+2007-12-06 Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+ * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n()
+ macro.
+ * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY,
+ PAM_XAUTHDATA items, pam_xauth_data struct.
+ * libpam/pam_item.c (pam_set_item, pam_get_item): Handle
+ PAM_XDISPLAY and PAM_XAUTHDATA items.
+ * libpam/pam_end.c (pam_end): Destroy the new items.
+ * libpam/pam_private.h (pam_handle): Add data members for new
+ items. Add prototype for _pam_memdup.
+ * libpam/pam_misc.c: Add _pam_memdup.
+ * doc/man/Makefile.am: Add pam_xauth_data.3. Replace
+ pam_item_types.inc.xml with pam_item_types_std.inc.xml and
+ pam_item_types_ext.inc.xml.
+ * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml
+ with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml.
+ * doc/man/pam_set_item.3.xml: Likewise.
+ * doc/man/pam_item_types.inc.xml: Removed file.
+ * doc/man/pam_item_types_ext.inc.xml: New file.
+ * doc/man/pam_item_types_std.inc.xml: New file.
+
2007-12-06 Tomas Mraz <t8m@centrum.cz>
* modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example.
* New substack directive in config file syntax.
* New module pam_tty_audit.so for enabling and disabling tty
auditing.
+* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
Release 0.99.9.0
* misc_conv no longer blocks SIGINT; applications that don't want
pam_acct_mgmt.3 pam_authenticate.3 \
pam_chauthtok.3 pam_close_session.3 pam_conv.3 \
pam_end.3 pam_error.3 \
- pam_fail_delay.3 \
+ pam_fail_delay.3 pam_xauth_data.3 \
pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \
pam_getenvlist.3 \
pam_info.3 \
pam_acct_mgmt.3.xml pam_authenticate.3.xml \
pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \
pam_end.3.xml pam_error.3.xml \
- pam_fail_delay.3.xml \
+ pam_fail_delay.3.xml pam_xauth_data.3 \
pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \
pam_getenv.3.xml pam_getenvlist.3.xml \
pam_info.3.xml \
pam_sm_close_session.3.xml pam_sm_open_session.3.xml \
pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \
pam_sm_chauthtok.3.xml \
- pam_item_types.inc.xml \
+ pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \
pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
pam_misc_setenv.3.xml
if ENABLE_REGENERATE_MAN
-pam_get_item.3: pam_item_types.inc.xml
-pam_set_data.3: pam_item_types.inc.xml
+pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
+pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
-include $(top_srcdir)/Make.xml.rules
endif
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
[
<!--
-<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml">
-->
]>
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_item_types.inc.xml"/>
+ href="pam_item_types_std.inc.xml"/>
+
+ <para>
+ The following additional items are specific to Linux-PAM and should not be used in
+ portable applications:
+ </para>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_item_types_ext.inc.xml"/>
<para>
If a service module wishes to obtain the name of the user,
--- /dev/null
+<!-- this file is included by pam_set_item and pam_get_item -->
+
+ <variablelist>
+ <varlistentry>
+ <term>PAM_FAIL_DELAY</term>
+ <listitem>
+ <para>
+ A function pointer to redirect centrally managed
+ failure delays. See
+ <citerefentry>
+ <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_XDISPLAY</term>
+ <listitem>
+ <para>
+ The name of the X display. For graphical, X-based applications the
+ value for this item should be the <emphasis>$DISPLAY</emphasis>
+ variable. This value should be used instead of
+ <emphasis>PAM_TTY</emphasis> for passing the
+ name of the display where possible.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_XAUTHDATA</term>
+ <listitem>
+ <para>
+ A pointer to a structure containing the X authentication data
+ required to make a connection to the display specified by
+ <emphasis>PAM_XDISPLAY</emphasis>, if such information is
+ necessary. See
+ <citerefentry>
+ <refentrytitle>pam_xauth_data</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
</listitem>
</varlistentry>
- <varlistentry>
- <term>PAM_FAIL_DELAY</term>
- <listitem>
- <para>
- A function pointer to redirect centrally managed
- failure delays. See
- <citerefentry>
- <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
</variablelist>
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
[
<!--
-<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml">
-->
]>
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_item_types.inc.xml"/>
+ href="pam_item_types_std.inc.xml"/>
+
+ <para>
+ The following additional items are specific to Linux-PAM and should not be used in
+ portable applications:
+ </para>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_item_types_ext.inc.xml"/>
<para>
For all <emphasis>item_type</emphasis>s, other than PAM_CONV and
*__xx__++ = '\0'; \
} while (0)
+#define _pam_overwrite_n(x,n) \
+do { \
+ register char *__xx__; \
+ register int __i__ = 0; \
+ if ((__xx__=(x))) \
+ for (;__i__<n; __i__++) \
+ __xx__[__i__] = 0; \
+} while (0)
+
/*
* Don't just free it, forget it too.
