#
README: README.xml
- $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" --nonet http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $(srcdir)/$@
+ $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-html.xsl $< | $(BROWSER) > $(srcdir)/$@
%.1: %.1.xml
$(XMLLINT) --nonet --xinclude --postvalid --noout $<
- $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $<
%.3: %.3.xml
$(XMLLINT) --nonet --xinclude --postvalid --noout $<
- $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $<
%.5: %.5.xml
$(XMLLINT) --nonet --xinclude --postvalid --noout $<
- $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $<
%.8: %.8.xml
$(XMLLINT) --nonet --xinclude --postvalid --noout $<
- $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $<
#CLEANFILES += $(man_MANS) README
LIBS=$BACKUP_LIBS
fi
+AC_ARG_ENABLE([econf],
+ AS_HELP_STRING([--disable-econf], [do not use libeconf]),
+ [WITH_ECONF=$enableval], WITH_ECONF=yes)
+if test "$WITH_ECONF" = "yes" ; then
+ PKG_CHECK_MODULES([ECONF], [libeconf], [],
+ [AC_CHECK_LIB([econf],[econf_readDirs],[ECONF_LIBS="-leconf"],[ECONF_LIBS=""])])
+ if test -n "$ECONF_LIBS" ; then
+ ECONF_CFLAGS="-DUSE_ECONF=1 $ECONF_CFLAGS"
+ fi
+fi
+AC_SUBST([ECONF_CFLAGS])
+AC_SUBST([ECONF_LIBS])
+AC_ARG_ENABLE([vendordir],
+ AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[])
+AC_SUBST([VENDORDIR], [$enable_vendordir])
+AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x])
+
dnl Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_STDC
dist_html_DATA = index.html
+EXTRA_DIST = custom-html.xsl custom-man.xsl
+
#######################################################
releasedocs: all
--- /dev/null
+<?xml version='1.0'?> <!--*-nxml-*-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:ss="http://docbook.sf.net/xmlns/string.subst/1.0"
+ xmlns:exsl="http://exslt.org/common" version="1.0">
+
+ <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl"/>
+ <xsl:param name="vendordir"/>
+
+ <xsl:template match="filename">
+ <xsl:variable name="replacements">
+ <ss:substitution oldstring="%vendordir%" newstring="{$vendordir}" />
+ </xsl:variable>
+ <xsl:call-template name="apply-string-subst-map">
+ <xsl:with-param name="content" select="."/>
+ <xsl:with-param name="map.contents" select="exsl:node-set($replacements)/*" />
+ </xsl:call-template>
+ </xsl:template>
+</xsl:stylesheet>
+
--- /dev/null
+<?xml version='1.0'?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ss="http://docbook.sf.net/xmlns/string.subst/1.0" version="1.0">
+ <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"/>
+ <xsl:param name="vendordir"/>
+
+ <xsl:param name="man.string.subst.map.local.pre">
+ <ss:substitution oldstring="%vendordir%" newstring="{$vendordir}" />
+ </xsl:param>
+</xsl:stylesheet>
+
pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
+if HAVE_VENDORDIR
+XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR)
+else
+XSLTPROC_CUSTOM = --stringparam vendordir "<vendordir>"
+endif
-include $(top_srcdir)/Make.xml.rules
endif
<para>
Vendor-supplied PAM configuration files might be installed in
- the system directory <filename>/usr/lib/pam.d/</filename> instead
+ the system directory <filename>/usr/lib/pam.d/</filename> or
+ a configurable vendor specific directory instead
of the machine configuration directory <filename>/etc/pam.d/</filename>.
If no machine configuration file is found, the vendor-supplied file
is used. All files in <filename>/etc/pam.d/</filename> override
- files with the same name in <filename>/usr/lib/pam.d/</filename>.
+ files with the same name in other directories.
