applies also for every other Free Software Project. Contact
`translation@iro.umontreal.ca' to make the `.pot' files available to
the translation teams.
-
* libpam: Fix debug code (kukuk)
* pam_limits: Fix order of LIMITS_DEF_* priorities (kukuk)
* pam_xauth: preserve DISPLAY variable (Novell #66885 - kukuk)
-* libpam: Add prelude ids (http://www.prelude-ids.org) support,
+* libpam: Add prelude ids (http://www.prelude-ids.org) support,
as experimental. (toady)
-* configure: Add the directory where new versions of cracklib is
- installed (from Jim Gifford - toady)
+* configure: Add the directory where new versions of cracklib is
+ installed (from Jim Gifford - toady)
* libpamc: Use standard u_intX_t types instead of __uX (kukuk)
0.78: Do Nov 18 14:48:36 CET 2004
* pam_unix: change the order of trying password changes - local first,
NIS second (t8m)
-* pam_wheel: add option only_root to make it affect authentication
+* pam_wheel: add option only_root to make it affect authentication
to root account only
* pam_unix: test return values on renaming files and report error to
syslog and to user
The whole idea is to create few "systemwide" pam configs and include
parts of them in application pam configs.
(patch by "Dmitry V. Levin" <ldv@altlinux.org>) (Bug 812567 - baggins).
-* doc/modules/pam_mkhomedir.sgml: Remove wrong debug options
+* doc/modules/pam_mkhomedir.sgml: Remove wrong debug options
(Bug 591605 - kukuk)
* pam_unix: Call password checking helper whenever the password field
contains only one character (Bug 1027903 - kukuk)
(otherwise /etc/pam.conf is treated as before)
- given /etc/pam.d/
. config files are named (in lower case) by service-name
- . config files have same syntax as /etc/pam.conf except
+ . config files have same syntax as /etc/pam.conf except
that the "service-name" field is not present. (there
are thus three manditory fields (and arguments are
optional):
also some coverage of libpam_misc in the App. Developers' guide.
* Cristian's patches to pam_limits and pam_pwdb. Fixing bugs. (MORE added)
-
+
* adopted Cristian's _pam_macros.h file to help with common macros and
debugging stuff, gone through tree tidying up debugging lines to use
this [not complete].
* removed <bf/ .. / from documentation titles. This was not giving
politically correct html..
-
+
----- My vvvvvvvvvvvvvvvvvvv was a long time ago ;*] -----
Wed Sep 4 23:57:19 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>
*** If anyone has any trouble, please *say*. Your problem will be
fixed in the next release. Also please feel free to scour the
- code for race conditions etc...
+ code for race conditions etc...
[* The above change requires that you purge your /usr/lib/security
directory of the old pam_unix_XXX.so modules: they will NOT be deleted
future documentation of static module support in pam_modules.sgml)
* libpam; many changes to makefiles and also automated the inclusion of
static module objects in pam_static.c
-* modified modules for automated static/dynamic support. Added static &
+* modified modules for automated static/dynamic support. Added static &
dynamic subdirectories, as instructed by Michael
* removed an annoying syslog message from pam_filter: "parent exited.."
* updated todo list (anyone know anything about svgalib/X? we probably should
* stable code from pam_unix is added to modules/pam_unix
* test/test.c now requests username and password and attempts
to perform authentication
-
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
-------------------------------------------------------------------------
-
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
-------------------------------------------------------------------------
-
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
-
$(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
#CLEANFILES += $(man_MANS) README
-
Release 1.1.5
* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
* pam_access: Add hostname resolution cache
-* Documentation: Improvements/fixes
+* Documentation: Improvements/fixes
Release 1.1.4
# The PAM configuration file for the `xlock' service
#
xlock auth required pam_unix.so
-
The program will fail if ./pam.d/ already exists.
Andrew Morgan, February 1997
-
make -C sag releasedocs
make -C adg releasedocs
make -C mwg releasedocs
-
associated with the handle <emphasis>pamh</emphasis>).
</para>
<para>
- The <emphasis>pamh</emphasis> argument is an authentication
+ The <emphasis>pamh</emphasis> argument is an authentication
handle obtained by a prior call to pam_start().
The flags argument is the binary or of zero or more of the
following values:
name of the user specified by
<citerefentry>
<refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>. If no user was specified it what
+ </citerefentry>. If no user was specified it what
<function>pam_get_item (pamh, PAM_USER, ... );</function> would
have returned. If this is NULL it obtains the username via the
<citerefentry>
</itemizedlist>
<para>
By whatever means the username is obtained, a pointer to it is
- returned as the contents of <emphasis>*user</emphasis>. Note,
- this memory should <emphasis remap="B">not</emphasis> be
+ returned as the contents of <emphasis>*user</emphasis>. Note,
+ this memory should <emphasis remap="B">not</emphasis> be
<emphasis>free()</emphasis>'d or <emphasis>modified</emphasis>
by the module.
</para>
<para>
This function sets the <emphasis>PAM_USER</emphasis> item
- associated with the
+ associated with the
<citerefentry>
<refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
</citerefentry> and
<title>DESCRIPTION</title>
<para>
The <function>pam_set_data</function> function associates a pointer
- to an object with the (hopefully) unique string
+ to an object with the (hopefully) unique string
<emphasis>module_data_name</emphasis> in the PAM context specified
by the <emphasis>pamh</emphasis> argument.
</para>
Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the
database of authentication tokens for this authentication
mechanism has a <emphasis>NULL</emphasis> entry for the user.
- Without this flag, such a <emphasis>NULL</emphasis> token
+ Without this flag, such a <emphasis>NULL</emphasis> token
will lead to a success without the user being prompted.
</para>
</listitem>
<listitem>
<para>
The modules were not able to access the authentication
- information. This might be due to a network or hardware
+ information. This might be due to a network or hardware
failure etc.
</para>
</listitem>
<title>DESCRIPTION</title>
<para>
The <function>pam_xauth_data</function> structure contains X
- authentication data used to make a connection to an X display.
+ authentication data used to make a connection to an X display.
Using this mechanism, an application can communicate X
authentication data to PAM service modules. This allows modules to
make a connection to the user's X display in order to label the
parse_l.c
parse_y.c
parse_y.h
-
your agent has as an identifier, they you are entitled to use
this identifier.) It is up to each domain how it manages its local
namespace.
-
+
The '/' character is a mandatory delimiter, indicating the end of the
agent_id. The trailing data is of a format specific to the agent with
the given agent_id.
requests and exchanges them with the client. Every message sent by a
module should be acknowledged.
-General conversation functions can support the following five
+General conversation functions can support the following five
conversation requests:
echo text string
The return value for this function is one of the following:
- PAM_BPC_TRUE - all invoked agents are content with
+ PAM_BPC_TRUE - all invoked agents are content with
authentication (the server is _not_ judged
_un_trustworthy by any agent)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-
+
#define MAXLINE 1000
#define INDENT_STRING " "
#define PAPER_WIDTH 74
printf("%s%s%s", $2, fixed, $4);
free($2);
free($4);
-
+
l = (len+1)/2;
memset(fixed, ' ', l);
fixed[l] = '\0';
printf("%s%s%s", $2, fixed, $4);
free($2);
free($4);
-
+
l = (len+1)/2;
memset(fixed, ' ', l);
fixed[l] = '\0';
sprintf(new+j, "%d", ++i);
counter_root = set_key(counter_root, key, new);
-
+
if (last_label) {
free(last_label);
}
Samar, Schemers Page 28
-
-
-
-
-
-
}
/* handle->XXX points to each of the PAM functions */
-
-
+
+
if (dlclose(handle)) {
fprintf(stderr, "failed to unload pam.so: %s\n", dlerror());
exit(1);
Makefile.in
.deps
.libs
-
xsh is new as of Linux-PAM-0.31, it is identical to blank, but invokes
/bin/sh if the user is authenticated.
-
fprintf(stderr,"usage: %s [username]\n",argv[0]);
} else if (argc == 2) {
username = argv[1];
- }
+ }
/* initialize the Linux-PAM library */
retcode = pam_start("blank", username, &conv, &pamh);
fprintf(stderr,"%s: problem closing a session\n",argv[0]);
break;
}
-
+
retcode = pam_setcred(pamh, PAM_DELETE_CRED);
bail_out(pamh,0,retcode,"pam_setcred2");
/*
$Id$
-
+
This program was contributed by Shane Watts <shane@icarus.bofh.asn.au>
slight modifications by AGM.
