-2006-08-04 Ray Strode <rstrode@redhat.com>
+2006-08-05 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * configure.in: Generate xtests/Makefile.
+ * Makefile.am (SUBDIRS): Add xtests.
+ * README: Document make check and make xtests.
+ * xtests/Makefile.am: New.
+ * xtests/tst-pam_dispatch1.pamd: New.
+ * xtests/tst-pam_dispatch2.pamd: New.
+ * xtests/tst-pam_dispatch3.pamd: New.
+ * xtests/tst-pam_dispatch1.c: New.
+ * xtests/tst-pam_dispatch2.c: New.
+ * xtests/tst-pam_dispatch3.c: New.
+
+2006-08-04 Ray Strode <rstrode@redhat.com>
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate):
Return PAM_USER_UNKNOWN instead of PAM_SERVICE_ERR where appropriate.
-2006-08-03 David Howells <dhowells@redhat.com>
+2006-08-03 David Howells <dhowells@redhat.com>
* modules/pam_keyinit/pam_keyinit.c: Debug should be off by default.
(init_keyrings): Properly handle multiple invocations of the module.
(kill_keyrings, pam_sm_open_session, pam_sm_close_session): Likewise.
-2006-08-03 Tomas Mraz <t8m@centrum.cz>
+2006-08-03 Tomas Mraz <t8m@centrum.cz>
* modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist):
New function for list matching.
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
if STATIC_MODULES
-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples
+SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
else
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
endif
CLEANFILES = *~
tar jfc Linux-PAM-$(VERSION)-docs.tar.bz2 \
Linux-PAM-$(VERSION)/doc
rm -rf Linux-PAM-$(VERSION)
+
+xtests:
+ make -C xtests xtests
+
+.PHONY: xtests
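Review bot: The new top-level `xtests` rule calls `make` by name, so a user who builds with a different make binary, or with `-j`/`-n`, gets a sub-make that ignores those settings. Use `$(MAKE) -C xtests xtests` so that the invoking make, its flags and the jobserver are passed down. Since the target installs files under /etc/pam.d as root, honouring `-n` (dry run) is worth having here.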
Linux-PAM NEWS -- history of user-visible changes.
+* Add xtests (to run after installation).
* Documentation: Convert sgml guides to XML, unify documentation
for PAM functions and modules.
./configure <your-options>
make
+To make sure everything was compiled correct, run:
+
+ make check
+
+If a test failes, you should not continue to install this build.
+
Note, if you are worried - don't even think about doing the next line
(most Linux distributions already support PAM out of the box, so if
something goes wrong with installing the code from this version your
That said, please report problems to the bug reporting database
on sourceforge.net.
+You can run additional checks after installing by executing
+
+ make xtests
+
+as root.
+
If you do not wish to make the modules dynamically loadable, but
build a static libpam including all PAM modules, you have to call:
modules/pam_warn/Makefile modules/pam_wheel/Makefile \
modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
- doc/mwg/Makefile examples/Makefile tests/Makefile)
+ doc/mwg/Makefile examples/Makefile tests/Makefile \
+ xtests/Makefile)
Conditions are three words: a field, a test, and a value to test for.
-Available fields are user, uid, gid, shell and home:
+Available fields are user, uid, gid, shell, home and service:
field < number
Field does not match the given glob.
+field in item:item:...
+
+ Field is contained in the list of items separated by colons.
+
+field notin item:item:...
+
+ Field is not contained in the list of items separated by colons.
+
user ingroup group
User is in given group.
User is not in given group.
+user innetgr netgroup
+
+ (user,host) is in given netgroup.
+
+user notinnetgr group
+
+ (user,host) is not in given netgroup.
+
EXAMPLES
To emulate the behaviour of pam_wheel, except there is no fallback to group 0:
.\" Title: pam_succeed_if
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/22/2006
+.\" Date: 08/05/2006
.\" Manual: Linux\-PAM
.\" Source: Linux\-PAM
.\"
-.TH "PAM_SUCCEED_IF" "8" "06/22/2006" "Linux\-PAM" "Linux\-PAM"
+.TH "PAM_SUCCEED_IF" "8" "08/05/2006" "Linux\-PAM" "Linux\-PAM"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
\fIuser\fR,
\fIuid\fR,
\fIgid\fR,
-\fIshell\fR
+\fIshell\fR,
+\fIhome\fR
and
-\fIhome\fR:
+\fIservice\fR:
.TP 3n
\fBfield < number\fR
Field has a value numerically less than number.
\fBfield !~ glob\fR
Field does not match the given glob.
.TP 3n
+\fBfield in item:item:...\fR
+Field is contained in the list of items separated by colons.
+.TP 3n
+\fBfield notin item:item:...\fR
+Field is not contained in the list of items separated by colons.
+.TP 3n
\fBuser ingroup group\fR
User is in given group.
.TP 3n
\fBuser notingroup group\fR
User is not in given group.
+.TP 3n
+\fBuser innetgr netgroup\fR
+(user,host) is in given netgroup.
+.TP 3n
+\fBuser notinnetgr group\fR
+(user,host) is not in given netgroup.
.SH "MODULE SERVICES PROVIDED"
.PP
The
--- /dev/null
+Makefile
+Makefile.in
+.deps
+.libs
+tst-pam_dispatch1
+tst-pam_dispatch2
+tst-pam_dispatch3
--- /dev/null
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_srcdir)/libpam/include
+AM_LDFLAGS = -L$(top_builddir)/libpam -lpam
+
+CLEANFILES = *~
+
+EXTRA_DIST = tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
+ tst-pam_dispatch3.pamd
+
+XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3
+
+noinst_PROGRAMS = $(XTESTS)
+
+tst_pam_dispatch1_LDADD = -L$(top_builddir)/libpam -lpam -ldl -L$(top_builddir)/libpam_misc -lpam_misc
+tst_pam_dispatch2_LDADD = -L$(top_builddir)/libpam -lpam -ldl -L$(top_builddir)/libpam_misc -lpam_misc
+tst_pam_dispatch3_LDADD = -L$(top_builddir)/libpam -lpam -ldl -L$(top_builddir)/libpam_misc -lpam_misc
+
+xtests: $(XTESTS)
+ @failed=0; pass=0; all=0; \
+ for testname in $(XTESTS) ; do \
+ install -m 644 $$testname.pamd /etc/pam.d/$$testname ; \
+ ./$$testname > /dev/null ; \
+ if test $$? -ne 0 ; then \
+ echo "FAIL: $$testname" ; \
+ failed=`expr $$failed + 1`; \
+ else \
+ echo "PASS: $$testname" ; \
+ pass=`expr $$pass + 1`; \
+ fi ; \
+ all=`expr $$all + 1` ; \
+ rm -f /etc/pam.d/$$testname ; \
+ done ; \
+ if test "$$failed" -ne 0; then \
+ echo "===================" ; \
+ echo "$$failed of $$all tests failed" ; \
+ echo "===================" ; \
+ exit 1 ; \
+ else \
+ echo "==================" ; \
+ echo "All $$all tests passed" ; \
+ echo "==================" ; \
+ fi
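Review bot: The exit status of `install -m 644 $$testname.pamd /etc/pam.d/$$testname` is not checked, so when the target is run without root (or the copy otherwise fails) the test binary still runs. It is then presumably evaluated against whatever policy the system applies to an unknown service name, and the PASS/FAIL line says nothing about the test stack. Abort on failure, and take the file from the source tree so VPATH builds work: `install -m 644 $(srcdir)/$$testname.pamd /etc/pam.d/$$testname || exit 1 ; \`. The `rm -f` runs only if the loop body gets that far, so an interrupted run leaves a test service file in /etc/pam.d. A `trap` that removes the current file on EXIT/INT/TERM at the top of the recipe would close that gap. A short comment above the rule saying it writes to the live PAM configuration would also help.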
--- /dev/null
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+
+static int debug = 0;
+
+/*
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+
+ This stack should not return PAM_IGNORE to the application:
+ auth [default=bad] pam_debug.so auth=ignore
+*/
+static int
+test1 (void)
+{
+ pam_handle_t *pamh=NULL;
+ const char *user="nobody";
+ int retval;
+
+ retval = pam_start("tst-pam_dispatch1", user, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test1: pam_start returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_PERM_DENIED)
+ {
+ if (debug)
+ fprintf (stderr, "test1: pam_authenticate returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_end(pamh,retval);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test1: pam_end returned %d\n", retval);
+ return 1;
+ }
+ return 0;
+}
+
+
+int main(int argc, char *argv[])
+{
+ if (argc > 1 && strcmp (argv[1], "-d") == 0)
+ debug = 1;
+
+ if (test1 ())
+ return 1;
+
+ return 0;
+}
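Review bot: `strcmp` is called in `main` without a declaration in scope, since only `<stdio.h>` and the PAM headers are included. Add `#include <string.h>` next to `#include <stdio.h>`; the same applies to tst-pam_dispatch2.c and tst-pam_dispatch3.c. Separately, when `pam_authenticate` returns something other than the expected value, `test1` returns 1 without calling `pam_end`, so the handle is never released on that path. Calling `pam_end(pamh, retval);` before that `return 1;` keeps the failure path tidy (same pattern in `test2` and in the dispatch3 `main`).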
--- /dev/null
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+# This stack should not return PAM_IGNORE to the application:
+auth [default=bad] pam_debug.so auth=ignore
--- /dev/null
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+
+static int debug = 0;
+
+/*
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+
+ This stack should not return PAM_IGNORE to the application:
+ auth [default=die] pam_debug.so auth=ignore
+*/
+static int
+test2 (void)
+{
+ pam_handle_t *pamh=NULL;
+ const char *user="nobody";
+ int retval;
+
+ retval = pam_start("tst-pam_dispatch2", user, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test2: pam_start returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_PERM_DENIED)
+ {
+ if (debug)
+ fprintf (stderr, "test2: pam_authenticate returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_end(pamh,retval);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test2: pam_end returned %d\n", retval);
+ return 1;
+ }
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ if (argc > 1 && strcmp (argv[1], "-d") == 0)
+ debug = 1;
+
+ if (test2 ())
+ return 1;
+
+ return 0;
+}
--- /dev/null
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+# This stack should not return PAM_IGNORE to the application:
+auth [default=die] pam_debug.so auth=ignore
--- /dev/null
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+
+
+/* Check that errors of optional modules are ignored and that
+ required modules after a sufficient one are not executed. */
+
+int
+main(int argc, char *argv[])
+{
+ pam_handle_t *pamh=NULL;
+ const char *user="nobody";
+ int retval;
+ int debug = 0;
+
+ if (argc > 1 && strcmp (argv[1], "-d") == 0)
+ debug = 1;
+
+ retval = pam_start("tst-pam_dispatch3", user, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test3: pam_start returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test3: pam_authenticate returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_end(pamh,retval);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test3: pam_end returned %d\n", retval);
+ return 1;
+ }
+ return 0;
+}
--- /dev/null
+#%PAM-1.0
+auth optional pam_debug.so auth=auth_err
+auth sufficient pam_debug.so auth=success
+auth required pam_debug.so auth=perm_denied
+account required pam_debug.so acct=acct_expired
+
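Review bot: The `account required pam_debug.so acct=acct_expired` line is never exercised, because tst-pam_dispatch3.c calls only `pam_authenticate` and never `pam_acct_mgmt`. Either drop the line or extend the test with a `pam_acct_mgmt(pamh, 0)` call that expects `PAM_ACCT_EXPIRED`. Unlike the dispatch1/dispatch2 stacks, this one makes authentication succeed through the `sufficient` line for as long as the file is present in /etc/pam.d. A header comment should say so, e.g. `# Test-only stack: auth succeeds unconditionally; must not stay installed after the xtests run.`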