Tomas Mraz [Thu, 19 Jun 2014 13:32:08 +0000 (15:32 +0200)]
pam_limits: nofile refers to file descriptors not files
modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
modules/pam_limits/limits.conf: Likewise.
Tomas Mraz [Thu, 19 Jun 2014 12:41:50 +0000 (14:41 +0200)]
pam_limits: clarify documentation of maxlogins and maxsyslogins limits.
modules/pam_limits/limits.conf.5.xml: clarify documentation of
maxlogins and maxsyslogins limits.
Tomas Mraz [Thu, 19 Jun 2014 11:51:20 +0000 (13:51 +0200)]
pam_unix: Check for NULL return from Goodcrypt_md5().
modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for
NULL return from Goodcrypt_md5().
Tomas Mraz [Thu, 19 Jun 2014 11:43:26 +0000 (13:43 +0200)]
pam_unix: check for NULL return from malloc()
* modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
Tomas Mraz [Thu, 22 May 2014 09:33:21 +0000 (11:33 +0200)]
pam_loginuid: Document one more possible case of PAM_IGNORE return.
modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case
of PAM_IGNORE return value.
Tomas Mraz [Thu, 22 May 2014 09:25:13 +0000 (11:25 +0200)]
pam_loginuid: Document other possible return values.
modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return
values.
Dmitry V. Levin [Wed, 26 Mar 2014 22:17:23 +0000 (22:17 +0000)]
pam_timestamp: fix potential directory traversal issue (ticket #27)
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.
Fixes CVE-2014-2583.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Tomas Mraz [Thu, 20 Mar 2014 09:46:13 +0000 (10:46 +0100)]
pam_userdb: document that .db suffix should not be used
modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix
should not be used and correct the example.
Tomas Mraz [Tue, 11 Mar 2014 08:59:12 +0000 (09:59 +0100)]
pam_selinux: canonicalize user name
SELinux expects canonical user name for example without domain component.
* modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().
Dmitry V. Levin [Tue, 28 Jan 2014 15:01:24 +0000 (15:01 +0000)]
Change tarball name back to "Linux-PAM"
As a side effect of commit Linux-PAM-1_1_8
-11-g3fa23ce, tarball name
changed accidentally from "Linux-PAM" to "linux-pam".
This change brings it back to "Linux-PAM".
* configure.in (AC_INIT): Explicitly specify TARNAME argument.
Dmitry V. Levin [Fri, 24 Jan 2014 15:32:08 +0000 (15:32 +0000)]
Introduce pam_modutil_sanitize_helper_fds
This change introduces pam_modutil_sanitize_helper_fds - a new function
that redirects standard descriptors and closes all other descriptors.
pam_modutil_sanitize_helper_fds supports three types of input and output
redirection:
- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
- PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented
by creating a pipe, closing its write end, and redirecting stdin to
its read end. Likewise, for stdout/stderr it is implemented by
creating a pipe, closing its read end, and redirecting to its write
end. Unlike stdin redirection, stdout/stderr redirection to a pipe
has a side effect that a process writing to such descriptor should be
prepared to handle SIGPIPE appropriately.
- PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is
implemented via PAM_MODUTIL_PIPE_FD because there is no functional
difference. For stdout/stderr, it is classic redirection to
/dev/null.
PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
security restrictions, but when the helper process might be writing to
the corresponding descriptor and termination of the helper process by
SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.
* libpam/pam_modutil_sanitize.c: New file.
* libpam/Makefile.am (libpam_la_SOURCES): Add it.
* libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
pam_modutil_sanitize_helper_fds): New declarations.
* libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
* modules/pam_exec/pam_exec.c (call_exec): Use
pam_modutil_sanitize_helper_fds.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
* modules/pam_unix/support.h (MAX_FD_NO): Remove.
Dmitry V. Levin [Fri, 24 Jan 2014 13:38:38 +0000 (13:38 +0000)]
pam_xauth: avoid potential SIGPIPE when writing to xauth process
Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
* modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
close the read end of input pipe after writing to its write end.
Dmitry V. Levin [Sun, 19 Jan 2014 14:12:59 +0000 (14:12 +0000)]
pam_loginuid: log significant loginuid write errors
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
during /proc/self/loginuid update that are not ignored.