}
retval = pam_start("check", user, &conv, &pamh);
-
+
if (retval == PAM_SUCCESS)
retval = pam_authenticate(pamh, 0); /* is user really user? */
pam_end(pamh, res);
exit(0);
}
-
-
{
int audit_fd;
int rc;
-
+
if ((audit_fd=_pam_audit_open(pamh)) == -1) {
return PAM_SYSTEM_ERR;
} else if (audit_fd == -2) {
rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
audit_close(audit_fd);
-
+
return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS;
}
if (impression == _PAM_UNDEF
|| (impression == _PAM_POSITIVE
&& status == PAM_SUCCESS) ) {
- if ( retval != PAM_IGNORE || cached_retval == retval ) {
+ if ( retval != PAM_IGNORE || cached_retval == retval ) {
impression = _PAM_POSITIVE;
- status = retval;
- }
+ status = retval;
+ }
}
}
/* this means that we need to skip #action stacked modules */
while (h->next != NULL && h->next->stack_level >= stack_level && action > 0) {
- do {
+ do {
h = h->next;
++depth;
} while (h->next != NULL && h->next->stack_level > stack_level);
NSObjectFileImage ofile;
void *ret = NULL;
- if (NSCreateObjectFileImageFromFile(mod_path, &ofile) !=
- NSObjectFileImageSuccess )
+ if (NSCreateObjectFileImageFromFile(mod_path, &ofile) !=
+ NSObjectFileImageSuccess )
return NULL;
ret = NSLinkModule(ofile, mod_path, NSLINKMODULE_OPTION_PRIVATE | NSLINKMODULE_OPTION_BINDNOW);
#endif
}
-servicefn _pam_dlsym(void *handle, const char *symbol)
+servicefn _pam_dlsym(void *handle, const char *symbol)
{
#ifdef PAM_SHL
char *_symbol = NULL;
return NULL;
strcpy(_symbol, SHLIB_SYM_PREFIX);
strcat(_symbol, symbol);
- if( shl_findsym(&handle, _symbol,
+ if( shl_findsym(&handle, _symbol,
(short) TYPE_PROCEDURE, &ret ){
free(_symbol);
return NULL;
}
return ret;
-
+
#elif defined(PAM_DYLD)
NSSymbol nsSymbol;
char *_symbol;
tok = _pam_StrTok(NULL, " \n\t", &nexttok);
if (pam_include) {
- if (substack) {
+ if (substack) {
res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
- stack_level, module_type, actions, tok,
- 0, NULL, 0);
+ stack_level, module_type, actions, tok,
+ 0, NULL, 0);
if (res != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR, "error adding substack %s", tok);
D(("failed to load module - aborting"));
return PAM_ABORT;
- }
- }
+ }
+ }
if (_pam_load_conf_file(pamh, tok, this_service, module_type,
stack_level + substack
#ifdef PAM_READ_BOTH_CONFS
struct loaded_module *mod;
D(("_pam_load_module: loading module `%s'", mod_path));
-
+
mod = pamh->handlers.module;
/* First, ensure the module is loaded */
/* if we get here with NULL it means allocation error */
return PAM_ABORT;
}
-
+
mod_type = mod->type;
}
-
+
if (mod_path == NULL)
- mod_path = UNKNOWN_MODULE;
+ mod_path = UNKNOWN_MODULE;
/*
* At this point 'mod' points to the stored/loaded module.
if (pamh->former.want_user) {
/* must have a prompt to resume with */
if (! pamh->former.prompt) {
- pam_syslog(pamh, LOG_ERR,
- "pam_get_user: failed to resume with prompt"
+ pam_syslog(pamh, LOG_ERR,
+ "pam_get_user: failed to resume with prompt"
);
return PAM_ABORT;
}
/* must be the same prompt as last time */
if (strcmp(pamh->former.prompt, use_prompt)) {
pam_syslog(pamh, LOG_ERR,
- "pam_get_user: resumed with different prompt");
+ "pam_get_user: resumed with different prompt");
return PAM_ABORT;
}
break;
}
}
- if (act > 0) {
+ if (act > 0) {
/*
* Either we have a number or we have hit an error. In
* principle, there is nothing to stop us accepting
#include <stdlib.h>
static int intlen(int number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
}
static int longlen(long number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
int i;
data_name = malloc(strlen("_pammodutil_getgrgid") + 1 +
- longlen((long)gid) + 1 + intlen(INT_MAX) + 1);
+ longlen((long)gid) + 1 + intlen(INT_MAX) + 1);
if ((pamh != NULL) && (data_name == NULL)) {
D(("was unable to register the data item [%s]",
pam_strerror(pamh, status)));
if (pamh != NULL) {
for (i = 0; i < INT_MAX; i++) {
sprintf(data_name, "_pammodutil_getgrgid_%ld_%d",
- (long) gid, i);
+ (long) gid, i);
status = PAM_NO_MODULE_DATA;
if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
status = pam_set_data(pamh, data_name,
/* no sense in repeating the call */
break;
}
-
+
length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
* Sorry, there does not appear to be a reentrant version of
* getgrgid(). So, we use the standard libc function.
*/
-
+
return getgrgid(gid);
#endif /* def HAVE_GETGRGID_R */
#include <stdlib.h>
static int intlen(int number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
int i;
data_name = malloc(strlen("_pammodutil_getgrnam") + 1 +
- strlen(group) + 1 + intlen(INT_MAX) + 1);
+ strlen(group) + 1 + intlen(INT_MAX) + 1);
if ((pamh != NULL) && (data_name == NULL)) {
D(("was unable to register the data item [%s]",
pam_strerror(pamh, status)));
/* no sense in repeating the call */
break;
}
-
+
length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
* Sorry, there does not appear to be a reentrant version of
* getgrnam(). So, we use the standard libc function.
*/
-
+
return getgrnam(group);
#endif /* def HAVE_GETGRNAM_R */
#include <stdlib.h>
static int intlen(int number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
int i;
data_name = malloc(strlen("_pammodutil_getpwnam") + 1 +
- strlen(user) + 1 + intlen(INT_MAX) + 1);
+ strlen(user) + 1 + intlen(INT_MAX) + 1);
if ((pamh != NULL) && (data_name == NULL)) {
D(("was unable to register the data item [%s]",
pam_strerror(pamh, status)));
/* no sense in repeating the call */
break;
}
-
+
length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
* Sorry, there does not appear to be a reentrant version of
* getpwnam(). So, we use the standard libc function.
*/
-
+
return getpwnam(user);
#endif /* def HAVE_GETPWNAM_R */
#include <stdlib.h>
static int intlen(int number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
}
static int longlen(long number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
int i;
data_name = malloc(strlen("_pammodutil_getpwuid") + 1 +
- longlen((long) uid) + 1 + intlen(INT_MAX) + 1);
+ longlen((long) uid) + 1 + intlen(INT_MAX) + 1);
if ((pamh != NULL) && (data_name == NULL)) {
D(("was unable to register the data item [%s]",
pam_strerror(pamh, status)));
if (pamh != NULL) {
for (i = 0; i < INT_MAX; i++) {
sprintf(data_name, "_pammodutil_getpwuid_%ld_%d",
- (long) uid, i);
+ (long) uid, i);
status = PAM_NO_MODULE_DATA;
if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
status = pam_set_data(pamh, data_name,
/* no sense in repeating the call */
break;
}
-
+
length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
* Sorry, there does not appear to be a reentrant version of
* getpwuid(). So, we use the standard libc function.
*/
-
+
return getpwuid(uid);
#endif /* def HAVE_GETPWUID_R */
#include <stdlib.h>
static int intlen(int number)
-{
+{
int len = 2;
while (number != 0) {
number /= 10;
int i;
data_name = malloc(strlen("_pammodutil_getspnam") + 1 +
- strlen(user) + 1 + intlen(INT_MAX) + 1);
+ strlen(user) + 1 + intlen(INT_MAX) + 1);
if ((pamh != NULL) && (data_name == NULL)) {
D(("was unable to register the data item [%s]",
pam_strerror(pamh, status)));
/* no sense in repeating the call */
break;
}
-
+
length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
* Sorry, there does not appear to be a reentrant version of
* getspnam(). So, we use the standard libc function.
*/
-
+
return getspnam(user);
#endif /* def HAVE_GETSPNAM_R */
return 0;
}
-int
+int
pam_modutil_user_in_group_nam_nam(pam_handle_t *pamh,
const char *user, const char *group)
{
void prelude_send_alert(pam_handle_t *pamh, int authval);
#endif /* _SECURITY_PAM_PRELUDE_H */
-
#ifdef HAVE_LIBAUDIT
retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
-#endif
+#endif
return retval;
}
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior
* written permission.
- *
+ *
* ALTERNATIVELY, this product may be distributed under the terms of
* the GNU Public License, in which case the provisions of the GPL are
* required INSTEAD OF the above restrictions. (This clause is
* necessary due to a potential bad interaction between the GPL and
* the restrictions contained in a BSD-style copyright.)