*/
#define PAM_OLDAUTHTOK 7 /* The old authentication token */
#define PAM_RUSER 8 /* The remote user name */
#define PAM_USER_PROMPT 9 /* the prompt for getting a username */
+/* Linux-PAM extensions */
#define PAM_FAIL_DELAY 10 /* app supplied function to override failure
delays */
+#define PAM_XDISPLAY 11 /* X display name */
+#define PAM_XAUTHDATA 12 /* X server authentication data */
/* -------------- Special defines used by Linux-PAM -------------- */
void *appdata_ptr;
};
+/* Used by the PAM_XAUTHDATA pam item. Contains X authentication
+ data used by modules to connect to the user's X display. Note:
+ this structure is intentionally compatible with xcb_auth_info_t. */
+
+struct pam_xauth_data {
+ int namelen;
+ char *name;
+ int datalen;
+ char *data;
+};
+
/* ... adapted from the pam_appl.h file created by Theodore Ts'o and
*
* Copyright Theodore Ts'o, 1996. All rights reserved.
_pam_drop(pamh->former.substates);
+ _pam_overwrite(pamh->xdisplay);
+ _pam_drop(pamh->xdisplay);
+
+ _pam_overwrite(pamh->xauth.name);
+ _pam_drop(pamh->xauth.name);
+ _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
+ _pam_drop(pamh->xauth.data);
+ _pam_overwrite_n(&pamh->xauth, sizeof(pamh->xauth));
+
/* and finally liberate the memory for the pam_handle structure */
_pam_drop(pamh);
pamh->fail_delay.delay_fn_ptr = item;
break;
+ case PAM_XDISPLAY:
+ RESET(pamh->xdisplay, item);
+ break;
+
+ case PAM_XAUTHDATA:
+ if (pamh->xauth.namelen) {
+ _pam_overwrite(pamh->xauth.name);
+ free(pamh->xauth.name);
+ }
+ if (pamh->xauth.datalen) {
+ _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
+ free(pamh->xauth.data);
+ }
+ pamh->xauth = *((const struct pam_xauth_data *) item);
+ pamh->xauth.name = _pam_strdup(pamh->xauth.name);
+ pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen);
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
*item = pamh->fail_delay.delay_fn_ptr;
break;
+ case PAM_XDISPLAY:
+ *item = pamh->xdisplay;
+ break;
+
+ case PAM_XAUTHDATA:
+ *item = &pamh->xauth;
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
return new; /* return the duplicate or NULL on error */
}
+/*
+ * Safe duplication of memory buffers. "Paranoid"; don't leave
+ * evidence of old token around for later stack analysis.
+ */
+
+char *_pam_memdup(const char *x, int len)
+{
+ register char *new=NULL;
+
+ if (x != NULL) {
+ if ((new = malloc(len)) == NULL) {
+ len = 0;
+ pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory");
+ } else {
+ memcpy (new, x, len);
+ }
+ x = NULL;
+ }
+
+ return new; /* return the duplicate or NULL on error */
+}
+
/* Generate argv, argc from s */
/* caller must free(argv) */
char *rhost;
char *ruser;
char *tty;
+ char *xdisplay;
struct pam_data *data;
struct pam_environ *env; /* structure to maintain environment list */
struct _pam_fail_delay fail_delay; /* helper function for easy delays */
+ struct pam_xauth_data xauth; /* auth info for X display */
struct service handlers;
struct _pam_former_state former; /* library state - support for
event driven applications */
char *_pam_strdup(const char *s);
+char *_pam_memdup(const char *s, int len);
+
int _pam_mkargv(char *s, char ***argv, int *argc);
void _pam_sanitize(pam_handle_t *pamh);