Dmitry V. Levin [Fri, 24 Jan 2014 23:53:09 +0000 (23:53 +0000)]
Fix gratuitous use of strdup and x_strdup
There is no need to copy strings passed as arguments to execve,
the only potentially noticeable effect of using strdup/x_strdup
would be a malformed argument list in case of memory allocation error.
Also, x_strdup, being a thin wrapper around strdup, is of no benefit
when its argument is known to be non-NULL, and should not be used in
such cases.
* modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
instead of x_strdup, the latter is of no benefit in this case.
* modules/pam_ftp/pam_ftp.c (lookup): Likewise.
* modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
* modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
x_strdup for strings passed as arguments to execve.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
(_unix_verify_password): Use strdup instead of x_strdup, the latter
is of no benefit in this case.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
strings passed as arguments to execv.
Dmitry V. Levin [Fri, 24 Jan 2014 22:18:32 +0000 (22:18 +0000)]
pam_userdb: fix password hash comparison
Starting with commit
Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.
Additionally, commit Linux-PAM-1_1_6
-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.
Bug-Debian: http://bugs.debian.org/731368
Dmitry V. Levin [Fri, 24 Jan 2014 15:30:01 +0000 (15:30 +0000)]
pam_xauth: log fatal errors preventing xauth process execution
* modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe()
and fork() calls.
Dmitry V. Levin [Sun, 19 Jan 2014 14:02:53 +0000 (14:02 +0000)]
pam_loginuid: cleanup loginuid buffer initialization
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
buffer initialization closer to its first use.
Dmitry V. Levin [Wed, 22 Jan 2014 02:34:03 +0000 (02:34 +0000)]
libpam_misc: fix an inconsistency in handling memory allocation errors
When misc_conv fails to allocate memory for pam_response array, it
returns PAM_CONV_ERR. However, when read_string fails to allocate
memory for a response string, it loses the response string and silently
ignores the error, with net result as if EOF has been read.
* libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup,
the latter is of no benefit in this case.
Do not ignore potential memory allocation errors returned by strdup,
forward them to misc_conv.
Dmitry V. Levin [Mon, 20 Jan 2014 16:24:18 +0000 (16:24 +0000)]
pam_limits: fix utmp->ut_user handling
ut_user member of struct utmp is a string that is not necessarily
null-terminated, so extra care should be taken when using it.
* modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to
a null-terminated string and consistently use it where a null-terminated
string is expected.
Dmitry V. Levin [Mon, 20 Jan 2014 02:29:41 +0000 (02:29 +0000)]
pam_mkhomedir: check and create home directory for the same user (ticket #22)
Before pam_mkhomedir helper was introduced in commit
7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for
existance and creating the same directory - the home directory of the
user NAME returned by pam_get_item(PAM_USER).
The change in behaviour accidentally introduced along with
mkhomedir_helper is not consistent: while the module still checks for
getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is
getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily
the same as the directory being checked.
This change brings check and creation back in sync, both handling
getpwnam(NAME)->pw_dir.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace
"struct passwd *" argument with user's name and home directory.
Pass user's name to MKHOMEDIR_HELPER.
(pam_sm_open_session): Update create_homedir call.
Tomas Mraz [Mon, 20 Jan 2014 16:12:53 +0000 (17:12 +0100)]
pam_limits: detect and ignore stale utmp entries
Original idea by Christopher Hailey
* modules/pam_limits/pam_limits.c (check_logins): Use kill() to
detect if pid of the utmp entry is still running and ignore the entry
if it is not.
Stéphane Graber [Fri, 17 Jan 2014 23:24:16 +0000 (18:24 -0500)]
pam_loginuid: Always return PAM_IGNORE in userns
The previous patch to support user namespaces works fine with containers
that are started from a desktop/terminal session but fails when dealing
with containers that were started from a remote session such as ssh.
I haven't looked at the exact reason for that in the kernel but on the
userspace side of things, the difference is that containers started from
an ssh session will happily let pam open /proc/self/loginuid read-write,
will let it read its content but will then fail with EPERM when trying
to write to it.
So to make the userns support bullet proof, this commit moves the userns
check earlier in the function (which means a small performance impact as
it'll now happen everytime on kernels that have userns support) and will
set rc = PAM_IGNORE instead of rc = PAM_ERROR.