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
lib_LTLIBRARIES = libpam_misc.la
libpam_misc_la_SOURCES = help_env.c misc_conv.c
-
#include <security/pam_appl.h>
#include <security/pam_client.h>
-#ifdef __cplusplus
-extern "C" {
+#ifdef __cplusplus
+extern "C" {
#endif /* __cplusplus */
/* include some useful macros */
if (have_term)
nc = read(STDIN_FILENO, line, INPUTSIZE-1);
else /* we must read one line only */
- for (nc = 0; nc < INPUTSIZE-1 && (nc?line[nc-1]:0) != '\n';
+ for (nc = 0; nc < INPUTSIZE-1 && (nc?line[nc-1]:0) != '\n';
nc++) {
int rv;
if ((rv=read(STDIN_FILENO, line+nc, 1)) != 1) {
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
-------------------------------------------------------------------------
-
\
__size = PAM_BP_MIN_SIZE + data_length; \
if ((*(old_p) = PAM_BP_CALLOC(1, 1+__size))) { \
- __PAM_BP_WOCTET(*(old_p), 3) = __size & 0xFF; \
+ __PAM_BP_WOCTET(*(old_p), 3) = __size & 0xFF; \
__PAM_BP_WOCTET(*(old_p), 2) = (__size>>=8) & 0xFF; \
__PAM_BP_WOCTET(*(old_p), 1) = (__size>>=8) & 0xFF; \
__PAM_BP_WOCTET(*(old_p), 0) = (__size>>=8) & 0xFF; \
if ( default_path[i] == PAMC_SYSTEM_AGENT_SEPARATOR
|| !default_path[i] ) {
int length;
-
+
pch->agent_paths[this] = malloc(length = 1+i-last);
if (pch->agent_paths[this] == NULL) {
}
/*
- * shutdown each of the loaded agents and
+ * shutdown each of the loaded agents and
*/
static int __pamc_shutdown_agents(pamc_handle_t pch)
int retval = PAM_BPC_TRUE;
D(("called"));
-
+
while (pch->chain) {
pid_t pid;
int status;
return PAM_BPC_FAIL;
}
}
-
+
/* enough memory for any path + this agent */
reset_length = 3 + pch->max_path + agent->id_length;
D(("reset_length = %d (3+%d+%d)",
D(("no agent was found"));
goto free_and_return;
}
-
+
if (pipe(to_agent)) {
D(("failed to open pipe to agent"));
goto free_and_return;
D(("sorry agent is disabled"));
return PAM_BPC_FALSE;
}
-
+
length = strlen(agent_id);
/* scan list to see if agent is loaded */
agent->next = pch->chain;
pch->chain = agent;
-
+
return PAM_BPC_TRUE;
fail_free_agent_id:
($reply_control, $reply_data) = HandleContinuation($data);
} else {
if ($debug) {
- print STDERR
+ print STDERR
"agent: unrecognized packet $control {$data} to read\n";
}
($reply_control, $reply_data) = (0x04, "");
}
my $expected_digest = CreateDigest($state{$key});
- my ($local_cookie, $remote_cookie, $shared_secret)
+ my ($local_cookie, $remote_cookie, $shared_secret)
= split '\|', $state{$key};
delete $state{$key};
print STDERR "agent: server appears to know the secret\n";
}
- my $session_authenticated_ticket =
+ my $session_authenticated_ticket =
CreateDigest($remote_cookie."|".$shared_secret."|".$local_cookie);
# FIXME: Agent should set a derived session key environment
# broken packet header
return (-1, "");
}
-
+
my ($length, $control) = unpack("N C", $buffer);
if ($length < 5) {
# broken packet length
}
}
-
old_data = NULL;
D(("done (%d)", retval));
-
+
return retval;
}
data_length = PAM_BP_LENGTH(prompt);
packet->at = 0;
append_data(packet, data_length, NULL);
-
+
PAM_BP_EXTRACT(prompt, 0, data_length, packet->buffer);
fprintf(stderr, "server received[%d]: {%d|0x%.2x|%s}\n",
digest);
}
-
+
retval = pamc_end(&pch);
fprintf(stderr, "server: agent(s) were %shappy to terminate\n",
# broken packet header
return (-1, "");
}
-
+
my ($length, $control) = unpack("N C", $buffer);
if ($length < 5) {
# broken packet length
return $secret;
}
-
fi
AC_MSG_RESULT($ac_cv___attribute__)
])
-
# Werner Koch 99-12-09
dnl AM_PATH_LIBPRELUDE([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-dnl Test for libprelude, and define LIBPRELUDE_PREFIX, LIBPRELUDE_CFLAGS, LIBPRELUDE_PTHREAD_CFLAGS,
+dnl Test for libprelude, and define LIBPRELUDE_PREFIX, LIBPRELUDE_CFLAGS, LIBPRELUDE_PTHREAD_CFLAGS,
dnl LIBPRELUDE_LDFLAGS, and LIBPRELUDE_LIBS
dnl
AC_DEFUN([AM_PATH_LIBPRELUDE],
-{
+{
global:
pam_sm_acct_mgmt;
pam_sm_authenticate;
pam_sm_setcred;
local: *;
};
-
const char *from;
const char *config_file;
const char *hostname;
- int debug; /* Print debugging messages. */
+ int debug; /* Print debugging messages. */
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
int noaudit; /* Do not audit denials */
const char *fs; /* field separator */
/* Allow field seperator in last field of froms */
if (!(perm = strtok_r(line, item->fs, &sptr))
|| !(users = strtok_r(NULL, item->fs, &sptr))
- || !(froms = strtok_r(NULL, "\n", &sptr))) {
+ || !(froms = strtok_r(NULL, "\n", &sptr))) {
pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count",
item->config_file, lineno);
continue;
nonall_match = YES;
}
if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
- "from_match=%d, \"%s\"", match, item->from);
+ pam_syslog (pamh, LOG_DEBUG,
+ "from_match=%d, \"%s\"", match, item->from);
}
}
(void) fclose(fp);
#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
+# This is the configuration file for pam_env, a PAM module to load in
+# a configurable list of environment variables for a
+#
# The original idea for this came from Andrew G. Morgan ...
#<quote>
# Mmm. Perhaps you might like to write a pam_env module that reads a
# administrators rather than set by logging in, how to treat them both
# in the same config file?
#
-# Here is my idea:
+# Here is my idea:
#
# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
+# options for each variable DEFAULT and OVERRIDE.
# DEFAULT allows and administrator to set the value of the
# variable to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
+# done.
#
# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
#
# values can be delimited with "", escaped " not supported.
# Note that many environment variables that you would like to use
# may not be set by the time the module is called.
-# For example, HOME is used below several times, but
+# For example, HOME is used below several times, but
# many PAM applications don't make it available by the time you need it.
#
#
# to "localhost" rather than not being set at all
#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
#
-# Set the DISPLAY variable if it seems reasonable
+# Set the DISPLAY variable if it seems reasonable
#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
#
#
<para>
The <filename>/etc/security/pam_env.conf</filename> file specifies
- the environment variables to be set, unset or modified by
+ the environment variables to be set, unset or modified by
<citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
When someone logs in, this file is read and the environment
variables are set according.
</term>
<listitem>
<para>
- Per default pam_exec.so will echo the exit status of the
- external command if it fails.
+ Per default pam_exec.so will echo the exit status of the
+ external command if it fails.
Specifying this option will suppress the message.
</para>
</listitem>
</term>
<listitem>
<para>
- Per default pam_exec.so will execute the external command
- with the real user ID of the calling process.
+ Per default pam_exec.so will execute the external command
+ with the real user ID of the calling process.
Specifying this option means the command is run
with the effective user ID.
