_context); + data->prev_tty_context = NULL; + free(data->tty_path); + data->tty_path = NULL; + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + } -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) + return PAM_SUCCESS; +} + +static int +restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug) { - /* Fail by default. 
*/ - return PAM_AUTH_ERR; + int err; + + if (!data) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "No context to restore"); + return PAM_SUCCESS; + } + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, + "Restore file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->tty_context ? data->tty_context : "", + data->prev_tty_context ? data->prev_tty_context : ""); + err = set_file_context(pamh, data->prev_tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Restore executable context: [%s] -> [%s]", + data->exec_context, + data->prev_exec_context ? data->prev_exec_context : ""); + err |= set_exec_context(pamh, data->prev_exec_context); + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; } -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) +static int +set_context(pam_handle_t *pamh, const module_data_t *data, + int debug, int verbose) { - return PAM_SUCCESS; + int rc, err; + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, "Set file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->prev_tty_context ? data->prev_tty_context : "", + data->tty_context ? data->tty_context : ""); + err = set_file_context(pamh, data->tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set executable context: [%s] -> [%s]", + data->prev_exec_context ? data->prev_exec_context : "", + data->exec_context); + rc = set_exec_context(pamh, data->exec_context); + err |= rc; + + send_audit_message(pamh, !rc, data->default_user_context, data->exec_context); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Security Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#ifdef HAVE_SETKEYCREATECON + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set key creation context to %s", + data->exec_context ? 
data->exec_context : ""); + rc = setkeycreatecon(data->exec_context); + err |= rc; + if (rc) + pam_syslog(pamh, LOG_ERR, "Setting key creation context %s failed: %m", + data->exec_context ? data->exec_context : ""); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Key Creation Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#endif + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; } -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +static int +create_context(pam_handle_t *pamh, int argc, const char **argv, + int debug, int verbose) { - int i, debug = 0, ttys=1; - int verbose=0, close_session=0; + int i; + int ttys = 1; int select_context = 0; int use_current_range = 0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; int env_params = 0; - const char *username; - const void *void_username; - const void *tty = NULL; - char *seuser=NULL; - char *level=NULL; - security_context_t default_user_context=NULL; -#ifdef HAVE_GETSEUSER - const void *void_service; - const char *service; -#endif + module_data_t *data; /* Parse arguments. */ for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) { - debug = 1; - } if (strcmp(argv[i], "nottys") == 0) { ttys = 0; } - if (strcmp(argv[i], "verbose") == 0) { - verbose = 1; - } - if (strcmp(argv[i], "close") == 0) { - close_session = 1; - } if (strcmp(argv[i], "select_context") == 0) { select_context = 1; } 
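Review bot: In compute_tty_context, the getfilecon() failure branch for errors other than ENOENT returns with `data->tty_path` still set while `prev_tty_context` and `tty_context` are both NULL. The ENOENT branch and the security_compute_relabel() failure branch both clear the path instead. When the system is not enforcing, this branch returns PAM_SUCCESS, and set_context then passes the NULL `data->tty_context` to set_file_context, which only checks `file` before calling setfilecon(). Adding `free(data->tty_path); data->tty_path = NULL;` after the pam_syslog call would make the three branches consistent. Whether setfilecon() tolerates a NULL context is not visible in this hunk, so that should be confirmed as well.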
@@ -624,171 +786,103 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, } } - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Open Session"); + if (is_selinux_enabled() <= 0) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "SELinux is not enabled"); + return PAM_SUCCESS; + } if (select_context && env_params) { - pam_syslog(pamh, LOG_ERR, "select_context cannot be used with env_params"); + pam_syslog(pamh, LOG_ERR, + "select_context cannot be used with env_params"); select_context = 0; } - /* this module is only supposed to execute close_session */ - if (close_session) - return PAM_SUCCESS; + if (!(data = calloc(1, sizeof(*data)))) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; + } - if (!(selinux_enabled = is_selinux_enabled()>0) ) - return PAM_SUCCESS; + i = compute_exec_context(pamh, data, select_context, use_current_range, + env_params, debug); + if (i != PAM_SUCCESS) { + free_module_data(data); + return i; + } - if (pam_get_item(pamh, PAM_USER, &void_username) != PAM_SUCCESS || - void_username == NULL) { - return PAM_USER_UNKNOWN; + if (!data->exec_context) { + free_module_data(data); + return (security_getenforce() == 1) ? 
PAM_SESSION_ERR : PAM_SUCCESS; } - username = void_username; -#ifdef HAVE_GETSEUSER - if (pam_get_item(pamh, PAM_SERVICE, (void *) &void_service) != PAM_SUCCESS || - void_service == NULL) { - return PAM_SESSION_ERR; + if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) { + free_module_data(data); + return i; } - service = void_service; - if (getseuser(username, service, &seuser, &level) == 0) { -#else - if (getseuserbyname(username, &seuser, &level) == 0) { -#endif - num_contexts = get_ordered_context_list_with_level(seuser, - level, - NULL, - &contextlist); - if (debug) - pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", - username, seuser, level); - free(level); + if ((i = pam_set_data(pamh, DATANAME, data, cleanup)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Error saving context: %m"); + free_module_data(data); + return i; } - if (num_contexts > 0) { - free(seuser); - default_user_context=strdup(contextlist[0]); - freeconary(contextlist); - if (default_user_context == NULL) { - pam_syslog(pamh, LOG_ERR, "Out of memory"); - return PAM_BUF_ERR; - } - user_context = default_user_context; - if (select_context) { - user_context = config_context(pamh, default_user_context, use_current_range, debug); - } else if (env_params || use_current_range) { - user_context = context_from_env(pamh, default_user_context, env_params, use_current_range, debug); - } + return set_context(pamh, data, debug, verbose); +} - if (user_context == NULL) { - freecon(default_user_context); - pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", - username); - pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; - } - } - else { - if (seuser != NULL) { - user_context = manual_context(pamh,seuser,debug); - free(seuser); - } - if (user_context == NULL) { - pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", - 
username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; - } - } +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + /* Fail by default. */ + return PAM_AUTH_ERR; +} - if (getexeccon(&prev_user_context)<0) { - prev_user_context=NULL; - } - if (ttys) { - /* Get the name of the terminal. */ - if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS) { - tty = NULL; - } +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} - if ((tty == NULL) || (strlen(tty) == 0) || - strcmp(tty, "ssh") == 0 || strncmp(tty, "NODEV", 5) == 0) { - tty = ttyname(STDIN_FILENO); - if ((tty == NULL) || (strlen(tty) == 0)) { - tty = ttyname(STDOUT_FILENO); - } - if ((tty == NULL) || (strlen(tty) == 0)) { - tty = ttyname(STDERR_FILENO); - } +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + const module_data_t *data; + int i, debug = 0, verbose = 0, close_session = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; } - } - if (ttys && tty) { - ttyn=strdup(tty); - ttyn_context=security_label_tty(pamh,ttyn,user_context); - } - send_audit_message(pamh, 1, default_user_context, user_context); - if (default_user_context != user_context) { - freecon(default_user_context); - } - ret = setexeccon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; - snprintf(msg, sizeof(msg), - _("Security Context %s Assigned"), user_context); - send_text(pamh, msg, debug); - } - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! 
Unable to set %s executable context %s.", - username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", - username, user_context); - } -#ifdef HAVE_SETKEYCREATECON - ret = setkeycreatecon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; - snprintf(msg, sizeof(msg), - _("Key Creation Context %s Assigned"), user_context); - send_text(pamh, msg, debug); - } - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! Unable to set %s key creation context %s.", - username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; + if (strcmp(argv[i], "close") == 0) { + close_session = 1; } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", - username, user_context); } -#endif - freecon(user_context); - return PAM_SUCCESS; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + + /* Is this module supposed to execute close_session only? */ + if (close_session) + return PAM_SUCCESS; + + data = get_module_data(pamh); + + /* If there is a saved context, this module is supposed to set it again. */ + return data ? set_context(pamh, data, debug, verbose) : + create_context(pamh, argc, argv, debug, verbose); } PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int i, debug = 0, status = PAM_SUCCESS, open_session = 0; - if (! (selinux_enabled )) - return PAM_SUCCESS; + int i, debug = 0, open_session = 0; /* Parse arguments. */ for (i = 0; i < argc; i++) { 
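Review bot: In create_context, the pam_set_data() failure path logs with `%m`, but pam_set_data() reports failure through its PAM return code and nothing here shows errno being set by it. The logged text may therefore describe an unrelated earlier error. I would log the PAM code instead: `pam_syslog(pamh, LOG_ERR, "Error saving context: %s", pam_strerror(pamh, i));`. The return of `i` and the free_module_data() call on that path look correct as written.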
@@ -803,34 +897,10 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, if (debug) pam_syslog(pamh, LOG_NOTICE, "Close Session"); + /* Is this module supposed to execute open_session only? */ if (open_session) return PAM_SUCCESS; - if (ttyn) { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Restore tty %s -> %s", - ttyn,ttyn_context); - - security_restorelabel_tty(pamh,ttyn,ttyn_context); - freecon(ttyn_context); - free(ttyn); - ttyn=NULL; - } - - if (setexeccon(prev_user_context)) { - pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.", - prev_user_context ? prev_user_context : ""); - if (security_getenforce() == 1) - status = PAM_AUTH_ERR; - else - status = PAM_SUCCESS; - } else if (debug) - pam_syslog(pamh, LOG_NOTICE, "Executable context back to original"); - - if (prev_user_context) { - freecon(prev_user_context); - prev_user_context = NULL; - } - - return status; + /* Restore original context. */ + return restore_context(pamh, get_module_data(pamh), debug); } -- cgit v1.2.3 From cffedb98666140013497524064d3098c11461ff1 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 19 Oct 2010 23:34:52 +0000 Subject: pam_selinux.c: add "restore" option * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new "restore" option. --- modules/pam_selinux/pam_selinux.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index a8f540dd..d66ccb46 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -849,7 +849,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { const module_data_t *data; - int i, debug = 0, verbose = 0, close_session = 0; + int i, debug = 0, verbose = 0, close_session = 0, restore = 0; /* Parse arguments. */ for (i = 0; i < argc; i++) { 
@@ -862,6 +862,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (strcmp(argv[i], "close") == 0) { close_session = 1; } + if (strcmp(argv[i], "restore") == 0) { + restore = 1; + } } if (debug) @@ -873,6 +876,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, data = get_module_data(pamh); + /* Is this module supposed only to restore original context? */ + if (restore) + return restore_context(pamh, data, debug); + /* If there is a saved context, this module is supposed to set it again. */ return data ? set_context(pamh, data, debug, verbose) : create_context(pamh, argc, argv, debug, verbose); -- cgit v1.2.3 From aea290af6d2de6a493e952b9ef8c771ab9014fef Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 19 Oct 2010 23:34:52 +0000 Subject: pam_selinux.8.xml: update * modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis): Reorder options, add new "restore" option. pam_selinux-description): Rewrite. (pam_selinux-options): Reorder options, describe new "restore" option. (pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR and PAM_BUF_ERR. (pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4) and selinux(8). --- modules/pam_selinux/pam_selinux.8.xml | 113 ++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 39 deletions(-) (limited to 'modules') diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 2c1cdb24..28d465f5 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -19,17 +19,20 @@ pam_selinux.so - close + open - debug + close - open + restore nottys + + debug + verbose 
@@ -48,26 +51,31 @@ DESCRIPTION - In a nutshell, pam_selinux sets up the default security context for the - next execed shell. + pam_selinux is a PAM module that sets up the default SELinux security + context for the next executed process. + + + When a new session is started, the open_session part of the module + computes and sets up the execution security context used for the next + + execve2 + + call, the file security context for the controlling terminal, and + the security context used for creating a new kernel keyring. - When an application opens a session using pam_selinux, the shell that - gets executed will be run in the default security context, or if the - user chooses and the pam file allows the selected security context. - Also the controlling tty will have it's security context modified to - match the users. + When the session is ended, the close_session part of the module restores + old security contexts that were in effect before the change made + by the open_session part of the module. - Adding pam_selinux into a pam file could cause other pam modules to - change their behavior if the exec another application. The close and - open option help mitigate this problem. close option will only cause - the close portion of the pam_selinux to execute, and open will only - cause the open portion to run. You can add pam_selinux to the config - file twice. Add the pam_selinux close as the executes the open pass - through the modules, pam_selinux open_session will happen last. - When PAM executes the close pass through the modules pam_selinux - close_session will happen first. + Adding pam_selinux into the PAM stack might disrupt behavior of other + PAM modules which execute applications. To avoid that, + pam_selinux.so open should be placed after such + modules in the PAM stack, and pam_selinux.so close + should be placed before them. 
When such a placement is not feasible, + pam_selinux.so restore could be used to temporary + restore original security contexts. @@ -76,34 +84,34 @@ - + - Only execute the close_session portion of the module. + Only execute the open_session part of the module. - + - Turns on debugging via - - syslog3 - . + Only execute the close_session part of the module. - + - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the + security contexts as they were before the previous call of + the module. Another call of this module without the restore + option will set up the new security contexts again. @@ -113,7 +121,20 @@ - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. + + + + + + + + + + Turn on debug messages via + + syslog3 + . @@ -123,7 +144,7 @@ - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. @@ -134,7 +155,7 @@ Attempt to ask the user for a custom security context role. - If MLS is on ask also for sensitivity level. + If MLS is on, ask also for sensitivity level. @@ -145,11 +166,11 @@ Attempt to obtain a custom security context role from PAM environment. - If MLS is on obtain also sensitivity level. This option and the - select_context option are mutually exclusive. The respective PAM + If MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and - SELINUX_USE_CURRENT_RANGE. The first two variables + SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. 
@@ -181,18 +202,18 @@ RETURN VALUES - PAM_AUTH_ERR + PAM_SUCCESS - Unable to get or set a valid context. + The security context was set successfully. - PAM_SUCCESS + PAM_SESSION_ERR - The security context was set successfully. + Unable to get or set a valid context. @@ -204,6 +225,14 @@ + + PAM_BUF_ERR + + + Memory allocation error. + + + @@ -220,13 +249,19 @@ session optional pam_selinux.so SEE ALSO - pam.conf5 + execve2 + , + + tty4 , pam.d5 , pam8 + , + + selinux8 -- cgit v1.2.3 From 0baf28fa03dfa46482e13390fd9a7545c30ccd7f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Jan 2012 12:30:43 +0100 Subject: Fix matching of usernames in the pam_unix remember feature. * modules/pam_unix/pam_unix_passwd.c (check_old_password): Make sure we match only the whole username in opasswd entry. * modules/pam_unix/passverify.c (save_old_password): Likewise make sure we match only the whole username in opasswd entry. --- modules/pam_unix/pam_unix_passwd.c | 4 +++- modules/pam_unix/passverify.c | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 6ba2c2e6..498a81c6 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -280,13 +280,15 @@ static int check_old_password(const char *forwho, const char *newpass) char *s_luser, *s_uid, *s_npas, *s_pas; int retval = PAM_SUCCESS; FILE *opwfile; + size_t len = strlen(forwho); opwfile = fopen(OLD_PASSWORDS_FILE, "r"); if (opwfile == NULL) return PAM_ABORT; while (fgets(buf, 16380, opwfile)) { - if (!strncmp(buf, forwho, strlen(forwho))) { + if (!strncmp(buf, forwho, len) && (buf[len] == ':' || + buf[len] == ',')) { char *sptr; buf[strlen(buf) - 1] = '\0'; s_luser = strtok_r(buf, ":,", &sptr); diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 089f4b83..52899552 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c 
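Review bot: The whole-username test added to check_old_password accepts only `':'` or `','` after the name, while the parallel change to save_old_password in passverify.c uses `strchr(":,\n", buf[len]) != NULL`. The second form also accepts a newline and, because strchr() matches the string terminator, a NUL byte. If the two are meant to agree, a small static helper called from both loops would keep them in step. Otherwise a comment at each site such as `/* the name must be followed by a field separator, so "bob" does not match a "bobby:" entry */` would record why they differ. The loop body of check_old_password continues outside the hunk.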
@@ -562,6 +562,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, int found = 0; struct passwd *pwd = NULL; struct stat st; + size_t len = strlen(forwho); #ifdef WITH_SELINUX security_context_t prev_context=NULL; #endif @@ -629,7 +630,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, } while (fgets(buf, 16380, opwfile)) { - if (!strncmp(buf, forwho, strlen(forwho))) { + if (!strncmp(buf, forwho, len) && strchr(":,\n", buf[len]) != NULL) { char *sptr = NULL; found = 1; if (howmany == 0) -- cgit v1.2.3 From 91e4c3633f34a6590743ee105746308664078073 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 13 Jan 2012 18:33:27 +0100 Subject: Add possibility to match ruser, rhost, and tty in pam_succeed_if. * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser, rhost, and tty as left operand. * modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new possible left operands. --- modules/pam_succeed_if/pam_succeed_if.8.xml | 9 +++++---- modules/pam_succeed_if/pam_succeed_if.c | 28 +++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 5 deletions(-) (limited to 'modules') diff --git a/modules/pam_succeed_if/pam_succeed_if.8.xml b/modules/pam_succeed_if/pam_succeed_if.8.xml index cc61e088..7bdcb024 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8.xml +++ b/modules/pam_succeed_if/pam_succeed_if.8.xml @@ -33,8 +33,8 @@ pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being - authenticated. One use is to select whether to load other modules based - on this test. + authenticated or values of other PAM items. One use is to select whether + to load other modules based on this test. @@ -105,8 +105,9 @@ Available fields are user, uid, gid, - shell, home - and service: + shell, home, + ruser, rhost, + tty and service: 
diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 2670c258..32a73738 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -281,11 +281,37 @@ evaluate(pam_handle_t *pamh, int debug, } if (strcasecmp(left, "service") == 0) { const void *svc; - if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS) + if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || + svc == NULL) svc = ""; snprintf(buf, sizeof(buf), "%s", (const char *)svc); left = buf; } + if (strcasecmp(left, "ruser") == 0) { + const void *ruser; + if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS || + ruser == NULL) + ruser = ""; + snprintf(buf, sizeof(buf), "%s", (const char *)ruser); + left = buf; + user = buf; + } + if (strcasecmp(left, "rhost") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS || + rhost == NULL) + rhost = ""; + snprintf(buf, sizeof(buf), "%s", (const char *)rhost); + left = buf; + } + if (strcasecmp(left, "tty") == 0) { + const void *tty; + if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS || + tty == NULL) + tty = ""; + snprintf(buf, sizeof(buf), "%s", (const char *)tty); + left = buf; + } /* If we have no idea what's going on, return an error. */ if (left != buf) { pam_syslog(pamh, LOG_CRIT, "unknown attribute \"%s\"", left); -- cgit v1.2.3 From d5a261b8be2035bbf49726eb7ac792ee6d5a22d1 Mon Sep 17 00:00:00 2001 
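Review bot: The new `rhost` and `tty` branches in evaluate() both call `pam_get_item(pamh, PAM_SERVICE, ...)`, so a condition on either field is compared against the service name rather than the remote host or the terminal. They should read `pam_get_item(pamh, PAM_RHOST, &rhost)` and `pam_get_item(pamh, PAM_TTY, &tty)`. As written, a rule meant to restrict access by rhost or tty is decided on the wrong value, and nothing is logged to show it. Separately, the `user = buf;` line in the `ruser` branch changes what later user-based tests see. Those tests are outside the hunk, so a one-line comment stating that this is intended would help the next reader.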
From: Tomas Mraz Date: Tue, 24 Jan 2012 20:03:28 +0100 Subject: Make / mount as rslave instead of bind mounting polydirs. * modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument. (check_inst_parent): Drop the always argument from protect_dir(). (create_polydir): Likewise. (ns_setup): Likewise and do not mark the polydir with MS_PRIVATE. (setup_namespace): Mark the / with MS_SLAVE|MS_REC. * modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs. --- modules/pam_namespace/pam_namespace.8.xml | 10 ++++++-- modules/pam_namespace/pam_namespace.c | 40 +++++++++++++++---------------- 2 files changed, 27 insertions(+), 23 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index 48021c80..6ec3ad23 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -246,12 +246,18 @@ This option can be used on systems where the / mount point or its submounts are made shared (for example with a mount --make-rshared / command). - The module will make the polyinstantiated directory mount points - private. Normally the pam_namespace will try to detect the + The module will mark the whole directory tree so any mount and + unmount operations in the polyinstantiation namespace are private. + Normally the pam_namespace will try to detect the shared / mount point and make the polyinstantiated directories private automatically. This option has to be used just when only a subtree is shared and / is not. + + Note that mounts and unmounts done in the private namespace will not + affect the parent namespace if this option is used or when the + shared / mount point is autodetected. + diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index f0bffa15..470f493b 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c 
@@ -1003,7 +1003,7 @@ static int protect_mount(int dfd, const char *path, struct instance_data *idata) return 0; } -static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, +static int protect_dir(const char *path, mode_t mode, int do_mkdir, struct instance_data *idata) { char *p = strdup(path); @@ -1082,7 +1082,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, } } - if ((flags & O_NOFOLLOW) || always) { + if (flags & O_NOFOLLOW) { /* we are inside user-owned dir - protect */ if (protect_mount(rv, p, idata) == -1) { save_errno = errno; @@ -1124,7 +1124,7 @@ static int check_inst_parent(char *ipath, struct instance_data *idata) if (trailing_slash) *trailing_slash = '\0'; - dfd = protect_dir(inst_parent, 0, 1, 0, idata); + dfd = protect_dir(inst_parent, 0, 1, idata); if (dfd == -1 || fstat(dfd, &instpbuf) < 0) { pam_syslog(idata->pamh, LOG_ERR, @@ -1259,7 +1259,7 @@ static int create_polydir(struct polydir_s *polyptr, } #endif - rc = protect_dir(dir, mode, 1, idata->flags & PAMNS_MOUNT_PRIVATE, idata); + rc = protect_dir(dir, mode, 1, idata); if (rc == -1) { pam_syslog(idata->pamh, LOG_ERR, "Error creating directory %s: %m", dir); @@ -1447,7 +1447,7 @@ static int ns_setup(struct polydir_s *polyptr, pam_syslog(idata->pamh, LOG_DEBUG, "Set namespace for directory %s", polyptr->dir); - retval = protect_dir(polyptr->dir, 0, 0, idata->flags & PAMNS_MOUNT_PRIVATE, idata); + retval = protect_dir(polyptr->dir, 0, 0, idata); if (retval < 0 && errno != ENOENT) { pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", 
@@ -1534,22 +1534,6 @@ static int ns_setup(struct polydir_s *polyptr, goto error_out; } - if (idata->flags & PAMNS_MOUNT_PRIVATE) { - /* - * Make the polyinstantiated dir private mount. This depends - * on making the dir a mount point in the protect_dir call. - */ - if (mount(polyptr->dir, polyptr->dir, NULL, MS_PRIVATE|MS_REC, NULL) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error making %s a private mount, %m", - polyptr->dir); - goto error_out; - } - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "Polyinstantiated directory %s made as private mount", polyptr->dir); - - } - /* * Bind mount instance directory on top of the polyinstantiated * directory to provide an instance of polyinstantiated directory @@ -1720,6 +1704,20 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) "Unable to unshare from parent namespace, %m"); return PAM_SESSION_ERR; } + if (idata->flags & PAMNS_MOUNT_PRIVATE) { + /* + * Remount / as SLAVE so that nothing mounted in the namespace + * shows up in the parent + */ + if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Failed to mark / as a slave mount point, %m"); + return PAM_SESSION_ERR; + } + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "The / mount point was marked as slave"); + } } else { del_polydir_list(idata->polydirs_ptr); return PAM_SUCCESS; -- cgit v1.2.3 From 17a3f6715591b215a7fdd3127db4abe70ff26381 Mon Sep 17 00:00:00 2001 
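Review bot: The comment on the new `mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL)` call in setup_namespace() describes only one direction of the propagation change. With slave propagation, mount and unmount events from the parent namespace still arrive in the session's namespace, which a reader of a flag named PAMNS_MOUNT_PRIVATE would not expect. I would spell that out, e.g. `/* Mark / recursively as slave: mounts made in this namespace stay out of the parent, while parent mount events still propagate in. */`. There is also a stray space before the comma after `MS_REC`. setup_namespace() continues outside the hunk.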
From: Tomas Mraz Date: Thu, 26 Jan 2012 14:50:51 +0100 Subject: Do not unmount anything by default in pam_namespace close session call. * modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize the unmount_on_close option and make the default to be to not unmount. * modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to PAMNS_UNMOUNT_ON_CLOSE. * modules/pam_namespace/pam_namespace.8.xml: Document the change. --- modules/pam_namespace/pam_namespace.8.xml | 17 +++++++++-------- modules/pam_namespace/pam_namespace.c | 24 +++++++++++++----------- modules/pam_namespace/pam_namespace.h | 2 +- 3 files changed, 23 insertions(+), 20 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml index 6ec3ad23..f0f80d33 100644 --- a/modules/pam_namespace/pam_namespace.8.xml +++ b/modules/pam_namespace/pam_namespace.8.xml @@ -44,7 +44,7 @@ ignore_instance_parent_mode - no_unmount_on_close + unmount_on_close use_current_context @@ -195,16 +195,17 @@ - + - For certain trusted programs such as newrole, open session - is called from a child process while the parent performs - close session and pam end functions. For these commands - use this option to instruct pam_close_session to not - unmount the bind mounted polyinstantiated directory in the - parent. + Explicitly unmount the polyinstantiated directories instead + of relying on automatic namespace destruction after the last + process in a namespace exits. This option should be used + only in case it is ensured by other means that there cannot be + any processes running in the private namespace left after the + session close. It is also useful only in case there are + multiple pam session calls in sequence from the same process. diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 470f493b..a40f05e6 100644 --- a/modules/pam_namespace/pam_namespace.c 
+++ b/modules/pam_namespace/pam_namespace.c @@ -2108,24 +2108,26 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, idata.flags |= PAMNS_DEBUG; if (strcmp(argv[i], "ignore_config_error") == 0) idata.flags |= PAMNS_IGN_CONFIG_ERR; - if (strcmp(argv[i], "no_unmount_on_close") == 0) - idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE; + if (strcmp(argv[i], "unmount_on_close") == 0) + idata.flags |= PAMNS_UNMOUNT_ON_CLOSE; } if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start"); /* - * For certain trusted programs such as newrole, open session - * is called from a child process while the parent perfoms - * close session and pam end functions. For these commands - * pam_close_session should not perform the unmount of the - * polyinstantiatied directory because it will result in - * undoing of parents polyinstantiatiaion. These commands - * will invoke pam_namespace with the "no_unmount_on_close" - * argument. + * Normally the unmount is implicitly done when the last + * process in the private namespace exits. + * If it is ensured that there are no child processes left in + * the private namespace by other means and if there are + * multiple sessions opened and closed sequentially by the + * same process, the "unmount_on_close" option might be + * used to unmount the polydirs explicitly. */ - if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) { + if (!(idata.flags & PAMNS_UNMOUNT_ON_CLOSE)) { + pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); + pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); + if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); return PAM_SUCCESS; diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 6bca31c4..1d0c11c6 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h 
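Review bot: The early-return branch in pam_sm_close_session() now calls `pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL)` and the same for NAMESPACE_PROTECT_DATA without saying why and without looking at the return values. A one-line comment such as `/* drop the saved polydir and protect data; nothing is unmounted in this process */` would make the intent clear; presumably the stored entries are released through their cleanup callbacks, which are not visible here. If a failure of pam_set_data() matters on this path, it should at least be logged under PAMNS_DEBUG. The function body starts and ends outside the hunk.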
@@ -101,7 +101,7 @@ #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ -#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ +#define PAMNS_UNMOUNT_ON_CLOSE 0x00010000 /* Unmount at session close */ #define PAMNS_USE_CURRENT_CONTEXT 0x00020000 /* use getcon instead of getexeccon */ #define PAMNS_USE_DEFAULT_CONTEXT 0x00040000 /* use get_default_context instead of getexeccon */ #define PAMNS_MOUNT_PRIVATE 0x00080000 /* Make the polydir mounts private */ -- cgit v1.2.3 From aff021e14203373248e376b4ca013e58074dc7a9 Mon Sep 17 00:00:00 2001 From: Matveychikov Ilya Date: Tue, 17 Jan 2012 11:16:49 +0400 Subject: Fix compile time errors in --enable-static-modules mode * libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove obsolete declaration. (static_modules): Remove undefined reference to _pam_rhosts_auth_modstruct. * modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to {save,check}_old_pass in order to avoid conflicts with pam_unix. * modules/pam_pwhistory/opasswd.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to _pam_tally2_modstruct. Signed-off-by: Matveychikov Ilya --- modules/pam_pwhistory/opasswd.c | 8 ++++---- modules/pam_pwhistory/opasswd.h | 10 +++++----- modules/pam_pwhistory/pam_pwhistory.c | 12 ++++++------ modules/pam_tally2/pam_tally2.c | 2 +- 4 files changed, 16 insertions(+), 16 deletions(-) (limited to 'modules') diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c index f896119b..274fdb92 100644 --- a/modules/pam_pwhistory/opasswd.c +++ b/modules/pam_pwhistory/opasswd.c 
@@ -113,8 +113,8 @@ compare_password(const char *newpass, const char *oldpass) /* Check, if the new password is already in the opasswd file. */ int -check_old_password (pam_handle_t *pamh, const char *user, - const char *newpass, int debug) +check_old_pass (pam_handle_t *pamh, const char *user, + const char *newpass, int debug) { int retval = PAM_SUCCESS; FILE *oldpf; @@ -209,8 +209,8 @@ check_old_password (pam_handle_t *pamh, const char *user, } int -save_old_password (pam_handle_t *pamh, const char *user, uid_t uid, - const char *oldpass, int howmany, int debug UNUSED) +save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + const char *oldpass, int howmany, int debug UNUSED) { char opasswd_tmp[] = TMP_PASSWORDS_FILE; struct stat opasswd_stat; diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h index e8a20139..db3e6568 100644 --- a/modules/pam_pwhistory/opasswd.h +++ b/modules/pam_pwhistory/opasswd.h @@ -36,10 +36,10 @@ #ifndef __OPASSWD_H__ #define __OPASSWD_H__ -extern int check_old_password (pam_handle_t *pamh, const char *user, - const char *newpass, int debug); -extern int save_old_password (pam_handle_t *pamh, const char *user, - uid_t uid, const char *oldpass, - int howmany, int debug); +extern int check_old_pass (pam_handle_t *pamh, const char *user, + const char *newpass, int debug); +extern int save_old_pass (pam_handle_t *pamh, const char *user, + uid_t uid, const char *oldpass, + int howmany, int debug); #endif /* __OPASSWD_H__ */ diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 9b588958..4c582bc2 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c 
@@ -168,15 +168,15 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (spw == NULL) return PAM_USER_UNKNOWN; - retval = save_old_password (pamh, user, pwd->pw_uid, spw->sp_pwdp, - options.remember, options.debug); + retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, + options.remember, options.debug); if (retval != PAM_SUCCESS) return retval; } else { - retval = save_old_password (pamh, user, pwd->pw_uid, pwd->pw_passwd, - options.remember, options.debug); + retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd, + options.remember, options.debug); if (retval != PAM_SUCCESS) return retval; } @@ -208,8 +208,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (options.debug) pam_syslog (pamh, LOG_DEBUG, "check against old password file"); - if (check_old_password (pamh, user, newpass, - options.debug) != PAM_SUCCESS) + if (check_old_pass (pamh, user, newpass, + options.debug) != PAM_SUCCESS) { pam_error (pamh, _("Password has been already used. Choose another.")); diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c index c72d27a0..d3d6779a 100644 --- a/modules/pam_tally2/pam_tally2.c +++ b/modules/pam_tally2/pam_tally2.c @@ -844,7 +844,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* static module data */ -struct pam_module _pam_tally_modstruct = { +struct pam_module _pam_tally2_modstruct = { MODULE_NAME, #ifdef PAM_SM_AUTH pam_sm_authenticate, -- cgit v1.2.3 From 3c69856acf9af74368b789b1ed867b433db0ed02 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Fri, 3 Feb 2012 00:13:44 +0000 Subject: pam_unix: make configuration consistent in --enable-static-modules mode In --enable-static-modules mode, it was not possible to use "pam_unix" in PAM config files. Instead, different names had to be used for each management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and pam_unix_session. This change makes pam_unix configuration consistent with other PAM modules. * README: Remove the paragraph describing pam_unix distinctions in --enable-static-modules mode. * libpam/pam_static_modules.h (_pam_unix_acct_modstruct, _pam_unix_auth_modstruct, _pam_unix_passwd_modstruct, _pam_unix_session_modstruct): Remove. (_pam_unix_modstruct): New pam_module declaration. * modules/pam_unix/pam_unix_static.h: New file. * modules/pam_unix/pam_unix_static.c: Likewise. * modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h (pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c * modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_acct_modstruct): Remove. * modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_auth_modstruct): Remove. * modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_passwd_modstruct): Remove. * modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include pam_unix_static.h [PAM_STATIC] (_pam_unix_session_modstruct): Remove. 
Suggested-by: Matveychikov Ilya --- modules/pam_unix/Makefile.am | 6 +++++- modules/pam_unix/pam_unix_acct.c | 24 +++++++----------------- modules/pam_unix/pam_unix_auth.c | 25 ++++++++----------------- modules/pam_unix/pam_unix_passwd.c | 25 +++++++------------------ modules/pam_unix/pam_unix_sess.c | 27 +++++++++------------------ modules/pam_unix/pam_unix_static.c | 23 +++++++++++++++++++++++ modules/pam_unix/pam_unix_static.h | 6 ++++++ 7 files changed, 65 insertions(+), 71 deletions(-) create mode 100644 modules/pam_unix/pam_unix_static.c create mode 100644 modules/pam_unix/pam_unix_static.h (limited to 'modules') diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index ab0d55ac..56ed5916 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -34,7 +34,8 @@ pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ securelib_LTLIBRARIES = pam_unix.la -noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h +noinst_HEADERS = md5.h support.h yppasswd.h bigcrypt.h passverify.h \ + pam_unix_static.h sbin_PROGRAMS = unix_chkpwd unix_update @@ -43,6 +44,9 @@ noinst_PROGRAMS = bigcrypt pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c +if STATIC_MODULES +pam_unix_la_SOURCES += pam_unix_static.c +endif bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 2731b8bc..8e90cc9a 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -52,7 +52,11 @@ /* indicate that the following groups are defined */ -#define PAM_SM_ACCOUNT +#ifdef PAM_STATIC +# include "pam_unix_static.h" +#else +# define PAM_SM_ACCOUNT +#endif #include #include 
@@ -178,8 +182,8 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, * account management module. */ -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, - int argc, const char **argv) +int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { unsigned int ctrl; const void *void_uname; @@ -291,17 +295,3 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, return retval; } - - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_acct_modstruct = { - "pam_unix_acct", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL, -}; -#endif diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 1379d96c..44573e6c 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -50,7 +50,11 @@ /* indicate the following groups are defined */ -#define PAM_SM_AUTH +#ifdef PAM_STATIC +# include "pam_unix_static.h" +#else +# define PAM_SM_AUTH +#endif #define _PAM_EXTERN_FUNCTIONS #include @@ -98,9 +102,8 @@ setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED) free (ptr); } - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags - ,int argc, const char **argv) +int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { unsigned int ctrl; int retval, *ret_data = NULL; @@ -190,7 +193,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags * warned you. -- AOY */ -PAM_EXTERN int +int pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) { @@ -213,15 +216,3 @@ pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, return retval; } - -#ifdef PAM_STATIC -struct pam_module _pam_unix_auth_modstruct = { - "pam_unix_auth", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; -#endif diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 498a81c6..e9059d3c 100644 
--- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -63,7 +63,11 @@ /* indicate the following groups are defined */ -#define PAM_SM_PASSWORD +#ifdef PAM_STATIC +# include "pam_unix_static.h" +#else +# define PAM_SM_PASSWORD +#endif #include #include @@ -523,9 +527,8 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh return retval; } - -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, - int argc, const char **argv) +int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { unsigned int ctrl, lctrl; int retval; @@ -823,17 +826,3 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, return retval; } - - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_passwd_modstruct = { - "pam_unix_passwd", - NULL, - NULL, - NULL, - NULL, - NULL, - pam_sm_chauthtok, -}; -#endif diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index 72046ea0..d1376732 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c @@ -49,7 +49,11 @@ /* indicate the following groups are defined */ -#define PAM_SM_SESSION +#ifdef PAM_STATIC +# include "pam_unix_static.h" +#else +# define PAM_SM_SESSION +#endif #include #include @@ -63,8 +67,8 @@ * session module. */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, - int argc, const char **argv) +int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { char *user_name, *service; unsigned int ctrl; @@ -98,8 +102,8 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, return PAM_SUCCESS; } -PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, - int argc, const char **argv) +int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { char *user_name, *service; unsigned int ctrl; 
@@ -127,16 +131,3 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, return PAM_SUCCESS; } - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_session_modstruct = { - "pam_unix_session", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL, -}; -#endif diff --git a/modules/pam_unix/pam_unix_static.c b/modules/pam_unix/pam_unix_static.c new file mode 100644 index 00000000..160268c9 --- /dev/null +++ b/modules/pam_unix/pam_unix_static.c @@ -0,0 +1,23 @@ +#include "config.h" + +#ifdef PAM_STATIC + +#define static extern +#define PAM_SM_ACCOUNT +#define PAM_SM_AUTH +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION +#include "pam_unix_static.h" +#include + +struct pam_module _pam_unix_modstruct = { + "pam_unix", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok, +}; + +#endif diff --git a/modules/pam_unix/pam_unix_static.h b/modules/pam_unix/pam_unix_static.h new file mode 100644 index 00000000..39b05efe --- /dev/null +++ b/modules/pam_unix/pam_unix_static.h @@ -0,0 +1,6 @@ +#define pam_sm_acct_mgmt _pam_unix_sm_acct_mgmt +#define pam_sm_authenticate _pam_unix_sm_authenticate +#define pam_sm_setcred _pam_unix_sm_setcred +#define pam_sm_chauthtok _pam_unix_sm_chauthtok +#define pam_sm_open_session _pam_unix_sm_open_session +#define pam_sm_close_session _pam_unix_sm_close_session -- cgit v1.2.3 From 1329c68b19daa6d5793dd672db73ebe85465eea9 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 11 Apr 2012 21:13:14 +0200 Subject: Check for crypt() failure returning NULL. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message. * modules/pam_unix/passverify.c (create_password_hash): Check for crypt() returning NULL. --- modules/pam_unix/pam_unix_passwd.c | 2 +- modules/pam_unix/passverify.c | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'modules') 
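Review bot: `#define static extern` in the new pam_unix_static.c redefines a keyword ahead of an `#include`, which the C standard does not allow before standard headers and which silently changes the linkage of anything declared `static` in whatever that header pulls in. The intent is presumably to turn the PAM_EXTERN prototypes into external declarations for the static build; that should be stated in a comment above the define, and the macro should be undone right after the include with `#undef static`. pam_unix_static.h would also benefit from an include guard and a short comment saying what the renames are for, presumably to keep pam_unix's entry points from clashing with other statically linked modules.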
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index e9059d3c..9e1302d5 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -800,7 +800,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) tpass = create_password_hash(pamh, pass_new, ctrl, rounds); if (tpass == NULL) { pam_syslog(pamh, LOG_CRIT, - "out of memory for password"); + "crypt() failure or out of memory for password"); pass_new = pass_old = NULL; /* tidy up */ unlock_pwdf(); return PAM_BUF_ERR; diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 52899552..4840bb2d 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -424,7 +424,7 @@ PAMH_ARG_DECL(char * create_password_hash, } #endif sp = crypt(password, salt); - if (strncmp(algoid, sp, strlen(algoid)) != 0) { + if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { /* libxcrypt/libc doesn't know the algorithm, use MD5 */ pam_syslog(pamh, LOG_ERR, "Algo %s not supported by the crypto backend, " @@ -432,7 +432,9 @@ PAMH_ARG_DECL(char * create_password_hash, on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : on(UNIX_SHA256_PASS, ctrl) ? "sha256" : on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); - memset(sp, '\0', strlen(sp)); + if(sp) { + memset(sp, '\0', strlen(sp)); + } return crypt_md5_wrapper(password); } -- cgit v1.2.3 From 791dec4305054de2a5f994a9a4e475079b7b7a9c Mon Sep 17 00:00:00 2001 
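Review bot: With the new `!sp ||` test in create_password_hash(), a crypt() failure takes the same path as an unsupported algorithm and returns `crypt_md5_wrapper(password)`, so the password is stored as MD5 instead of the configured hash, with a log line that blames the algorithm. Returning NULL for the `!sp` case, e.g. `if (!sp) return NULL;` before the strncmp() test, would let the caller in pam_unix_passwd.c fail the change and report it through the reworded "crypt() failure or out of memory for password" message. The `if(sp)` guard added in the following hunk (@@ -432) then becomes unnecessary. The enclosing function starts and ends outside both hunks.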
From: Tomas Mraz Date: Tue, 17 Apr 2012 14:05:24 +0200 Subject: pam_lastlog: add possibility to lock out inactive users in auth or account * modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and option. * modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out. (_pam_session_parse): Renamed from _pam_parse. (_pam_auth_parse): New function to parse auth arguments. (_last_login_open): Factor out opening of the lastlog file. (_last_login_read): Factor out opening of the lastlog file. (pam_sm_authenticate): Implement the lockout functionality. (pam_sm_setcred): Just return PAM_SUCCESS. (pam_sm_acct_mgmt): Call pam_sm_authenticate(). --- modules/pam_lastlog/pam_lastlog.8.xml | 53 ++++++++- modules/pam_lastlog/pam_lastlog.c | 203 ++++++++++++++++++++++++++++------ 2 files changed, 224 insertions(+), 32 deletions(-) (limited to 'modules') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index 2a6794ad..ecac2664 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -45,6 +45,9 @@ showfailed + + inactive=<days> + @@ -165,13 +168,30 @@ + + + + + + + This option is specific for the auth or account phase. It + specifies the number of days after the last login of the user + when the user will be locked out by the module. The default + value is 90. + + + MODULE TYPES PROVIDED - Only the module type is provided. + The and module type + allows to lock out users which did not login recently enough. + The module type is provided for displaying + the information about the last login and/or updating the lastlog and + wtmp files. @@ -207,6 +227,27 @@ + + PAM_AUTH_ERR + + + User locked out in the auth or account phase due to + inactivity. + + + + + + PAM_IGNORE + + + There was an error during reading the lastlog file + in the auth or account phase and thus inactivity + of the user cannot be determined. + + + + 
@@ -220,6 +261,13 @@ session required pam_lastlog.so nowtmp + + To reject the user if he did not login during the previous 50 days + the following line can be used: + + + auth required pam_lastlog.so inactive=50 + @@ -254,6 +302,9 @@ pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. + + Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. + diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 9e8da7d2..4111b182 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -56,6 +56,9 @@ struct lastlog { #define DEFAULT_HOST "" /* "[no.where]" */ #define DEFAULT_TERM "" /* "tt???" */ +#define DEFAULT_INACTIVE_DAYS 90 +#define MAX_INACTIVE_DAYS 100000 + /* * here, we make a definition for the externally accessible function * in this file (this definition is required for static a module @@ -64,6 +67,8 @@ struct lastlog { */ #define PAM_SM_SESSION +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include #include 
@@ -83,7 +88,45 @@ struct lastlog { #define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ static int -_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) +_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, + time_t *inactive) +{ + int ctrl = 0; + + *inactive = DEFAULT_INACTIVE_DAYS; + + /* does the appliction require quiet? */ + if (flags & PAM_SILENT) { + ctrl |= LASTLOG_QUIET; + } + + /* step through arguments */ + for (; argc-- > 0; ++argv) { + char *ep = NULL; + long l; + + if (!strcmp(*argv,"debug")) { + ctrl |= LASTLOG_DEBUG; + } else if (!strcmp(*argv,"silent")) { + ctrl |= LASTLOG_QUIET; + } else if (!strncmp(*argv,"inactive=", 9)) { + l = strtol(*argv+9, &ep, 10); + if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS) + *inactive = l; + else { + pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv); + } + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } + } + + D(("ctrl = %o", ctrl)); + return ctrl; +} + +static int +_pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) { int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE); 
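Review bot: The `inactive=` parsing in _pam_auth_parse() accepts values with trailing garbage, because it only checks `ep != *argv+9`; `inactive=30x` is silently taken as 30. Adding `*ep == '\0'` to the condition, `if (ep != *argv+9 && *ep == '\0' && l > 0 && l < MAX_INACTIVE_DAYS)`, sends such values to the existing "bad option value" log. That message could also say that DEFAULT_INACTIVE_DAYS stays in effect, since a rejected value otherwise leaves the 90-day threshold in place without telling the administrator. The comment typo `appliction` can be fixed at the same time.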
@@ -144,6 +187,44 @@ get_tty(pam_handle_t *pamh) return terminal_line; } +static int +last_login_open(pam_handle_t *pamh, int announce, uid_t uid) +{ + int last_fd; + + /* obtain the last login date and all the relevant info */ + last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY); + if (last_fd < 0) { + if (errno == ENOENT && (announce & LASTLOG_UPDATE)) { + last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + if (last_fd < 0) { + pam_syslog(pamh, LOG_ERR, + "unable to create %s: %m", _PATH_LASTLOG); + D(("unable to create %s file", _PATH_LASTLOG)); + return -1; + } + pam_syslog(pamh, LOG_WARNING, + "file %s created", _PATH_LASTLOG); + D(("file %s created", _PATH_LASTLOG)); + } else { + pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG); + D(("unable to open %s file", _PATH_LASTLOG)); + return -1; + } + } + + if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) { + pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG); + D(("unable to lseek %s file", _PATH_LASTLOG)); + close(last_fd); + return -1; + } + + return last_fd; +} + + static int last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t *lltime) { 
@@ -338,31 +419,9 @@ last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user, t int last_fd; /* obtain the last login date and all the relevant info */ - last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY); + last_fd = last_login_open(pamh, announce, uid); if (last_fd < 0) { - if (errno == ENOENT) { - last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - if (last_fd < 0) { - pam_syslog(pamh, LOG_ERR, - "unable to create %s: %m", _PATH_LASTLOG); - D(("unable to create %s file", _PATH_LASTLOG)); - return PAM_SERVICE_ERR; - } - pam_syslog(pamh, LOG_WARNING, - "file %s created", _PATH_LASTLOG); - D(("file %s created", _PATH_LASTLOG)); - } else { - pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG); - D(("unable to open %s file", _PATH_LASTLOG)); - return PAM_SERVICE_ERR; - } - } - - if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) { - pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG); - D(("unable to lseek %s file", _PATH_LASTLOG)); - return PAM_SERVICE_ERR; + return PAM_SERVICE_ERR; } retval = last_login_read(pamh, announce, last_fd, uid, lltime); 
@@ -502,7 +561,89 @@ cleanup: return retval; } -/* --- authentication management functions (only) --- */ +/* --- authentication (locking out inactive users) functions --- */ +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + int retval, ctrl; + const char *user = NULL; + const struct passwd *pwd; + uid_t uid; + time_t lltime = 0; + time_t inactive_days = 0; + int last_fd; + + /* + * Lock out the user if he did not login recently enough. + */ + + ctrl = _pam_auth_parse(pamh, flags, argc, argv, &inactive_days); + + /* which user? */ + + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + || *user == '\0') { + pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + return PAM_USER_UNKNOWN; + } + + /* what uid? */ + + pwd = pam_modutil_getpwnam (pamh, user); + if (pwd == NULL) { + pam_syslog(pamh, LOG_ERR, "user unknown"); + return PAM_USER_UNKNOWN; + } + uid = pwd->pw_uid; + pwd = NULL; /* tidy up */ + + + /* obtain the last login date and all the relevant info */ + last_fd = last_login_open(pamh, ctrl, uid); + if (last_fd < 0) { + return PAM_IGNORE; + } + + retval = last_login_read(pamh, ctrl|LASTLOG_QUIET, last_fd, uid, &lltime); + close(last_fd); + + if (retval != PAM_SUCCESS) { + D(("error while reading lastlog file")); + return PAM_IGNORE; + } + + if (lltime == 0) { /* user never logged in before */ + if (ctrl & LASTLOG_DEBUG) + pam_syslog(pamh, LOG_DEBUG, "user never logged in - pass"); + return PAM_SUCCESS; + } + + lltime = (time(NULL) - lltime) / (24*60*60); + + if (lltime > inactive_days) { + pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime); + return PAM_AUTH_ERR; + } + + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + 
return pam_sm_authenticate(pamh, flags, argc, argv); +} + +/* --- session management functions --- */ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, @@ -519,7 +660,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, * last login info and then updates the lastlog for that user. */ - ctrl = _pam_parse(pamh, flags, argc, argv); + ctrl = _pam_session_parse(pamh, flags, argc, argv); /* which user? */ @@ -560,7 +701,7 @@ pam_sm_close_session (pam_handle_t *pamh, int flags, { const char *terminal_line; - if (!(_pam_parse(pamh, flags, argc, argv) & LASTLOG_WTMP)) + if (!(_pam_session_parse(pamh, flags, argc, argv) & LASTLOG_WTMP)) return PAM_SUCCESS; terminal_line = get_tty(pamh); @@ -577,9 +718,9 @@ pam_sm_close_session (pam_handle_t *pamh, int flags, struct pam_module _pam_lastlog_modstruct = { "pam_lastlog", - NULL, - NULL, - NULL, + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session, NULL, -- cgit v1.2.3 From cf9c75be753a3c12fdecb9f4696b8ad1b28dd799 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Apr 2012 14:46:48 +0200 Subject: pam_lastlog: Never lock out the root account. modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if uid==0. modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation. --- modules/pam_lastlog/pam_lastlog.8.xml | 8 +++++++- modules/pam_lastlog/pam_lastlog.c | 2 ++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index ecac2664..77da9dbc 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -12,7 +12,7 @@ pam_lastlog - PAM module to display date of last login + PAM module to display date of last login and perform inactive account lock out 
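Review bot: The denial message in pam_sm_authenticate() passes `lltime`, a time_t, to a `%d` conversion, which is a type mismatch wherever time_t is wider than int; use `"user %s inactive for %ld days - denied", user, (long) lltime`. The day count is computed as `(time(NULL) - lltime) / (24*60*60)` with no check for a lastlog timestamp that lies in the future, in which case the result is negative and the user passes; if that is intended, it deserves a comment. The lastlog open and read failures return PAM_IGNORE, so the check fails open when the file is unreadable; that matches the man page change but is worth a comment at the two return sites.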
@@ -64,6 +64,12 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. + + If the module is called in the auth or account phase, the accounts that + were not used recently enough will be disallowed to log in. The + check is not performed for the root account so the root is never + locked out. + diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 4111b182..50e5a59c 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, uid = pwd->pw_uid; pwd = NULL; /* tidy up */ + if (uid == 0) + return PAM_SUCCESS; /* obtain the last login date and all the relevant info */ last_fd = last_login_open(pamh, ctrl, uid); -- cgit v1.2.3 From 422c19520fb814cfd8edd84d7989f4c52acbfa03 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Apr 2012 15:03:32 +0200 Subject: pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option. (simple): Add the check for the same class repetition. (usercheck): Refactor into wordcheck(). (gecoscheck): New test for words from the GECOS field. (password_check): Call the gecoscheck(). (pam_sm_chauthtok): Drop the diff_ignore from options struct. modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test. --- modules/pam_cracklib/pam_cracklib.8.xml | 66 ++++++++-------- modules/pam_cracklib/pam_cracklib.c | 129 ++++++++++++++++++++++++++------ 2 files changed, 142 insertions(+), 53 deletions(-) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 29e00c09..5022c753 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml 
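Review bot: The added `if (uid == 0) return PAM_SUCCESS;` in `pam_sm_authenticate` carries no comment and no debug trace, although the never-logged-in path of the same function logs under `LASTLOG_DEBUG`. I would add `/* root is never locked out for inactivity; this is not a credential check */` above it and, for consistency, `if (ctrl & LASTLOG_DEBUG) pam_syslog(pamh, LOG_DEBUG, "user is root - pass");` before the return. Because this function returns `PAM_SUCCESS` without verifying any credential, the manual page would also benefit from saying that the module belongs in the auth stack only as `required` or `requisite`, never `sufficient`. The function starts and ends outside the hunk.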
@@ -77,17 +77,10 @@ Is the new password too much like the old one? This is primarily controlled by one argument, - which is a number of characters - that if different between the old and new are enough to accept - the new password, this defaults to 10 or 1/2 the size of the - new password whichever is smaller. - - - To avoid the lockup associated with trying to change a long and - complicated password, is available. - This argument can be used to specify the minimum length a new - password needs to be before the value is - ignored. The default value for is 23. + which is a number of character changes + (inserts, removals, or replacements) between the old and new + password that are enough to accept the new password. + This defaults to 5 changes. @@ -96,7 +89,8 @@ Is the new password too small? - This is controlled by 5 arguments , + This is controlled by 6 arguments , + , , , , and . See the section on the arguments for the details of how these work and there defaults. @@ -204,24 +198,9 @@ This argument will change the default of - 5 for the number of characters in - the new password that must not be present in the old - password. In addition, if 1/2 of the characters in the - new password are different then the new password will - be accepted anyway. - - - - - - - - - - - How many characters should the password have before - difok will be ignored. The default is - 23. + 5 for the number of character + changes in the new password that differentiate it + from the old password. @@ -368,6 +347,19 @@ + + + + + + + Reject passwords which contain more than N consecutive + characters of the same class. The default is 0 which means + that this check is disabled. + + + + @@ -381,6 +373,20 @@ + + + + + + + Check whether the words from the GECOS field (usualy full name + of the user) longer than 3 characters in straight or reversed + form are contained in the new password. If any such word is + found the new password is rejected. + + + + 
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index 1955b83f..96ee9954 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -51,6 +51,8 @@ #include #include #include +#include +#include #ifdef HAVE_CRACK_H #include @@ -92,7 +94,6 @@ extern char *FascistCheck(char *pw, const char *dictpath); struct cracklib_options { int retry_times; int diff_ok; - int diff_ignore; int min_length; int dig_credit; int up_credit; @@ -100,19 +101,21 @@ struct cracklib_options { int oth_credit; int min_class; int max_repeat; + int max_class_repeat; int reject_user; + int gecos_check; const char *cracklib_dictpath; }; #define CO_RETRY_TIMES 1 #define CO_DIFF_OK 5 -#define CO_DIFF_IGNORE 23 #define CO_MIN_LENGTH 9 # define CO_MIN_LENGTH_BASE 5 #define CO_DIG_CREDIT 1 #define CO_UP_CREDIT 1 #define CO_LOW_CREDIT 1 #define CO_OTH_CREDIT 1 +#define CO_MIN_WORD_LENGTH 4 static int _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, @@ -139,9 +142,7 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, if (!ep || (opt->diff_ok < 0)) opt->diff_ok = CO_DIFF_OK; } else if (!strncmp(*argv,"difignore=",10)) { - opt->diff_ignore = strtol(*argv+10,&ep,10); - if (!ep || (opt->diff_ignore < 0)) - opt->diff_ignore = CO_DIFF_IGNORE; + /* just ignore */ } else if (!strncmp(*argv,"minlen=",7)) { opt->min_length = strtol(*argv+7,&ep,10); if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE)) 
@@ -172,8 +173,14 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, opt->max_repeat = strtol(*argv+10,&ep,10); if (!ep) opt->max_repeat = 0; + } else if (!strncmp(*argv,"maxclassrepeat=",15)) { + opt->max_class_repeat = strtol(*argv+15,&ep,10); + if (!ep) + opt->max_class_repeat = 0; } else if (!strncmp(*argv,"reject_username",15)) { opt->reject_user = 1; + } else if (!strncmp(*argv,"gecoscheck",10)) { + opt->gecos_check = 1; } else if (!strncmp(*argv,"authtok_type",12)) { /* for pam_get_authtok, ignore */; } else if (!strncmp(*argv,"use_authtok",11)) { @@ -357,16 +364,45 @@ static int simple(struct cracklib_options *opt, const char *new) int others = 0; int size; int i; + enum { NONE, DIGIT, UCASE, LCASE, OTHER } prevclass = NONE; + int sameclass = 0; for (i = 0;new[i];i++) { - if (isdigit (new[i])) + if (isdigit (new[i])) { digits++; - else if (isupper (new[i])) + if (prevclass != DIGIT) { + prevclass = DIGIT; + sameclass = 1; + } else + sameclass++; + } + else if (isupper (new[i])) { uppers++; - else if (islower (new[i])) + if (prevclass != UCASE) { + prevclass = UCASE; + sameclass = 1; + } else + sameclass++; + } + else if (islower (new[i])) { lowers++; - else + if (prevclass != LCASE) { + prevclass = LCASE; + sameclass = 1; + } else + sameclass++; + } + else { others++; + if (prevclass != OTHER) { + prevclass = OTHER; + sameclass = 1; + } else + sameclass++; + } + if (opt->max_class_repeat > 1 && sameclass > opt->max_class_repeat) { + return 1; + } } /* 
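Review bot: The `if (!ep)` test after `strtol` in the new `maxclassrepeat=` branch of `_pam_parse` can never fire, because `strtol` always stores a non-NULL pointer through `&ep`. A non-numeric or negative value is therefore accepted without complaint, and a typo such as `maxclassrepeat=x` quietly disables the check. Testing the end pointer and the range does what the code appears to intend: `if (ep == *argv+15 || *ep != '\0' || opt->max_class_repeat < 0) opt->max_class_repeat = 0;`. The `maxsequence=` branch added by the later commit on this page copies the same test. `_pam_parse` starts and ends outside the hunk.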
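Review bot: The guard `opt->max_class_repeat > 1` in `simple()` treats `maxclassrepeat=1` as disabled, whereas the manual text added by this commit says only 0 disables the check. `if (opt->max_class_repeat > 0 && sameclass > opt->max_class_repeat)` would match the documentation; otherwise the manual should say that values below 2 are ignored. The four branches also repeat the same `prevclass`/`sameclass` bookkeeping, which could be done once after classifying the character. `isdigit`, `isupper` and `islower` receive a plain `char` on the rewritten lines; casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f. `simple()` continues outside the hunk.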
@@ -439,21 +475,17 @@ static int consecutive(struct cracklib_options *opt, const char *new) return 0; } -static int usercheck(struct cracklib_options *opt, const char *new, - char *user) +static int wordcheck(const char *new, char *word) { char *f, *b; - if (!opt->reject_user) - return 0; - - if (strstr(new, user) != NULL) + if (strstr(new, word) != NULL) return 1; - /* now reverse the username, we can do that in place + /* now reverse the word, we can do that in place as it is strdup-ed */ - f = user; - b = user+strlen(user)-1; + f = word; + b = word+strlen(word)-1; while (f < b) { char c; @@ -464,11 +496,20 @@ static int usercheck(struct cracklib_options *opt, const char *new, ++f; } - if (strstr(new, user) != NULL) + if (strstr(new, word) != NULL) return 1; return 0; } +static int usercheck(struct cracklib_options *opt, const char *new, + char *user) +{ + if (!opt->reject_user) + return 0; + + return wordcheck(new, user); +} + static char * str_lower(char *string) { char *cp; @@ -481,7 +522,50 @@ static char * str_lower(char *string) return string; } -static const char *password_check(struct cracklib_options *opt, +static int gecoscheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new, + const char *user) +{ + struct passwd *pwd; + char *list; + char *p; + char *next; + + if (!opt->gecos_check) + return 0; + + if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) { + return 0; + } + + list = strdup(pwd->pw_gecos); + + if (list == NULL || *list == '\0') { + free(list); + return 0; + } + + for (p = list;;p = next + 1) { + next = strchr(p, ' '); + if (next) + *next = '\0'; + + if (strlen(p) >= CO_MIN_WORD_LENGTH) { + str_lower(p); + if (wordcheck(new, p)) { + free(list); + return 1; + } + } + + if (!next) + break; + } + + free(list); + return 0; +} + +static const char *password_check(pam_handle_t *pamh, struct cracklib_options *opt, const char *old, const char *new, const char *user) { 
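Review bot: `gecoscheck()` splits `pw_gecos` only on spaces (`next = strchr(p, ' ');`), but the GECOS field is conventionally comma-separated, so for an entry such as `Jane Doe,Room 12` (constructed example) the word compared is `doe,room` and a password containing `doe` is not caught. Splitting on both separators closes the gap: `next = strpbrk(p, " ,");`. The caller in `password_check` (next hunk) reports a GECOS hit with the existing message "contains the user name in some form", which will puzzle a user whose password contains a surname; a separate message would be clearer. A one-line comment on `wordcheck()` noting that it reverses `word` in place and therefore needs a writable copy would also help, since `gecoscheck()` relies on that.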
@@ -535,7 +619,7 @@ static const char *password_check(struct cracklib_options *opt, if (!msg && consecutive(opt, new)) msg = _("contains too many same characters consecutively"); - if (!msg && usercheck(opt, newmono, usermono)) + if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user))) msg = _("contains the user name in some form"); free(usermono); @@ -584,7 +668,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, * if one wanted to hardwire authentication token strength * checking this would be the place */ - msg = password_check(opt, pass_old, pass_new, user); + msg = password_check(pamh, opt, pass_old, pass_new, user); if (msg) { if (ctrl & PAM_DEBUG_ARG) @@ -611,7 +695,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, memset(&options, 0, sizeof(options)); options.retry_times = CO_RETRY_TIMES; options.diff_ok = CO_DIFF_OK; - options.diff_ignore = CO_DIFF_IGNORE; options.min_length = CO_MIN_LENGTH; options.dig_credit = CO_DIG_CREDIT; options.up_credit = CO_UP_CREDIT; -- cgit v1.2.3 From ddf3ac65b547f331400d235e64a1dddce8d42155 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 24 May 2012 13:40:24 +0200 Subject: pam_cracklib: Add enforce_for_root option. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option. (pam_sm_chauthtok): Enforce errors for root with the option. modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option. --- modules/pam_cracklib/pam_cracklib.8.xml | 14 ++++++++++++++ modules/pam_cracklib/pam_cracklib.c | 7 +++++-- 2 files changed, 19 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 5022c753..7c0ae700 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml 
@@ -387,6 +387,20 @@ + + + + + + + The module will return error on failed check also if the user + changing the password is root. This option is off by default + which means that just the message about the failed check is + printed but root can change the password anyway. + + + + diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index 96ee9954..4c3030f5 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -104,6 +104,7 @@ struct cracklib_options { int max_class_repeat; int reject_user; int gecos_check; + int enforce_for_root; const char *cracklib_dictpath; }; @@ -181,6 +182,8 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, opt->reject_user = 1; } else if (!strncmp(*argv,"gecoscheck",10)) { opt->gecos_check = 1; + } else if (!strncmp(*argv,"enforce_for_root",16)) { + opt->enforce_for_root = 1; } else if (!strncmp(*argv,"authtok_type",12)) { /* for pam_get_authtok, ignore */; } else if (!strncmp(*argv,"use_authtok",11)) { @@ -757,7 +760,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg); pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg); - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { pam_set_item (pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; @@ -770,7 +773,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, retval = _pam_unix_approve_pass (pamh, ctrl, &options, oldtoken, newtoken); if (retval != PAM_SUCCESS) { - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { pam_set_item(pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; -- cgit v1.2.3 From 585f6c06b2d3574935ed62c3084f2aadd6d1defb Mon Sep 17 00:00:00 2001 
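Review bot: The two conditions changed in `pam_sm_chauthtok` now read `getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)` without a comment, and `getuid()` is easily misread as referring to the account being changed rather than to the calling process. A comment above the first occurrence would record the intent, for example `/* a failed check is fatal unless the caller is root, enforce_for_root is unset and this is not a forced expiry change */`. Since the expression is duplicated at both sites, a small `static` helper taking the options and `flags` would keep them from drifting apart. The parser line `!strncmp(*argv,"enforce_for_root",16)` also accepts any argument that merely begins with that string. `pam_sm_chauthtok` starts and ends outside the hunks.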
From: Tomas Mraz Date: Mon, 28 May 2012 20:24:17 +0200 Subject: pam_pwhistory: Always record the old password even when root changes it. modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of the process instead of the target user UID (same as in pam_cracklib) to check for root. Always record old password. --- modules/pam_pwhistory/pam_pwhistory.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'modules') diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 4c582bc2..e9b28eb1 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -155,10 +155,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (pwd == NULL) return PAM_USER_UNKNOWN; - /* Ignore root if not enforced */ - if (pwd->pw_uid == 0 && !options.enforce_for_root) - return PAM_SUCCESS; - if ((strcmp(pwd->pw_passwd, "x") == 0) || ((pwd->pw_passwd[0] == '#') && (pwd->pw_passwd[1] == '#') && @@ -211,11 +207,18 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (check_old_pass (pamh, user, newpass, options.debug) != PAM_SUCCESS) { - pam_error (pamh, - _("Password has been already used. Choose another.")); - newpass = NULL; - /* Remove password item, else following module will use it */ - pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); + if (getuid() || options.enforce_for_root || + (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + { + pam_error (pamh, + _("Password has been already used. Choose another.")); + newpass = NULL; + /* Remove password item, else following module will use it */ + pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); + } + else + pam_info (pamh, + _("Password has been already used.")); } } -- cgit v1.2.3 From e01a134b72b027042fc555793181d9b025c53a15 Mon Sep 17 00:00:00 2001 
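Review bot: When root reuses an old password and `enforce_for_root` is unset, the new `else` branch in `pam_sm_chauthtok` only shows `pam_info` to the caller, so the policy override leaves no trace in the system log. A line such as `pam_syslog (pamh, LOG_NOTICE, "password reuse check overridden by root for user %s", user);` in that branch would give administrators an audit trail. The `else` body is also the only unbraced arm of this `if`; bracing it would match the first arm. The function starts and ends outside the hunk.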
From: Tomas Mraz Date: Fri, 1 Jun 2012 11:12:21 +0200 Subject: pam_timestamp: Fix copy&paste error in manpage. modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section. --- modules/pam_timestamp/pam_timestamp.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index fc6a9276..07a5cf1d 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -181,7 +181,7 @@ session optional pam_timestamp.so AUTHOR - pam_tally was written by Nalin Dahyabhai. + pam_timestamp was written by Nalin Dahyabhai. -- cgit v1.2.3 From d7687ef4ba7e0e776f0216f1fcb36859acc3fe15 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 22 Jun 2012 13:36:45 +0200 Subject: pam_cracklib: Add monotonic character sequence checking. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option. (sequence): New function to check for too long monotonic sequence of characters. (password_check): Call the sequence(). modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check. --- modules/pam_cracklib/pam_cracklib.8.xml | 23 ++++++++++++++++++ modules/pam_cracklib/pam_cracklib.c | 41 +++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 7c0ae700..9c929bfa 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -113,6 +113,14 @@ + + Too long monotonic character sequence + + + Optional check for too long monotonic character sequence. + + + Contains user name 
@@ -347,6 +355,21 @@ + + + + + + + Reject passwords which contain monotonic character sequences + longer than N. The default is 0 which means that this check + is disabled. Examples of such sequence are '12345' or 'fedcb'. + Note that most such passwords will not pass the simplicity + check unless the sequence is only a minor part of the password. + + + + diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index 4c3030f5..56913477 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -101,6 +101,7 @@ struct cracklib_options { int oth_credit; int min_class; int max_repeat; + int max_sequence; int max_class_repeat; int reject_user; int gecos_check; @@ -174,6 +175,10 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, opt->max_repeat = strtol(*argv+10,&ep,10); if (!ep) opt->max_repeat = 0; + } else if (!strncmp(*argv,"maxsequence=",12)) { + opt->max_sequence = strtol(*argv+12,&ep,10); + if (!ep) + opt->max_sequence = 0; } else if (!strncmp(*argv,"maxclassrepeat=",15)) { opt->max_class_repeat = strtol(*argv+15,&ep,10); if (!ep) @@ -478,6 +483,39 @@ static int consecutive(struct cracklib_options *opt, const char *new) return 0; } +static int sequence(struct cracklib_options *opt, const char *new) +{ + char c; + int i; + int sequp = 1; + int seqdown = 1; + + if (opt->max_sequence == 0) + return 0; + + if (new[0] == '\0') + return 0; + + for (i = 1; new[i]; i++) { + c = new[i-1]; + if (new[i] == c+1) { + ++sequp; + if (sequp > opt->max_sequence) + return 1; + seqdown = 1; + } else if (new[i] == c-1) { + ++seqdown; + if (seqdown > opt->max_sequence) + return 1; + sequp = 1; + } else { + sequp = 1; + seqdown = 1; + } + } + return 0; +} + static int wordcheck(const char *new, char *word) { char *f, *b; 
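Review bot: `sequence()` treats only `max_sequence == 0` as disabled, and the `maxsequence=` parser added in the same commit does not range-check the value. A negative setting therefore makes `sequp > opt->max_sequence` true for any two adjacent ascending or descending characters and rejects most passwords. `if (opt->max_sequence <= 0) return 0;` (or clamping in `_pam_parse`) makes the behaviour match the manual, which documents 0 as off. The comparison is on raw byte values, so a run such as `89:;` (constructed example) counts as a sequence; a comment like `/* monotonic by byte value, not by character class */` would save a reader the experiment.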
@@ -622,6 +660,9 @@ static const char *password_check(pam_handle_t *pamh, struct cracklib_options *o if (!msg && consecutive(opt, new)) msg = _("contains too many same characters consecutively"); + if (!msg && sequence(opt, new)) + msg = _("contains too long of a monotonic character sequence"); + if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user))) msg = _("contains the user name in some form"); -- cgit v1.2.3 From 333aa74b2679ff786559994689ed149f5fd648a1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 27 Jun 2012 18:21:13 +0200 Subject: pam_umask: correct the documentation of GECOS field parsing modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field parsing. --- modules/pam_umask/pam_umask.8.xml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) (limited to 'modules') diff --git a/modules/pam_umask/pam_umask.8.xml b/modules/pam_umask/pam_umask.8.xml index 3b7e197b..1e8d130b 100644 --- a/modules/pam_umask/pam_umask.8.xml +++ b/modules/pam_umask/pam_umask.8.xml @@ -53,17 +53,7 @@ - umask= entry of the users GECOS field - - - - - pri= entry of the users GECOS field - - - - - ulimit= entry of the users GECOS field + umask= entry in the user's GECOS field @@ -78,6 +68,13 @@ + + The GECOS field is split on comma ',' characters. The module + also in addition to the umask= entry recognizes pri= entry, + which sets the nice priority value for the session, and + ulimit= entry, which sets the maximum size of files the processes + in the session can create. + -- cgit v1.2.3 From 8e508f23bf5ed727649c99bbd540f7b1c2c2bd35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stevan=20Baji=C4=87?= Date: Mon, 9 Jul 2012 09:43:11 +0200 Subject: RLIMIT_* variables are no longer defined unless you explicitly include sys/resource.h. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Diego Elio Pettenò modules/pam_unix/pam_unix_acct.c: Include sys/resource.h. --- modules/pam_unix/pam_unix_acct.c | 1 + 1 file changed, 1 insertion(+) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 8e90cc9a..4a362f88 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include -- cgit v1.2.3 From 01e176ec352748487212e59723192d8dbdf53e29 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 23 Jul 2012 18:32:16 +0200 Subject: New autotools do not create empty directories on install. modules/pam_namespace/Makefile.am: Add install-data-local target to create namespaceddir. modules/pam_sepermit/Makefile.am: Add install-data-local target to create sepermitlockdir. --- modules/pam_namespace/Makefile.am | 4 +++- modules/pam_sepermit/Makefile.am | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index 586a5436..a28f1960 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -38,7 +38,9 @@ if HAVE_UNSHARE secureconf_DATA = namespace.conf secureconf_SCRIPTS = namespace.init - namespaced_DATA = + +install-data-local: + mkdir -p $(namespaceddir) endif diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index d1a557f6..cfc55947 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -32,9 +32,10 @@ endif if HAVE_LIBSELINUX secureconf_DATA = sepermit.conf - sepermitlock_DATA = - securelib_LTLIBRARIES = pam_sepermit.la + +install-data-local: + mkdir -p $(sepermitlockdir) endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_sepermit.8 sepermit.conf.5 -- cgit v1.2.3 From 426fdb813c73f256be82c98c27740a75f48c85c8 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Thu, 9 Aug 2012 11:55:23 +0200 Subject: Document limits.d also in the limits.conf manpage. modules/pam_limits/limits.conf.5.xml: Document the limits.d existence. --- modules/pam_limits/limits.conf.5.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'modules') diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index 939fa0fe..4b6b5baf 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -17,6 +17,14 @@ DESCRIPTION + + The pam_limits.so module applies ulimit limits, + nice priority and number of simultaneous login sessions limit to user + login sessions. This description of the configuration file syntax + applies to the /etc/security/limits.conf file and + *.conf files in the + /etc/security/limits.d directory. + The syntax of the lines is as follows: -- cgit v1.2.3 From c62981a43a7da5d7c10e432874e7c66b47a4f363 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 16 Aug 2012 15:46:56 +0200 Subject: Small documentation and define fixes modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10] modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary modules/pam_pwhistory/pam_pwhistory.c: Document how the module works modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6] --- modules/pam_limits/limits.conf.5.xml | 3 +++ modules/pam_namespace/pam_namespace.h | 4 ++++ modules/pam_pwhistory/pam_pwhistory.c | 7 +++++-- modules/pam_unix/pam_unix.8.xml | 2 ++ 4 files changed, 14 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index 4b6b5baf..ecc6d5ff 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml 
@@ -290,6 +290,9 @@ Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session. + One exception is the maxlogin option, this one + is system wide. But there is a race, concurrent logins at the same + time will not always be detect as such but only counted as one. In the limits configuration file, the diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 1d0c11c6..51d23886 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -81,6 +81,10 @@ #ifndef MS_PRIVATE #define MS_PRIVATE (1<<18) #endif +#ifndef MS_SLAVE +#define MS_SLAVE (1<<19) +#endif + /* * Module defines diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index e9b28eb1..654edd39 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -1,6 +1,6 @@ /* - * Copyright (c) 2008 Thorsten Kukuk - * Author: Thorsten Kukuk + * Copyright (c) 2008, 2012 Thorsten Kukuk + * Author: Thorsten Kukuk * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -103,6 +103,9 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) } +/* This module saves the current crypted password in /etc/security/opasswd + and then compares the new password with all entries in this file. */ + PAM_EXTERN int pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) { diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index c272e3ce..0a42d7a3 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml 
@@ -223,6 +223,8 @@ user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently. + Instead of this option the pam_pwhistory + module should be used. -- cgit v1.2.3 From d7e6b921cd34f7ad8fc4d05065c75d13ba330896 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 17 Aug 2012 14:46:40 +0200 Subject: Add missing $(DESTDIR) when making directories on install. modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making $(namespaceddir) on install. modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making $(sepermitlockdir) on install. --- modules/pam_namespace/Makefile.am | 2 +- modules/pam_sepermit/Makefile.am | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am index a28f1960..ebb00f36 100644 --- a/modules/pam_namespace/Makefile.am +++ b/modules/pam_namespace/Makefile.am @@ -40,7 +40,7 @@ if HAVE_UNSHARE secureconf_SCRIPTS = namespace.init install-data-local: - mkdir -p $(namespaceddir) + mkdir -p $(DESTDIR)$(namespaceddir) endif diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index cfc55947..bc822757 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -35,7 +35,7 @@ if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_sepermit.la install-data-local: - mkdir -p $(sepermitlockdir) + mkdir -p $(DESTDIR)$(sepermitlockdir) endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_sepermit.8 sepermit.conf.5 -- cgit v1.2.3 From 6b2a5b9f5595f39fb919c12c52c7f3c53f33f914 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Thu, 6 Sep 2012 14:58:57 +0200 Subject: pam_selinux, pam_tally2: Add tty and rhost to audit data. modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and rhost from PAM items and pass them to audit. modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and rhost from PAM items and pass them to audit. (main): Obtain tty name of stdin and pass it to audit. --- modules/pam_selinux/pam_selinux.c | 5 ++++- modules/pam_tally2/pam_tally2.c | 15 +++++++++------ 2 files changed, 13 insertions(+), 7 deletions(-) (limited to 'modules') diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index d66ccb46..473655c5 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau int audit_fd = audit_open(); security_context_t default_raw=NULL; security_context_t selected_raw=NULL; + const void *tty = NULL, *rhost = NULL; rc = -1; if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || @@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); return rc; } + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { pam_syslog(pamh, LOG_ERR, "Error translating default context."); default_raw = NULL; @@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau goto out; } if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, - msg, NULL, NULL, NULL, success) <= 0) { + msg, rhost, NULL, tty, success) <= 0) { pam_syslog(pamh, LOG_ERR, "Error sending audit message."); goto out; } diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c index d3d6779a..09e85855 100644 --- a/modules/pam_tally2/pam_tally2.c 
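Review bot: In `send_audit_message` the results of both new `pam_get_item` calls are discarded with `(void)` and `tty`/`rhost` are declared `const void *`, so the reader has to work out that an unset item simply leaves the pointer NULL for `audit_log_user_message`. A short comment at the two calls would make that explicit, for example `/* best effort: NULL is passed through if the item is unset */`. `PAM_RHOST` is set by the calling application and may originate from the remote peer, so the comment could also say that the hostname field in these audit records is not a verified value. The same pattern is added to `tally_check` in pam_tally2.c by this commit. `send_audit_message` starts and ends outside the hunks.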
+++ b/modules/pam_tally2/pam_tally2.c @@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, #ifdef HAVE_LIBAUDIT char buf[64]; int audit_fd = -1; + const void *rhost = NULL, *tty = NULL; #endif if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { @@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)) return PAM_SYSTEM_ERR; + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); #endif if (opts->deny != 0 && /* deny==0 means no deny */ tally->fail_cnt > opts->deny && /* tally>deny means exceeded */ @@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, /* First say that max number was hit. */ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, - NULL, NULL, NULL, 1); + rhost, NULL, tty, 1); } #endif if (uid) { @@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, #ifdef HAVE_LIBAUDIT snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, - NULL, NULL, NULL, 1); + rhost, NULL, tty, 1); #endif rv = PAM_SUCCESS; goto cleanup; @@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, #ifdef HAVE_LIBAUDIT snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, - NULL, NULL, NULL, 1); + rhost, NULL, tty, 1); #endif rv = PAM_SUCCESS; goto cleanup; @@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, if (tally->fail_cnt == opts->deny+1) { /* First say that max number was hit. */ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, - NULL, NULL, NULL, 1); + rhost, NULL, tty, 1); } #endif 
@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv ) int audit_fd = audit_open(); snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); audit_log_user_message(audit_fd, AUDIT_USER_ACCT, - buf, NULL, NULL, NULL, 1); + buf, NULL, NULL, ttyname(STDIN_FILENO), 1); if (audit_fd >=0) close(audit_fd); #endif @@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv ) int audit_fd = audit_open(); snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); audit_log_user_message(audit_fd, AUDIT_USER_ACCT, - buf, NULL, NULL, NULL, 1); + buf, NULL, NULL, ttyname(STDIN_FILENO), 1); if (audit_fd >=0) close(audit_fd); #endif -- cgit v1.2.3 From fbcbb0e302b0c7561e565531b47fba9477b238ba Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 10 Oct 2012 19:46:02 +0200 Subject: pam_namespace: add mntopts flag for tmpfs mount options modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir structure. modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts. (parse_method): Parse the mntopts flag. (ns_setup): Pass the mount_opts to mount(). modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag. --- modules/pam_namespace/namespace.conf.5.xml | 8 ++++++++ modules/pam_namespace/pam_namespace.c | 21 ++++++++++++++++++--- modules/pam_namespace/pam_namespace.h | 2 ++ 3 files changed, 28 insertions(+), 3 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml index 673099b0..c7698cb4 100644 --- a/modules/pam_namespace/namespace.conf.5.xml +++ b/modules/pam_namespace/namespace.conf.5.xml 
@@ -119,6 +119,14 @@ contain the user name and will be shared among all users. + mntopts=value + - value of this flag is passed to the mount call when the tmpfs mount is + done. It allows for example the specification of the maximum size of the + tmpfs instance that is created by the mount call. See + mount8 + for details. + + The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 0000. The diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index a40f05e6..e0d5e30b 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -64,6 +64,7 @@ static void del_polydir(struct polydir_s *poly) if (poly) { free(poly->uid); free(poly->init_script); + free(poly->mount_opts); free(poly); } } @@ -237,9 +238,9 @@ static int parse_method(char *method, struct polydir_s *poly, static const char *method_names[] = { "user", "context", "level", "tmpdir", "tmpfs", NULL }; static const char *flag_names[] = { "create", "noinit", "iscript", - "shared", NULL }; + "shared", "mntopts", NULL }; static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT, - POLYDIR_ISCRIPT, POLYDIR_SHARED }; + POLYDIR_ISCRIPT, POLYDIR_SHARED, POLYDIR_MNTOPTS }; int i; char *flag; @@ -279,6 +280,20 @@ static int parse_method(char *method, struct polydir_s *poly, return -1; }; break; + + case POLYDIR_MNTOPTS: + if (flag[namelen] != '=') + break; + if (poly->method != TMPFS) { + pam_syslog(idata->pamh, LOG_WARNING, "Mount options applicable only to tmpfs method"); + break; + } + free(poly->mount_opts); /* if duplicate mntopts specified */ + if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) { + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } + break; } } } 
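Review bot: In the new `POLYDIR_MNTOPTS` case of parse_method, a bare `mntopts` with no `=value` leaves through the first `break` without any message. A mistyped entry in namespace.conf is therefore silently ignored and the tmpfs is mounted with default options, for example without the size limit the administrator intended. Logging it like the non-tmpfs case makes the mistake visible: `pam_syslog(idata->pamh, LOG_WARNING, "mntopts flag requires a value");` before that `break`. Whether the `POLYDIR_MNTOPTS` bit remains set in the polydir flags for a rejected value cannot be seen from this hunk; parse_method starts and ends outside it.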
@@ -1464,7 +1479,7 @@ static int ns_setup(struct polydir_s *polyptr, } if (polyptr->method == TMPFS) { - if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { + if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) { pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", polyptr->dir); return PAM_SESSION_ERR; diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 51d23886..47ebcc33 100644 --- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -116,6 +116,7 @@ #define POLYDIR_NOINIT 0x00000004 /* no init script */ #define POLYDIR_SHARED 0x00000008 /* share context/level instances among users */ #define POLYDIR_ISCRIPT 0x00000010 /* non default init script */ +#define POLYDIR_MNTOPTS 0x00000020 /* mount options for tmpfs mount */ #define NAMESPACE_MAX_DIR_LEN 80 @@ -164,6 +165,7 @@ struct polydir_s { uid_t *uid; /* list of override uids */ unsigned int flags; /* polydir flags */ char *init_script; /* path to init script */ + char *mount_opts; /* mount options for tmpfs mount */ uid_t owner; /* user which should own the polydir */ gid_t group; /* group which should own the polydir */ mode_t mode; /* mode of the polydir */ -- cgit v1.2.3 From 0603b28023ebe44151466bfb33c60687922e0b0b Mon Sep 17 00:00:00 2001 
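Review bot: The mount() call in ns_setup still passes `0` as mountflags, so the new mntopts string reaches the kernel only as the filesystem data argument. Generic hardening options such as nosuid, nodev or noexec are flag bits (MS_NOSUID, MS_NODEV, MS_NOEXEC) rather than tmpfs data options, so an administrator who writes them in mntopts would most likely get a failed mount instead of a restricted per-user tmpfs. Either state in namespace.conf.5.xml that only tmpfs-specific options (size, nr_inodes, mode) are accepted, or translate the recognised generic options into mountflags before the call. ns_setup continues outside the hunk.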
From: "Dmitry V. Levin" Date: Wed, 10 Oct 2012 18:13:07 +0000 Subject: pam_unix: fix build in --enable-selinux mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit glibc's starting with commit http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467 does not include for POSIX 2008 conformance reasons, so when pam is being built with SELinux support enabled, pam_unix_passwd.c uses getrlimit(2) and therefore should include without relying on other headers. * modules/pam_unix/pam_unix_passwd.c: Include . Reported-by: Guido Trentalancia Reported-by: "Jory A. Pratt" Reported-by: Diego Elio Pettenò --- modules/pam_unix/pam_unix_passwd.c | 1 + 1 file changed, 1 insertion(+) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 9e1302d5..94bc3ec8 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -58,6 +58,7 @@ #include #include #include +#include #include -- cgit v1.2.3 From 37e701d0b580ce3b5378fbeac218694d18e35245 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 23 Nov 2012 10:06:15 +0100 Subject: pam_limits: fix grammatical mistake. modules/pam_limits/limits.conf: Fix grammatical mistake. --- modules/pam_limits/limits.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf index 5d5c3f70..fd66ab77 100644 --- a/modules/pam_limits/limits.conf +++ b/modules/pam_limits/limits.conf @@ -6,7 +6,7 @@ # #Where: # can be: -# - an user name +# - a user name # - a group name, with @group syntax # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, -- cgit v1.2.3 From b2d771f1d3689fd165fe5bd1e0a6d81b31424688 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 30 Nov 2012 21:05:26 +0100 Subject: pam_selinux: Drop obsolete and unsupported manual context selection. modules/pam_selinux/pam_selinux.c (manual_context): Drop function. (compute_exec_context): Drop manual_context() call. --- modules/pam_selinux/pam_selinux.c | 80 --------------------------------------- 1 file changed, 80 deletions(-) (limited to 'modules') diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 473655c5..b96cc236 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c 
@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, return rc; } -static security_context_t -manual_context (pam_handle_t *pamh, const char *user, int debug) -{ - security_context_t newcon=NULL; - context_t new_context; - int mls_enabled = is_selinux_mls_enabled(); - char *type=NULL; - char *response=NULL; - - while (1) { - if (query_response(pamh, - _("Would you like to enter a security context? [N] "), NULL, - &response, debug) != PAM_SUCCESS) - return NULL; - - if ((response[0] == 'y') || (response[0] == 'Y')) - { - if (mls_enabled) - new_context = context_new ("user:role:type:level"); - else - new_context = context_new ("user:role:type"); - - if (!new_context) - goto fail_set; - - if (context_user_set (new_context, user)) - goto fail_set; - - _pam_drop(response); - /* Allow the user to enter each field of the context individually */ - if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && - response[0] != '\0') { - if (context_role_set (new_context, response)) - goto fail_set; - if (get_default_type(response, &type)) - goto fail_set; - if (context_type_set (new_context, type)) - goto fail_set; - _pam_drop(type); - } - _pam_drop(response); - - if (mls_enabled) - { - if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && - response[0] != '\0') { - if (context_range_set (new_context, response)) - goto fail_set; - } - _pam_drop(response); - } - - /* Get the string value of the context and see if it is valid. 
*/ - if (!security_check_context(context_str(new_context))) { - newcon = strdup(context_str(new_context)); - context_free (new_context); - return newcon; - } - else - send_text(pamh,_("Not a valid security context"),debug); - - context_free (new_context); - } - else { - _pam_drop(response); - return NULL; - } - } /* end while */ - fail_set: - free(type); - _pam_drop(response); - context_free (new_context); - return NULL; -} - static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) { struct av_decision avd; @@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data, data->exec_context = context_from_env(pamh, data->default_user_context, env_params, use_current_range, debug); - } else { - if (seuser) { - data->exec_context = manual_context(pamh, seuser, debug); - free(seuser); - } } if (!data->exec_context) { -- cgit v1.2.3 From 33efdded5f66be933aeb0bcc9ea3087551853394 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 20 Dec 2012 16:22:47 +0100 Subject: pam_cracklib: Mention checks that are not run for root. modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks when run as root. --- modules/pam_cracklib/pam_cracklib.8.xml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 9c929bfa..3f6e76f0 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -420,6 +420,8 @@ changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. + Note that root is not asked for an old password so the checks + that compare the old and new password are not performed. -- cgit v1.2.3 From d1ed6a6fc71967b31eb758cea715690e478844c9 Mon Sep 17 00:00:00 2001 
From: Walter de Jong Date: Fri, 18 Jan 2013 14:51:40 +0100 Subject: pam_access: fix typo in ifdef modules/pam_access/pam_access.c (netgroup_match): Fix typo in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN. --- modules/pam_access/pam_access.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 65798f17..55816dcb 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -471,7 +471,7 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, int retval; char *mydomain = NULL; -#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN +#ifdef HAVE_YP_GET_DEFAULT_DOMAIN yp_get_default_domain(&mydomain); #elif defined(HAVE_GETDOMAINNAME) char domainname_res[256]; -- cgit v1.2.3 From e2a818773f96d12fc9f91bf2792a5a216c3b9aa4 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 7 Feb 2013 17:06:57 +0100 Subject: pam_userdb: Allow also modern password hashes supported by crypt(). modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes longer than 13 characters and long salt. --- modules/pam_userdb/pam_userdb.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'modules') diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index c075c4b5..de8b5b1e 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -214,17 +214,13 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, /* crypt(3) password storage */ char *cryptpw; - char salt[2]; - if (data.dsize != 13) { + if (data.dsize < 13) { compare = -2; } else if (ctrl & PAM_ICASE_ARG) { compare = -2; } else { - salt[0] = *data.dptr; - salt[1] = *(data.dptr + 1); - - cryptpw = crypt (pass, salt); + cryptpw = crypt (pass, data.dptr); if (cryptpw) { compare = strncasecmp (data.dptr, cryptpw, data.dsize); -- cgit v1.2.3 From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001 
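Review bot: In user_lookup, `crypt (pass, data.dptr)` now treats the database datum as a C string, but only `data.dsize` bounds it and nothing in the hunk shows that it is NUL-terminated, so crypt() may read past the end of the stored value when parsing the salt. Copying the datum into a terminated buffer first removes that dependency; what `compare` should be on allocation failure is a guess here, since its use lies outside the hunk. The unchanged `strncasecmp (data.dptr, cryptpw, data.dsize)` also compares hashes case-insensitively and only over `dsize` bytes, which is looser than modern case-sensitive hash encodings warrant and is worth revisiting now that longer hashes are accepted.

```c
	} else {
	  /* the database datum is not guaranteed to be NUL-terminated */
	  char *pwhash = strndup (data.dptr, data.dsize);

	  if (pwhash == NULL) {
	    compare = -2;
	  } else {
	    cryptpw = crypt (pass, pwhash);
	    /* … unchanged: comparison of cryptpw with the stored hash … */
	    free (pwhash);
	  }
```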
From: Tomas Mraz Date: Fri, 8 Feb 2013 15:04:26 +0100 Subject: Add checks for crypt() returning NULL. modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. modules/pam_unix/bigcrypt.c (bigcrypt): Likewise. --- modules/pam_pwhistory/opasswd.c | 2 +- modules/pam_unix/bigcrypt.c | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c index 274fdb92..836d713e 100644 --- a/modules/pam_pwhistory/opasswd.c +++ b/modules/pam_pwhistory/opasswd.c @@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass) outval = crypt (newpass, oldpass); #endif - return strcmp(outval, oldpass) == 0; + return outval != NULL && strcmp(outval, oldpass) == 0; } /* Check, if the new password is already in the opasswd file. */ diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c index e10d1c56..e1d57a07 100644 --- a/modules/pam_unix/bigcrypt.c +++ b/modules/pam_unix/bigcrypt.c @@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt) #else tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */ #endif + if (tmp_ptr == NULL) { + free(dec_c2_cryptbuf); + return NULL; + } /* and place in the static area */ strncpy(cipher_ptr, tmp_ptr, 13); cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; @@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt) #else tmp_ptr = crypt(plaintext_ptr, salt_ptr); #endif + if (tmp_ptr == NULL) { + _pam_overwrite(dec_c2_cryptbuf); + free(dec_c2_cryptbuf); + return NULL; + } /* skip the salt for seg!=0 */ strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); -- cgit v1.2.3 From 74ab2ed83471c2b17c2176d7465f56ae32ae4507 Mon Sep 17 00:00:00 2001 
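Review bot: The two new NULL-return paths in bigcrypt clean up differently: the first (hunk at -109) only calls `free(dec_c2_cryptbuf)`, while the second (hunk at -130) calls `_pam_overwrite(dec_c2_cryptbuf)` before freeing. Using the same sequence in both, `_pam_overwrite(dec_c2_cryptbuf); free(dec_c2_cryptbuf);`, keeps the error paths uniform and avoids a reader having to prove the buffer is still empty at the first return. If bigcrypt keeps a local copy of the key (not visible in these hunks), the early returns should wipe it in the same way as the normal exit. bigcrypt starts and ends outside both hunks.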
From: Tomas Mraz Date: Fri, 22 Mar 2013 09:42:22 +0100 Subject: pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions. (check_for_root): Use the selinux_check_root() instead of checkPasswdAccess. --- modules/pam_rootok/pam_rootok.c | 63 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index 8d368cee..70579e5b 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -28,7 +28,11 @@ #ifdef WITH_SELINUX #include -#include +#include +#endif + +#ifdef HAVE_LIBAUDIT +#include #endif /* argument parsing */ 
@@ -55,6 +59,61 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) return ctrl; } +#ifdef WITH_SELINUX +static int +log_callback (int type, const char *fmt, ...) +{ + int audit_fd; + va_list ap; + + va_start(ap, fmt); +#ifdef HAVE_LIBAUDIT + audit_fd = audit_open(); + + if (audit_fd >= 0) { + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) + return 0; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); + return 0; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); + va_end(ap); + return 0; +} + +static int +selinux_check_root (void) +{ + int status = -1; + security_context_t user_context; + union selinux_callback old_callback; + + if (is_selinux_enabled() < 1) + return 0; + + old_callback = selinux_get_callback(SELINUX_CB_LOG); + /* setup callbacks */ + selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); + if ((status = getprevcon(&user_context)) < 0) { + selinux_set_callback(SELINUX_CB_LOG, old_callback); + return status; + } + + status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); + + selinux_set_callback(SELINUX_CB_LOG, old_callback); + freecon(user_context); + return status; +} +#endif + static int check_for_root (pam_handle_t *pamh, int ctrl) { @@ -62,7 +121,7 @@ check_for_root (pam_handle_t *pamh, int ctrl) if (getuid() == 0) #ifdef WITH_SELINUX - if (is_selinux_enabled()<1 || checkPasswdAccess(PASSWD__ROOTOK)==0) + if (selinux_check_root() == 0 || security_getenforce() == 0) #endif retval = PAM_SUCCESS; -- cgit v1.2.3 From 9909a2b6ab99a32853224ae8dc0bb24c018d45e7 Mon Sep 17 00:00:00 2001 
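Review bot: The new log_callback leaks on its libaudit paths: when `vasprintf` fails it returns without `audit_close(audit_fd)` and without `va_end(ap)`, and the successful audit path also returns before `va_end(ap)`. Because this runs inside the process that loaded the PAM module, each failed allocation leaves an audit netlink descriptor open in the calling application. Ending the va_list right after formatting and closing the descriptor on both outcomes fixes this. `audit_fd` is also declared unconditionally but used only under HAVE_LIBAUDIT, so it would be better declared inside that `#ifdef`.

```c
#ifdef HAVE_LIBAUDIT
    audit_fd = audit_open();

    if (audit_fd >= 0) {
	char *buf;
	int rc = vasprintf (&buf, fmt, ap);

	va_end(ap);
	if (rc >= 0) {
	    audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
				       NULL, 0);
	    free(buf);
	}
	audit_close(audit_fd);
	return 0;
    }

#endif
    /* … unchanged: vsyslog fallback and va_end … */
```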
From: Tomas Mraz Date: Fri, 22 Mar 2013 13:50:54 +0100 Subject: pam_lastlog: Do not fail on short read if btmp is corrupted. modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail on short read or read error. --- modules/pam_lastlog/pam_lastlog.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'modules') diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 50e5a59c..bd454ffd 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt } } + if (retval != 0) + pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP); + retval = PAM_SUCCESS; + if (failed) { /* we want the date? */ if (announce & LASTLOG_DATE) { -- cgit v1.2.3 From 183f91a212879229d37e4dce18edd7a141eefa12 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 28 Mar 2013 15:30:19 +0100 Subject: Fix strict aliasing issue in MD5 implementations. modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment. modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment. --- modules/pam_namespace/md5.c | 3 +-- modules/pam_unix/md5.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c index ce4f7d6e..dc95ab14 100644 --- a/modules/pam_namespace/md5.c +++ b/modules/pam_namespace/md5.c @@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) byteReverse(ctx->in, 14); /* Append length in bits and transform */ - ((uint32 *) ctx->in)[14] = ctx->bits[0]; - ((uint32 *) ctx->in)[15] = ctx->bits[1]; + memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); byteReverse((unsigned char *) ctx->buf, 4); diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c index 7881db5d..94f0485b 100644 
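Review bot: The added `retval = PAM_SUCCESS;` in last_login_failed runs unconditionally, so a real read error on the btmp file and a truncated record are both logged as "corruption detected" and then dropped, and the failed-login count announced afterwards may be lower than the true number. That trade-off (a damaged btmp must not block login) is reasonable but is not stated anywhere in the code. A comment would make it explicit: `/* a damaged btmp must not fail the session; the count reported below may be incomplete */`. How `retval` is set by the read loop is outside this hunk, so whether errno is still meaningful at this point cannot be confirmed from here.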
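Review bot: The memcpy in MD5Final removes the two type-punned stores, but the next line still passes `(uint32 *) ctx->in` to MD5Transform, which presumably reads the buffer through that pointer, so the aliasing access the commit is addressing remains on the read side. The destination expression also still forms a `uint32 *` from the buffer; assuming `ctx->in` is a byte array, as the `byteReverse(ctx->in, 14)` call suggests, `memcpy(ctx->in + 14 * sizeof(uint32), ctx->bits, 2 * sizeof(uint32));` gives the same offset without the cast. The same applies to the identical hunk in modules/pam_unix/md5.c. MD5Final continues outside the hunk.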
--- a/modules/pam_unix/md5.c +++ b/modules/pam_unix/md5.c @@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) byteReverse(ctx->in, 14); /* Append length in bits and transform */ - ((uint32 *) ctx->in)[14] = ctx->bits[0]; - ((uint32 *) ctx->in)[15] = ctx->bits[1]; + memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); byteReverse((unsigned char *) ctx->buf, 4); -- cgit v1.2.3 From 8c715834cd61f2d50d53f9af85d3bd2f87a26c61 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 12 Apr 2013 12:49:55 +0200 Subject: pam_access: better not change the default function used to get domain name. modules/pam_access/pam_access.c (netgroup_match): As we did not use yp_get_default_domain() in the 1.1 branch due to typo in ifdef we should use it only as fallback. --- modules/pam_access/pam_access.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 55816dcb..a9cce510 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -471,9 +471,7 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, int retval; char *mydomain = NULL; -#ifdef HAVE_YP_GET_DEFAULT_DOMAIN - yp_get_default_domain(&mydomain); -#elif defined(HAVE_GETDOMAINNAME) +#if defined(HAVE_GETDOMAINNAME) char domainname_res[256]; if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) @@ -483,6 +481,8 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, mydomain = domainname_res; } } +#elif defined(HAVE_YP_GET_DEFAULT_DOMAIN) + yp_get_default_domain(&mydomain); #endif #ifdef HAVE_INNETGR -- cgit v1.2.3 From a36df58aa78531a4629f90f732be475e9296a842 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 18 Jun 2013 16:27:15 +0200 Subject: Use hash from /etc/login.defs as default if no other one is specified as argument. * modules/pam_unix/support.c: Add search_key, call from __set_ctrl * modules/pam_unix/support.h: Add define for /etc/login.defs * modules/pam_unix/pam_unix.8.xml: Document new behavior. * modules/pam_umask/pam_umask.c: Add missing NULL pointer check --- modules/pam_umask/pam_umask.c | 6 ++- modules/pam_unix/pam_unix.8.xml | 7 ++- modules/pam_unix/support.c | 106 +++++++++++++++++++++++++++++++++++++++- modules/pam_unix/support.h | 63 +++++++++++++----------- 4 files changed, 151 insertions(+), 31 deletions(-) (limited to 'modules') diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index 6d2ec1ac..863f0387 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2006, 2007, 2010 Thorsten Kukuk + * Copyright (c) 2005, 2006, 2007, 2010, 2013 Thorsten Kukuk * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -112,6 +112,10 @@ search_key (const char *filename) { buflen = BUF_SIZE; buf = malloc (buflen); + if (buf == NULL) { + fclose (fp); + return NULL; + } } buf[0] = '\0'; if (fgets (buf, buflen - 1, fp) == NULL) diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index 0a42d7a3..9ce084e3 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -81,7 +81,9 @@ The password component of this module performs the task of updating - the user's password. + the user's password. The default encryption hash is taken from the + ENCRYPT_METHOD variable from + /etc/login.defs @@ -392,6 +394,9 @@ session required pam_unix.so SEE ALSO + + login.defs5 + , pam.conf5 , diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index ab04535f..f36786e4 100644 --- a/modules/pam_unix/support.c 
+++ b/modules/pam_unix/support.c @@ -37,6 +37,80 @@ #define SELINUX_ENABLED 0 #endif +static char * +search_key (const char *key, const char *filename) +{ + FILE *fp; + char *buf = NULL; + size_t buflen = 0; + char *retval = NULL; + + fp = fopen (filename, "r"); + if (NULL == fp) + return NULL; + + while (!feof (fp)) + { + char *tmp, *cp; +#if defined(HAVE_GETLINE) + ssize_t n = getline (&buf, &buflen, fp); +#elif defined (HAVE_GETDELIM) + ssize_t n = getdelim (&buf, &buflen, '\n', fp); +#else + ssize_t n; + + if (buf == NULL) + { + buflen = BUF_SIZE; + buf = malloc (buflen); + if (buf == NULL) { + fclose (fp); + return NULL; + } + } + buf[0] = '\0'; + if (fgets (buf, buflen - 1, fp) == NULL) + break; + else if (buf != NULL) + n = strlen (buf); + else + n = 0; +#endif /* HAVE_GETLINE / HAVE_GETDELIM */ + cp = buf; + + if (n < 1) + break; + + tmp = strchr (cp, '#'); /* remove comments */ + if (tmp) + *tmp = '\0'; + while (isspace ((int)*cp)) /* remove spaces and tabs */ + ++cp; + if (*cp == '\0') /* ignore empty lines */ + continue; + + if (cp[strlen (cp) - 1] == '\n') + cp[strlen (cp) - 1] = '\0'; + + tmp = strsep (&cp, " \t="); + if (cp != NULL) + while (isspace ((int)*cp) || *cp == '=') + ++cp; + + if (strcasecmp (tmp, key) == 0) + { + retval = strdup (cp); + break; + } + } + fclose (fp); + + free (buf); + + return retval; +} + + /* this is a front-end for module-application conversations */ int _make_remark(pam_handle_t * pamh, unsigned int ctrl, @@ -58,6 +132,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, int *pass_min_len, int argc, const char **argv) { unsigned int ctrl; + char *val; + int j; D(("called.")); 
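Review bot: In the new search_key, a line holding the key with no value (for example `ENCRYPT_METHOD` alone on a line) leaves `cp` NULL after `strsep`, and the match branch then calls `strdup (cp)` on it. Guarding the comparison, `if (cp != NULL && strcasecmp (tmp, key) == 0)`, keeps one malformed line in login.defs from crashing every program that loads pam_unix. `isspace ((int)*cp)` is also given a plain `char`; `isspace ((unsigned char)*cp)` is the defined form for bytes above 0x7f. The `while (!feof (fp))` loop terminates correctly only because of the `n < 1` break, which deserves a short comment.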
@@ -81,10 +157,38 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, D(("SILENT")); set(UNIX__QUIET, ctrl); } + + /* preset encryption method with value from /etc/login.defs */ + val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS); + if (val) { + for (j = 0; j < UNIX_CTRLS_; ++j) { + if (unix_args[j].token && unix_args[j].is_hash_algo + && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) { + break; + } + } + if (j >= UNIX_CTRLS_) { + pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD value [%s]", val); + } else { + ctrl &= unix_args[j].mask; /* for turning things off */ + ctrl |= unix_args[j].flag; /* for turning things on */ + } + free (val); + + /* read number of rounds for crypt algo */ + if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { + val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); + + if (val) { + *rounds = strtol(val, NULL, 10); + free (val); + } + } + } + /* now parse the arguments to this module */ for (; argc-- > 0; ++argv) { - int j; D(("pam_unix arg: %s", *argv)); diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index db4cd953..65759384 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -7,6 +7,12 @@ #include +/* + * File to read value of ENCRYPT_METHOD from. + */ +#define LOGIN_DEFS "/etc/login.defs" + + /* * here is the string to inform the user that the new passwords they * typed were not the same. @@ -20,6 +26,7 @@ typedef struct { const char *token; unsigned int mask; /* shall assume 32 bits of flags */ unsigned int flag; + unsigned int is_hash_algo; } UNIX_Ctrls; /* 
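Review bot: The new login.defs block in _set_ctrl executes `*rounds = strtol(val, NULL, 10);` without checking `rounds`. If any caller passes NULL for that out-parameter (the callers are outside this view), a system with SHA256 or SHA512 selected and SHA_CRYPT_MAX_ROUNDS set would dereference it during authentication. `if (rounds != NULL && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {` closes that. The value is also stored unvalidated: non-numeric text yields 0 and an out-of-range number is narrowed from long to int, so a range check before the assignment is worth adding. The `strncasecmp` prefix match also accepts any ENCRYPT_METHOD value that merely begins with a known token.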
@@ -100,34 +107,34 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = /* symbol token name ctrl mask ctrl * * ----------------------- ------------------- --------------------- -------- */ -/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01}, -/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02}, -/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04}, -/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010}, -/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020}, -/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040}, -/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, -/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, -/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, -/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, -/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, -/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, -/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000}, -/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0}, -/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000}, -/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000}, -/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000}, -/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000}, -/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000}, -/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000}, -/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000}, -/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000}, -/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000}, -/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000}, -/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, -/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000}, -/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, +/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, +/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +/* UNIX_USE_FIRST_PASS */ {"use_first_pass", 
_ALL_ON_^(060), 020, 0}, +/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0}, +/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, +/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, +/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1}, +/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0}, +/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1}, +/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1}, +/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1}, +/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, +/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, }; #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) -- cgit v1.2.3 From 43a69398c33f8580c5925953fa7ee561666d8e33 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 20 Jun 2013 10:11:43 +0200 Subject: Man page fix - unix_update runs in the permissive mode as well. modules/pam_unix/unix_update.8.xml: unix_update helper runs in the permissive mode as well. --- modules/pam_unix/unix_update.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') 
diff --git a/modules/pam_unix/unix_update.8.xml b/modules/pam_unix/unix_update.8.xml index 07695951..6c7467b9 100644 --- a/modules/pam_unix/unix_update.8.xml +++ b/modules/pam_unix/unix_update.8.xml @@ -38,7 +38,7 @@ The purpose of the helper is to enable tighter confinement of login and password changing services. The helper is thus called only - when SELinux is enabled and in the enforcing mode on the system. + when SELinux is enabled on the system. -- cgit v1.2.3 From 333686501468f66160c8eb50ae23f1dc08b82e12 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Fri, 21 Jun 2013 08:29:00 -0400 Subject: pam_tty_audit: add an option to control logging of passwords: log_passwd Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. * configure.in: autoconf bits to conditionally add support at compile time depending on struct audit_tty_status kernel header version. * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module log_passwd option. * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added "log_passwd" option parsing. Signed-off-by: Richard Guy Briggs --- modules/pam_tty_audit/pam_tty_audit.8.xml | 15 +++++++++++++++ modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 447b8454..552353ce 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml 
@@ -77,6 +77,19 @@ + + + + + + + Log keystrokes when ECHO mode is off but ICANON mode is active. + This is the mode in which the tty is placed during password entry. + By default, passwords are not logged. This option may not be + available on older kernels (3.9?). + + + @@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. + The log_passwd option was added by Richard Guy Briggs + <rgb@redhat.com>. diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 080f4950..a3b590db 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char *user; int i, fd, open_only; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ (void)flags; @@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) command = CMD_NONE; open_only = 0; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 0; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } else if (strcmp (argv[i], "open_only") == 0) open_only = 1; + else if (strcmp (argv[i], "log_passwd") == 0) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 1; +#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + pam_syslog (pamh, LOG_WARNING, + "The log_passwd option was not available at compile time."); +#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ else { pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); 
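Review bot: The `log_passwd` branch added to the option parsing in pam_sm_open_session (hunk at -237) enables recording of keystrokes typed with echo off, which the commit description itself identifies as password entry, yet nothing at that point in the code says so. A comment would make the sensitivity plain to the next reader: `/* log_passwd: password keystrokes will reach the audit log; access to that log must be restricted accordingly */`. When the option is unavailable at compile time the module only warns and continues, which is the safe direction, but the `#warning` fires on every build without the struct member rather than only when an administrator requests the option. pam_sm_open_session starts and ends outside these hunks.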
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } new_status.enabled = (command == CMD_ENABLE ? 1 : 0); - if (old_status->enabled == new_status.enabled) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + if (old_status->enabled == new_status.enabled +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + && old_status->log_passwd == new_status.log_passwd +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + ) { open_only = 1; /* to clean up old_status */ goto ok_fd; -- cgit v1.2.3 From 40ff0c583388d1bb1ef1abfd8522d4aa45f6a7ec Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Thu, 27 Jun 2013 15:31:16 -0400 Subject: pam_tty_audit: fix a typo that crept in during patch review * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD. * configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove. Signed-off-by: Richard Guy Briggs Signed-off-by: Dmitry V. Levin --- modules/pam_tty_audit/pam_tty_audit.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'modules') diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index a3b590db..7dc37395 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,9 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char *user; int i, fd, open_only; -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD int log_passwd; -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ (void)flags; 
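Review bot: `new_status.log_passwd = log_passwd;` in the `@@ -262,7 +276,14 @@` hunk is guarded only by a compile-time check, so a module built against new headers sends the field to whatever kernel is running. The option's own manual text says it may be missing on older kernels, and nothing visible in these hunks handles a kernel that rejects the request. Where that failure is handled (outside the hunk), it should be deliberate whether the session is refused or the option is dropped with a warning. A comment at the assignment would also help, e.g. `/* log_passwd makes the kernel record input typed with echo off, i.e. passwords, in the audit log */`, since enabling it puts cleartext secrets into the audit trail.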
@@ -215,9 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) command = CMD_NONE; open_only = 0; -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD log_passwd = 0; -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -244,13 +244,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) else if (strcmp (argv[i], "open_only") == 0) open_only = 1; else if (strcmp (argv[i], "log_passwd") == 0) -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD log_passwd = 1; -#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ pam_syslog (pamh, LOG_WARNING, "The log_passwd option was not available at compile time."); #warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ else { pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); @@ -276,13 +276,13 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } new_status.enabled = (command == CMD_ENABLE ? 1 : 0); -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD new_status.log_passwd = log_passwd; -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ if (old_status->enabled == new_status.enabled -#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD +#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD && old_status->log_passwd == new_status.log_passwd -#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ +#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ ) { open_only = 1; /* to clean up old_status */ -- cgit v1.2.3 From 7561a59dcfa7a334055244a43195148c4bb0aad1 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Mon, 1 Jul 2013 22:18:02 +0000 Subject: pam_rootok: fix linking in --enable-audit mode pam_rootok.c explicitly uses functions from libaudit, so the module has to be linked with the library. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@. --- modules/pam_rootok/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_rootok/Makefile.am b/modules/pam_rootok/Makefile.am index d132367a..f8f292eb 100644 --- a/modules/pam_rootok/Makefile.am +++ b/modules/pam_rootok/Makefile.am @@ -25,7 +25,7 @@ if HAVE_VERSIONING endif securelib_LTLIBRARIES = pam_rootok.la -pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ +pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ if ENABLE_REGENERATE_MAN noinst_DATA = README -- cgit v1.2.3 From 8fe9004f9fed0eb18b51a7bba4c3e3355076041e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 23 Aug 2013 14:43:36 +0200 Subject: Apply the exclusive check in pam_sepermit only when loginuid not set. * modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from /proc (sepermit_match): Apply the exclusive check only when loginuid not set. --- modules/pam_sepermit/pam_sepermit.c | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index f7998457..8af1266a 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c 
@@ -162,6 +162,40 @@ check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug) return running; } +/* + * This function reads the loginuid from the /proc system. It returns + * (uid_t)-1 on failure. + */ +static uid_t get_loginuid(pam_handle_t *pamh) +{ + int fd, count; + char loginuid[24]; + char *eptr; + uid_t rv = (uid_t)-1; + + fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY); + if (fd < 0) { + if (errno != ENOENT) { + pam_syslog(pamh, LOG_ERR, + "Cannot open /proc/self/loginuid: %m"); + } + return rv; + } + if ((count = pam_modutil_read(fd, loginuid, sizeof(loginuid)-1)) < 1) { + close(fd); + return rv; + } + loginuid[count] = '\0'; + close(fd); + + errno = 0; + rv = strtoul(loginuid, &eptr, 10); + if (errno != 0 || eptr == loginuid) + rv = (uid_t) -1; + + return rv; +} + static void sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED) { @@ -319,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, if (*sense == PAM_SUCCESS) { if (ignore) *sense = PAM_IGNORE; - if (geteuid() == 0 && exclusive) + if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1) if (sepermit_lock(pamh, user, debug) < 0) *sense = PAM_AUTH_ERR; } -- cgit v1.2.3 From a9ac7fd64000712fdedd4c38b408ffebd2988156 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 29 Aug 2013 14:09:39 +0200 Subject: Restart waitpid if it returns with EINTR (ticket #17) * modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/support.c: Likewise. --- modules/pam_unix/pam_unix_acct.c | 3 ++- modules/pam_unix/pam_unix_passwd.c | 3 ++- modules/pam_unix/support.c | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 4a362f88..7f8250ca 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c 
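Review bot: `get_loginuid()` assigns the `strtoul()` result straight to a `uid_t` without checking its range or what follows the digits. Where `unsigned long` is wider than `uid_t`, an out-of-range value is silently truncated. Parsing into an `unsigned long val` and rejecting it with `if (errno != 0 || eptr == loginuid || val > (uid_t)-1) rv = (uid_t)-1;` keeps the narrowing explicit. The caller in the `@@ -319,7 +353,7 @@` hunk should compare against `(uid_t)-1` rather than a bare `-1`, which only works through implicit conversion. Open and read failures return the same value as an unset loginuid, so the exclusive check still runs; that is the stricter path and deserves a one-line comment saying it is intentional.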
@@ -142,7 +142,8 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, if (child > 0) { char buf[32]; int rc=0; - rc=waitpid(child, &retval, 0); /* wait for helper to complete */ + /* wait for helper to complete: */ + while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR); if (rc<0) { pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); retval = PAM_AUTH_ERR; diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 94bc3ec8..9bc1cd9e 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -254,7 +254,8 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); - rc=waitpid(child, &retval, 0); /* wait for helper to complete */ + /* wait for helper to complete: */ + while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR); if (rc<0) { pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m"); retval = PAM_AUTHTOK_ERR; diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index f36786e4..d8f4a6f7 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -621,7 +621,8 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, } close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); - rc=waitpid(child, &retval, 0); /* wait for helper to complete */ + /* wait for helper to complete: */ + while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); if (rc<0) { pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); retval = PAM_AUTH_ERR; -- cgit v1.2.3 From f11cd89316cc051e23ef080aee5c7d823c6dfce2 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 30 Aug 2013 14:46:47 +0200 Subject: Fix compile error * modules/pam_unix/pam_unix_acct.c: fix last change --- modules/pam_unix/pam_unix_acct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') 
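Review bot: The loop condition in the pam_unix_acct.c and pam_unix_passwd.c hunks lacks a closing parenthesis after `waitpid(child, &retval, 0)`, so those two files do not compile. The support.c hunk has the intended form, `while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);`. The placement matters beyond syntax: the assignment has to be closed before `< 0`, otherwise `rc` would receive the result of the comparison rather than waitpid's return value, and the `rc<0` test that follows could never fire. All three functions continue outside their hunks.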
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 7f8250ca..865dc290 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -143,7 +143,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, char buf[32]; int rc=0; /* wait for helper to complete: */ - while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR); + while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); if (rc<0) { pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc); retval = PAM_AUTH_ERR; -- cgit v1.2.3 From fbd7a2c8e9e3e7b10ba408b28f286cbdeccc5691 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 4 Sep 2013 16:40:37 +0200 Subject: Extend pam_exec by stdout and type= options (ticket #8): * modules/pam_exec/pam_exec.c: Add stdout and type= option * modules/pam_exec/pam_exec.8.xml: Document new options --- modules/pam_exec/pam_exec.8.xml | 34 ++++++++++++- modules/pam_exec/pam_exec.c | 108 +++++++++++++++++++++++++++++++++++----- 2 files changed, 127 insertions(+), 15 deletions(-) (limited to 'modules') diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 4dc2a19d..23793668 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -30,9 +30,15 @@ quiet + + stdout + log=file + + type=type + command @@ -117,6 +123,28 @@ + + + + + + + Only run the command if the module type matches the given type. + + + + + + + + + + + Per default the output of the executed command is written to /dev/null. With this option, the stdout output of the executed command is redirected to the calling application. It's in the responsibility of this application what happens with the output. The option is ignored. + + + + @@ -194,7 +222,8 @@ pam_setcred was called, which - does not execute the command. + does not execute the command. Or, the value given for the type= + parameter did not match the module type. 
@@ -236,7 +265,8 @@ AUTHOR - pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. + pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and + Josh Triplett <josh@joshtriplett.org>. diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 8b37e95e..b56e4b26 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -72,6 +72,24 @@ static struct { ENV_ITEM(PAM_RUSER), }; +/* move_fd_to_non_stdio copies the given file descriptor to something other + * than stdin, stdout, or stderr. Assumes that the caller will close all + * unwanted fds after calling. */ +static int +move_fd_to_non_stdio (pam_handle_t *pamh, int fd) +{ + while (fd < 3) + { + fd = dup(fd); + if (fd == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "dup failed: %m"); + _exit (err); + } + } + return fd; +} static int call_exec (const char *pam_type, pam_handle_t *pamh, @@ -81,11 +99,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh, int call_setuid = 0; int quiet = 0; int expose_authtok = 0; + int use_stdout = 0; int optargc; const char *logfile = NULL; const char *authtok = NULL; pid_t pid; int fds[2]; + int stdout_fds[2]; + FILE *stdout_file = NULL; if (argc < 1) { pam_syslog (pamh, LOG_ERR, @@ -100,8 +121,15 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (strcasecmp (argv[optargc], "debug") == 0) debug = 1; + else if (strcasecmp (argv[optargc], "stdout") == 0) + use_stdout = 1; else if (strncasecmp (argv[optargc], "log=", 4) == 0) logfile = &argv[optargc][4]; + else if (strncasecmp (argv[optargc], "type=", 5) == 0) + { + if (strcmp (pam_type, &argv[optargc][5]) != 0) + return PAM_IGNORE; + } else if (strcasecmp (argv[optargc], "seteuid") == 0) call_setuid = 1; else if (strcasecmp (argv[optargc], "quiet") == 0) 
@@ -164,6 +192,21 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } } + if (use_stdout) + { + if (pipe(stdout_fds) != 0) + { + pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); + return PAM_SYSTEM_ERR; + } + stdout_file = fdopen(stdout_fds[0], "r"); + if (!stdout_file) + { + pam_syslog (pamh, LOG_ERR, "Could not fdopen pipe: %m"); + return PAM_SYSTEM_ERR; + } + } + if (optargc >= argc) { pam_syslog (pamh, LOG_ERR, "No path given as argument"); return PAM_SERVICE_ERR; @@ -198,6 +241,21 @@ call_exec (const char *pam_type, pam_handle_t *pamh, close(fds[1]); } + if (use_stdout) + { + char buf[4096]; + close(stdout_fds[1]); + while (fgets(buf, sizeof(buf), stdout_file) != NULL) + { + size_t len; + len = strlen(buf); + if (buf[len-1] == '\n') + buf[len-1] = '\0'; + pam_info(pamh, "%s", buf); + } + fclose(stdout_file); + } + while ((retval = waitpid (pid, &status, 0)) == -1 && errno == EINTR); if (retval == (pid_t)-1) @@ -245,6 +303,23 @@ call_exec (const char *pam_type, pam_handle_t *pamh, int envlen, nitems; char *envstr; + /* First, move all the pipes off of stdin, stdout, and stderr, to ensure + * that calls to dup2 won't close them. */ + + if (expose_authtok) + { + fds[0] = move_fd_to_non_stdio(pamh, fds[0]); + close(fds[1]); + } + + if (use_stdout) + { + stdout_fds[1] = move_fd_to_non_stdio(pamh, stdout_fds[1]); + close(stdout_fds[0]); + } + + /* Set up stdin. */ + if (expose_authtok) { /* reopen stdin as pipe */ @@ -254,17 +329,10 @@ call_exec (const char *pam_type, pam_handle_t *pamh, pam_syslog (pamh, LOG_ERR, "dup2 of STDIN failed: %m"); _exit (err); } - - for (i = 0; i < sysconf (_SC_OPEN_MAX); i++) - { - if (i != STDIN_FILENO) - close (i); - } } else { - for (i = 0; i < sysconf (_SC_OPEN_MAX); i++) - close (i); + close (STDIN_FILENO); /* New stdin. */ if ((i = open ("/dev/null", O_RDWR)) < 0) 
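Review bot: Both early returns around the new `use_stdout` setup in the `@@ -164,6 +192,21 @@` hunk leave descriptors open in the calling process. When `fdopen()` fails, `stdout_fds[0]` and `stdout_fds[1]` are never closed. The `No path given as argument` return just below also leaves the pipe and `stdout_file` behind. In a long-running service every such failed call costs descriptors. Add `close (stdout_fds[0]); close (stdout_fds[1]);` before `return PAM_SYSTEM_ERR;` and move the `optargc >= argc` check ahead of the pipe creation; call_exec continues outside the hunk.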
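Review bot: `buf[len-1]` in the read loop of the `@@ -198,6 +241,21 @@` hunk is evaluated without checking `len`. If the command emits a line that starts with a NUL byte, `strlen(buf)` is 0 and the code reads, and may overwrite, the byte before `buf`. The guard should be `if (len > 0 && buf[len-1] == '\n')`. Passing the text to `pam_info` through a fixed `"%s"` format is the right choice and should stay.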
@@ -275,12 +343,23 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } } - /* New stdout and stderr. */ - if (logfile) + /* Set up stdout. */ + + if (use_stdout) + { + if (dup2(stdout_fds[1], STDOUT_FILENO) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "dup2 to stdout failed: %m"); + _exit (err); + } + } + else if (logfile) { time_t tm = time (NULL); char *buffer = NULL; + close (STDOUT_FILENO); if ((i = open (logfile, O_CREAT|O_APPEND|O_WRONLY, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { @@ -297,7 +376,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else { - /* New stdout/stderr. */ + close (STDOUT_FILENO); if ((i = open ("/dev/null", O_RDWR)) < 0) { int err = errno; @@ -306,13 +385,16 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } } - if (dup (i) == -1) + if (dup2 (STDOUT_FILENO, STDERR_FILENO) == -1) { int err = errno; - pam_syslog (pamh, LOG_ERR, "dup failed: %m"); + pam_syslog (pamh, LOG_ERR, "dup2 failed: %m"); _exit (err); } + for (i = 3; i < sysconf (_SC_OPEN_MAX); i++) + close (i); + if (call_setuid) if (setuid (geteuid ()) == -1) { -- cgit v1.2.3 From 7f9aa8388f19012b6b11b0077422ee0c7a8cb286 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 13 Sep 2013 14:04:08 +0200 Subject: Add missing ')' modules/pam_unix/pam_unix_passwd.c: Add missing ')'.. --- modules/pam_unix/pam_unix_passwd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 9bc1cd9e..9aae3b03 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c 
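Review bot: The `dup2 (STDOUT_FILENO, STDERR_FILENO)` in the `@@ -306,13 +385,16 @@` hunk appears to run whichever stdout branch was taken. With the `stdout` option the command's error output would therefore also enter the pipe and be shown to the user through `pam_info`, although the manual text mentions only stdout. Error text from a helper can contain paths or account details, and in an auth stack it is displayed before the user is authenticated. Either state this in a comment, e.g. `/* stderr follows stdout, so with the stdout option error output reaches the application too */`, or send stderr to /dev/null when `use_stdout` is set. Separately, a `logfile` given together with `stdout` is silently ignored by the `else if` in the `@@ -275,12 +343,23 @@` hunk.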
@@ -255,7 +255,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); /* wait for helper to complete: */ - while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR); + while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); if (rc<0) { pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m"); retval = PAM_AUTHTOK_ERR; -- cgit v1.2.3 From 45ec020678ffc82f6c2849935907e2d83710a1f2 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 13 Sep 2013 15:20:01 +0200 Subject: Write to *rounds only if non-NULL. modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL. --- modules/pam_unix/support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index d8f4a6f7..9284dbaa 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -176,7 +176,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, free (val); /* read number of rounds for crypt algo */ - if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) { + if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) { val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); if (val) { -- cgit v1.2.3 From ba315ae8effdcad591608c99452dad05c4cf20ab Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 16 Sep 2013 11:48:12 +0200 Subject: Check return value of setuid to remove glibc warnings. * modules/pam_unix/pam_unix_acct.c: Check setuid return value. * modules/pam_unix/support.c: Likewise. --- modules/pam_unix/pam_unix_acct.c | 7 ++++++- modules/pam_unix/support.c | 5 ++++- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 865dc290..8ec44492 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c 
@@ -121,7 +121,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, if (geteuid() == 0) { /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */ - setuid(0); + if (setuid(0) == -1) { + pam_syslog(pamh, LOG_ERR, "setuid failed: %m"); + printf("-1\n"); + fflush(stdout); + _exit(PAM_AUTHINFO_UNAVAIL); + } } /* exec binary helper */ diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 9284dbaa..19d72e66 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -586,7 +586,10 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, if (geteuid() == 0) { /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */ - setuid(0); + if (setuid(0) == -1) { + D(("setuid failed")); + _exit(PAM_AUTHINFO_UNAVAIL); + } } /* exec binary helper */ -- cgit v1.2.3
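Review bot: The support.c hunk reports a failed `setuid(0)` only through `D(("setuid failed"))`, which looks like the debug-only trace macro, so production builds would exit the child with no log entry. The pam_unix_acct.c hunk handles the same failure with `pam_syslog`. A failed privilege change before running the helper is worth recording consistently, so support.c should use `pam_syslog(pamh, LOG_ERR, "setuid failed: %m");` before `_exit(PAM_AUTHINFO_UNAVAIL);`. Both functions continue outside their hunks.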