Tomas Mraz [Mon, 19 Jan 2009 09:09:15 +0000 (09:09 +0000)]
Relevant BUGIDs: rhbz#476784
Purpose of commit: new feature
Commit summary:
---------------
2009-01-19 Tomas Mraz <t8m@centrum.cz>
* modules/pam_mkhomedir/Makefile.am: Add mkhomedir_helper.
* modules/pam_mkhomedir/mkhomedir_helper.8.xml: New file. Manual page
for mkhomedir_helper.
* modules/pam_mkhomedir/mkhomedir_helper.c: New file. Source
for mkhomedir_helper. Most of the code moved from pam_mkhomedir.c.
* modules/pam_mkhomedir/pam_mkhomedir.c (_pam_parse): Do not convert umask
to integer.
(rec_mkdir): Moved to mkhomedir_helper.c.
(create_homedir): Just exec the helper.
(pam_sm_open_session): Improve logging.
Tomas Mraz [Wed, 17 Dec 2008 14:27:24 +0000 (14:27 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-12-17 Tomas Mraz <t8m@centrum.cz>
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Do
not abort on unknown option. Avoid double free of old_status.
(pam_sm_close_session): Use LOG_DEBUG for restored status message.
* configure.in: Test for getseuser().
* modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Call getseuser()
instead of getseuserbyname() if the function is available.
Tomas Mraz [Wed, 17 Dec 2008 13:49:42 +0000 (13:49 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-12-17 Tomas Mraz <t8m@centrum.cz>
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Do
not abort on unknown option. Avoid double free of old_status.
(pam_sm_close_session): Use LOG_DEBUG for restored status message.
Thorsten Kukuk [Tue, 2 Dec 2008 15:13:43 +0000 (15:13 +0000)]
Relevant BUGIDs:
Purpose of commit: new features
Commit summary:
---------------
2008-12-02 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_env/pam_env.c: Add support for user specific
environment file. Based on a patch from Ubuntu.
* modules/pam_env/pam_env.8.xml: Document new options.
* modules/pam_filter/pam_filter.c (master): Use /dev/ptmx
instead of the old BSD pseudoterminal API.
(set_filter): Call grantpt(), unlockpt() and ptsname(). Do not
close pseudoterminal handle in filter child.
* modules/pam_filter/upperLOWER/upperLOWER.c (main): Use
regular read() instead of pam_modutil_read() to allow for
short reads.
Tomas Mraz [Mon, 24 Nov 2008 14:06:15 +0000 (14:06 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-11-24 Tomas Mraz <t8m@centrum.cz>
* modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Fix leaks
in error path.
* modules/pam_env/pam_env.c(_parse_env_file): Remove superfluous
condition.
* modules/pam_group/pam_group.c(check_account): Fix leak
in error path.
* modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Fix leak
in error path.
* modules/pam_securetty/pam_securetty.c(securetty_perform_check): Remove
superfluous condition.
* modules/pam_stress/pam_stress.c(stress_get_password,pam_sm_authenticate):
Remove superfluous conditions.
(pam_sm_chauthtok): Fix mistaken && for &.
* modules/pam_unix/pam_unix_auth.c(pam_sm_authenticate): Remove
superfluous condition.
All the problems fixed in this commit were found by Steve Grubb.
Tomas Mraz [Mon, 24 Nov 2008 13:56:29 +0000 (13:56 +0000)]
Relevant BUGIDs: rhbz#471762
Purpose of commit: new feature
Commit summary:
---------------
2008-11-24 Tomas Mraz <t8m@centrum.cz>
* libpam/pam_handlers.c (_pam_parse_conf_file): '-' at
beginning of type token marks silent module.
(_pam_load_module): Add handler_type parameter. Do not log
module load error if module is silent.
(_pam_add_handler): Pass handler_type to _pam_load_module().
* libpam/pam_private.h: Add PAM_HT_SILENT_MODULE.
* doc/man/pam.conf-syntax.xml: Document the '-' at beginning
of type.
Tomas Mraz [Thu, 20 Nov 2008 14:10:17 +0000 (14:10 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-11-20 Tomas Mraz <t8m@centrum.cz>
* modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not
call sepermit_lock() if sense is deny. Do not crash on NULL seuser
match.
(pam_sm_authenticate): Try to call getseuserbyname() even if
SELinux is disabled.
Tomas Mraz [Tue, 30 Sep 2008 14:40:39 +0000 (14:40 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-09-30 Tomas Mraz <t8m@centrum.cz>
* modules/pam_lastlog/pam_lastlog.8.xml: Document new options
noupdate and showfailed.
* modules/pam_lastlog/pam_lastlog.c(pam_parse): Recognize the new
options.
(last_login_read): New output parameter lltime. Do not display
the last login message if it would be empty.
(last_login_date): New output parameter lltime. Do not write the
last login info when LASTLOG_UPDATE is not set.
(last_login_failed): New function to display the last bad login
attempt from btmp.
(pam_sm_open_session): Obtain lltime from last_login_date() and
call last_login_failed() when appropriate.
Tomas Mraz [Fri, 19 Sep 2008 13:38:32 +0000 (13:38 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-09-19 Tomas Mraz <t8m@centrum.cz>
* modules/pam_cracklib/pam_cracklib.8.xml: Fix description
of the palindrome test. Document new options maxrepeat and
reject_username.
* modules/pam_cracklib/pam_cracklib.c(_pam_parse): Parse
the maxrepeat and reject_username options.
(password_check): Call the new tests usercheck() and
consecutive().
(_pam_unix_approve_pass): Pass user name to the password_check().
* modules/pam_exec/pam_exec.c: Expose authtok if requested,
provide environment variable containing service type.