</para>
char *buffer = NULL;
if ((i = open (logfile, O_CREAT|O_APPEND|O_WRONLY,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1)
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1)
{
int err = errno;
pam_syslog (pamh, LOG_ERR, "open of %s failed: %m",
else
rlimit_value *= 1024;
}
- break;
+ break;
#ifdef RLIMIT_NICE
case RLIMIT_NICE:
if (int_value > 19)
} else {
pl->login_limit = int_value;
pl->login_limit_def = source;
- }
+ }
}
}
return;
if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
#ifdef HAVE_LIBAUDIT
if (!(ctrl & PAM_NO_AUDIT)) {
- pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
- "pam_limits", PAM_PERM_DENIED);
+ pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
+ "pam_limits", PAM_PERM_DENIED);
/* ignore return value as we fail anyway */
}
#endif
/* Parse the *.conf files. */
for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
pl->conf_file = globbuf.gl_pathv[i];
- retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
- if (retval == PAM_IGNORE) {
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
+ if (retval == PAM_IGNORE) {
D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file));
globfree(&globbuf);
return PAM_SUCCESS;
- }
+ }
if (retval != PAM_SUCCESS)
goto out;
}
globfree(&globbuf);
if (retval != PAM_SUCCESS)
{
- pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE);
+ pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE);
return retval;
}
}
/* Set the proper ownership and permissions for the module. We make
- the file a+w and then mask it with the set mask. This preseves
- execute bits */
+ the file a+w and then mask it with the set mask. This preseves
+ execute bits */
if (fchmod(destfd, (st.st_mode | 0222) & (~u_mask)) != 0 ||
fchown(destfd, pwd->pw_uid, pwd->pw_gid) != 0)
{
pwd = getpwnam(argv[1]);
if (pwd == NULL) {
- pam_syslog(NULL, LOG_ERR, "User unknown.");
- return PAM_CRED_INSUFFICIENT;
+ pam_syslog(NULL, LOG_ERR, "User unknown.");
+ return PAM_CRED_INSUFFICIENT;
}
if (argc >= 3) {
}
if (argc >= 4) {
- if (strlen(argv[3]) >= sizeof(skeldir)) {
+ if (strlen(argv[3]) >= sizeof(skeldir)) {
pam_syslog(NULL, LOG_ERR, "Too long skeldir path.");
return PAM_SESSION_ERR;
- }
- strcpy(skeldir, argv[3]);
+ }
+ strcpy(skeldir, argv[3]);
}
/* Stat the home directory, if something exists then we assume it is
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
for (i=0; i < (int)rlim.rlim_max; i++) {
- close(i);
+ close(i);
}
}
}
/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
+ * Final wrapup - pad to 64-byte boundary with the bit pattern
* 1 0* (64-bit count of bits processed, MSB-first)
*/
void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
# be polyinstantiated based on the MLS level part of the security context as well as user
-# name, Polyinstantion will not be performed for user root and adm for directories
-# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
<para>
The second field, <replaceable>instance_prefix</replaceable> is
the string prefix used to build the pathname for the instantiation
- of <polydir>. Depending on the polyinstantiation
+ of <polydir>. Depending on the polyinstantiation
<replaceable>method</replaceable> it is then appended with
"instance differentiation string" to generate the final
instance directory path. This directory is created if it did not exist
<para>
The third field, <replaceable>method</replaceable>, is the method
used for polyinstantiation. It can take these values; "user"
- for polyinstantiation based on user name, "level" for
+ for polyinstantiation based on user name, "level" for
polyinstantiation based on process MLS level and user name, "context" for
polyinstantiation based on process security context and user name,
"tmpfs" for mounting tmpfs filesystem as an instance dir, and
The <replaceable>method</replaceable> field can contain also following
optional flags separated by <emphasis>:</emphasis> characters.
</para>
-
+
<para><emphasis>create</emphasis>=<replaceable>mode</replaceable>,<replaceable>owner</replaceable>,<replaceable>group</replaceable>
- create the polyinstantiated directory. The mode, owner and group parameters
are optional. The default for mode is determined by umask, the default
#!/bin/sh -p
-# It receives polydir path as $1, the instance path as $2,
+# It receives polydir path as $1, the instance path as $2,
# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
# and user name in $4.
#
struct polydir_s *dptr = polydirs_ptr;
while (dptr) {
- struct polydir_s *tptr = dptr;
+ struct polydir_s *tptr = dptr;
dptr = dptr->next;
del_polydir(tptr);
}
poly->group = (gid_t)ULONG_MAX;
if (*params != '=')
- return 0;
+ return 0;
params++;
-
+
next = strchr(params, ',');
if (next != NULL) {
*next = '\0';
params = next;
if (params == NULL)
- return 0;
+ return 0;
next = strchr(params, ',');
if (next != NULL) {
*next = '\0';
if (params == NULL || *params == '\0') {
if (pwd != NULL)
poly->group = pwd->pw_gid;
- return 0;
+ return 0;
}
grp = getgrnam(params);
if (grp == NULL)
- return -1;
+ return -1;
poly->group = grp->gr_gid;
-
+
return 0;
}
static int parse_iscript_params(char *params, struct polydir_s *poly)
{
if (*params != '=')
- return 0;
+ return 0;
params++;
-
+
if (*params != '\0') {
if (*params != '/') { /* path is relative to NAMESPACE_D_DIR */
if (asprintf(&poly->init_script, "%s%s", NAMESPACE_D_DIR, params) == -1)
enum polymethod pm;
char *sptr = NULL;
static const char *method_names[] = { "user", "context", "level", "tmpdir",
- "tmpfs", NULL };
+ "tmpfs", NULL };
static const char *flag_names[] = { "create", "noinit", "iscript",
- "shared", NULL };
+ "shared", NULL };
static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT,
- POLYDIR_ISCRIPT, POLYDIR_SHARED };
+ POLYDIR_ISCRIPT, POLYDIR_SHARED };
int i;
char *flag;
pm = NONE;
for (i = 0; method_names[i]; i++) {
- if (strcmp(method, method_names[i]) == 0) {
- pm = i + 1; /* 0 = NONE */
- }
+ if (strcmp(method, method_names[i]) == 0) {
+ pm = i + 1; /* 0 = NONE */
+ }
}
if (pm == NONE) {
pam_syslog(idata->pamh, LOG_NOTICE, "Unknown method");
return -1;
}
-
+
poly->method = pm;
-
+
while ((flag=strtok_r(NULL, ":", &sptr)) != NULL) {
- for (i = 0; flag_names[i]; i++) {
- int namelen = strlen(flag_names[i]);
-
- if (strncmp(flag, flag_names[i], namelen) == 0) {
- poly->flags |= flag_values[i];
- switch (flag_values[i]) {
- case POLYDIR_CREATE:
- if (parse_create_params(flag+namelen, poly) != 0) {
+ for (i = 0; flag_names[i]; i++) {
+ int namelen = strlen(flag_names[i]);
+
+ if (strncmp(flag, flag_names[i], namelen) == 0) {
+ poly->flags |= flag_values[i];
+ switch (flag_values[i]) {
+ case POLYDIR_CREATE:
+ if (parse_create_params(flag+namelen, poly) != 0) {
pam_syslog(idata->pamh, LOG_CRIT, "Invalid create parameters");
- return -1;
- }
- break;
+ return -1;
+ }
+ break;
- case POLYDIR_ISCRIPT:
- if (parse_iscript_params(flag+namelen, poly) != 0) {
+ case POLYDIR_ISCRIPT:
+ if (parse_iscript_params(flag+namelen, poly) != 0) {
pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
- return -1;
- };
- break;
- }
- }
- }
+ return -1;
+ };
+ break;
+ }
+ }
+ }
}
return 0;
poly = calloc(1, sizeof(*poly));
if (poly == NULL)
- goto erralloc;
+ goto erralloc;
/*
* Initialize and scan the five strings from the line from the
dir = NULL;
goto erralloc;
}
-
+
if ((dir=expand_variables(dir, var_names, var_values)) == NULL) {
instance_prefix = NULL;
goto erralloc;
}
-
+
if ((instance_prefix=expand_variables(instance_prefix, var_names, var_values))
== NULL) {
goto erralloc;
if (len > 0 && rdir[len-1] == '/') {
rdir[len-1] = '\0';
}
-
+
if (dir[0] == '\0' || rdir[0] == '\0') {
- pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir");
- goto skipping;
+ pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir");
+ goto skipping;
}
-
+
/*
* Populate polyinstantiated directory structure with appropriate
* pathnames and the method with which to polyinstantiate.