The rest of the code is still executed in the event that PAM is run on a
future kernel where we have some kind of audit namespace that includes a
working loginuid.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Steve Langasek [Wed, 15 Jan 2014 03:48:51 +0000 (19:48 -0800)]
pam_namespace: don't use bashisms in default namespace.init script
* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
namespace init script, so that scripts run with maximum privilege regardless
of the shell implementation.
* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
shebang line
This is not a POSIX standard option, it's a bashism. The bash manpage says
that it's used to prevent the effective user id from being reset to the real
user id on startup, and to ignore certain unsafe variables from the
environment.
In the case of pam_namespace, the -p is not necessary for environment
sanitizing because the PAM module (properly) sanitizes the environment
before execing the script.
The stated reason given in CVS history for passing -p is to "preserve euid
when called from setuid apps (su, newrole)." This should be done more
portably, by calling setuid() before spawning the shell.
Signed-off-by: Steve Langasek <vorlon@debian.org>
Bug-Debian: http://bugs.debian.org/624842
Bug-Ubuntu: https://bugs.launchpad.net/bugs/
1081323
Stéphane Graber [Wed, 8 Jan 2014 00:12:03 +0000 (16:12 -0800)]
pam_loginuid: Ignore failure in user namespaces
When running pam_loginuid in a container using the user namespaces, even
uid 0 isn't allowed to set the loginuid property.
This change catches the EACCES from opening loginuid, checks if the user
is in the host namespace (by comparing the uid_map with the host's one)
and only if that's the case, sets rc to 1.
Should uid_map not exist or be unreadable for some reason, it'll be
assumed that the process is running on the host's namespace.
The initial reason behind this change was failure to ssh into an
unprivileged container (using a 3.13 kernel and current LXC) when using
a standard pam profile for sshd (which requires success from
pam_loginuid).
I believe this solution doesn't have any drawback and will allow people
to use unprivileged containers normally. An alternative would be to have
all distros set pam_loginuid as optional but that'd be bad for any of
the other potential failure case which people may care about.
There has also been some discussions to get some of the audit features
tied with the user namespaces but currently none of that has been merged
upstream and the currently proposed implementation doesn't cover
loginuid (nor is it clear how this should even work when loginuid is set
as immutable after initial write).
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Dmitry V. Levin [Wed, 8 Jan 2014 23:53:30 +0000 (15:53 -0800)]
pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist
When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
PAM_SUCCESS, so that we can distinguish between "loginuid set
successfully" and "loginuid not set, but this is expected".
Suggested by Steve Langasek.
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
does not exist, PAM_SESSION_ERR in case of any other error.
(_pam_loginuid): Forward the PAM error code returned by set_loginuid.
Dmitry V. Levin [Wed, 20 Nov 2013 15:55:40 +0000 (15:55 +0000)]
pam_access: fix debug level logging (ticket #19)
* modules/pam_access/pam_access.c (group_match): Log the group token
passed to the function, not an uninitialized data on the stack.
Dmitry V. Levin [Tue, 19 Nov 2013 21:55:40 +0000 (21:55 +0000)]
pam_warn: log flags passed to the module (ticket #25)
* modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
log it using pam_syslog.
(pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
"flags" argument to log_items.
Dmitry V. Levin [Tue, 19 Nov 2013 21:08:00 +0000 (21:08 +0000)]
Modernize AM_INIT_AUTOMAKE invocation
Before this change, automake complained that two- and three-arguments
forms of AM_INIT_AUTOMAKE are deprecated.
* configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead
of AM_INIT_AUTOMAKE.
Dmitry V. Levin [Tue, 19 Nov 2013 20:49:47 +0000 (20:49 +0000)]
Fix autoconf warnings
Before this change, autoconf complained that AC_COMPILE_IFELSE
and AC_RUN_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS.
* configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT.
Dmitry V. Levin [Tue, 19 Nov 2013 14:18:44 +0000 (14:18 +0000)]
pam_securetty: check return value of fgets
Checking return value of fgets not only silences the warning from glibc
but also leads to a cleaner code.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Check return value of fgets.
