From ca2cb12dd3165ab006c674d673a2d596d642c875 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 8 Jan 2008 14:49:05 +0000 Subject: Relevant BUGIDs: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Purpose of commit: bigfix Commit summary: --------------- 2008-01-08 Thorsten Kukuk * doc/man/Makefile.am: Fix manual page dependencies, add hack for bug in xsl stylestheets. 2008-01-02 Petteri Räty * modules/pam_limits/limits.conf: document allowed values for nice. * modules/pam_limits/limits.conf.5.xml: Likewise. and readd files wrongly deleted before. --- modules/pam_limits/limits.conf | 2 +- modules/pam_limits/limits.conf.5.xml | 2 +- modules/pam_selinux/.cvsignore | 1 - modules/pam_selinux/Makefile.am | 3 +- modules/pam_selinux/pam_selinux_check.8 | 35 +++++++++++++++ modules/pam_stress/.cvsignore | 1 - modules/pam_stress/README | 64 ++++++++++++++++++++++++++ modules/pam_unix/.cvsignore | 1 - modules/pam_unix/unix_chkpwd.8 | 80 +++++++++++++++++++++++++++++++++ 9 files changed, 183 insertions(+), 6 deletions(-) create mode 100644 modules/pam_selinux/pam_selinux_check.8 create mode 100644 modules/pam_stress/README create mode 100644 modules/pam_unix/unix_chkpwd.8 (limited to 'modules') diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf index d3463638..5d5c3f70 100644 --- a/modules/pam_limits/limits.conf +++ b/modules/pam_limits/limits.conf @@ -33,7 +33,7 @@ # - locks - max number of file locks the user can hold # - sigpending - max number of pending signals # - msgqueue - max memory used by POSIX message queues (bytes) -# - nice - max nice priority allowed to raise to +# - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority # # diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index 8983bee3..fb1fad27 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml 
@@ -214,7 +214,7 @@ - maximum nice priority allowed to raise to (Linux 2.6.12 and higher) + maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19] diff --git a/modules/pam_selinux/.cvsignore b/modules/pam_selinux/.cvsignore index 72174be1..08754fd5 100644 --- a/modules/pam_selinux/.cvsignore +++ b/modules/pam_selinux/.cvsignore @@ -9,4 +9,3 @@ Makefile.in pam_selinux_check README pam_selinux.8 -pam_selinux_check.8 diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index d11b507c..baf782a8 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -1,8 +1,9 @@ # -# Copyright (c) 2005, 2006 Thorsten Kukuk +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk # CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ tst-pam_selinux diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 new file mode 100644 index 00000000..d6fcdff1 --- /dev/null +++ b/modules/pam_selinux/pam_selinux_check.8 @@ -0,0 +1,35 @@ +.TH pam_selinux_check 8 2002/05/23 "Red Hat Linux" "System Administrator's Manual" +.SH NAME +pam_selinux_check \- login program to test pam_selinux.so +.SH SYNOPSIS +.B pam_selinux_check [user] +.br + +.SH DESCRIPTION +With no arguments, +.B pam_selinux_check +will prompt for user + +.SH OPTIONS +.IP target_user +The user to login as. + +.SH DIAGNOSTICS +You must setup a /etc/pam.d/pam_selinux_check file, in order for the check to work. + +When checking if a selinux is valid, +.B pam_selinux_check +returns an exit code of 0 for success and > 0 on error: + +.nf +1: Authentication failure +.fi + +.SH SEE ALSO +pam_selinux(8) + +.SH BUGS +Let's hope not, but if you find any, please email the author. + +.SH AUTHOR +Dan Walsh diff --git a/modules/pam_stress/.cvsignore b/modules/pam_stress/.cvsignore index acf3f3bc..9fb98574 100644 --- a/modules/pam_stress/.cvsignore 
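Review bot: In modules/pam_selinux/Makefile.am, the new `MAINTAINERCLEANFILES = $(MANS) README` makes `make maintainer-clean` delete every page in `$(MANS)`, while this same commit re-adds `pam_selinux_check.8` as a hand-written page with no XML source visible in the diff. The definition of `man_MANS` is outside the hunk, so it cannot be confirmed here whether that page ends up in `$(MANS)`. If it does, it would be removed with no rule to regenerate it, which looks like the loss the commit message says it is repairing. Naming the generated files explicitly would avoid this; assuming those are `pam_selinux.8` and `README`, that is `MAINTAINERCLEANFILES = pam_selinux.8 README`. A comment such as `# generated from $(XMLS); pam_selinux_check.8 is hand-maintained and must stay out of this list` would record the intent.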
+++ b/modules/pam_stress/.cvsignore
@@ -4,4 +4,3 @@
 .libs
 Makefile
 Makefile.in
-README
diff --git a/modules/pam_stress/README b/modules/pam_stress/README
new file mode 100644
index 00000000..e64bf2d3
--- /dev/null
+++ b/modules/pam_stress/README
@@ -0,0 +1,64 @@
+#
+# This describes the behavior of this module with respect to the
+# /etc/pam.conf file.
+#
+# writen by Andrew Morgan
+#
+
+This module recognizes the following arguments.
+
+debug put lots of information in syslog.
+ *NOTE* this option writes passwords to syslog, so
+ don't use anything sensitive when testing.
+
+no_warn don't give warnings about things (otherwise warnings are issued
+ via the conversation function)
+
+use_first_pass don't prompt for a password, for pam_sm_authentication
+ function just use item PAM_AUTHTOK.
+
+try_first_pass don't prompt for a password unless there has been no
+ previous authentication token (item PAM_AUTHTOK is NULL)
+
+rootok This is intended for the pam_sm_chauthtok function and
+ it instructs this function to permit root to change
+ the user's password without entering the old password.
+
+The following arguments are acted on by the module. They are intended
+to make the module give the impression of failing as a fully
+functioning module might.
+
+expired an argument intended for the account and chauthtok module
+ parts. It instructs the module to act as if the user's
+ password has expired
+
+fail_1 this instructs the module to make its first function fail.
+
+fail_2 this instructs the module to make its second function (if there
+ is one) fail.
+
+ The function break up is indicated in the Module
+ Developers' Guide. Listed here it is:
+
+ service function 1 function 2
+ ------- ---------- ----------
+ auth pam_sm_authenticate pam_sm_setcred
+ password pam_sm_chauthtok
+ session pam_sm_open_session pam_sm_close_session
+ account pam_sm_acct_mgmt
+
+prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK.
+
+required for pam_sm_chauthtok, means fail if the user hasn't already
+ been authenticated by this module. (See stress_new_pwd data
+ item below.)
+
+#
+# data strings that this module uses are the following:
+#
+
+data name value(s) Comments
+--------- -------- --------
+stress_new_pwd yes tells pam_sm_chauthtok that
+ pam_sm_acct_mgmt says we need a new
+ password
diff --git a/modules/pam_unix/.cvsignore b/modules/pam_unix/.cvsignore
index 454f7276..905ba473 100644
--- a/modules/pam_unix/.cvsignore
+++ b/modules/pam_unix/.cvsignore
@@ -9,4 +9,3 @@ bigcrypt
 unix_chkpwd
 README
 pam_unix.8
-unix_chkpwd.8
diff --git a/modules/pam_unix/unix_chkpwd.8 b/modules/pam_unix/unix_chkpwd.8
new file mode 100644
index 00000000..02ccfe4a
--- /dev/null
+++ b/modules/pam_unix/unix_chkpwd.8
@@ -0,0 +1,80 @@
+.\" Copyright (C) 2003 International Business Machines Corporation
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\"
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "UNIX_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
+.SH NAME
+unix_chkpwd \- helper binary that verifies the password of the current user
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/sbin/unix_chkpwd [\fIusername\fR]
+.sp
+.ad
+.hy
+.SH "DESCRIPTION"
+.PP
+\fBunix_chkpwd\fR is a helper program for the pam_unix module that verifies
+the password of the current user. It is not intended to be run directly from
+the command line and logs a security violation if done so.
+
+It is typically installed setuid root or setgid shadow.
+
+.SH "OPTIONS"
+.PP
+unix_pwdchk optionally takes the following argument:
+.TP
+\fIusername\fR
+The username of the user whose password you want to check: this must match the current user id.
+
+.SH "INPUTS"
+.PP
+unix_pwdchk expects the following inputs via stdin:
+.TP
+\fIoption\fR
+Either nullok or nonull, depending on whether the user can have an empty password.
+.TP
+\fIpassword\fR
+The password to verify.
+
+.SH "RETURN CODES"
+.PP
+\fBunix_chkpwd\fR has the following return codes:
+.TP
+1
+unix_chkpwd was inappropriately called from the command line or the password is incorrect.
+
+.TP
+0
+The password is correct.
+
+.SH "HISTORY"
+Written by Andrew Morgan
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam\fR(8)
+
+.SH AUTHOR
+Emily Ratliff.
+
-- cgit v1.2.3