strcpy(poly->instance_prefix, instance_prefix);
if (parse_method(method, poly, idata) != 0) {
- goto skipping;
+ goto skipping;
}
if (poly->method == TMPDIR) {
- if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) {
- pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
- goto skipping;
- }
+ if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
+ goto skipping;
+ }
strcat(poly->instance_prefix, "XXXXXX");
}
uid_t *uidptr;
const char *ustr, *sstr;
int count, i;
-
+
if (*uids == '~') {
poly->flags |= POLYDIR_EXCLUSIVE;
uids++;
pwd = pam_modutil_getpwnam(idata->pamh, ustr);
if (pwd == NULL) {
- pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
- poly->num_uids--;
+ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
+ poly->num_uids--;
} else {
*uidptr = pwd->pw_uid;
uidptr++;
erralloc:
pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
-
+
skipping:
if (idata->flags & PAMNS_IGN_CONFIG_ERR)
retval = 0;
return PAM_SESSION_ERR;
}
if ((home=strdup(cpwd->pw_dir)) == NULL) {
- pam_syslog(idata->pamh, LOG_CRIT,
- "Memory allocation error");
- return PAM_SESSION_ERR;
+ pam_syslog(idata->pamh, LOG_CRIT,
+ "Memory allocation error");
+ return PAM_SESSION_ERR;
}
cpwd = pam_modutil_getpwnam(idata->pamh, idata->ruser);
}
if ((rhome=strdup(cpwd->pw_dir)) == NULL) {
- pam_syslog(idata->pamh, LOG_CRIT,
- "Memory allocation error");
- free(home);
- return PAM_SESSION_ERR;
+ pam_syslog(idata->pamh, LOG_CRIT,
+ "Memory allocation error");
+ free(home);
+ return PAM_SESSION_ERR;
}
/*
fil = fopen(confname, "r");
if (fil == NULL) {
pam_syslog(idata->pamh, LOG_ERR, "Error opening config file %s",
- confname);
+ confname);
globfree(&globbuf);
free(rhome);
free(home);
if (n >= globbuf.gl_pathc)
break;
- confname = globbuf.gl_pathv[n];
+ confname = globbuf.gl_pathv[n];
n++;
}
-
+
globfree(&globbuf);
free(rhome);
free(home);
-
+
/* All done...just some debug stuff */
if (idata->flags & PAMNS_DEBUG) {
struct polydir_s *dptr = idata->polydirs_ptr;
uid_t i;
pam_syslog(idata->pamh, LOG_DEBUG,
- dptr?"Configured poly dirs:":"No configured poly dirs");
+ dptr?"Configured poly dirs:":"No configured poly dirs");
while (dptr) {
pam_syslog(idata->pamh, LOG_DEBUG, "dir='%s' iprefix='%s' meth=%d",
dptr->dir, dptr->instance_prefix, dptr->method);
unsigned int i;
if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
+ pam_syslog(idata->pamh, LOG_DEBUG,
"Checking for ns override in dir %s for uid %d",
polyptr->dir, uid);
rc = getexeccon(&scon);
}
if (rc < 0 || scon == NULL) {
- pam_syslog(idata->pamh, LOG_ERR,
+ pam_syslog(idata->pamh, LOG_ERR,
"Error getting exec context, %m");
return PAM_SESSION_ERR;
}
}
pm = USER;
}
-
+
switch (pm) {
case USER:
if (asprintf(i_name, "%s", idata->user) < 0) {
*i_name = NULL;
goto fail;
- }
- break;
+ }
+ break;
#ifdef WITH_SELINUX
- case LEVEL:
+ case LEVEL:
case CONTEXT:
if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
if (asprintf(i_name, "%s", rawcon) < 0) {
*i_name = NULL;
goto fail;
- }
+ }
} else {
if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
*i_name = NULL;
goto fail;
- }
+ }
}
- break;
+ break;
#endif /* WITH_SELINUX */
case TMPDIR:
case TMPFS:
if ((*i_name=strdup("")) == NULL)
- goto fail;
+ goto fail;
return PAM_SUCCESS;
- default:
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
- goto fail;
+ default:
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
+ goto fail;
}
if (idata->flags & PAMNS_DEBUG)
if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) {
hash = md5hash(*i_name, idata);
if (hash == NULL) {
- goto fail;
+ goto fail;
}
if (idata->flags & PAMNS_GEN_HASH) {
- free(*i_name);
+ free(*i_name);
*i_name = hash;
hash = NULL;
} else {
- char *newname;
- if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash),
- *i_name, hash) < 0) {
- goto fail;
- }
- free(*i_name);
- *i_name = newname;
+ char *newname;
+ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash),
+ *i_name, hash) < 0) {
+ goto fail;
+ }
+ free(*i_name);
+ *i_name = newname;
}
}
rc = PAM_SUCCESS;
-
+
fail:
free(hash);
#ifdef WITH_SELINUX
{
struct protect_dir_s *dir = idata->protect_dirs;
char tmpbuf[64];
-
+
while (dir != NULL) {
if (strcmp(path, dir->dir) == 0) {
return 0;
}
dir = dir->next;
}
-
+
dir = calloc(1, sizeof(*dir));
-
+
if (dir == NULL) {
return -1;
}
-
+
dir->dir = strdup(path);
-
+
if (dir->dir == NULL) {
free(dir);
return -1;
}
-
+
snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd);
-
+
if (idata->flags & PAMNS_DEBUG) {
pam_syslog(idata->pamh, LOG_INFO,
"Protect mount of %s over itself", path);
}
-
+
if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) {
int save_errno = errno;
pam_syslog(idata->pamh, LOG_ERR,
errno = save_errno;
return -1;
}
-
+
dir->next = idata->protect_dirs;
idata->protect_dirs = dir;
if (p == NULL) {
goto error;
}
-
+
if (*dir == '/') {
dfd = open("/", flags);
if (dfd == -1) {
goto error;
}
- dir++; /* assume / is safe */
+ dir++; /* assume / is safe */
}
-
+
while ((d=strchr(dir, '/')) != NULL) {
*d = '\0';
dfd_next = openat(dfd, dir, flags);
if (fstat(dfd, &st) != 0) {
goto error;
}
-
- if (flags & O_NOFOLLOW) {
+
+ if (flags & O_NOFOLLOW) {
/* we are inside user-owned dir - protect */
if (protect_mount(dfd, p, idata) == -1)
goto error;
}
rv = openat(dfd, dir, flags);
-
+
if (rv == -1) {
if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) {
goto error;
}
rv = openat(dfd, dir, flags);
}
-
+
if (rv != -1) {
if (fstat(rv, &st) != 0) {
save_errno = errno;
}
}
- if ((flags & O_NOFOLLOW) || always) {
+ if ((flags & O_NOFOLLOW) || always) {
/* we are inside user-owned dir - protect */
if (protect_mount(rv, p, idata) == -1) {
save_errno = errno;
pam_syslog(idata->pamh, LOG_DEBUG,
"Polydir %s context: %s", dir, (char *)dircon);
if (setfscreatecon(dircon) != 0)
- pam_syslog(idata->pamh, LOG_NOTICE,
+ pam_syslog(idata->pamh, LOG_NOTICE,
"Error setting context for directory %s: %m", dir);
freecon(dircon);
}
pam_syslog(idata->pamh, LOG_DEBUG, "Created polydir %s", dir);
if (polyptr->mode != (mode_t)ULONG_MAX) {
- /* explicit mode requested */
- if (fchmod(rc, mode) != 0) {
+ /* explicit mode requested */
+ if (fchmod(rc, mode) != 0) {
pam_syslog(idata->pamh, LOG_ERR,
- "Error changing mode of directory %s: %m", dir);
+ "Error changing mode of directory %s: %m", dir);
close(rc);
umount(dir); /* undo the eventual protection bind mount */
- rmdir(dir);
- return PAM_SESSION_ERR;
- }
+ rmdir(dir);
+ return PAM_SESSION_ERR;
+ }
}
if (polyptr->owner != (uid_t)ULONG_MAX)
* attributes to match that of the original directory that is being
* polyinstantiated.
*/
-
+
if (polyptr->method == TMPDIR) {
- if (mkdtemp(polyptr->instance_prefix) == NULL) {
+ if (mkdtemp(polyptr->instance_prefix) == NULL) {
pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m",
polyptr->instance_prefix);
polyptr->method = NONE; /* do not clean up! */
return PAM_SESSION_ERR;
- }
+ }
/* copy the actual directory name to ipath */
strcpy(ipath, polyptr->instance_prefix);
} else if (mkdir(ipath, S_IRUSR) < 0) {
if (retval < 0 && errno != ENOENT) {
pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m",
polyptr->dir);
- return PAM_SESSION_ERR;
+ return PAM_SESSION_ERR;
}
if (retval < 0) {
- if ((polyptr->flags & POLYDIR_CREATE) &&
+ if ((polyptr->flags & POLYDIR_CREATE) &&
create_polydir(polyptr, idata) != PAM_SUCCESS)
return PAM_SESSION_ERR;
} else {
- close(retval);
+ close(retval);
}
-
+
if (polyptr->method == TMPFS) {
if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
- polyptr->dir);
+ polyptr->dir);
return PAM_SESSION_ERR;
}
polyptr->dir);
return PAM_SESSION_ERR;
}
-
+
/*
* Obtain the name of instance pathname based on the
* polyinstantiation method and instance context returned by
#endif
if (retval != PAM_SUCCESS) {
- if (retval != PAM_IGNORE)
- pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name");
+ if (retval != PAM_IGNORE)
+ pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name");
goto cleanup;
} else {
#ifdef WITH_SELINUX
#endif
if (retval == PAM_IGNORE) {
- newdir = 0;
- retval = PAM_SUCCESS;
+ newdir = 0;
+ retval = PAM_SUCCESS;
}
if (retval != PAM_SUCCESS) {
}
if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
pam_syslog(idata->pamh, LOG_ERR,
- "Error removing %s", pptr->instance_prefix);
+ "Error removing %s", pptr->instance_prefix);
}
} else if (pid < 0) {
pam_syslog(idata->pamh, LOG_ERR,
*/
for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
if (ns_override(pptr, idata, idata->uid)) {
- if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
"Overriding poly for user %d for dir %s",
idata->uid, pptr->dir);
} else {
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
"Need unmount ns for user %d for dir %s",
idata->ruid, pptr->dir);
need_poly = 1;
return PAM_SESSION_ERR;
}
} else {
- del_polydir_list(idata->polydirs_ptr);
+ del_polydir_list(idata->polydirs_ptr);
return PAM_SUCCESS;
}
* are available from
*/
strcpy(poly_parent, pptr->rdir);
- fptr = strchr(poly_parent, '/');
- cptr = strrchr(poly_parent, '/');
- if (fptr && cptr && (fptr == cptr))
- strcpy(poly_parent, "/");
- else if (cptr)
- *cptr = '\0';
+ fptr = strchr(poly_parent, '/');