Dmitry V. Levin [Tue, 19 Nov 2013 14:05:09 +0000 (14:05 +0000)]
pam_lastlog: fix format string
gcc -Wformat justly complains:
format '%d' expects argument of type 'int', but argument 5 has type 'time_t'
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
string.
Darren Tucker [Wed, 20 Nov 2013 08:43:50 +0000 (09:43 +0100)]
If the correct loginuid is set already, skip writing it.
modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
and skip writing if already correctly set.
Thorsten Kukuk [Mon, 11 Nov 2013 13:14:31 +0000 (14:14 +0100)]
Always ask for old password if changing NIS account
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
for old password if NIS account.
Thorsten Kukuk [Fri, 8 Nov 2013 14:35:41 +0000 (15:35 +0100)]
Allow DES as compatibility option for /etc/login.defs
* modules/pam_unix/support.h: Add UNIX_DES
Tomas Mraz [Mon, 14 Oct 2013 12:09:22 +0000 (14:09 +0200)]
Docfix: pam_prompt() and pam_vprompt() return int.
doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int.
Tomas Mraz [Mon, 14 Oct 2013 12:04:23 +0000 (14:04 +0200)]
Make pam_tty_audit work with old kernels not supporting log_passwd.
modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
if message is short from older kernel.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Tomas Mraz [Wed, 25 Sep 2013 10:40:05 +0000 (12:40 +0200)]
Fix pam_tty_audit log_passwd support and regression.
modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
(pam_sm_open_session): Always copy the old status as initialization of new.
Thorsten Kukuk [Thu, 19 Sep 2013 09:30:37 +0000 (11:30 +0200)]
Release version 1.1.8
Thorsten Kukuk [Mon, 16 Sep 2013 09:48:12 +0000 (11:48 +0200)]
Check return value of setuid to remove glibc warnings.
* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.
Tomas Mraz [Fri, 13 Sep 2013 13:20:01 +0000 (15:20 +0200)]
Write to *rounds only if non-NULL.
modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
Tomas Mraz [Fri, 13 Sep 2013 12:04:08 +0000 (14:04 +0200)]
Add missing ')'
modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
Thorsten Kukuk [Wed, 11 Sep 2013 14:49:07 +0000 (16:49 +0200)]
Release version 1.1.7
Tomas Mraz [Wed, 11 Sep 2013 11:55:22 +0000 (13:55 +0200)]
Updated translations from Transifex.
po/*.po: Updated translations from Transifex.
Thorsten Kukuk [Wed, 4 Sep 2013 14:40:37 +0000 (16:40 +0200)]
Extend pam_exec by stdout and type= options (ticket #8):
* modules/pam_exec/pam_exec.c: Add stdout and type= option
* modules/pam_exec/pam_exec.8.xml: Document new options
Thorsten Kukuk [Fri, 30 Aug 2013 12:46:47 +0000 (14:46 +0200)]
Fix compile error
* modules/pam_unix/pam_unix_acct.c: fix last change
Thorsten Kukuk [Thu, 29 Aug 2013 12:09:39 +0000 (14:09 +0200)]
Restart waitpid if it returns with EINTR (ticket #17)
* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.
Thorsten Kukuk [Wed, 28 Aug 2013 09:00:49 +0000 (11:00 +0200)]
misc_conv.3: Fix documentation of misc_conv
doc/man/misc_conv.3.xml: Fix return value of misc_conv
Tomas Mraz [Fri, 23 Aug 2013 12:43:36 +0000 (14:43 +0200)]
Apply the exclusive check in pam_sepermit only when loginuid not set.
* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
/proc
(sepermit_match): Apply the exclusive check only when loginuid not set.
Tomas Mraz [Thu, 22 Aug 2013 11:41:30 +0000 (13:41 +0200)]
Updated translations from Transifex.
* po/*.po: Updated translations from Transifex.
Dmitry V. Levin [Mon, 1 Jul 2013 22:18:02 +0000 (22:18 +0000)]
pam_rootok: fix linking in --enable-audit mode
pam_rootok.c explicitly uses functions from libaudit, so the module has
to be linked with the library.
* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
Richard Guy Briggs [Thu, 27 Jun 2013 19:31:16 +0000 (15:31 -0400)]
pam_tty_audit: fix a typo that crept in during patch review
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Richard Guy Briggs [Fri, 21 Jun 2013 12:29:00 +0000 (08:29 -0400)]
pam_tty_audit: add an option to control logging of passwords: log_passwd
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Tomas Mraz [Thu, 20 Jun 2013 08:11:43 +0000 (10:11 +0200)]
Man page fix - unix_update runs in the permissive mode as well.
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
Thorsten Kukuk [Tue, 18 Jun 2013 14:27:15 +0000 (16:27 +0200)]
Use hash from /etc/login.defs as default if no
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
Tomas Mraz [Fri, 12 Apr 2013 10:49:55 +0000 (12:49 +0200)]
pam_access: better not change the default function used to get domain name.
modules/pam_access/pam_access.c (netgroup_match): As we did not use
yp_get_default_domain() in the 1.1 branch due to typo in ifdef
we should use it only as fallback.
Tomas Mraz [Thu, 28 Mar 2013 14:30:19 +0000 (15:30 +0100)]
Fix strict aliasing issue in MD5 implementations.
modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
Tomas Mraz [Fri, 22 Mar 2013 12:50:54 +0000 (13:50 +0100)]
pam_lastlog: Do not fail on short read if btmp is corrupted.
modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
on short read or read error.
Tomas Mraz [Fri, 22 Mar 2013 08:42:22 +0000 (09:42 +0100)]
pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux
modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
Tomas Mraz [Fri, 8 Feb 2013 14:04:26 +0000 (15:04 +0100)]
Add checks for crypt() returning NULL.
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
Tomas Mraz [Thu, 7 Feb 2013 16:06:57 +0000 (17:06 +0100)]
pam_userdb: Allow also modern password hashes supported by crypt().
modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
longer than 13 characters and long salt.
Walter de Jong [Fri, 18 Jan 2013 13:51:40 +0000 (14:51 +0100)]
pam_access: fix typo in ifdef
modules/pam_access/pam_access.c (netgroup_match): Fix typo
in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.
Tomas Mraz [Thu, 20 Dec 2012 15:22:47 +0000 (16:22 +0100)]
pam_cracklib: Mention checks that are not run for root.
modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
when run as root.
Tomas Mraz [Thu, 20 Dec 2012 15:21:52 +0000 (16:21 +0100)]
Update also the POT file.
po/Linux-PAM.pot: Update to reflect current sources.
Tomas Mraz [Wed, 12 Dec 2012 17:38:48 +0000 (18:38 +0100)]
Updated translations from Transifex, added new languages.
po/LINGUAS: Added new languages.
po/*.po: Updated translations from Transifex including new languages.
Tomas Mraz [Fri, 30 Nov 2012 20:05:26 +0000 (21:05 +0100)]
pam_selinux: Drop obsolete and unsupported manual context selection.
modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
(compute_exec_context): Drop manual_context() call.
Tomas Mraz [Fri, 23 Nov 2012 09:06:15 +0000 (10:06 +0100)]
pam_limits: fix grammatical mistake.
modules/pam_limits/limits.conf: Fix grammatical mistake.
Tomas Mraz [Tue, 13 Nov 2012 08:19:05 +0000 (09:19 +0100)]
Reflect the enforce_for_root semantics change in pam_pwhistory xtest.
xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
running with real uid == 0.
Dmitry V. Levin [Wed, 10 Oct 2012 18:13:07 +0000 (18:13 +0000)]
pam_unix: fix build in --enable-selinux mode
glibc's <sys/wait.h> starting with commit
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=
glibc-2.15-231-gd94a467
does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
when pam is being built with SELinux support enabled, pam_unix_passwd.c
uses getrlimit(2) and therefore should include <sys/resource.h> without
relying on other headers.
* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
Tomas Mraz [Wed, 10 Oct 2012 17:46:02 +0000 (19:46 +0200)]
pam_namespace: add mntopts flag for tmpfs mount options
modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
structure.
modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
(parse_method): Parse the mntopts flag.
(ns_setup): Pass the mount_opts to mount().
modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
Tomas Mraz [Thu, 6 Sep 2012 12:58:57 +0000 (14:58 +0200)]
pam_selinux, pam_tally2: Add tty and rhost to audit data.
modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.
Tomas Mraz [Thu, 6 Sep 2012 12:47:59 +0000 (14:47 +0200)]
Update configure.in to use more recent interfaces.
configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
of AC_HELP_STRING.
