* ldconfig: Only run full ldconfig, if we don't install into a FAKEROOT
environment, else let ldconfig only create the symlinks correct
(from Linux distributors - kukuk)
-
+* pam_unix/pam_pwdb: Use SIG_DFL instead of SIG_IGN for SIGCHLD
+ (from Linux distributors - kukuk)
+* Add parts of the first chunk of Steve Grubb's resource leak and
+ other fixes (from Linux distributors - kukuk)
0.77: Mon Sep 23 10:25:42 PDT 2002
#define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */
#define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
#define PAM_TRY_AGAIN 24 /* Preliminary check by password service */
-#define PAM_IGNORE 25 /* Ingore underlying account module */
+#define PAM_IGNORE 25 /* Ignore underlying account module */
/* regardless of whether the control */
/* flag is required, optional, or sufficient */
#define PAM_ABORT 26 /* Critical error (?module fail now request) */
/*
* fill entries in pamh->env
*/
-
+
pamh->env->entries = PAM_ENV_CHUNK;
pamh->env->requested = 1;
pamh->env->list[0] = NULL;
/* add a new NULL entry at end; increase counter */
pamh->env->list[pamh->env->requested++] = NULL;
-
+
} else { /* replace old */
D(("replacing item: %s\n with: %s"
, pamh->env->list[item], name_value));
_pam_overwrite(dump[i]);
_pam_drop(dump[i]);
}
+ __pam_drop(dump);
return NULL;
}
}
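Review bot: The added cleanup calls `__pam_drop(dump)` with two leading underscores while the neighbouring lines use `_pam_drop`; unless a `__pam_drop` macro is defined somewhere outside this chunk, that is an undeclared name, and identifiers starting with a double underscore are reserved for the implementation in any case. The line should read `_pam_drop(dump);` so the partially built copy is released the same way its entries are on the lines above, before the `return NULL`. The function containing this loop starts before the hunk.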
/* indicate its name - later we will search for it by this */
if ((mod->name = _pam_strdup(mod_path)) == NULL) {
D(("_pam_handler: couldn't get memory for mod_path"));
- _pam_system_log(LOG_ERR, "no memory for module path", mod_path);
+ _pam_system_log(LOG_ERR, "no memory for module path");
success = PAM_ABORT;
}
void _pam_parse_control(int *control_array, char *tok);
-void _pam_system_log(int priority, const char *format, ... );
+void _pam_system_log(int priority, const char *format, ... )
+#ifdef __GNUC__
+ __attribute__ ((format (printf, 2, 3)));
+#else
+ ;
+#endif
+
#define _PAM_SYSTEM_LOG_PREFIX "PAM "
/*
* (I took login_access from logdaemon-5.6 and converted it to PAM
* using parts of pam_time code.)
*
- ************************************************************************
+ ************************************************************************
* Copyright message from logdaemon-5.6 (original file name DISCLAIMER)
- ************************************************************************
- * Copyright 1995 by Wietse Venema. All rights reserved. Individual files
- * may be covered by other copyrights (as noted in the file itself.)
- *
- * This material was originally written and compiled by Wietse Venema at
- * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
- * 1992, 1993, 1994 and 1995.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this entire copyright notice is duplicated in all such
- * copies.
- *
- * This software is provided "as is" and without any expressed or implied
- * warranties, including, without limitation, the implied warranties of
- * merchantibility and fitness for any particular purpose.
+ ************************************************************************
+ * Copyright 1995 by Wietse Venema. All rights reserved. Individual files
+ * may be covered by other copyrights (as noted in the file itself.)
+ *
+ * This material was originally written and compiled by Wietse Venema at
+ * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+ * 1992, 1993, 1994 and 1995.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this entire copyright notice is duplicated in all such
+ * copies.
+ *
+ * This software is provided "as is" and without any expressed or implied
+ * warranties, including, without limitation, the implied warranties of
+ * merchantibility and fitness for any particular purpose.
*************************************************************************
*/
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
-int strcasecmp(const char *s1, const char *s2);
-
/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */
/*
* control based on login names and on host (or domain) names, internet
* addresses (or network numbers), or on terminal line names in case of
* non-networked logins. Diagnostics are reported through syslog(3).
- *
+ *
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
, loginfo->service, 11 + argv[i]);
return 0;
}
-
+
} else {
_log_err("unrecognized option [%s]", argv[i]);
}
}
-
+
return 1; /* OK */
}
-typedef int match_func (char *, struct login_info *);
+typedef int match_func (char *, struct login_info *);
static int list_match (char *, struct login_info *,
match_func *);
(void) fclose(fp);
} else if (errno != ENOENT) {
_log_err("cannot open %s: %m", item->config_file);
+ return NO;
}
return (match == 0 || (line[0] == '+'));
}
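Review bot: The new `return NO` denies access whenever the configuration file exists but cannot be opened, while a missing file (ENOENT) still falls through to `return (match == 0 || (line[0] == '+'))` and allows; fail-closed is the right choice for an access-control module, but the asymmetry is easy to misread as a bug later, so it deserves a comment next to the return such as `/* file present but unreadable: fail closed */`. The enclosing function starts outside the hunk.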
{
static char name[MAXHOSTNAMELEN + 1];
- gethostname(name, MAXHOSTNAMELEN);
- name[MAXHOSTNAMELEN] = 0;
- return (name);
+ if (gethostname(name, MAXHOSTNAMELEN) == 0) {
+ name[MAXHOSTNAMELEN] = 0;
+ return (name);
+ }
+ return NULL;
}
/* netgroup_match - match group against machine or user */
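Review bot: `myhostname()` now returns NULL when gethostname() fails, but the failure itself is silent, so a user@host rule that ends up denied because of it is hard to diagnose; since this file already reports errors through `_log_err` with `%m` (L128), add `_log_err("gethostname: %m");` before the new `return NULL`. The NULL result is handled by the user_match change at L148-149; any other caller of myhostname() lies outside this chunk and would need the same check. The function's signature line precedes the hunk.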
if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
*at = 0;
fake_item.from = myhostname();
+ if (fake_item.from == NULL)
+ return NO;
return (user_match(tok, item) && from_match(at + 1, &fake_item));
} else if (tok[0] == '@') { /* netgroup */
return (netgroup_match(tok + 1, (char *) 0, string));
return (NO);
}
-/* end of login_access.c */
-
-int strcasecmp(const char *s1, const char *s2)
-{
- while ((toupper(*s1)==toupper(*s2)) && (*s1) && (*s2)) {s1++; s2++;}
- return(toupper(*s1)-toupper(*s2));
-}
-
/* --- public account management functions --- */
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
NULL
};
#endif
-
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
-#ifndef LINUX_PAM
+#ifndef LINUX_PAM
#include <security/pam_appl.h>
#endif /* LINUX_PAM */
struct pam_response **response)
{
int retval;
- struct pam_conv *conv;
+ struct pam_conv *conv = NULL;
- retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+ retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
- if ( retval == PAM_SUCCESS ) {
+ if ( retval == PAM_SUCCESS && conv ) {
retval = conv->conv(nargs, (const struct pam_message **)message,
response, conv->appdata_ptr);
if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) {
}
} else {
_pam_log(LOG_ERR, "couldn't obtain coversation function [%s]",
- pam_strerror(pamh, retval));
+ pam_strerror(pamh, retval));
+ if ( retval == PAM_SUCCESS )
+ retval = PAM_BAD_ITEM; /* conv was NULL */
}
return retval; /* propagate error status */
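Review bot: When pam_get_item succeeds but hands back a NULL conv, the error is logged before retval is corrected, so the message carries `pam_strerror(pamh, PAM_SUCCESS)` and reads as "couldn't obtain ... function [Success]". Set the code first by moving `if ( retval == PAM_SUCCESS ) retval = PAM_BAD_ITEM; /* conv was NULL */` above the `_pam_log` call in the else branch. The same log string also misspells "conversation". The enclosing converse() function starts before the hunk.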
size -= digits;
else if (digits < opt->dig_credit * -1)
return 1;
-
+
if (opt->up_credit >= 0)
size -= uppers;
else if (uppers < opt->up_credit * -1)
return 1;
-
+
if (opt->low_credit >= 0)
size -= lowers;
else if (lowers < opt->low_credit * -1)
return 1;
-
+
if (opt->oth_credit >= 0)
size -= others;
else if (others < opt->oth_credit * -1)
const char *msg = NULL;
const char *user;
int retval;
-
+
if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
if (ctrl && PAM_DEBUG_ARG)
_pam_log(LOG_DEBUG, "bad authentication token");
msg = password_check(opt, pass_old,pass_new);
if (!msg) {
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
- if (retval != PAM_SUCCESS) {
+ if (retval != PAM_SUCCESS || user == NULL) {
if (ctrl & PAM_DEBUG_ARG) {
_pam_log(LOG_ERR,"Can not get username");
return PAM_AUTHTOK_ERR;
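Review bot: The new `user == NULL` test only stops the request when debugging is on: the `return PAM_AUTHTOK_ERR` at the end of the hunk sits inside the `if (ctrl & PAM_DEBUG_ARG) {` block opened two lines earlier, so without the debug option execution continues past the check with user still NULL (assuming the lines after the hunk only close the braces). The return belongs outside the debug-only block: `if (ctrl & PAM_DEBUG_ARG) _pam_log(LOG_ERR,"Can not get username");` followed by an unconditional `return PAM_AUTHTOK_ERR;`. Separately, L222 tests `ctrl && PAM_DEBUG_ARG` whereas L229 uses `ctrl & PAM_DEBUG_ARG`; the `&&` form is true for any non-zero ctrl, and the same pattern appears at L186 and L238. The enclosing function begins outside the hunk.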
if (msg) {
char remark[BUFSIZ];
-
+
memset(remark,0,sizeof(remark));
snprintf(remark,sizeof(remark),"BAD PASSWORD: %s",msg);
if (ctrl && PAM_DEBUG_ARG)
msg);
make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
return PAM_AUTHTOK_ERR;
- };
+ };
return PAM_SUCCESS;
-
+
}
-/* The Main Thing (by Cristian Gafton, CEO at this module :-)
+/* The Main Thing (by Cristian Gafton, CEO at this module :-)
* (stolen from http://home.netscape.com)
*/
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
ctrl = _pam_parse(&options, argc, argv);
if (flags & PAM_PRELIM_CHECK) {
- /* Check for passwd dictionary */
+ /* Check for passwd dictionary */
struct stat st;
char buf[sizeof(CRACKLIB_DICTPATH)+10];
CRACKLIB_DICTPATH);
return PAM_ABORT;
}
-
+
/* Not reached */
return PAM_SERVICE_ERR;
retval = PAM_SUCCESS;
}
- do {
+ do {
/*
* make sure nothing inappropriate gets returned
*/
token1 = token2 = NULL;
-
+
if (!options.retry_times) {
D(("returning %s because maxtries reached",
pam_strerror(pamh, retval)));
/* Planned modus operandi:
* Get a passwd.
* Verify it against cracklib.
- * If okay get it a second time.
+ * If okay get it a second time.
* Check to be the same with the first one.
* set PAM_AUTHTOK and return
*/
{
char *crack_msg;
char remark[BUFSIZ];
-
+
bzero(remark,sizeof(remark));
D(("against cracklib"));
if ((crack_msg = FascistCheck(token1, cracklib_dictpath))) {
retval = PAM_AUTHTOK_RECOVER_ERR;
continue;
}
-
+
/* Yes, the password was typed correct twice
* we store this password as an item
*/
return PAM_SUCCESS;
}
}
-
+
} while (options.retry_times--);
} else {
}
/* Not reached */
- return PAM_SERVICE_ERR;
+ return PAM_SERVICE_ERR;
}
}
if (user == NULL || *user == '\0') {
D(("username not known"));
- pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+ retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+ if (retval != PAM_SUCCESS)
+ return retval;
}
user = NULL; /* clean up */
#endif
#define DEFAULT_ETC_ENVFILE "/etc/environment"
-#define DEFAULT_READ_ENVFILE 1
+#define DEFAULT_READ_ENVFILE 0
#include <security/_pam_aconf.h>
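Review bot: Flipping DEFAULT_READ_ENVFILE from 1 to 0 changes pam_env's default so that DEFAULT_ETC_ENVFILE (/etc/environment) is no longer read unless the module is passed `readenv=1`, which is an administrator-visible change in what environment a session gets. None of the changelog entries in this chunk mentions it; add a changelog line and update the module's description of the `readenv` argument, and put a comment on the define such as `/* 0: DEFAULT_ETC_ENVFILE is only read when readenv=1 is given */`.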
return PAM_IGNORE;
}
- /* _pam_assemble_line will provide a complete line from the config file, with all
- * comments removed and any escaped newlines fixed up
+ /* _pam_assemble_line will provide a complete line from the config file,
+ * with all comments removed and any escaped newlines fixed up
*/
while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) {
(void) fclose(conf);
/* tidy up */
- _clean_var(var); /* We could have got here prematurely, this is safe though */
+ _clean_var(var); /* We could have got here prematurely,
+ * this is safe though */
_pam_overwrite(*conffile);
_pam_drop(*conffile);
file = NULL;
D(("Exit."));
- return (retval<0?PAM_ABORT:PAM_SUCCESS);
+ return (retval != 0 ? PAM_ABORT : PAM_SUCCESS);
}
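Review bot: The new `return (retval != 0 ? PAM_ABORT : PAM_SUCCESS)` fixes a real gap — a positive PAM error code left in retval by the loop body used to be reported as success under `retval<0` — but it now depends on two things the hunk does not show: `_assemble_line` returning exactly 0 at a clean EOF, and every success path inside the `while` leaving retval at PAM_SUCCESS. A comment on the return, e.g. `/* retval: 0 = clean EOF, <0 = read error, >0 = PAM error from the loop body */`, would pin that contract; the PAM_IGNORE mapping at L359-360 relies on the same assumptions. _parse_config_file starts before this hunk.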
static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file)
continue;
/* skip over "export " if present so we can be compat with
- bash type declerations */
+ bash type declarations */
if (strncmp(key, "export ", (size_t) 7) == 0)
key += 7;
_pam_drop(*env_file);
file = NULL;
D(("Exit."));
- return (retval<0?PAM_IGNORE:PAM_SUCCESS);
+ return (retval != 0 ? PAM_IGNORE : PAM_SUCCESS);
}
/*
retval = _parse_config_file(pamh, ctrl, &conf_file);
- if(readenv)
- _parse_env_file(pamh, ctrl, &env_file);
+ if(readenv && retval == PAM_SUCCESS)
+ retval = _parse_env_file(pamh, ctrl, &env_file);
/* indicate success or failure */
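Review bot: Propagating `_parse_env_file`'s result changes what this entry point returns: that function maps any non-zero retval to PAM_IGNORE (L359-360), so a problem with the env file now turns an otherwise successful call into PAM_IGNORE, and if its open path (outside this chunk) also yields PAM_IGNORE for a merely absent file, every system without /etc/environment is affected whenever readenv is set. Confirm that is intended, and consider distinguishing "file absent" (keep PAM_SUCCESS) from "file malformed" (PAM_IGNORE) before propagating. The same change is made at L372-373. Both enclosing functions start outside their hunks.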
retval = _parse_config_file(pamh, ctrl, &conf_file);
- if(readenv)
- _parse_env_file(pamh, ctrl, &env_file);
+ if(readenv && retval == PAM_SUCCESS)
+ retval = _parse_env_file(pamh, ctrl, &env_file);
/* indicate success or failure */
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_IGN);
+ sighandler = signal(SIGCHLD, SIG_DFL);
}
/* fork */
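Review bot: The switch from SIG_IGN to SIG_DFL needs a why-comment, because the comment visible above it only explains why the application's handler is replaced, not why the replacement must be SIG_DFL. Ignoring SIGCHLD makes the kernel reap the helper child automatically, so the wait the module presumably performs later (outside the hunk) could not return the helper's exit status and the authentication result would be lost; SIG_DFL keeps the child collectable. Suggested line above the call: `/* SIG_DFL, not SIG_IGN: ignoring SIGCHLD auto-reaps the child and loses the helper's exit status */`. The same change and comment apply at L385-386; the surrounding functions and the restore of `sighandler` are outside the hunks.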
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_IGN);
+ sighandler = signal(SIGCHLD, SIG_DFL);
}
/* fork */