+ cptr = strrchr(poly_parent, '/');
+ if (fptr && cptr && (fptr == cptr))
+ strcpy(poly_parent, "/");
+ else if (cptr)
+ *cptr = '\0';
if (chdir(poly_parent) < 0) {
pam_syslog(idata->pamh, LOG_ERR,
"Can't chdir to %s, %m", poly_parent);
}
if (umount(pptr->rdir) < 0) {
- int saved_errno = errno;
- pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
- pptr->rdir);
- if (saved_errno != EINVAL) {
- retval = PAM_SESSION_ERR;
- goto out;
+ int saved_errno = errno;
+ pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
+ pptr->rdir);
+ if (saved_errno != EINVAL) {
+ retval = PAM_SESSION_ERR;
+ goto out;
}
} else if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
}
out:
if (retval != PAM_SUCCESS) {
- cleanup_tmpdirs(idata);
- unprotect_dirs(idata->protect_dirs);
+ cleanup_tmpdirs(idata);
+ unprotect_dirs(idata->protect_dirs);
} else if (pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, idata->protect_dirs,
- cleanup_protect_data) != PAM_SUCCESS) {
+ cleanup_protect_data) != PAM_SUCCESS) {
pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace protect data");
- cleanup_tmpdirs(idata);
- unprotect_dirs(idata->protect_dirs);
+ cleanup_tmpdirs(idata);
+ unprotect_dirs(idata->protect_dirs);
return PAM_SYSTEM_ERR;
} else if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr,
- cleanup_polydir_data) != PAM_SUCCESS) {
+ cleanup_polydir_data) != PAM_SUCCESS) {
pam_syslog(idata->pamh, LOG_ERR, "Unable to set namespace polydir data");
- cleanup_tmpdirs(idata);
- pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL);
- idata->protect_dirs = NULL;
+ cleanup_tmpdirs(idata);
+ pam_set_data(idata->pamh, NAMESPACE_PROTECT_DATA, NULL, NULL);
+ idata->protect_dirs = NULL;
return PAM_SYSTEM_ERR;
}
return retval;
int retval;
char *user_name;
struct passwd *pwd;
- /*
+ /*
* Lookup user and fill struct items
*/
retval = pam_get_item(idata->pamh, PAM_USER, (void*) &user_name );
/* Fill in RUSER too */
retval = pam_get_item(idata->pamh, PAM_RUSER, (void*) &user_name );
if ( user_name != NULL && retval == PAM_SUCCESS && user_name[0] != '\0' ) {
- strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1);
- pwd = pam_modutil_getpwnam(idata->pamh, user_name);
+ strncat(idata->ruser, user_name, sizeof(idata->ruser) - 1);
+ pwd = pam_modutil_getpwnam(idata->pamh, user_name);
} else {
- pwd = pam_modutil_getpwuid(idata->pamh, getuid());
+ pwd = pam_modutil_getpwuid(idata->pamh, getuid());
}
if (!pwd) {
pam_syslog(idata->pamh, LOG_ERR, "user unknown '%s'", user_name);
#ifdef WITH_SELINUX
if (is_selinux_enabled())
idata.flags |= PAMNS_SELINUX_ENABLED;
- if (ctxt_based_inst_needed())
+ if (ctxt_based_inst_needed())
idata.flags |= PAMNS_CTXT_BASED_INST;
#endif
unmnt = UNMNT_ONLY;
if (strcmp(argv[i], "require_selinux") == 0) {
if (!(idata.flags & PAMNS_SELINUX_ENABLED)) {
- pam_syslog(idata.pamh, LOG_ERR,
+ pam_syslog(idata.pamh, LOG_ERR,
"selinux_required option given and selinux is disabled");
return PAM_SESSION_ERR;
}
retval = get_user_data(&idata);
if (retval != PAM_SUCCESS)
- return retval;
+ return retval;
if (root_shared()) {
idata.flags |= PAMNS_MOUNT_PRIVATE;
retval = get_user_data(&idata);
if (retval != PAM_SUCCESS)
- return retval;
+ return retval;
retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, (const void **)&polyptr);
if (retval != PAM_SUCCESS || polyptr == NULL)
- /* nothing to reset */
- return PAM_SUCCESS;
-
+ /* nothing to reset */
+ return PAM_SUCCESS;
+
idata.polydirs_ptr = polyptr;
if (idata.flags & PAMNS_DEBUG)
pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL);
-
+
return PAM_SUCCESS;
}
/******************************************************************************
- * A module for Linux-PAM that will set the default namespace after
+ * A module for Linux-PAM that will set the default namespace after
* establishing a session via PAM.
*
* (C) Copyright IBM Corporation 2005
/*
* Depending on the application using this namespace module, we
* may need to unmount priviously bind mounted instance directory.
- * Applications such as login and sshd, that establish a new
+ * Applications such as login and sshd, that establish a new
* session unmount of instance directory is not needed. For applications
- * such as su and newrole, that switch the identity, this module
+ * such as su and newrole, that switch the identity, this module
* has to unmount previous instance directory first and re-mount
* based on the new indentity. For other trusted applications that
* just want to undo polyinstantiation, only unmount of previous
uid_t ruid; /* The uid of the requesting user */
unsigned long flags; /* Flags for debug, selinux etc */
};
-
entry.user, entry.uid, entry.count,
oldpass) < 0)
{
- free (save);
+ free (save);
retval = PAM_AUTHTOK_ERR;
fclose (oldpf);
fclose (newpf);
entry.user, entry.uid, entry.count,
entry.old_passwords, oldpass) < 0)
{
- free (save);
+ free (save);
retval = PAM_AUTHTOK_ERR;
fclose (oldpf);
fclose (newpf);
for (n = p; n != NULL; p = n+1) {
if ((n = strchr(p, ' ')) != NULL)
- *n = '\0';
+ *n = '\0';
- if (strcmp(p, uttyname) == 0) {
+ if (strcmp(p, uttyname) == 0) {
retval = 0;
break;
}
if HAVE_LIBSELINUX
TESTS = tst-pam_selinux
- man_MANS = pam_selinux.8
+ man_MANS = pam_selinux.8
endif
XMLS = README.xml pam_selinux.8.xml
README: pam_selinux.8.xml
-include $(top_srcdir)/Make.xml.rules
endif
-
char **response, int debug)
{
int rc;
- if (def)
+ if (def)
rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def);
else
rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text);
if (*response == NULL) {
rc = PAM_CONV_ERR;
}
-
+
if (rc != PAM_SUCCESS) {
pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text);
} else if (debug)
/* Allow the user to enter each field of the context individually */
if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS &&
response[0] != '\0') {
- if (context_role_set (new_context, response))
+ if (context_role_set (new_context, response))
goto fail_set;
- if (get_default_type(response, &type))
+ if (get_default_type(response, &type))
goto fail_set;
- if (context_type_set (new_context, type))
+ if (context_type_set (new_context, type))
goto fail_set;
_pam_drop(type);
}
while (1) {
if (query_response(pamh,
- _("Would you like to enter a different role or level?"), "n",
+ _("Would you like to enter a different role or level?"), "n",
&response, debug) == PAM_SUCCESS) {
resp_val = response[0];
_pam_drop(response);
if ((resp_val == 'y') || (resp_val == 'Y'))
{
if ((new_context = context_new(defaultcon)) == NULL)
- goto fail_set;
+ goto fail_set;
/* Allow the user to enter role and level individually */
- if (query_response(pamh, _("role:"), context_role_get(new_context),
+ if (query_response(pamh, _("role:"), context_role_get(new_context),
&response, debug) == PAM_SUCCESS && response[0]) {
if (get_default_type(response, &type)) {
pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response);
_pam_drop(response);
continue;
} else {
- if (context_role_set(new_context, response))
+ if (context_role_set(new_context, response))
goto fail_set;
if (context_type_set (new_context, type))
goto fail_set;
_pam_drop(type);
- }
+ }
}
_pam_drop(response);
if (getcon(&mycon) != 0)
goto fail_set;
- my_context = context_new(mycon);
+ my_context = context_new(mycon);
if (my_context == NULL) {
- freecon(mycon);
+ freecon(mycon);
goto fail_set;
}
freecon(mycon);
goto fail_set;
}
context_free(my_context);
- } else if (query_response(pamh, _("level:"), context_range_get(new_context),
+ } else if (query_response(pamh, _("level:"), context_range_get(new_context),
&response, debug) == PAM_SUCCESS && response[0]) {
if (context_range_set(new_context, response))
goto fail_set;
- }
+ }
_pam_drop(response);
}
if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
- send_audit_message(pamh, 0, defaultcon, newcon);
+ send_audit_message(pamh, 0, defaultcon, newcon);
free(newcon);
goto fail_range;
context_free (new_context);
send_audit_message(pamh, 0, defaultcon, NULL);
fail_range:
- return NULL;
+ return NULL;
}
static security_context_t
pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env);
goto fail_set;
} else {
- if (context_role_set(new_context, env))
+ if (context_role_set(new_context, env))
goto fail_set;
if (context_type_set(new_context, type))
goto fail_set;
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon);
-
+
/* Get the string value of the context and see if it is valid. */
if (security_check_context(newcon)) {
pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon);
env_params = 1;
}
}
-
+
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Open Session");
#else
if (getseuserbyname(username, &seuser, &level) == 0) {
#endif
- num_contexts = get_ordered_context_list_with_level(seuser,
+ num_contexts = get_ordered_context_list_with_level(seuser,
level,
- NULL,
+ NULL,
&contextlist);
if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
return PAM_SUCCESS;
}
}
- else {
+ else {
if (seuser != NULL) {
user_context = manual_context(pamh,seuser,debug);
free(seuser);
pam_selinux(8)
.SH BUGS
-Let's hope not, but if you find any, please email the author.