</para>
<para>From the point of view of the system administrator, for whom this
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><filename>%vendordir%/pam.d</filename></term>
+ <listitem>
+ <para>
+ the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
+ directory. Files in <filename>/etc/pam.d</filename> and
+ <filename>/usr/lib/pam.d</filename> override files with the same
+ name in this directory. Only available if Linux-PAM was compiled
+ with vendordir enabled.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
#
AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \
- -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) -DPAM_VERSION=\"$(VERSION)\"
+ -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) $(ECONF_CFLAGS) \
+ -DPAM_VERSION=\"$(VERSION)\" -DSYSCONFDIR=\"$(sysconfdir)\"
if HAVE_LIBSELINUX
AM_CFLAGS += -D"WITH_SELINUX"
endif
+if HAVE_VENDORDIR
+ AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
+endif
CLEANFILES = *~
pam_modutil_private.h
libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84
-libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
+libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@
if HAVE_VERSIONING
libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map
, char **path
, FILE **file)
{
+ const char *pamd_dirs[] = { PAM_CONFIG_DF, PAM_CONFIG_DIST_DF
+#ifdef VENDORDIR
+ , PAM_CONFIG_DIST2_DF
+#endif
+ };
char *p;
FILE *f;
- int err = 0;
+ size_t i;
/* Absolute path */
if (service[0] == '/') {
return PAM_ABORT;
}
- /* Local Machine Configuration /etc/pam.d/ */
- if (asprintf (&p, PAM_CONFIG_DF, service) < 0) {
- pam_syslog(pamh, LOG_CRIT, "asprintf failed");
- return PAM_BUF_ERR;
- }
- D(("opening %s", p));
- f = fopen(p, "r");
- if (f != NULL) {
- *path = p;
- *file = f;
- return PAM_SUCCESS;
- }
-
- /* System Configuration /usr/lib/pam.d/ */
- _pam_drop(p);
- if (asprintf (&p, PAM_CONFIG_DIST_DF, service) < 0) {
- pam_syslog(pamh, LOG_CRIT, "asprintf failed");
- return PAM_BUF_ERR;
- }
- D(("opening %s", p));
- f = fopen(p, "r");
- if (f != NULL) {
+ for (i = 0; i < sizeof (pamd_dirs)/sizeof (char *); i++) {
+ if (asprintf (&p, pamd_dirs[i], service) < 0) {
+ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
+ return PAM_BUF_ERR;
+ }
+ D(("opening %s", p));
+ f = fopen(p, "r");
+ if (f != NULL) {
*path = p;
*file = f;
return PAM_SUCCESS;
+ }
+ _pam_drop(p);
}
- _pam_drop(p);
return PAM_ABORT;
}
/* Is there a PAM_CONFIG_D directory? */
if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
- (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
+ (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))
+#ifdef PAM_CONFIG_DIST2_D
+ || (stat(PAM_CONFIG_DIST2_D, &test_d) == 0
+ && S_ISDIR(test_d.st_mode))
+#endif
+ ) {
char *path = NULL;
int read_something=0;
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
+#ifdef USE_ECONF
+#include <libeconf.h>
+#endif
#define BUF_SIZE 8192
+#ifdef USE_ECONF
+#define LOGIN_DEFS "/etc/login.defs"
+
+#ifndef VENDORDIR
+#define VENDORDIR NULL
+#endif
+
+static char *
+econf_search_key (const char *name, const char *suffix, const char *key)
+{
+ econf_file *key_file = NULL;
+ char *val;
+
+ if (econf_readDirs (&key_file, VENDORDIR, SYSCONFDIR, name, suffix,
+ " \t", "#"))
+ return NULL;
+
+ if (econf_getStringValue (key_file, NULL, key, &val)) {
+ econf_free (key_file);
+ return NULL;
+ }
+
+ econf_free (key_file);
+
+ return val;
+}
+
+#endif
+
/* lookup a value for key in login.defs file or similar key value format */
char *
pam_modutil_search_key(pam_handle_t *pamh UNUSED,
size_t buflen = 0;
char *retval = NULL;
+#ifdef USE_ECONF
+ if (strcmp (file_name, LOGIN_DEFS) == 0)
+ return econf_search_key ("login", ".defs", key);
+#endif
+
fp = fopen(file_name, "r");
if (NULL == fp)
return NULL;
#define PAM_CONFIG_DF "/etc/pam.d/%s"
#define PAM_CONFIG_DIST_D "/usr/lib/pam.d"
#define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
+#ifdef VENDORDIR
+#define PAM_CONFIG_DIST2_D VENDORDIR"/pam.d"