Tomas Mraz [Fri, 17 Aug 2012 12:46:40 +0000 (14:46 +0200)]
Add missing $(DESTDIR) when making directories on install.
modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
$(namespaceddir) on install.
modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
$(sepermitlockdir) on install.
Thorsten Kukuk [Fri, 17 Aug 2012 09:48:15 +0000 (11:48 +0200)]
release version 1.1.6
configure.in: Bump version to 1.1.6
NEWS: Document changes
po/*.po: Regenerate *.po files
Thorsten Kukuk [Thu, 16 Aug 2012 13:46:56 +0000 (15:46 +0200)]
Small documentation and define fixes
modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
Tomas Mraz [Mon, 13 Aug 2012 18:06:44 +0000 (20:06 +0200)]
Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify().
libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE
item when obtained from module options.
(pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting.
Tomas Mraz [Thu, 9 Aug 2012 09:55:23 +0000 (11:55 +0200)]
Document limits.d also in the limits.conf manpage.
modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.
Tomas Mraz [Mon, 23 Jul 2012 16:32:16 +0000 (18:32 +0200)]
New autotools do not create empty directories on install.
modules/pam_namespace/Makefile.am: Add install-data-local target to create
namespaceddir.
modules/pam_sepermit/Makefile.am: Add install-data-local target to create
sepermitlockdir.
Stevan Bajić [Mon, 9 Jul 2012 07:43:11 +0000 (09:43 +0200)]
RLIMIT_* variables are no longer defined unless you explicitly include
sys/resource.h.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.
Tomas Mraz [Wed, 27 Jun 2012 16:21:13 +0000 (18:21 +0200)]
pam_umask: correct the documentation of GECOS field parsing
modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
parsing.
Tomas Mraz [Fri, 22 Jun 2012 11:36:45 +0000 (13:36 +0200)]
pam_cracklib: Add monotonic character sequence checking.
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
(sequence): New function to check for too long monotonic sequence of characters.
(password_check): Call the sequence().
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.
Tomas Mraz [Fri, 1 Jun 2012 09:12:21 +0000 (11:12 +0200)]
pam_timestamp: Fix copy&paste error in manpage.
modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.
Tomas Mraz [Mon, 28 May 2012 18:57:36 +0000 (20:57 +0200)]
Pulled new translations from Transifex.
po/*.po: Updated translations.
Tomas Mraz [Mon, 28 May 2012 18:24:17 +0000 (20:24 +0200)]
pam_pwhistory: Always record the old password even when root changes it.
modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
the process instead of the target user UID (same as in pam_cracklib) to
check for root. Always record old password.
Tomas Mraz [Thu, 24 May 2012 11:40:24 +0000 (13:40 +0200)]
pam_cracklib: Add enforce_for_root option.
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
Tomas Mraz [Mon, 30 Apr 2012 13:03:32 +0000 (15:03 +0200)]
pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
(simple): Add the check for the same class repetition.
(usercheck): Refactor into wordcheck().
(gecoscheck): New test for words from the GECOS field.
(password_check): Call the gecoscheck().
(pam_sm_chauthtok): Drop the diff_ignore from options struct.
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
Tomas Mraz [Mon, 30 Apr 2012 12:46:48 +0000 (14:46 +0200)]
pam_lastlog: Never lock out the root account.
modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
uid==0.
modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
Tomas Mraz [Tue, 17 Apr 2012 12:05:24 +0000 (14:05 +0200)]
pam_lastlog: add possibility to lock out inactive users in auth or account
* modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
option.
* modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
(_pam_session_parse): Renamed from _pam_parse.
(_pam_auth_parse): New function to parse auth arguments.
(_last_login_open): Factor out opening of the lastlog file.
(_last_login_read): Factor out opening of the lastlog file.
(pam_sm_authenticate): Implement the lockout functionality.
(pam_sm_setcred): Just return PAM_SUCCESS.
(pam_sm_acct_mgmt): Call pam_sm_authenticate().
Paul Wouters [Wed, 11 Apr 2012 19:13:14 +0000 (21:13 +0200)]
Check for crypt() failure returning NULL.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
returning NULL.