+Let's hope not, but if you find any, please email the author.
.SH AUTHOR
Dan Walsh <dwalsh@redhat.com>
uid_t puid;
FILE *f;
int re = 0;
-
+
snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid);
if (!(f = fopen (buf, "r")))
return 0;
-
+
while (fgets(buf, sizeof buf, f)) {
if (sscanf (buf, "Uid:\t%d", &puid)) {
re = uid == puid;
int matched = 0;
int exclusive = 0;
int ignore = 0;
-
+
f = fopen(cfgfile, "r");
-
+
if (!f) {
pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile);
return PAM_SERVICE_ERR;
start = strtok_r(start, OPT_DELIM, &sptr);
switch (start[0]) {
- case '@':
+ case '@':
++start;
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start);
}
#ifdef PAM_STATIC
-
+
/* static module data */
-
+
struct pam_module _pam_sepermit_modstruct = {
"pam_sepermit",
pam_sm_authenticate,
NULL
};
#endif
-
return PAM_SERVICE_ERR;
/* It could still be NULL the second time. */
- if (!userName || (userName[0] == '\0'))
+ if (!userName || (userName[0] == '\0'))
return PAM_SERVICE_ERR;
}
pam_syslog(pamh, LOG_DEBUG, "CALLED: %s", name);
pam_syslog(pamh, LOG_DEBUG, "FLAGS : 0%o%s",
flags, (flags & PAM_SILENT) ? " (silent)":"");
- pam_syslog(pamh, LOG_DEBUG, "CTRL = 0%o", ctrl);
+ pam_syslog(pamh, LOG_DEBUG, "CTRL = 0%o", ctrl);
pam_syslog(pamh, LOG_DEBUG, "ARGV :");
while (argc--) {
pam_syslog(pamh, LOG_DEBUG, " \"%s\"", *argv++);
log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv)
{
if ( phase != PHASE_AUTH ) {
- pam_syslog(pamh, LOG_ERR,
+ pam_syslog(pamh, LOG_ERR,
"option %s allowed in auth phase only", argv);
}
}
else if ( ! strcmp( *argv, "per_user" ) )
{
log_phase_no_auth(pamh, phase, *argv);
- opts->ctrl |= OPT_PER_USER;
+ opts->ctrl |= OPT_PER_USER;
}
else if ( ! strcmp( *argv, "no_lock_time") )
{
log_phase_no_auth(pamh, phase, *argv);
- opts->ctrl |= OPT_NO_LOCK_TIME;
+ opts->ctrl |= OPT_NO_LOCK_TIME;
}
else if ( ! strcmp( *argv, "no_reset" ) ) {
opts->ctrl |= OPT_NO_RESET;
(void) pam_get_item(pamh, PAM_RHOST, &remote_host);
if (!remote_host) {
- (void) pam_get_item(pamh, PAM_TTY, &cur_tty);
+ (void) pam_get_item(pamh, PAM_TTY, &cur_tty);
if (!cur_tty) {
- strncpy(fsp->fs_faillog.fail_line, "unknown",
+ strncpy(fsp->fs_faillog.fail_line, "unknown",
sizeof(fsp->fs_faillog.fail_line) - 1);
fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0;
} else {
- strncpy(fsp->fs_faillog.fail_line, cur_tty,
+ strncpy(fsp->fs_faillog.fail_line, cur_tty,
sizeof(fsp->fs_faillog.fail_line)-1);
fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0;
}
} else {
- strncpy(fsp->fs_faillog.fail_line, remote_host,
+ strncpy(fsp->fs_faillog.fail_line, remote_host,
(size_t)sizeof(fsp->fs_faillog.fail_line));
fsp->fs_faillog.fail_line[sizeof(fsp->fs_faillog.fail_line)-1] = 0;
}
if (lock_time && oldtime
&& !(opts->ctrl & OPT_NO_LOCK_TIME) )
{
- if ( lock_time + oldtime > time(NULL) )
- {
+ if ( lock_time + oldtime > time(NULL) )
+ {
if (!(opts->ctrl & OPT_SILENT))
pam_info (pamh,
_("Account temporary locked (%ld seconds left)"),
if (!(opts->ctrl & OPT_NOLOGNOTICE))
pam_syslog (pamh, LOG_NOTICE,
- "user %s (%lu) has time limit [%lds left]"
+ "user %s (%lu) has time limit [%lds left]"
" since last failure.",
user, (unsigned long int) uid,
oldtime+lock_time-time(NULL));
- return PAM_AUTH_ERR;
- }
+ return PAM_AUTH_ERR;
+ }
}
if (opts->unlock_time && oldtime)
{
- if ( opts->unlock_time + oldtime <= time(NULL) )
- { /* ignore deny check after unlock_time elapsed */
- return PAM_SUCCESS;
- }
+ if ( opts->unlock_time + oldtime <= time(NULL) )
+ { /* ignore deny check after unlock_time elapsed */
+ return PAM_SUCCESS;
+ }
}
if (
( deny != 0 ) && /* deny==0 means no deny */
if (tally == 0)
{
- fsp->fs_faillog.fail_time = (time_t) 0;
- strcpy(fsp->fs_faillog.fail_line, "");
+ fsp->fs_faillog.fail_time = (time_t) 0;
+ strcpy(fsp->fs_faillog.fail_line, "");
}
i=set_tally(pamh, tally, uid, opts->filename, &TALLY, fsp);
if ( ! fread((char *) &fsp->fs_faillog,
sizeof (struct faillog), 1, TALLY)
|| ! fsp->fs_faillog.fail_cnt ) {
- continue;
- }
+ continue;
+ }
tally = fsp->fs_faillog.fail_cnt;
if ( ( pw=getpwuid(uid) ) ) {
#define MAIN
#include "pam_tally.c"
-
log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv)
{
if ( phase != PHASE_AUTH ) {
- pam_syslog(pamh, LOG_ERR,
+ pam_syslog(pamh, LOG_ERR,
"option %s allowed in auth phase only", argv);
}
}
if ((*tfile = open(filename, O_RDWR)) == -1) {
#ifndef MAIN
if (errno == EACCES) /* called with insufficient access rights */
- return PAM_IGNORE;
+ return PAM_IGNORE;
#endif
pam_syslog(pamh, LOG_ALERT, "Error opening %s for update: %m", filename);
if (lseek(*tfile, (off_t)uid*(off_t)sizeof(*tally), SEEK_SET) == (off_t)-1) {
pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename);
if (!preopened) {
- close(*tfile);
+ close(*tfile);
*tfile = -1;
}
return PAM_AUTH_ERR;
if (uid) {
/* Unlock time check */
if (opts->unlock_time && oldtime) {
- if (opts->unlock_time + oldtime <= time(NULL)) {
+ if (opts->unlock_time + oldtime <= time(NULL)) {
/* ignore deny check after unlock_time elapsed */
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
NULL, NULL, NULL, 1);
#endif
- rv = PAM_SUCCESS;
- goto cleanup;
- }
+ rv = PAM_SUCCESS;
+ goto cleanup;
+ }
}
} else {
/* Root unlock time check */
if (opts->root_unlock_time && oldtime) {
if (opts->root_unlock_time + oldtime <= time(NULL)) {
- /* ignore deny check after unlock_time elapsed */
+ /* ignore deny check after unlock_time elapsed */
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
NULL, NULL, NULL, 1);
#endif
- rv = PAM_SUCCESS;
- goto cleanup;
- }
+ rv = PAM_SUCCESS;
+ goto cleanup;
+ }
}
}
oldtime+opts->lock_time-time(NULL));
}
if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
- pam_syslog(pamh, LOG_NOTICE,
+ pam_syslog(pamh, LOG_NOTICE,
"user %s (%lu) has time limit [%lds left]"
" since last failure.",
user, (unsigned long)uid,
}
rv = PAM_AUTH_ERR;
goto cleanup;
- }
+ }
}
cleanup:
(void) pam_get_item(pamh, PAM_RHOST, &remote_host);
if (!remote_host) {
- (void) pam_get_item(pamh, PAM_TTY, &remote_host);
+ (void) pam_get_item(pamh, PAM_TTY, &remote_host);
if (!remote_host) {
- remote_host = "unknown";
- }
+ remote_host = "unknown";
+ }
}
strncpy(tally.fail_line, remote_host,
FILE *tfile=fopen(cline_filename, "r");
uid_t uid=0;
if (!tfile && cline_reset != 0) {
- perror(*argv);
- exit(1);
+ perror(*argv);
+ exit(1);
}
for ( ; tfile && !feof(tfile); uid++ ) {
if ( !fread(&tally, sizeof(tally), 1, tfile)
|| !tally.fail_cnt ) {
- continue;
+ continue;
}
print_one(&tally, uid);
}
#define MAIN
#include "pam_tally2.c"
-
return -1;
}
}
-
+
if (*from > 0)
to = shift_buf(*buf, *from);
#ifdef HAVE_LIBAUDIT
if (!(ctrl & PAM_NO_AUDIT)) {
pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME,
- "pam_time", rv); /* ignore return value as we fail anyway */
+ "pam_time", rv); /* ignore return value as we fail anyway */
}
#endif
if (ctrl & PAM_DEBUG_ARG) {
-# this is an example configuration file for the pam_time module. Its syntax
+# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-960129).