* modules/pam_exec/pam_exec.8.xml: Document new option.
Thorsten Kukuk [Sat, 2 Aug 2008 02:03:19 +0000 (02:03 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
* configure.in: Add version for gettext, add search path
for m4 directory, fix handling of --disable-* options.
Patches from Diego Pettenò <flameeyes@gmail.com>.
Steve Langasek [Mon, 28 Jul 2008 20:51:56 +0000 (20:51 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix (thread safety)
Commit summary:
---------------
2008-07-28 Steve Langasek <vorlon@debian.org>
* modules/pam_unix/passverify.c: make save_old_password()
thread-safe by using pam_modutil_getpwnam() instead of getpwnam()
* modules/pam_unix/passverify.c, modules/pam_unix/passverify.h,
modules/pam_unix/pam_unix_passwd.c: add pamh argument to
save_old_password()
Steve Langasek [Sun, 27 Jul 2008 04:47:54 +0000 (04:47 +0000)]
Relevant BUGIDs: Debian bug #439984
Purpose of commit: bugfix
Commit summary:
---------------
2008-07-26 Steve Langasek <vorlon@debian.org>
* modules/pam_env/pam_env.c: Fix module to skip over
non-alphanumeric variable names, and to handle the case when
asked to delete a non-existent variable.
Tomas Mraz [Fri, 11 Jul 2008 15:37:28 +0000 (15:37 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-07-11 Tomas Mraz <t8m@centrum.cz>
* modules/pam_selinux/pam_selinux.c (config_context): Do not
ask for the level if use_current_range is set.
(context_from_env): New function to obtain the context from
PAM environment variables.
(pam_sm_open_session): Call context_from_env() if env_params option
is present. use_current_range now modifies behavior of the
context_from_env and config_context options.
* modules/pam_selinux/pam_selinux.8.xml: Describe the env_params
option. Adjust description of use_current_range option.
Commit summary:
---------------
2008-07-11 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Do
not close the pipe descriptor in borderline case (#2009766)
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
* modules/pam_unix/support.h: Define upper limit of fds we will
attempt to close.
* modules/pam_tally/pam_tally.c: Add support for silent and
no_log_info options.
* modules/pam_tally/pam_tally.8.xml: Document silent and
no_log_info options.
Tomas Mraz [Wed, 14 May 2008 13:03:39 +0000 (13:03 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-05-14 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/pam_unix_passwd.c(pam_sm_chauthtok): Unset authtok
item when password is not approved.
* modules/pam_unix/support.c(_unix_read_password): UNIX_USE_FIRST_PASS
is always set when UNIX_AUTHTOK is set, change order of conditions.
Tomas Mraz [Fri, 2 May 2008 12:41:32 +0000 (12:41 +0000)]
Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
2008-05-02 Tomas Mraz <t8m@centrum.cz>
* modules/pam_selinux/pam_selinux.c(query_response): Add handling
for NULL response.
(manual_context): Handle failed query_response() properly. Rename
variable responses to response, which is a more correct name.
(config_context): Likewise.
(pam_sm_open_session): Do not base decision on whether there is a tty.
Tomas Mraz [Tue, 22 Apr 2008 19:21:37 +0000 (19:21 +0000)]
Relevant BUGIDs: rhbz#443667
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-22 Tomas Mraz <t8m@centrum.cz>
* modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Fix
regression from the change from 2008-03-20. setexeccon() must be
called also with NULL prev_context.
* modules/pam_access/access.conf.5.xml: Document changed behavior
of LOCAL keyword.
* modules/pam_access/pam_access.c: Add from_remote_host to
struct login_info to change behavior of LOCAL keyword: if
PAM_RHOST is not set, LOCAL will be true.
Tomas Mraz [Fri, 18 Apr 2008 12:53:38 +0000 (12:53 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-04-18 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/pam_namespace.c: New functions
unprotect_dirs(), cleanup_protect_data(), protect_mount(),
protect_dir() to protect directory by bind mount.
(cleanup_data): Renamed to cleanup_polydir_data().
(parse_create_params): Allow missing specification of mode
or owner.
(check_inst_parent): Call protect_dir() on the instance parent
directory. The directory is created when it doesn't exist.
(create_polydir): Protect and make the polydir by protect_dir(),
remove potential races.
(create_dirs): Renamed to create_instance(), remove call to
inst_init().
(ns_setup): Call protect_dir() on the polydir if it already exists.
Call inst_init() after the polydir is mounted.
(setup_namespace): Set the namespace protect data to be cleaned up
on pam_close_session()/pam_end().
(pam_sm_open_session): Initialize the protect_dirs.
(pam_sm_close_session): Cleanup namespace protect data.
* modules/pam_namespace/pam_namespace.h: Define struct for the
stack of protected dirs.
* modules/pam_namespace/pam_namespace.8.xml: Document when the
instance init script is called.
* modules/pam_namespace/namespace.conf.5.xml: Likewise.
Tomas Mraz [Thu, 17 Apr 2008 12:52:25 +0000 (12:52 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-17 Tomas Mraz <t8m@centrum.cz>
* modules/pam_access/pam_access.c(myhostname): Removed function.
(user_match): Supply hostname of the machine to the netgroup_match().
Use hostname from the loginfo instead of calling myhostname().
(pam_sm_authenticate): Call gethostname() to fill hostname in the
loginfo.
Tomas Mraz [Wed, 16 Apr 2008 08:21:05 +0000 (08:21 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-04-16 Tomas Mraz <t8m@centrum.cz>
* modules/pam_cracklib/pam_cracklib.c(_pam_parse): Recognize also
try_first_pass and use_first_pass options.
(pam_sm_chauthtok): Implement the new options.