Dmitry V. Levin [Fri, 3 Feb 2012 00:13:44 +0000 (00:13 +0000)]
pam_unix: make configuration consistent in --enable-static-modules mode
In --enable-static-modules mode, it was not possible to use "pam_unix"
in PAM config files. Instead, different names had to be used for each
management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
pam_unix_session. This change makes pam_unix configuration consistent
with other PAM modules.
* README: Remove the paragraph describing pam_unix distinctions in
--enable-static-modules mode.
* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
_pam_unix_session_modstruct): Remove.
(_pam_unix_modstruct): New pam_module declaration.
* modules/pam_unix/pam_unix_static.h: New file.
* modules/pam_unix/pam_unix_static.c: Likewise.
* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_session_modstruct): Remove.
Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
Dmitry V. Levin [Thu, 26 Jan 2012 22:22:59 +0000 (22:22 +0000)]
Make --disable-cracklib compatible with --enable-static-modules mode
* configure.in: Define HAVE_LIBCRACK when cracklib is enabled.
* libpam/pam_static_modules.h (static_modules): Guard the use of
_pam_cracklib_modstruct by HAVE_LIBCRACK macro.
Tomas Mraz [Fri, 10 Feb 2012 08:10:10 +0000 (09:10 +0100)]
Add missing includes for types used in the pam_modutil.h.
* libpam/include/security/pam_modutil.h: Add missing includes for used types.
Matveychikov Ilya [Tue, 17 Jan 2012 07:16:49 +0000 (11:16 +0400)]
Fix compile time errors in --enable-static-modules mode
* libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
obsolete declaration.
(static_modules): Remove undefined reference to
_pam_rhosts_auth_modstruct.
* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
{save,check}_old_pass in order to avoid conflicts with pam_unix.
* modules/pam_pwhistory/opasswd.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
_pam_tally2_modstruct.
Signed-off-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
Dmitry V. Levin [Thu, 26 Jan 2012 22:24:21 +0000 (22:24 +0000)]
Fix SUBDIRS for --enable-static-modules mode
There is no way to build "modules" subdirectory before "libpam" anyway.
In STATIC_MODULES mode, "libpam" subdirectory must be built twice to
produce a usable libpam.a without undefined references to multiple
_pam_*_modstruct symbols.
* Makefile.am: Use default SUBDIRS in STATIC_MODULES mode.
Matveychikov Ilya [Fri, 20 Jan 2012 11:05:23 +0000 (11:05 +0000)]
configure: fix typo in --disable-nis help string
* configure.in: Change '-disable-nis' to '--disable-nis'.
Tomas Mraz [Thu, 26 Jan 2012 13:50:51 +0000 (14:50 +0100)]
Do not unmount anything by default in pam_namespace close session call.
* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
the unmount_on_close option and make the default to be to not unmount.
* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
PAMNS_UNMOUNT_ON_CLOSE.
* modules/pam_namespace/pam_namespace.8.xml: Document the change.
Tomas Mraz [Tue, 24 Jan 2012 19:03:28 +0000 (20:03 +0100)]
Make / mount as rslave instead of bind mounting polydirs.
* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
(check_inst_parent): Drop the always argument from protect_dir().
(create_polydir): Likewise.
(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.
Tomas Mraz [Fri, 13 Jan 2012 17:33:27 +0000 (18:33 +0100)]
Add possibility to match ruser, rhost, and tty in pam_succeed_if.
* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
rhost, and tty as left operand.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
possible left operands.
Tomas Mraz [Tue, 3 Jan 2012 11:34:12 +0000 (12:34 +0100)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam
Tomas Mraz [Tue, 3 Jan 2012 11:30:43 +0000 (12:30 +0100)]
Fix matching of usernames in the pam_unix remember feature.
* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
sure we match only the whole username in opasswd entry.
* modules/pam_unix/passverify.c (save_old_password): Likewise make
sure we match only the whole username in opasswd entry.
Dmitry V. Levin [Mon, 26 Dec 2011 18:10:29 +0000 (18:10 +0000)]
pam_start: fix memory leak on error path
* libpam/pam_start.c (pam_start): If _pam_make_env() or
_pam_init_handlers() returned an error, release the memory allocated
for pam_conv structure.
Patch-by: cancel <suntsu@yandex.ru>.