+#define PAM_CONFIG_DIST2_DF VENDORDIR"/pam.d/%s"
+#endif
+
#define PAM_DEFAULT_SERVICE "other" /* lower case */
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+if HAVE_VENDORDIR
+ AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
+endif
securelib_LTLIBRARIES = pam_securetty.la
pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
if ENABLE_REGENERATE_MAN
noinst_DATA = README
README: pam_securetty.8.xml
+if HAVE_VENDORDIR
+XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR)
+else
+XSLTPROC_CUSTOM = --stringparam vendordir "<vendordir>"
+endif
-include $(top_srcdir)/Make.xml.rules
endif
<para>
pam_securetty is a PAM module that allows root logins only if the
user is logging in on a "secure" tty, as defined by the listing
- in <filename>/etc/securetty</filename>. pam_securetty also checks
- to make sure that <filename>/etc/securetty</filename> is a plain
- file and not world writable. It will also allow root logins on
+ in the <filename>securetty</filename> file. pam_securetty checks at
+ first, if <filename>/etc/securetty</filename> exists. If not and
+ it was built with vendordir support, it will use
+ <filename>%vendordir%/securetty</filename>. pam_securetty also
+ checks that the <filename>securetty</filename> files are plain
+ files and not world writable. It will also allow root logins on
the tty specified with <option>console=</option> switch on the
kernel command line and on ttys from the
<filename>/sys/class/tty/console/active</filename>.
Do not automatically allow root logins on the kernel console
device, as specified on the kernel command line or by the sys file,
if it is not also specified in the
- <filename>/etc/securetty</filename> file.
+ <filename>securetty</filename> file.
</para>
</listitem>
</varlistentry>
<para>
Authentication is rejected. Either root is attempting to
log in via an unacceptable device, or the
- <filename>/etc/securetty</filename> file is world writable or
+ <filename>securetty</filename> file is world writable or
not a normal file.
</para>
</listitem>
<para>
An error occurred while the module was determining the
user's name or tty, or the module could not open
- <filename>/etc/securetty</filename>.
+ the <filename>securetty</filename> file.
</para>
</listitem>
</varlistentry>
/* pam_securetty module */
#define SECURETTY_FILE "/etc/securetty"
+#ifdef VENDORDIR
+#define SECURETTY2_FILE VENDORDIR"/securetty"
+#endif
#define TTY_PREFIX "/dev/"
#define CMDLINE_FILE "/proc/cmdline"
#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
#include <string.h>
#include <ctype.h>
#include <limits.h>
+#include <errno.h>
/*
* here, we make a definition for the externally accessible function
const char *function_name)
{
int retval = PAM_AUTH_ERR;
+ const char *securettyfile;
const char *username;
const char *uttyname;
const void *void_uttyname;
}
if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+#ifdef VENDORDIR
+ if (errno == ENOENT) {
+ if (stat(SECURETTY2_FILE, &ttyfileinfo)) {
+ pam_syslog(pamh, LOG_NOTICE,
+ "Couldn't open %s: %m", SECURETTY2_FILE);
+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
+ this needs to succeed. But we still log the
+ error. */
+ }
+ securettyfile = SECURETTY2_FILE;
+ } else {
+#endif
pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
return PAM_SUCCESS; /* for compatibility with old securetty handling,
this needs to succeed. But we still log the
error. */
+#ifdef VENDORDIR
+ }
+#endif
+ } else {
+ securettyfile = SECURETTY_FILE;
}
if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
normal file, return error */
pam_syslog(pamh, LOG_ERR,
"%s is either world writable or not a normal file",
- SECURETTY_FILE);
+ securettyfile);
return PAM_AUTH_ERR;
}
- ttyfile = fopen(SECURETTY_FILE,"r");
+ ttyfile = fopen(securettyfile,"r");
if (ttyfile == NULL) { /* Check that we opened it successfully */
- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", securettyfile);
return PAM_SERVICE_ERR;
}
projects / linux-pam / commitdiff