#
# the syntax of the lines is as follows:
Games (configured to use PAM) are only to be accessed out of
working hours. This rule does not apply to the user
<emphasis>waster</emphasis>:
- <programlisting>
+ <programlisting>
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
</programlisting>
</para>
"b617318655057264e28bc0b6fb378c8ef146be00",
},
-#ifdef HMAC_ALLOW_SHORT_KEYS
+#ifdef HMAC_ALLOW_SHORT_KEYS
{
"Jefe", 4,
"what do ya want for nothing?", 28,
pam_syslog(pamh, LOG_ERR, "Cannot create %s: %m", filename);
return;
}
-
-
+
+
if (fchown(keyfd, owner, group) == -1) {
pam_syslog(pamh, LOG_ERR, "Cannot chown %s: %m", filename);
return;
</refsect1>
</refentry>
-
</refsect1>
</refentry>
-
sha1_output(struct sha1_context *ctx, unsigned char *out)
{
struct sha1_context ctx2;
-
+
/* Output the sum. */
if (out != NULL) {
u_int32_t c;
- temporarily removed the crypt16 stuff. I'm really paranoid about
crypto stuff and exporting it, and there are a few too many 's-box'
references in the code for my liking..
-
+
* Wed Jun 30 1999 Steve Langasek <vorlon@netexpress.net>
- further NIS+ fixes
is too lame to use it in real life)
* Sun Mar 21 1999 Jan Rêkorajski <baggins@mimuw.edu.pl>
-- pam_unix_auth now correctly behave when user has NULL AUTHTOK
+- pam_unix_auth now correctly behave when user has NULL AUTHTOK
- pam_unix_auth returns PAM_PERM_DENIED when seteuid fails
-
/*
* This function implements the "bigcrypt" algorithm specifically for
* Linux-PAM.
- *
+ *
* This algorithm is algorithm 0 (default) shipped with the C2 secure
* implementation of Digital UNIX.
- *
+ *
* Disclaimer: This work is not based on the source code to Digital
* UNIX, nor am I connected to Digital Equipment Corp, in any way
* other than as a customer. This code is based on published
* interfaces and reasonable guesswork.
- *
+ *
* Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
* characters or less. Each block is encrypted using the standard UNIX
* libc crypt function. The result of the encryption for one block
* provides the salt for the suceeding block.
- *
+ *
* Restrictions: The buffer used to hold the encrypted result is
* statically allocated. (see MAX_PASS_LEN below). This is necessary,
* as the returned pointer points to "static data that are overwritten
}
/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
+ * Final wrapup - pad to 64-byte boundary with the bit pattern
* 1 0* (64-bit count of bits processed, MSB-first)
*/
void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
don't worry about an explicit check of argv. */
if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
&& pretval) {
- retval = *(const int *)pretval;
+ retval = *(const int *)pretval;
pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
D(("recovered data indicates that old retval was %d", retval));
}
rlim.rlim_max = MAX_FD_NO;
for (i=0; i < (int)rlim.rlim_max; i++) {
if (i != STDIN_FILENO)
- close(i);
+ close(i);
}
}
} else {
D(("fork failed"));
close(fds[0]);
- close(fds[1]);
+ close(fds[1]);
retval = PAM_AUTH_ERR;
}
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior
* written permission.
- *
+ *
* ALTERNATIVELY, this product may be distributed under the terms of
* the GNU Public License, in which case the provisions of the GPL are
* required INSTEAD OF the above restrictions. (This clause is
* necessary due to a potential bad interaction between the GPL and
* the restrictions contained in a BSD-style copyright.)
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
NULL,
};
#endif
-
} else {
if (!strncmp(hash, "$1$", 3)) {
pp = Goodcrypt_md5(p, hash);
- if (pp && strcmp(pp, hash) != 0) {
+ if (pp && strcmp(pp, hash) != 0) {
_pam_delete(pp);
pp = Brokencrypt_md5(p, hash);
- }
+ }
} else if (*hash != '$' && hash_len >= 13) {
- pp = bigcrypt(p, hash);
- if (pp && hash_len == 13 && strlen(pp) > hash_len) {
+ pp = bigcrypt(p, hash);
+ if (pp && hash_len == 13 && strlen(pp) > hash_len) {
_pam_overwrite(pp + hash_len);
- }
+ }
} else {
- /*
+ /*
* Ok, we don't know the crypt algorithm, but maybe
* libcrypt knows about it? We should try it.
*/
char tempfile[]="/etc/.pwdXXXXXX";
if (confined != -1)
- return confined;
+ return confined;
/* cannot be confined without SELinux enabled */
if (!SELINUX_ENABLED){
- confined = 0;
- return confined;
+ confined = 0;
+ return confined;
}
/* let's try opening shadow read only */
char *sptr = NULL;
found = 1;
if (howmany == 0)
- continue;
+ continue;
buf[strlen(buf) - 1] = '\0';
s_luser = strtok_r(buf, ":", &sptr);
s_uid = strtok_r(NULL, ":", &sptr);
rlim.rlim_max = MAX_FD_NO;
for (i=0; i < (int)rlim.rlim_max; i++) {
if (i != STDIN_FILENO)
- close(i);
+ close(i);
}
}
} else {
D(("fork failed"));
close(fds[0]);
- close(fds[1]);
+ close(fds[1]);
retval = PAM_AUTH_ERR;
}
}
if (lock_pwdf() != PAM_SUCCESS)
- return PAM_AUTHTOK_LOCK_BUSY;
+ return PAM_AUTHTOK_LOCK_BUSY;
pwd = getpwnam(forwho);
README: pam_userdb.8.xml
-include $(top_srcdir)/Make.xml.rules
endif
-
#!/usr/bin/perl
-# this program creates a database in ARGV[1] from pairs given on
+# this program creates a database in ARGV[1] from pairs given on
# stdandard input
#
# $Id$
$lusers{$user} = $pass;
}
untie %lusers;
-
-
* return values:
* 1 = User not found
* 0 = OK
- * -1 = Password incorrect
+ * -1 = Password incorrect
* -2 = System error
*/
static int
retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
if (retval != PAM_SUCCESS || password == NULL) {
if ((ctrl & PAM_TRY_FPASS_ARG) != 0) {
- /* Converse to obtain a password */
- retval = obtain_authtok(pamh);
- if (retval != PAM_SUCCESS) {
+ /* Converse to obtain a password */
+ retval = obtain_authtok(pamh);
+ if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR, "can not obtain password from user");
return retval;
- }
+ }
retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
}
if (retval != PAM_SUCCESS || password == NULL) {
#ifndef _PAM_USERSDB_H
#define _PAM_USERSDB_H
/* $Id$ */
-
+
/* Header files */
#include <security/pam_appl.h>
*.gmo
remove-potcdate.sed
stamp-po
-
tst-pam_group1;tty1;tstpamgrp;Al0000-2400;tstpamgrpg
-
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
-
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
-
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
-
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
-
if (argc > 2) {
stack = argv[2];
}
-
+
if (argc > 1) {
if (strcmp (argv[1], "-d") == 0)
debug = 1;
else
stack = argv[1];
}
-
+
retval = pam_start(stack, user, &conv, &pamh);
if (retval != PAM_SUCCESS)
if (argc > 2) {
stack = argv[2];
}
-
+
if (argc > 1) {
if (strcmp (argv[1], "-d") == 0)
debug = 1;
else
stack = argv[1];
}
-
+
retval = pam_start(stack, user, &conv, &pamh);
if (retval != PAM_SUCCESS)
auth sufficient pam_debug.so auth=success
auth required pam_debug.so auth=perm_denied
account required pam_debug.so acct=acct_expired
-
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
-
account required pam_permit.so
password required pam_permit.so
session required pam_limits.so
-
password required pam_pwhistory.so remember=10 retry=1
password required pam_unix.so use_authtok md5
session required pam_permit.so
-
#%PAM-1.0
-# Even if the substack succeeds with sufficient
+# Even if the substack succeeds with sufficient
# the whole stack should fail.
auth substack tst-pam_substack1a
auth required pam_debug.so auth=auth_err
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
-
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
-
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
-
account required pam_unix.so
password required pam_unix.so debug
session required pam_unix.so
-